
An Introduction to Android Forensics
Fri, 04/30/2010 - 6:10am
Andrew Hoog

Introduction
Android, Google's mobile device platform, is growing quickly in its share of the smart phone market. For the period ending February 2010, Android grew 5.2% and now holds a 9% share of the smart phone market. In October 2009, a report released by Gartner predicted that by 2012, Android will be the second largest smart phone provider (totaling 94.5 million units sold), second only to RIM.

And you will not only find Android in smart phones but in tablets, e-readers, net books, home appliances, and more. The first Android device was released in October 2008 and currently there are about 35 smart phones available on the market. There are also 6 tablets, 3 e-book readers, and one net book. In 2010, a large number of new devices will be released, including 20+ smart phones, 23 tablets, 2 e-books, and 4 net books. Clearly, forensic examiners need to prepare for Android devices now. Already, we receive weekly calls from law enforcement agencies seeking assistance on Android devices.

Android Overview
Android is an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance—a group of major mobile device, hardware, and software vendors. The open source nature of the project has not only established a new direction for the industry (forcing behemoths like Nokia/Symbian to open source their platform) but enables a developer or code-savvy forensic analyst to understand the device at the most fundamental level. As the core platform is quickly maturing and is provided free of charge, carriers and hardware vendors alike can focus their efforts on customizations intended to retain their customers.

Applications for Android are developed in Java, and each runs in its own Dalvik virtual machine (DVM) instance under a unique user id and process; this isolation is the key mechanism used to enforce data security. An application can only access the data within its own DVM unless another application and the phone owner specifically allow the data to be shared. As a result of this secure architecture, forensic examiners have no built-in mechanism on the phone for extracting core user data. Instead, new techniques must be developed, which require some interaction with the device.

Forensics Strategies for Android Devices
There are four primary ways to approach forensics on an Android device. They are:

  • SD Card analysis
  • Logical acquisition
  • Physical acquisition
  • Chip-off

Before exploring these techniques, a brief discussion on the challenges of mobile phone forensics is warranted. A fundamental goal in digital forensics is to prevent any modification of the target device by the examiner. However, mobile phones lack traditional hard drives which can be shut down, connected to a write blocker, and imaged in a forensically sound way. The end result is that Android forensic techniques, short of chip-off, do alter the device. Examiners must use their discretion when examining a mobile device, and if the device is modified, they must explain how it was modified and, as important, why that choice was made.

SD Card Analysis
Nearly every Android device comes with an external SD Card for storing data. Upon receiving and securing an Android device (as you would any other mobile device), an examiner should remove the SD Card and process it in the standard way. The card is formatted with a FAT32 file system.

Logical Analysis
The logical acquisition of an Android device is the technique we recommend first. This technique involves copying a small (~25k) Android Forensics application to the device, running the application, and then removing it from the device. The application, written by viaForensics and distributed for free to law enforcement and government agencies charged with digital forensic responsibilities, currently acquires the following information:

  1. Browser history
  2. Call Logs
  3. Contact Methods
  4. External Image Media (meta data)
  5. External Image Thumbnail Media (meta data)
  6. External Media, Audio, and Misc. (meta data)
  7. External Videos (meta data)
  8. MMS
  9. MMSParts (includes full images sent via MMS)
  10. Organizations
  11. People
  12. SMS
  13. List of all applications installed and version
  14. Contacts Extensions
  15. Contacts Groups
  16. Contacts Phones
  17. Contacts Settings


New data sources are being added weekly. The data is written to an SD Card the examiner placed into the device. The files are currently written as CSV; however, we will likely change this to an XML format. There are also some challenges when interpreting this data, so we are currently developing viaExtract, a reporting application for the data. The application will be released in the next few months and sold at a significant discount to active law enforcement.

If you are active law enforcement, you can register for free access at viaforensics.com/wiki/doku.php using your agency e-mail address. After verification, your access will be enabled, generally within 24 hours. It should be noted that several commercial platforms support a logical acquisition of Android devices; however, they are typically limited to basic information.

Physical Analysis
In some cases, a more significant analysis is required. To this end, we have developed a technique to physically acquire a “dd” image from supported Android devices (currently any Android 1.5 device and the Motorola Droid running 2.0 and 2.01). This technique requires root privileges on the device and can yield a significant amount of information.

This technique provides a forensic image of the various user data partitions. These partitions use the open source file system YAFFS2 (Yet Another Flash File System 2), which is one of the significant challenges with the Android platform.

YAFFS2 was built specifically for the growing NAND memory devices and has a number of important features which address the stringent needs of this medium. It is a log-structured file system, provides built-in wear-leveling and error correction, is fast, and has a small footprint in RAM. However, since its usage was limited prior to Android, no commercial forensic product supports the file system.

For the brave, you can download the YAFFS2 source code, grab a forensic image of a partition, open it up in your favorite hex editor and start digging. However, we are making progress in the development of some tools. The tools allow an examiner to forensically acquire the NAND data (you cannot use dd for this…we’ve developed a special nanddump program for this purpose), mount the image in Linux (using nandsim) and extract the data. Traditional techniques such as file carving and strings also work. However, the real potential is in the development of a program which will provide a “point-in-time” version of any file on the YAFFS2 file system; this is a very fortunate (for the forensic examiner) byproduct of YAFFS2 being a log-structured file system.
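The point-in-time property described above, as an added example that is not part of the original article or of viaForensics' tools: it replays the YAFFS2 write log from a constructed page+spare dump and recovers every version of one file, including the versions a conventional file system would have overwritten. It assumes each 2048-byte page is followed by its 64-byte spare area with the packed tags (seq_number, obj_id, chunk_id, n_bytes) at the start of the spare; the real spare layout depends on the NAND controller, and object-header parsing is omitted.

```python
import struct

PAGE, SPARE = 2048, 64         # assumed layout: 2 KiB NAND page followed by its 64-byte spare (OOB)
TAGS = struct.Struct("<IIII")  # yaffs_packed_tags2 fields: seq_number, obj_id, chunk_id, n_bytes

def parse_chunks(dump):
    """Yield (position, seq, obj_id, chunk_id, data) for every programmed chunk in the dump.
    chunk_id 0 is an object header; chunk_id n >= 1 is data chunk n of that object."""
    step = PAGE + SPARE
    for pos in range(len(dump) // step):
        page = dump[pos * step:(pos + 1) * step]
        spare = page[PAGE:]
        if spare[:TAGS.size] == b"\xff" * TAGS.size:  # tags all 0xFF: erased page, never written
            continue
        seq, obj_id, chunk_id, n_bytes = TAGS.unpack_from(spare)
        yield pos, seq, obj_id, chunk_id, page[:n_bytes]

def file_versions(dump, obj_id):
    """Replay the log for one object and return [(seq, contents)] after each data write,
    oldest first. Log order is (block sequence number, physical position), not physical
    position alone: a block erased and reused later carries a higher seq but may sit
    earlier in the dump. The last entry is the live file; the others are point-in-time versions."""
    writes = sorted((c for c in parse_chunks(dump) if c[2] == obj_id and c[3] > 0),
                    key=lambda c: (c[1], c[0]))
    state, versions = {}, []
    for _, seq, _, chunk_id, data in writes:
        state[chunk_id] = data  # a newer chunk with the same chunk_id supersedes the old one
        versions.append((seq, b"".join(state[k] for k in sorted(state))))
    return versions

def current_file(dump, obj_id):
    versions = file_versions(dump, obj_id)
    return versions[-1][1] if versions else None

def make_chunk(seq, obj_id, chunk_id, data):
    """Build one page+spare pair for the constructed sample dump."""
    spare = TAGS.pack(seq, obj_id, chunk_id, len(data)) + b"\xff" * (SPARE - TAGS.size)
    return data.ljust(PAGE, b"\xff") + spare

# Constructed sample (not a real device image): object 0x101 was written in block seq 1
# as 2048 bytes of "A" plus "tail-v1"; its second chunk was later rewritten as "tail-v2"
# in a reused block with seq 2 that happens to sit first in the dump. One erased page and
# an unrelated object 0x102 are included so the parser has to skip and filter.
SAMPLE = b"".join([
    make_chunk(2, 0x101, 2, b"tail-v2"),
    make_chunk(1, 0x101, 1, b"A" * PAGE),
    make_chunk(1, 0x101, 2, b"tail-v1"),
    b"\xff" * (PAGE + SPARE),
    make_chunk(1, 0x102, 1, b"other"),
])

if __name__ == "__main__":
    for seq, contents in file_versions(SAMPLE, 0x101):
        print(f"seq {seq}: {len(contents)} bytes, ends with {contents[-7:]!r}")
```

Walking the dump in physical order alone would report "tail-v1" as the live content; honouring the block sequence number is what makes the log replay correct.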

Chip-off
For those with full lab facilities, there is always the option of using chip-off techniques on the NAND memory. The scope of this is well beyond this article…but those of you who have such facilities certainly need to read about it!

Conclusion
The Android platform is emerging as a significant force within the fast paced smart phone market. Like other smart phones, the device holds an enormous amount of information about the owner. There are also several methods which a forensic examiner can use to extract information from the phone.

However, the platform presents several challenges, including a fairly effective security model, entirely new file systems, and a wide and ever-growing range of hardware and software. While we are beginning to understand the details of the Android platform, significant research is still needed. The only way our community can effectively address the Android platform is by pooling our collective knowledge and resources into this complicated device.

An upcoming training is being offered at Mobile Forensics World 2010 in Chicago on May 5. If you are interested in the training or other resources including updated research, mailing lists, or our Android Forensic Wiki, please visit us at viaforensics.com/services/android-forensics/.

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language), and owner of viaForensics, an innovative digital forensics, security, and e-discovery firm. He divides his energies between investigations, research, and training about the computer and mobile forensic discipline. He writes computer/mobile forensic how-to guides, is interviewed on radio programs and lectures, and trains both corporations and law enforcement agencies. As the foremost expert in Android Forensics, he leads expert level training courses, speaks frequently at conferences, and is writing a book on Android forensics.
