• Register

How do I take a forensic image of an Android smartphone?

+2 votes
I'm trying to take an image of my smartphone since I just changed devices. However, Android phones do not mount as USB drives. The file system can be accessed through the Android Debug Bridge (ADB), but important directories such as /data (where app databases are stored) require root access. I haven't succeeded in grabbing an image with BitCurator. Is this possible? Are there other tools I should be using?
asked Apr 15, 2014 by nkrabben (1,990 points)

1 Answer

0 votes

This seemed interesting enough for me to spend a few minutes digging into and explporing. I haven't actualy done this, so if you do try some of these methods it would be great to report back on what works. The good news is that your problem is one that you know that law enforcement and other digital forensics users have had for a good bit. At this point there are a range of mobile spesific forensic applications. So you might check out, Oxygen Forensics or AFLogical. The results of this Masters Thesis Android Forensic Capability and Evaluation of Extraction Tools (2012) would suggest that you might get better results with Oxygen, but it also sounds like there is a lot of variability in how different devices perform.



answered Apr 22, 2014 by tjowens (2,360 points)
It looks like both tools require installing the app on the device, and his raw image was taken from a removable SD card. I'll experiment with these and see if there any archival implications from that.
Cool! Yeah, I'll be interested in the results of your experiment. Given that cultural heritage orgs are already getting smart phones (http://www.trevorowens.org/2013/11/historic-iphones-personal-digital-media-devices-in-the-collection/ ) this would really be something that it would be great to have some analysis on.
The android SDK comes with QEMU (http://developer.android.com/tools/help/emulator.html)  for emulating the phone hardware. I wonder how easy it would be to take an image from a phone and run it in QEMU?
I think our ability to get digital objects off of mobile devices without altering the device significantly would be a huge boon to acquiring a lot of really great material -- I'm really interested to hear how this works!
The problem is capturing the image from the device. From my attempts so far, I still can't find a method that can make bit-level copies because access is always moderated by the device's OS, e.g. you have to go through ADB to access an Android's phones memory.