Mobile forensics is the science behind recovering digital evidence from mobile phones. Digital evidence encompasses all digital data that can be used as evidence in a case. With the increasing prevalence of mobile phones being a part of our daily lives, data acquired from mobile phones becomes an invaluable source of evidence for investigations relating to criminal and civil cases.
With Android holding 76.61% of the U.S. smartphone market share and iOS, the second most popular smartphone operating system, holding 20.66%, it is important that examiners understand both operating systems: their file systems and folder structures, what items of potential evidentiary value could be found on each device, where data is stored, and the forensic data extraction tools and techniques that can be used when examining Android and iOS devices. (Statcounter, 2018)
Google announced that as of 2017 there are more than two billion monthly active Android devices in use around the world (Rossignol, 2017). Because Android is open source, meaning anyone can access and freely modify the source code, and because device types and configurations vary widely from one device to the next, Android poses a unique challenge to examiners. Examiners must be prepared to expect the unexpected when handling an Android device, since it can be customized to the owner's preferences, and must understand that no two Android devices will be exactly alike, which makes finding data more of a challenge.
For examiners to examine an Android device effectively and extract the data pertinent to each case, it is beneficial to understand the Android architecture. Android was designed with a focus on security. The Linux kernel manages Android's core functionality, such as process management, memory management, security, and networking. The file hierarchy is a single tree whose top is denoted as the root, and certain folders are only visible with root access. Rooting is the process of gaining privileged access on an Android device, which is very beneficial for examiners. It is important for examiners to make an informed decision about where to look for data. The important partitions common to most Android devices, which are key for examiners to understand, are as follows:
- Boot: This partition is required for the phone to boot and contains the kernel and the RAM disk. Data residing in RAM contains information important to an examination and should be captured.
- System: Contains the system-related files other than the kernel and RAM disk and should never be deleted as it will make the device unbootable.
- Recovery: This partition is designed for backup purposes and allows the device to boot into recovery mode.
- Data: This is where the data of each application is stored, which is of great importance to an examination. Data belonging to the user such as contacts, SMS, and dialed numbers is stored in this partition.
- Cache: This is where frequently accessed data and app components are stored, which is beneficial to examiners to know which data is regularly accessed by the device user.
- Misc: This partition contains miscellaneous settings, including hardware settings and USB settings, which can be accessed from this partition.
- SD card: This is where all the information present on an SD card is held. This is valuable to an examination as it could contain information such as pictures, videos, files, documents, and more.
Understanding the Android file system is also essential to examiners and is useful during forensic analysis. The file system refers to the way data is stored, organized, and retrieved from the volume. Android uses several file systems, and it’s important to understand what file systems are used, as well as the significance of each to an investigation.
- The temporary file system is a temporary storage facility that stores files in RAM, which is volatile memory. Examiners must examine or extract data in RAM before the device reboots, since this data will not be accessible after the device is restarted or turned off.
- Microsoft's FAT32 file system is supported by Android devices, enabling the system to easily read, modify, and delete the files present on the FAT32 portion of the device; most external SD cards are also formatted with FAT32.
- Yet Another Flash File System 2 (YAFFS2) is an open-source, single-threaded file system designed mainly to be fast when dealing with NAND flash.
- Flash Friendly File System (F2FS) relies on log-structured methods that optimize NAND flash memory.
- Robust File System (RFS) supports NAND flash memory.
(Bommisetty, Skulkin, & Tamma, 2018).
SQLite is the most common data storage format used to save crucial data: it stores user information in the form of database files and holds a wealth of valuable data for examiners to extract and analyze. SQLite is the database that internet browsers, web applications, and software products use to keep their data, including usernames, passwords, account numbers, deleted data, and browser history such as downloads, keywords, and URLs. SQLite databases also allow for the analysis and extraction of key artifacts from social networking applications such as WhatsApp, Facebook, and Skype. (Bommisetty, Skulkin, & Tamma, 2018).
There is a vast range of data types that examiners will encounter during an Android examination, including SMS, MMS, backups, emails, call logs, contacts, pictures, videos, browser history, GPS data, downloaded documents, third-party apps, and more. Once an examiner understands how data is stored on the device, commercial forensic tools can be deployed to ensure that all accessible data is captured. There are many commercial Android data extraction tools available that can extract data for examiners to analyze. Magnet AXIOM is one of the leading commercial forensic tools on the market; it supports Android devices and can be used for both logical and file system acquisitions. Magnet AXIOM will acquire a physical image of the flash memory from a locked or unlocked Android device and collect evidence from files, folders, user data, native data, and unallocated space. It can also be used for parsing backups and acquiring call logs, SMS/MMS, browser history, third-party application user data, calendars, user accounts, and Wi-Fi hot spots. (Magnet Forensics, n.d.)
Mobilyze from BlackBag Technologies is another commercial, user-friendly forensic tool for Android devices. Mobilyze performs logical acquisitions, allowing investigators to acquire data in real time through an easy-to-use integrated interface and to examine data through various categories, filters, searches, and views. All relevant user data is securely preserved in a forensically sound manner, and Mobilyze output imports seamlessly into other forensic tools without the need to perform another data collection. (BlackBag Technologies, n.d.)
Andriller is a software utility with a collection of forensic tools that performs read-only, forensically sound acquisitions and has powerful lock screen cracking capabilities for pattern-, PIN-, or password-protected Android devices. Andriller is also capable of decrypting encrypted databases, as well as decoding and merging multiple databases. (Andriller, n.d.). Since examiners are likely to come into contact with Android devices that are locked by the user, it is necessary to utilize a forensic tool that has lock screen cracking capabilities.
One data extraction method that differs from using a forensic tool is using the command line. Android Debug Bridge (adb) is a command-line tool that communicates with the device to retrieve information. The adb command facilitates a variety of device actions, such as installing and debugging apps, and provides access to a Unix shell that can be used to run a variety of commands on the device. An examiner can pull the data present in a particular partition using the adb pull command for further analysis. This type of data extraction only works on rooted devices, where the shell user has permission to access the files. This command allows investigators to browse through the necessary files, gain access to the information, and analyze the data relevant to the case. (Bommisetty, Skulkin, & Tamma, 2018)
Although Android and iOS are both smartphone operating systems, they differ greatly in the way data is stored. For a forensic examiner to properly examine an iOS device, the internal components must be understood, as well as how and where data is stored, before data can be successfully extracted. Hierarchical File System (HFS+) was the default file system used in iOS devices, handling the storage of data files, apps, and files associated with the operating system. Apple File System (APFS) has now replaced HFS+ as the default file system for iOS 10.3 and later. The file system is configured into two logical disk partitions, the system partition and the user data partition.
The system partition contains the OS and all of the preloaded applications used with the iPhone but contains little useful evidentiary information. The user data partition contains all of the user-created data and provides most of the evidentiary information pertinent to examiners. User-created data ranges from third-party application data and contacts to text messages, images, audio, and much more. Understanding where data is located, and which specific data held on iOS devices provides evidentiary value, assists examiners in choosing the forensic tools and data acquisition methods to be utilized during an investigation. (Bommisetty, Skulkin, & Tamma, 2018)
The ultimate goal in a forensic examination is to obtain the bit-by-bit, physical image of the original data, whenever possible. Since this is not always possible with newer iOS devices, it is important to understand the different data acquisition methods available for iOS devices. The objective of a physical acquisition is to perform a bit-by-bit copy of the non-volatile (NAND Flash) memory, which holds a plethora of data. NAND flash is the main storage area which contains the system files and user data and retains stored data even after the device reboots. Physical acquisition can also recover deleted and hidden data, which is why it is an ideal acquisition method for examiners. Data available from physical acquisition includes images, videos, applications, location information, emails, logs, and more. (Bommisetty, Skulkin, & Tamma, 2018).
Logical acquisition captures what is accessible to the device user, such as the type of data that is included in an iTunes backup. With logical acquisitions, deleted data will not be recovered, and the device must be unlocked. Forensic tools communicate with the OS, which specifies how software components interact, and request the data from the system; the result is then output in a readable format. Data available from logical extraction includes call logs, SMS, MMS, images, videos, audio files, contacts, calendars, and application data. (Bommisetty, Skulkin, & Tamma, 2018).
File system acquisition is useful for examining the file structure of the device but can only be performed if the device is unlocked. File system data is stored in the NAND flash memory, and copies of much of it also exist off the device in iCloud and iTunes backup files. Direct access to the file system allows tools to extract all files present in the internal memory, including database files, system files, default application data such as calendars, voicemail, messages, photos, contacts, internet history, geo-tag locations, iTunes synced data, and more.
Examiners can find a wealth of information in iOS backups. Users can choose to back up their data to their computer using the Apple iTunes software, or to the iCloud storage service. Every time an iPhone is synced with a computer or with iCloud, a backup is created by copying the selected files from the device. These files are of great importance to examiners and as evidence in an investigation. The types of data created during a backup include contacts, SMS, photos, calendar, call logs, configuration files, documents, the keychain (which is the password manager), cookies, offline web application cache, application data, and much more. The backup also contains device details such as the serial number, Unique Device Identifier, SIM details, and phone number. This information establishes the relationship between the iOS device and the backup data. (Bommisetty, Skulkin, & Tamma, 2018).
There are several tools for reviewing the backup data of an iOS device. iPhone Analyzer by Crypticbit is a free, Java-based, multi-platform tool that provides access to the file system and a simple viewer for selected files. The evidence provided by iPhone Analyzer is forensically sound because no changes are made to the data. (Hsamanoudy, 2017).
All of the data mentioned above, once acquired from an iOS device, could be of evidentiary value in either a civil or criminal case. Geographical locations can provide examiners with the exact location, date, and time a suspect was in a specific place, as well as the user's habits, and could be used to corroborate other evidence in a case. Location data could be used to align with a timeline of events. Calendar entries could provide proof of intent to be in a location on a certain date and time. Voicemails and messages provide verbal and typed statements from the device owner, as well as who the device owner was communicating with, which could prove a suspect was speaking with someone or about something relevant to the case.
Since physical acquisition allows the recovery of deleted data, this type of data is especially vital to an investigation and of great value to a case. Examiners could use deleted data to show that the device owner was looking to hide something and/or get rid of evidence that could be linked to a crime. Deleted data should always be carefully extracted and analyzed. Images provide great value to cases, as the Exchangeable Image File Format (EXIF) data of an image provides examiners with information about the device's camera, the date, time, and camera settings, and the GPS coordinates of where the photo was taken. The image itself also provides photographic proof, even after the user deletes it from their device.
Browser history, bookmarks, URLs, and cached data give examiners a look into the device owner's internet usage and habits, even long after being deleted. An individual's web browsing, along with its time-stamped data, can be analyzed in order to prove or disprove suspicion and further leads in an investigation. Application analysis could provide investigators with valuable evidentiary data from apps such as Facebook and WhatsApp, which are leading social networking applications used for sending messages, images, audio, and video. Again, the data from these applications and data sources gives examiners a look into the device user's everyday life. iOS devices collect and store a tremendous amount of evidence about the user's life, lifestyle, and habits, whether the user realizes this type of data is being stored or not.
Data extracted from iOS devices can be acquired utilizing different commercial and open source forensics tools, as well as different methods and techniques. One of the leading commercial forensic tools on the market is the Cellebrite Universal Forensic Extraction Device (UFED). “This tool empowers examiners to capture forensic evidence from iOS devices utilizing forensically sound data extraction, decoding, and analysis techniques to obtain live and deleted data, decipher encrypted data, and overcome password locks and SIM PIN numbers.” (Bommisetty, Skulkin, & Tamma, 2018). UFED Physical Analyzer performs physical and advanced logical acquisitions and provides access to the file system data. UFED extracts the device keys required to decrypt raw disk images and keychain items, and reveals device passwords, which is beneficial to examiners when they come across a password-protected item that could be of evidentiary value. UFED supports advanced analysis and decoding of extracted application data, which is extremely beneficial to an investigation when applications contain vast amounts of evidentiary value.
Physically and logically extracted data are presented in the same user interface, making analysis easier and quicker. UFED also has the capability of dumping the raw file system partition for import and examination in another forensic tool, and of creating a binary image file that can easily be imported into another forensic tool for verification. “Cellebrite is the market share leader for mobile forensics worldwide, continually responding to the evolution of digital data and its increasing relevance to a wide range of investigations.” (Cellebrite, n.d.).
MSAB is another global leader in forensic technology for iOS examination and offers XRY software that investigators use to quickly and effectively retrieve data from iOS devices. MSAB offers XRY Logical, which enables a quick extraction method for recovering live and file system data from the device right at the crime scene by communicating with the OS of the device. XRY Physical is also offered to allow examiners to bypass the OS and dump all the raw data from the device, including protected and deleted data, and to overcome security and encrypted data on locked devices. With digital security being more important than ever to device owners, examiners need access to a tool that provides the capability of bypassing and recovering passwords on iOS devices. (MSAB, n.d.).
MSAB also offers XRY Cloud which recovers data from the cloud-based storage, which is useful when looking for social media data and app-based information services such as iCloud, Facebook, Instagram, and WhatsApp. XRY Cloud allows investigators to recover cloud-based data without actual physical possession of the mobile device. (MSAB, n.d.).
SQLite is an open-source, in-process library that implements a self-contained database. SQLite databases hold vast amounts of data from many built-in applications as well as from third-party applications installed on the device. Data in SQLite files is broken up into tables, and a forensic tool is required to access the data stored in these files. RazorSQL provides a SQLite GUI and visual tools for easily querying, browsing, editing, and managing SQLite databases. “The SQLite database query tool provided by RazorSQL includes such features as a custom SQLite database browser tailored to SQLite, an SQL editor with SQLite specific features and syntax highlighting, custom SQLite visual tools, and SQLite specific database administration tools”. (RazorSQL, n.d.). SQLite databases store deleted records within the database file itself, and it is possible to recover deleted data such as contacts, SMS, calendar, email, voicemail, and more by parsing the corresponding SQLite database. (Bommisetty, Skulkin, & Tamma, 2018). It is important to utilize different forensic tools to examine the different files to recover and extract deleted data, since not all forensic tools will recover all of the data from all the databases.
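As an added example (not code from this essay or from Practical Mobile Forensics), the following Python script shows the deleted-record recovery described here, and the Android SQLite stores discussed earlier, at the page level: it builds a constructed sms table, deletes one row with secure_delete off, and then parses each table leaf page's cell pointer array, unallocated gap and freeblock chain to carve the deleted message out of space the live tables no longer reference. The table layout, file name and message text are assumptions; real messaging databases use other column names.

```python
"""Carve deleted records out of a SQLite database's free space.
Added example; the sms table and its messages are constructed, not real
phone data. The page-level parsing follows the SQLite file format."""
import os
import re
import sqlite3
import tempfile

# Runs of 4 or more printable ASCII bytes; long enough to skip header noise.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

def build_sample_db(path):
    """Create a constructed sms table, insert rows, delete one, return its body."""
    conn = sqlite3.connect(path)
    # With secure_delete on, SQLite zeroes freed bytes and nothing can be
    # carved; it is turned off here so the deleted row survives in free space.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    rows = [
        (1, "+15550100001", "meet at the usual place tonight"),
        (2, "+15550100002", "the package is in locker seventeen"),
        (3, "+15550100003", "running late, start without me"),
        (4, "+15550100004", "call me when you land"),
    ]
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE id = 2")
    conn.commit()
    conn.close()
    return rows[1][2]

def _free_regions(page, hdr, usable):
    """Yield the byte ranges of a table leaf page that hold no live cell."""
    first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
    ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
    content = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
    # Unallocated gap between the cell pointer array and the cell content area.
    yield page[hdr + 8 + 2 * ncells:content]
    # Freeblock chain: each block starts with a 2-byte next offset and 2-byte size.
    off, seen = first_free, set()
    while off and off not in seen and off + 4 <= usable:
        seen.add(off)
        nxt = int.from_bytes(page[off:off + 2], "big")
        size = int.from_bytes(page[off + 2:off + 4], "big")
        # The 4-byte header overwrote the start of the old cell; the rest remains.
        yield page[off + 4:off + size]
        off = nxt

def carve_deleted_strings(path):
    """Return printable strings found in the free space of every table leaf page."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 file")
    page_size = int.from_bytes(data[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size   # 1 encodes 65536
    usable = page_size - data[20]   # byte 20: reserved bytes at each page end
    found = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0   # page 1 starts with the 100-byte file header
        if page[hdr] != 0x0D:          # 0x0D marks a table b-tree leaf page
            continue
        for region in _free_regions(page, hdr, usable):
            found.extend(m.decode("ascii") for m in PRINTABLE.findall(region))
    return found

def demo():
    """Build the sample store, carve it, and return (deleted_body, carved, live)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")   # constructed file name
        deleted_body = build_sample_db(path)
        carved = carve_deleted_strings(path)
        conn = sqlite3.connect(path)
        live = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY id")]
        conn.close()
    return deleted_body, carved, live

if __name__ == "__main__":
    print(demo())
```

Re-running the same script with the pragma set to ON carves nothing, which is why an examiner should parse free space rather than trust the live tables alone, and why results differ between tools.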
iOS devices are known for their security and reliability, making them the second most popular smartphone on the market. If examiners understand the iOS file systems and folder structures and how and where data is stored, they can make an informed plan of action as to where and how to extract data pertinent to the case, and choose the best forensic data extraction tool for the particular device and the limitations it places on examiners, such as a passcode-protected iPhone.
Before examiners begin analyzing and extracting data from applications, reverse engineering the applications is a necessary first step to take. Reverse engineering is the process of extracting source code and resources from an executable. (Bommisetty, Skulkin, & Tamma, 2018). Android and iOS apps can be reverse engineered in order to understand their functionality, operation, structure, and data storage, the security mechanisms in place, malware analysis, as well as reading the code and finding vulnerabilities in the code. (Srinivas, n.d.). Reverse engineering applications would be beneficial to examiners during an investigation where in certain cases the examiner would want to better understand an application and how it stores data, which then gives examiners a full understanding of how the application functions and where to look for data pertinent to an investigation.
On Android, everything the user interacts with is an application, whether it was preinstalled on the device or installed by the user as a third-party app. These applications handle a lot of valuable and available data, which examiners need to be able to convert into usable data. Once an app is reverse engineered and its code obtained, the app permissions are also obtained, which helps examiners understand which areas of the phone each app was permitted to access.
With Android being the leading OS, the risk of malware affecting the system continues to rise. According to Pulse Secure, 97% of mobile malware is focused on the Android OS, with over 8,000 new Android malware samples every day. (Bommisetty, Skulkin, & Tamma, 2018). Unlike Apple’s App Store, which is tightly controlled by the company, Google’s Play Store, the app store for Android users, is an open ecosystem without any detailed upfront security reviews. Malware developers can easily publish their apps there for distribution, so once such an app is downloaded onto an Android device, the device becomes infected. Examiners need to understand that just because iOS does not allow unsigned apps in the iTunes store does not mean that iOS devices are not susceptible to applications containing malware. In 2015, Apple removed over 300 infected apps from its app store after malware that targeted developers was used to create infected iOS apps. (Cox, 2015). This is why examiners need to be able to identify the presence of malware on a device, whether Android or iOS, prior to performing analysis, as malware could alter the contents and state of the device itself, making the analysis, results, and evidence inconsistent and negatively affecting the outcome of an investigation. (Bommisetty, Skulkin, & Tamma, 2018).
Malware on a mobile device is capable of performing dangerous actions that could negatively affect the outcome of a forensic examination. Malware could steal sensitive data or manipulate files or data present on the device, which would alter the data an examiner is analyzing and extracting. Malware can also infect the browser and change its settings, which would affect pertinent data in an investigation. The most dangerous action that malware could perform on either an Android or iOS device is wiping all the data present on the device. This is why it is vital that examiners take the time to properly assess the applications for malware before performing any extraction and analysis of their data. Data present on a device is sensitive and will without a doubt be of evidentiary value in a case, and examiners need to protect the quality of the evidence, as well as the mobile device the evidence is being acquired from.
Due to Android and iOS devices' popularity in the smartphone market, along with their security features, variety of applications, and customizations, mobile forensic examiners will inevitably come across either Android or iOS devices during an investigation. This is why it is important for examiners to understand the inner functions of both devices, as well as where and how data is stored, how data can be extracted, and the available data extraction tools and techniques. Smartphones are capable of storing a plethora of data of great potential evidentiary value, and examiners need to make themselves familiar with Android and iOS devices as their popularity is only growing.
- Andriller (n.d.) Andriller – Android Forensic Tools. Retrieved from https://www.andriller.com/
- Android (n.d.) Android Debug Bridge (adb). Retrieved from https://developer.android.com/studio/command-line/adb
- BlackBag Technologies (n.d.) Mobilyze. Retrieved from https://www.blackbagtech.com/mobilyze.html#Features
- Bommisetty, Skulkin, & Tamma (2018, January 23) Practical Mobile Forensics – Third Edition. Retrieved from https://proquest-safaribooksonline-com.cobalt.champlain.edu
- Cellebrite (n.d.) UFED Ultimate. Retrieved from https://www.cellebrite.com/en/products/ufed-ultimate/
- Cox, Joseph (2015, September 21) Apple Removes 300 Infected Apps from App Store. Retrieved from https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/
- DB Browser for SQLite (n.d.) The Official home of the DB Browser for SQLite. Retrieved from http://sqlitebrowser.org/
- Hsamanoudy (2017, September 27) How to use iPhone Analyzer for acquiring backup data? Retrieved from https://infosecaddicts.com/iphone-analyzer-acquiring-backup-data/
- Magnet Forensics (n.d.) Magnet Acquire. Retrieved from https://www.magnetforensics.com/magnet-acquire/smartphone/
- MSAB (n.d.) XRY. Retrieved from https://www.msab.com/
- Newman, Lily Hay (2017, September 22) How Malware Keeps Sneaking Past Google Play’s Defenses. Retrieved from https://www.wired.com/story/google-play-store-malware/
- Proffitt, Tim (2012, November 5) Forensic Analysis on iOS Devices. Retrieved from https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092
- RazorSQL (n.d.) SQLite Databases Query Tool Features. Retrieved from https://razorsql.com/features/sqlite_features.html
- Rossignol, Joe (2017, May 17) Google Says There Are Now More Than 2 Billion Monthly Active Android Devices. Retrieved from https://www.macrumors.com/2017/05/17/2-billion-active-android-devices/
- Shaikh, Hashim (2017, July 21) Practical Android Phone Forensics. Retrieved from https://resources.infosecinstitute.com/practical-android-phone-forensics/#gref
- Srinivas (n.d.) Introduction to Reverse Engineering. Retrieved from https://resources.infosecinstitute.com/android-hacking-and-security-part-18-introduction-to-reverse-engineering/#gref
- Statcounter (2018, September) Mobile Operating System Market Share Worldwide. Retrieved from http://gs.statcounter.com/os-market-share/mobile/worldwide