Android Phone Forensic Analysis – Unleash Hidden Evidence
ANDROID FILE SYSTEMS
There is no single file system defined for Android. Android is built on the Linux kernel, and Linux supports many file systems. Each file system is an implementation of the VFS (Virtual File System), the abstract kernel layer through which an application’s file and directory operations flow. Each file system also has a separate kernel module that supports its operations, so adding a new file system means adding a new kernel module. This implies that the kernel configuration file defines which file systems are compiled in, and hence the file systems supported by Android vary from device to device.
The file systems that Android phones support can be classified as flash memory file systems and media-based file systems. So now, let’s proceed with Android phone forensics:
FLASH MEMORY ANDROID FILE SYSTEMS:
- YAFFS2 (Yet Another Flash File System V2)
It was the default AOSP (Android Open Source Project) flash file system for kernel version 2.6.32. Newer kernel versions do not support this file system, but mobile vendors continue to support it.
- JFFS2 (The Journalling Flash File System V2)
Since Ice Cream Sandwich it is the default flash file system for the AOSP kernels.
- F2FS (Flash-Friendly File System)
An open source Linux file system introduced by Samsung.
- exFAT (Extended File Allocation Table)
It is Microsoft’s proprietary file system for flash memories. It is not part of the standard Linux kernel due to licensing requirements.
MEDIA-BASED ANDROID FILE SYSTEMS:
- EXT2 / EXT3 / EXT4 (Extended File System)
It is the standard Linux file system. It is often used as the internal memory file system instead of YAFFS2 and JFFS2.
- MS-DOS
The FAT12, FAT16 and FAT32 file systems.
- VFAT
It is not actually a separate file system; VFAT is a set of extensions to FAT12, FAT16 and FAT32.
ROOTING ANDROID DEVICE
Rooting is the process of attaining privileged control of an Android device; it gives you root permission on the device. Rooting an Android device helps overcome the limitations put in place by the manufacturer. With a rooted phone, we can run apps that require certain system access and flash custom ROMs that add more features. Rooting is possible through the ADB command-line development interface or by using special rooting applications. We cannot access the system files and database files of an un-rooted device as they are encrypted, so analysis of Android system files is possible only if the device is rooted.
ANDROID FILE SYSTEM STRUCTURE: PARTITIONS
Android uses more than one file system and multiple partitions to organize the files and folders on the device. In the file system, directories represent the partitions. Android devices mainly use six partitions: boot, system, recovery, data, cache, and misc. Each of these partitions has its own function. There may be other partitions that differ between models, such as sdcard and sd-ext.
We can also check which partitions are available on a device, along with their total, used and free sizes, using the adb command shown in the image below.
- /boot
It is the boot partition of the Android device and includes the Android kernel and ramdisk. The device cannot boot without this partition. If we wipe this partition, we need to install a new ROM that includes a boot partition to boot the system again.
- /system
This partition contains the entire OS, including the Android GUI and pre-installed system applications. We can still enter recovery or bootloader mode even if we wipe this partition.
- /recovery
This partition is specially designed for backup purposes. It is considered an alternative boot partition that lets the device boot into a recovery console.
- /data
This partition stores user data. It contains all the user data such as SMS, contacts, settings and all data related to installed applications. A factory reset actually wipes out the data partition.
- /cache
The cache partition stores frequently accessed application and data components. Even if we wipe this partition, it gets rebuilt automatically as you continue using the device.
- /misc
This partition contains miscellaneous system settings. It includes hardware settings, USB configuration etc. If we wipe this partition, the device’s features will not function normally.
- /sdcard
This partition is for the SD card, not for the internal memory. It is used to store any type of data such as media, documents, ROMs etc. The SD card can be an internal or external SD card depending on the device.
- /sd-ext
This is not a standard Android partition; custom ROMs commonly use it. It is an additional partition on an SD card that acts as a data partition in some custom ROMs that have features like app2sd to get additional storage for installing apps.
ANDROID LOGS: File Location & Related Artifact Forensic Analysis
The default location of the Android log files is /dev/log, and we can see the logs by executing the logcat command from a terminal inside Android. The logcat command can also be executed through adb.exe and its output dumped into a text file, as shown below. The command to export the logs to a PC using adb.exe:
adb logcat -v time > E:\log.txt
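Once the dump above is on the PC it is plain text in the `-v time` layout (`MM-DD HH:MM:SS.mmm P/TAG( PID): message`), which is easy to parse for triage. The parser below is an added example written for this article, not code from the original post; the sample log lines, tags, PIDs and messages inside it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `adb logcat -v time` output has the shape:
#   MM-DD HH:MM:SS.mmm P/TAG( PID): message
# where P is the priority letter (V, D, I, W, E or F).
LOGCAT_TIME_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<prio>[VDIWEF])/(?P<tag>[^(]*)\(\s*(?P<pid>\d+)\): ?(?P<msg>.*)$"
)

PRIORITY_ORDER = ["VERBOSE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]
PRIORITY_NAMES = dict(zip("VDIWEF", PRIORITY_ORDER))


@dataclass
class LogcatEntry:
    timestamp: str   # month-day and wall-clock time exactly as logcat prints it (no year)
    priority: str
    tag: str
    pid: int
    message: str


def parse_logcat_line(line: str) -> Optional[LogcatEntry]:
    """Return a LogcatEntry for one `-v time` line, or None for separator/noise lines."""
    m = LOGCAT_TIME_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return LogcatEntry(
        timestamp=m["ts"],
        priority=PRIORITY_NAMES[m["prio"]],
        tag=m["tag"].strip(),
        pid=int(m["pid"]),
        message=m["msg"],
    )


def parse_logcat_dump(text: str) -> List[LogcatEntry]:
    """Parse a whole dump (e.g. the contents of the exported log.txt), skipping unparseable lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_logcat_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def filter_entries(entries: List[LogcatEntry], min_priority: str = "VERBOSE",
                   tag: Optional[str] = None) -> List[LogcatEntry]:
    """Keep entries at or above min_priority, optionally restricted to one tag."""
    threshold = PRIORITY_ORDER.index(min_priority)
    return [e for e in entries
            if PRIORITY_ORDER.index(e.priority) >= threshold
            and (tag is None or e.tag == tag)]


# Constructed sample dump; the tags, PIDs and messages are made up for this example.
SAMPLE_LOG = """\
--------- beginning of main
01-15 10:23:45.123 I/ActivityManager(  987): Start proc com.example.app for activity com.example.app/.MainActivity
01-15 10:23:45.500 D/WifiService( 1203): setWifiEnabled: true
01-15 10:23:46.001 W/PackageManager(  987): Package com.example.app has no valid signature (constructed)
01-15 10:23:46.250 E/AndroidRuntime( 4521): FATAL EXCEPTION: main
"""

if __name__ == "__main__":
    for e in filter_entries(parse_logcat_dump(SAMPLE_LOG), min_priority="WARN"):
        print(f"{e.timestamp} {e.priority:7} {e.tag}[{e.pid}]: {e.message}")
```

Separator lines such as `--------- beginning of main` do not match the pattern and are dropped rather than raising, so a real dump with mixed buffers parses cleanly; filtering on priority and tag is the usual first pass before looking at a specific application's PID.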
ANDROID COMMON APPLICATION ANALYSIS
A few of the most commonly used Android applications selected here for analysis are:
- Google Chrome
- Android Contacts
- Telephony
- Bluetooth
- WiFi
GOOGLE CHROME
Location: \data\com.android.chrome\app_chrome\Default
DB FILE: COOKIES
- Table: cookies – Contains cookies
DB FILE: HISTORY
- Table: keyword_search_terms – Contains keyword searched
- Table: urls – Contains URLs of visited pages
DB FILE: TOP SITES
- Table: thumbnails – Contains URLs of websites that are directly entered in the tab
WHATSAPP
Location:\data\com.whatsapp\databases
DB FILE: AXOLOTL.DB
- Table: identities – Contains the contacts (phone numbers) with which chats have been done
DB FILE: MSGSTORE.DB
- Table: messages – Contains all messages (both group and individual)
- The status column indicates the message status (in a group, the value applies once at least one contact in the group satisfies it):
- 0 – received message
- 13 – sent message has been seen (blue tick)
- 5 – sent message delivered but unseen (double tick, not blue)
- 4 – message sent to the WhatsApp server but not received by the recipient’s WhatsApp app (single tick)
- 6 – sent/received calls (the key_from_me column specifies whether the call was sent or received)
- key_from_me column has values 0 or 1:
- Value 0 – Not from me (contacts)
- Value 1 – From me (the current WhatsApp user)
- recipient_count column has 2 kinds of values: 0 for individual chats, or the group member count if it is a message in a group
- read_device_timestamp is empty if the message has not been seen by everyone in a group
- media_name column contains the name of the media that was sent, as stored in the WhatsApp folder
- media_name column contains the caption of the media provided while sending, while media_url gives the location of the media on the WhatsApp server
- Table: chat_list – Contains all contacts (subject column is empty) and groups (subject column has a value) with which chats have been done (both sent and received).
- A group has a creation column showing its creation date
- message_table_id column values map to docid column values in the messages_fts_content table (which contains all messages) and identify the last message (sent/received) in the chat.
- Table: group_participants – Contains participants in the group
- gjid column contains group id
- jid column contains the group participants’ ids (the creator does not have this field)
- admin column has values 0 or 1:
- Value 0 – user
- Value 1 – admin
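The coded columns described above (status, key_from_me, recipient_count, read_device_timestamp, the subject column of chat_list and the admin flag of group_participants) are what an analyst translates first. The script below is an added example written for this article, not WhatsApp's own code or code from the original post: it builds a small in-memory SQLite stand-in for msgstore.db with only the columns the article names (the chat-identifier column `key_remote_jid` and the message-text column `data` are assumed names), fills it with constructed rows, and decodes them into plain labels.

```python
import sqlite3
from typing import Dict, List, Tuple

# Meaning of the messages.status values, as listed in the article.
STATUS_LABELS = {
    0: "received",
    4: "sent to WhatsApp server, not yet delivered (single tick)",
    5: "delivered, not seen (double tick)",
    13: "seen (blue tick)",
    6: "call",
}


def build_sample_msgstore() -> sqlite3.Connection:
    """Constructed, in-memory stand-in for msgstore.db.

    Only the columns discussed in the article are modelled. 'key_remote_jid'
    (chat identifier) and 'data' (message text) are assumed column names, and
    every row is made-up sample data.
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE messages (
            _id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,
            status INTEGER, recipient_count INTEGER, read_device_timestamp INTEGER,
            media_name TEXT, data TEXT);
        CREATE TABLE chat_list (
            _id INTEGER PRIMARY KEY, key_remote_jid TEXT, subject TEXT, creation INTEGER);
        CREATE TABLE group_participants (
            _id INTEGER PRIMARY KEY, gjid TEXT, jid TEXT, admin INTEGER);
    """)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?,?)", [
        (1, "15550000001@example", 0, 0, 0, None, None, "hi"),
        (2, "15550000001@example", 1, 13, 0, 1700000001000, None, "hello"),
        (3, "15550000001@example", 1, 4, 0, None, "IMG-0001.jpg", None),
        (4, "group-1@example", 1, 5, 3, None, None, "meeting at 10"),
        (5, "group-1@example", 0, 6, 0, None, None, None),
    ])
    conn.executemany("INSERT INTO chat_list VALUES (?,?,?,?)", [
        (1, "15550000001@example", None, None),
        (2, "group-1@example", "Project chat", 1699990000000),
    ])
    conn.executemany("INSERT INTO group_participants VALUES (?,?,?,?)", [
        (1, "group-1@example", "15550000001@example", 0),
        (2, "group-1@example", "15550000002@example", 1),
        (3, "group-1@example", "15550000003@example", 0),
    ])
    return conn


def decode_message(row: sqlite3.Row) -> Dict[str, object]:
    """Translate the coded columns of one messages row into plain labels."""
    status = row["status"]
    in_group = row["recipient_count"] > 0
    return {
        "id": row["_id"],
        "chat": row["key_remote_jid"],
        "direction": "from me" if row["key_from_me"] == 1 else "from contact",
        "status": STATUS_LABELS.get(status, f"unknown ({status})"),
        "is_call": status == 6,
        "in_group": in_group,
        "group_size": row["recipient_count"] if in_group else None,
        # read_device_timestamp stays empty while not every group member has seen the message
        "seen_by_all": (row["read_device_timestamp"] is not None) if in_group else None,
        "media_name": row["media_name"],
        "text": row["data"],
    }


def decode_messages(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    return [decode_message(r) for r in conn.execute("SELECT * FROM messages ORDER BY _id")]


def list_chats(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Individual chats have an empty subject; groups carry a subject and a creation date."""
    chats = []
    for r in conn.execute("SELECT key_remote_jid, subject, creation FROM chat_list ORDER BY _id"):
        is_group = bool(r["subject"])
        chats.append({"chat": r["key_remote_jid"], "is_group": is_group,
                      "subject": r["subject"] if is_group else None,
                      "created": r["creation"] if is_group else None})
    return chats


def group_members(conn: sqlite3.Connection, gjid: str) -> List[Tuple[str, str]]:
    """Participants of a group with the admin flag decoded (0 = user, 1 = admin)."""
    return [(r["jid"], "admin" if r["admin"] == 1 else "user")
            for r in conn.execute(
                "SELECT jid, admin FROM group_participants WHERE gjid = ? ORDER BY _id", (gjid,))]


if __name__ == "__main__":
    db = build_sample_msgstore()
    for m in decode_messages(db):
        print(m)
    print(list_chats(db))
    print(group_members(db, "group-1@example"))
```

To run it against a real extraction, replace `build_sample_msgstore()` with `sqlite3.connect("msgstore.db")` on a read-only copy of the file and keep `row_factory = sqlite3.Row`; the decoding functions only rely on the columns the article names.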
DB FILE: WA.DB
- Table: wa_contacts – Contains each contact’s display name, phone number and status
WhatsApp stores profile pictures in the location \data\com.whatsapp\files\Avatars with the extension [.j]. These can be renamed with the extension [.jpg] and the images will then appear. The files are named after the contacts’ phone numbers.
CONTACTS
Location: data\com.android.providers.contacts\databases
DB FILE: CONTACTS2.DB
- Table: data – Contains phone number and name
- Table: sync_state – Contains which accounts have been synced with the phone
- Table: calls – Contains full call log details.
- The column ‘duration’ stores the duration of the call in seconds.
- ‘type’ column:
- 1 for incoming call
- 2 for outgoing call
- 2 with ‘duration’=0 for outgoing missed call
- 3 for incoming missed call
- Table: contacts – Contains contact details from the phone and SIM
- times_contacted indicates how many times that number has been contacted and last_time_contacted is the timestamp of the most recent contact.
- has_phone_number field will be 1 if a phone number was provided while saving the contact, else it will be 0.
- photo_file_id value indicates which photo is assigned to the contact. The user can obtain the photo with that filename from com.android.providers.contacts\files\photos. The photo file details can be found in the table photo_files.
- custom_ringtone indicates the URI of the ringtone for the contact, if assigned.
- indicate_phone_or_sim_contact column will be -1 if the contact is saved in phone memory and 1 if it is saved in SIM memory.
- Table: raw_contacts – Contains a person’s data coming from a single account type and account name.
- The column deleted will be 0 for non-deleted contacts and 1 for deleted contacts.
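The calls and contacts tables above carry the same kind of coded columns: the call type needs the duration to distinguish an outgoing missed call, the storage location is a -1/1 flag, the photo is reached through photo_file_id, and deletion is recorded in raw_contacts rather than contacts. The script below is an added example written for this article, not the Contacts provider's own code or code from the original post: it builds an in-memory stand-in for contacts2.db with only the columns the article names (the `number`, `date`, `display_name`, `contact_id`, `account_type` and `account_name` column names are assumed, and the millisecond-since-epoch interpretation of the timestamps is an assumption) and decodes constructed rows.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Optional

# calls.type values as described in the article; type 2 with duration 0 is an outgoing missed call.
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "incoming missed"}

# Directory the article gives for contact photos; photo_file_id selects the file within it.
PHOTO_DIR = "com.android.providers.contacts/files/photos"


def build_sample_contacts2() -> sqlite3.Connection:
    """Constructed in-memory stand-in for contacts2.db with only the columns the
    article discusses. 'number', 'date', 'display_name', 'contact_id',
    'account_type' and 'account_name' are assumed names; all rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, type INTEGER,
                            duration INTEGER, date INTEGER);
        CREATE TABLE contacts (_id INTEGER PRIMARY KEY, display_name TEXT,
                               times_contacted INTEGER, last_time_contacted INTEGER,
                               has_phone_number INTEGER, photo_file_id INTEGER,
                               custom_ringtone TEXT, indicate_phone_or_sim_contact INTEGER);
        CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, contact_id INTEGER,
                                   account_type TEXT, account_name TEXT, deleted INTEGER);
    """)
    conn.executemany("INSERT INTO calls VALUES (?,?,?,?,?)", [
        (1, "+15550000001", 1, 95, 1700000000000),
        (2, "+15550000002", 2, 0, 1700000060000),
        (3, "+15550000002", 2, 31, 1700000120000),
        (4, "+15550000003", 3, 0, 1700000180000),
    ])
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Alice Example", 4, 1700000120000, 1, 7, None, -1),
        (2, "SIM Contact", 0, 0, 1, None, None, 1),
        (3, "No Number", 0, 0, 0, None, "content://media/ringtone/1", -1),
    ])
    conn.executemany("INSERT INTO raw_contacts VALUES (?,?,?,?,?)", [
        (1, 1, "com.google", "alice@example.invalid", 0),
        (2, 2, "com.android.sim", "SIM", 0),
        (3, 3, "com.google", "alice@example.invalid", 1),
    ])
    return conn


def classify_call(call_type: int, duration: int) -> str:
    """Decode calls.type, using duration to spot outgoing missed calls."""
    if call_type == 2 and duration == 0:
        return "outgoing missed"
    return CALL_TYPES.get(call_type, f"unknown ({call_type})")


def ms_to_iso(ms: Optional[int]) -> Optional[str]:
    """Timestamps are assumed to be milliseconds since the Unix epoch; 0/NULL means never."""
    if not ms:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def call_log(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    return [{"number": r["number"], "kind": classify_call(r["type"], r["duration"]),
             "duration_s": r["duration"], "when": ms_to_iso(r["date"])}
            for r in conn.execute("SELECT * FROM calls ORDER BY _id")]


def contact_summary(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Decode storage location, photo path, ringtone and deletion flag per contact."""
    out = []
    for r in conn.execute("SELECT * FROM contacts ORDER BY _id"):
        # The deleted flag lives in raw_contacts, keyed back to the aggregate contact.
        deleted = conn.execute(
            "SELECT COUNT(*) FROM raw_contacts WHERE contact_id = ? AND deleted = 1",
            (r["_id"],)).fetchone()[0] > 0
        out.append({
            "name": r["display_name"],
            "storage": "SIM" if r["indicate_phone_or_sim_contact"] == 1 else "phone",
            "has_number": r["has_phone_number"] == 1,
            "photo_path": f"{PHOTO_DIR}/{r['photo_file_id']}" if r["photo_file_id"] else None,
            "ringtone": r["custom_ringtone"],
            "times_contacted": r["times_contacted"],
            "last_contacted": ms_to_iso(r["last_time_contacted"]),
            "deleted": deleted,
        })
    return out


if __name__ == "__main__":
    db = build_sample_contacts2()
    for entry in call_log(db):
        print(entry)
    for entry in contact_summary(db):
        print(entry)
```

Deleted contacts are the interesting case: the aggregate row in contacts can still be present while raw_contacts marks the underlying account record with deleted=1, so the summary joins the two rather than trusting contacts alone.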
TELEPHONY
Location:data\com.android.providers.telephony\databases
DB FILE: TELEPHONY.DB
- Table: sim info – Contains the SIMs that have been inserted
DB FILE: MMSSMS.DB
- Table: sim info – Contains service provider, messages, phone numbers and roaming status
- Table: accounts – Contains which accounts have been created – local phone account, SIM account, Google, WhatsApp, Viber etc.
- Table: canonical_addresses – Contains all numbers with which SMS contact took place
- Table: sms – Contains phone number, size, timestamp, message body, service centre etc.
BLUETOOTH
Location: data\com.android.bluetooth\databases
DB FILE: SHARE.DB
- Table: btopp – Contains information about Bluetooth transfers.
- Column uri shows the URI of the transferred file.
- The hint column shows the name of the transferred file.
- Column _data shows the location where the received file is stored.
- The direction column says whether the file was sent or received; it has 2 values, 0 and 1:
- Value 0 – Sent
- Value 1 – Received
- Column destination shows the MAC address of the connected Bluetooth device
WIFI
Location: \data\misc\bluetooth
FILENAME: DYNAMIC_AUTO_PAIRING.CONF
The dynamic_auto_pairing.conf file contains basic information about the phone and also records the details of the WiFi networks that have been connected to. The WiFi details include:
1. SSID name
2. PSK in plain text
3. Connection/ encryption type
4. Connection priority