Android Forensics: a Physical Approach

Lamine M. Aouad, Tahar M. Kechadi
Centre of Cybercrime Investigation, University College Dublin, Ireland

Abstract

There has been an exponential growth of Android systems in the last few years. However, the capability to perform efficient and fast forensic analyses on these devices is still limited, due to the lack of standardized processes along with the wide range of variants or versions of the operating system, the file system and the data storage, in addition to manufacturer-specific customizations. In this paper, we present a generalized method for physical acquisition and analysis of memory images of Android devices. It is known that the main advantage of acquiring physical memory images is a more complete capture of the data, including deleted items. In addition, physical acquisition methods can work with damaged devices and generally make fewer alterations to the original device while it is being acquired. Yaffs2 (Yet Another Flash File System), used in the majority of existing devices, is still not fully supported by commercial forensic tools. We aim at covering this gap by presenting an easy end-to-end procedure for the acquisition of data partitions on a range of Android systems using yaffs2, as well as the mounting and analysis of these memory images on a Linux workstation.

Keywords: Android, Memory imaging, Yaffs2.

1. Introduction

The number of mobile phone subscriptions worldwide reached more than 5.6 billion last year (Gartner research, 2011). The technology and functionality present on these phones is continually evolving. Smart phones are now becoming widespread, and have certainly contributed hugely to the phenomenal increase in mobile phone subscriptions (700% in the last ten years!). Android is becoming the most common platform for these phones, with 43% penetration in the US market (Q3 2011) [7].

The amount of information stored on these devices has increased dramatically. This includes emails, SMSs, browser history, bookmarks, messages, chat, network passwords, personal notes, contacts, call logs, geolocation information, and much more. There is also a wealth of information in third-party applications. These are all potentially relevant in a forensic investigation. However, the growing number and variety of devices and customized systems and interfaces make it difficult to develop a single process or tool for effective data extraction and analysis. Low-level analysis of complete memory images can offer a solution to this. The literature has also shown that the memory imaging approach is the "holy grail" of any forensic acquisition. Performing a bit-by-bit copy of the original media has indeed always been ranked the highest in terms of effectiveness and accuracy, such as in [2], [3]. The work presented in this paper focuses on a generalized method for physical acquisition, memory imaging and analysis on Android devices. We specifically target support for the native file system used by Android, namely yaffs.

The next section presents a brief state of the art and an overview of the underlying systems. Section 3 then presents the proposed method, its evaluation, and a discussion. Section 4 presents concluding remarks.

2. Background

In recent years, there has been an increasing interest in mobile device forensics, and many studies and surveys (on current methods and existing tools) have been presented, including [2] [3] [5] [6], among others. Given the huge variety of these systems and devices (the Android OS, for instance, is compliant with 300+ different smartphone models), it should come as no surprise that the list of specifications is quite large. Indeed, no standardized or generalized methods exist, either software or hardware. An interesting fact to mention here is that most of the existing tools are commercial, with unspecified implementation, and little or no documentation of their architecture or of the way they perform either logical or physical acquisitions. In this work, we aim at setting up a general physical acquisition method and documenting the fundamentals of analyzing its output. In the following, we present the underlying systems and technologies.

2.1 Android OS

Android is an open source mobile device OS developed by Google, based on the Linux 2.6 kernel. The Linux kernel was chosen due to its proven driver model, existing drivers, memory and process management, and networking support, along with other core operating system services [8]. Google has also developed its own Java runtime engine, optimized for the limited resources available on a mobile platform, called the "Dalvik Virtual Machine". Lastly, the application framework was created in order to provide the system libraries in a concise manner to the end-user applications [9].

Fig. 1: Android system architecture

2.2 Yaffs filesystem

Android uses the yaffs flash file system, the first NAND-optimized Linux flash file system. For mobile devices, hard disks are too large in size, too fragile and consume too much power to be useful. In contrast, flash memory provides fast read access time and better kinetic shock resistance than hard disks. There are fundamentally two different types of flash memory: NOR and NAND. NOR is low density and offers slow writes and fast reads. NAND is low cost, high density and offers fast writes and slow reads. Embedded systems are increasingly using NAND flash for storage and NOR for code and execution [10].

Yaffs was developed by Toby Churchill Ltd (TCL) as a reliable filing system with fast boot time for their flash memory devices. The authors initially tried to modify existing flash file systems such as JFFS (used mainly for NOR) to add NAND support, but it turned out that the slow boot time and RAM consumption of existing flash file systems were unacceptable. Furthermore, there are too many fundamental differences between NOR and NAND to make performance optimal. For instance, since erasing NOR takes much longer than erasing NAND, garbage collection methodologies for NOR are not suitable for NAND. This led to the development of a different flash file system especially for NAND, designed around its features and limitations to optimize performance and ensure robustness. Upon completion, yaffs performed better than existing flash file systems and can still be used with NOR flash even though it was specifically designed for NAND. The structure of yaffs is given in figure 2.

Fig. 2: Yaffs embedded structure

2.3 Memory Technology Device

Linux only understands character and block devices, such as keyboards and disk drives. With Linux on flash, however, a flash translation layer provides the system with device functionality. A Memory Technology Device (MTD) is needed to provide an interface between the Linux OS and the physical flash device because flash memory devices are not seen as character or block devices. The MTD system is simply "an abstraction layer for raw flash devices" that allows software to utilize a single interface to access a variety of flash technologies. For most Android devices, the MTD subsystem addresses NAND flash in blocks that are divided into 64 chunks, each chunk containing 2048 bytes (so blocks are 128K) plus a 64-byte out-of-band/spare area (OOB) where various tags and metadata are stored, as we will see below.

3. Process overview

The main idea here is to provide the user with a generalized method that can be carried out without the need for any specific forensic tool. We present the setup, followed by the overall process and a discussion.

3.1 Setup

The presented method runs under Linux. The Android SDK tools have to be installed, including the Android Debug Bridge [11]. As yaffs2 is not supported by default in Linux, we had to incorporate it: yaffs2 was downloaded and compiled to enable kernel support. Also, the mtd-utils package needs to be installed. Lastly, the MTD utilities are cross-compiled to be used on the devices.

3.2 The method

We tested this method on a Nexus One with Android 2.1 and kernel version 2.6.29. The phone has to be rooted. In order to acquire access to the root directory, Universal Serial Bus (USB) debugging has to be enabled on the phone. Our target partition is the 5th, and it is mounted on /dev/block/mtdblock5. Note that the process can be applied to any other partition, or a set of partitions.

3.3 Acquiring the memory image

We extract the memory contents in their entirety through the communication port. For MTD devices, nanddump can be used to collect NAND data independently of the higher-level filesystem deployed on the memory. For devices that do not employ MTD, other collection techniques can be employed; for instance, the dd utility can be used. It is also important to note that not all the data is necessarily stored in on-board memory [12]. We used an empty sdcard, in line with best practices in forensics. The Linux shell commands are the following:

  #cd mtd-utils-arm
  #adb push nanddump /sdcard
  #adb push mtd_debug /sdcard
  #adb shell [here we are on the phone]
  #mount -o remount,rw /sdcard /sdcard
  #chmod 755 /sdcard/nanddump

Now we have a cross-compiled copy of nanddump and mtd_debug, executable on our device. We also take note of the version of yaffs that is running on our device (cat /proc/yaffs).

We also generate a dump without the OOB area, as some of the techniques that we are going to use work better without OOB:

  #./nanddump -f /sdcard/userdatapadbad.nanddump /dev/mtd/mtd5 --bb=padbad
  ECC failed: 0
  ECC corrected: 0
  Number of bad blocks: 1
  Number of bbt blocks: 0
  Block size 131072, page size 2048, OOB size 64
  Dumping data starting at 0x00000000 and ending at 0x0c440000...

The resulting images are now on the sdcard:

  #ls -l
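A raw nanddump that includes the spare area interleaves a 64-byte OOB after every 2048-byte page, which is why a data-only copy is needed before the image can be mounted or carved. The script below is an added example (not code from the paper): it checks a dump against the geometry nanddump reported (page 2048, OOB 64, 64 pages per 131072-byte block), splits it into a data-only image and an OOB stream, and hashes each derived file; the function names and the constructed one-block sample are assumptions of this example.

```python
"""Check a nanddump image against the NAND geometry and split it into a
data-only image plus an OOB stream. Added example, not the paper's code."""
import hashlib

PAGE_SIZE = 2048      # data bytes per chunk/page, as reported by nanddump
OOB_SIZE = 64         # out-of-band/spare area per page (yaffs2 tags live here)
PAGES_PER_BLOCK = 64  # 64 * 2048 = 131072, the block size nanddump reported


def geometry(image_len, page_size=PAGE_SIZE, oob_size=OOB_SIZE,
             pages_per_block=PAGES_PER_BLOCK):
    """Return (page_count, block_count) for an image that includes OOB.
    A length that is not a whole number of erase blocks usually means a
    truncated transfer or wrong page/OOB sizes, so it is rejected."""
    block_bytes = (page_size + oob_size) * pages_per_block
    if image_len % block_bytes:
        raise ValueError(f"{image_len} bytes is not a multiple of {block_bytes}")
    blocks = image_len // block_bytes
    return blocks * pages_per_block, blocks


def strip_oob(image, page_size=PAGE_SIZE, oob_size=OOB_SIZE,
              pages_per_block=PAGES_PER_BLOCK):
    """Return (data_only, oob_only): the first is what gets mounted or
    carved, the second keeps the yaffs2 tags for later examination."""
    pages, _ = geometry(len(image), page_size, oob_size, pages_per_block)
    stride = page_size + oob_size
    data, oob = bytearray(), bytearray()
    for i in range(pages):
        off = i * stride
        data += image[off:off + page_size]
        oob += image[off + page_size:off + stride]
    return bytes(data), bytes(oob)


def sha256(buf):
    """Hex digest to record alongside each derived image."""
    return hashlib.sha256(buf).hexdigest()


if __name__ == "__main__":
    # Constructed sample: one erase block whose pages carry their index and
    # whose OOB areas are all 0xFF (erased), in place of a real dump.
    sample = bytearray()
    for i in range(PAGES_PER_BLOCK):
        sample += bytes([i]) * PAGE_SIZE + b"\xff" * OOB_SIZE
    data, oob = strip_oob(bytes(sample))
    print(geometry(len(sample)), len(data), len(oob), sha256(data)[:16])
```

With the defaults, the 0x0c440000-byte data range reported above corresponds to 1570 blocks, which `geometry()` will confirm for a dump of the matching with-OOB length.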
