Friday, January 10, 2020

A General Forensics Acquisition for Android Smartphones with Qualcomm Processor




INTRODUCTION
Smartphones have become more integrated into every aspect of our lives. However, smartphones are also increasingly used in crimes [1]. Mobile phones involved in criminal activities increasingly serve as important digital evidence in criminal investigations. Because Android has the largest market share, forensics on Android devices has always been a focus in the field of digital forensics. Data extraction is a key aspect of mobile device forensics. Existing extraction solutions can be roughly divided into two categories: logical acquisition and physical acquisition. Logical extraction copies files from device storage through an ADB (Android Debug Bridge) connection. It copies only the logical data of the storage partition; “unused space” is not extracted, so deleted files cannot be recovered.
A physical image is a bit-by-bit copy of a storage partition. The image contains all data, including logical files, deleted files, and “empty space” [2]. Vidas et al. [3] outlined a general method for obtaining physical storage images of Android devices using the recovery mode. This approach flashes a custom collection-oriented recovery image onto the Android device, then reboots the device into recovery mode and collects the data images. Son et al. [4] continued the work of Vidas et al. and focused specifically on data integrity concerns when using a custom recovery image. Son et al. confirmed that acquisition through recovery mode can preserve the integrity of the user data partition by comparing data images collected through recovery mode and through JTAG (Joint Test Action Group) [5]. However, if a device’s bootloader is locked, it must be unlocked before flashing the recovery partition, which is very likely to cause user data to be erased.
In this paper, we propose an improved scheme for acquiring data images using special modes of Qualcomm processors, which account for more than half of the market share of smartphone CPUs (Central Processing Units). The main contributions of this paper are as follows:
• We propose physical acquisition approaches using Qualcomm’s 9008 mode and 9006 mode. Through 9008 mode, we can bypass the bootloader lock and flash a custom collection-oriented recovery image onto the recovery partition of the Android device. Using the Qualcomm 9006 mode, we can acquire data images using forensically sound toolkits.
• We discuss the concerns of our approach regarding the preservation of data integrity and evaluate our approaches using various smartphones. Our experiments confirmed that the proposed methods are practicable and that the data integrity of the extracted partition image was preserved.
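The integrity check described above (comparing an image collected through recovery mode against a reference image such as one taken over JTAG) can be carried out by hashing both images and locating any blocks that differ. This is an added example, not code from the paper; the file names, the 4096-byte block size and the sample data are constructed assumptions.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # comparison granularity (assumption, not a value from the paper)

def compare_images(path_a, path_b, block=BLOCK):
    """Return (sha256_a, sha256_b, differing_block_indices) for two image files."""
    h_a, h_b = hashlib.sha256(), hashlib.sha256()
    diffs = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        index = 0
        while True:
            a, b = fa.read(block), fb.read(block)
            if not a and not b:
                break
            h_a.update(a)
            h_b.update(b)
            if a != b:  # also true when one image ends before the other
                diffs.append(index)
            index += 1
    return h_a.hexdigest(), h_b.hexdigest(), diffs

def make_sample_images(directory):
    """Constructed sample data: a reference image, an identical copy,
    and a copy with a single byte changed in block 5."""
    base = bytes(range(256)) * 16 * 8      # 8 blocks of 4096 bytes
    altered = bytearray(base)
    altered[5 * BLOCK + 10] ^= 0xFF        # flip one byte inside block 5
    images = (("jtag.img", base), ("recovery.img", base),
              ("modified.img", bytes(altered)))
    paths = {}
    for name, data in images:
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    return paths

def demo():
    with tempfile.TemporaryDirectory() as d:
        p = make_sample_images(d)
        same = compare_images(p["jtag.img"], p["recovery.img"])
        changed = compare_images(p["jtag.img"], p["modified.img"])
    return same, changed

if __name__ == "__main__":
    for sha_a, sha_b, diffs in demo():
        print("hashes match:", sha_a == sha_b, "differing blocks:", diffs)
```

The differing block indices, multiplied by the block size, give the byte offsets an examiner would inspect to see which region of the partition changed.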

BACKGROUND 
A. Partition Layout
Partitions are logical divisions of the mobile device’s persistent storage memory. The layout varies between vendors and platforms, but some (important) partitions are fairly standard across all Android devices. Here we outline the classical partition layout of Android smartphones.
Generally speaking, the device’s storage uses the following partition layout [8]:
• Bootloader: This partition stores the boot loader program. When the phone is powered on, the program begins to initialize the hardware and operating system of the Android device. This program also provides alternative boot modes such as recovery mode.
• Boot: A boot image is stored in this partition, which consists of a Linux kernel and a root file system ram disk.
• Recovery: Stores a minimal Android OS that includes a kernel and a ram disk that provides various low-level maintenance tools, such as updating the Android OS.
• System: This partition contains the Android framework, libraries, system applications, and pre-installed applications. After the Android OS has booted, this partition is mounted at the “/system” path.
• Userdata: This partition stores user data, including installed apps’ data, documents, pictures, audio, videos and so on. It is mounted at the “/data” path (data partition) after the system has booted.
• Sdcard: If the phone uses an extended SD card, the path “/sdcard” links to a separate Sdcard partition; otherwise the path “/sdcard” is included in the Userdata partition. The path “/sdcard” contains data including pictures and videos taken by the smartphone’s camera application, and downloaded files.
B. Bootloader Lock
The bootloader lock imposes rigid restrictions to prevent the device from being booted or flashed with an unauthentic image. Most implemented measures verify the image being loaded using a cryptographic signature [8]. If the user wants to boot the device from a custom recovery image, the boot loader needs to be unlocked first. Although some manufacturers, such as Google, may provide an official mechanism to unlock the boot loader, unlocking a locked bootloader will trigger erasure of all user data for privacy protection.
C. Fastboot
Fastboot is an Android protocol that allows a computer to communicate with the bootloader of an Android device via a USB (Universal Serial Bus) connection. The fastboot client running on the host enables the user to flash or erase partitions of the device from the command line. It can also boot the Android device with a custom recovery image without flashing the device’s partitions. Android device manufacturers can choose to support fastboot or implement their own flashing protocol in the bootloader.
