This page covers the basics of Android, Android forensics, and the recovery of deleted text messages. Its goal is to educate legal professionals and clients alike on the benefits of including mobile devices in the discovery process. Cellphones can play a vital role in many types of civil litigation, and when mobile devices are left out of eDiscovery we typically find cause for concern. We hope this page is not too technical, yet still conveys the value of cellphones in discovery.
Android Inc. was founded in 2003 and acquired by Google in 2005. The operating system is built on the open-source Linux kernel.
Android has grown into the most popular operating system for mobile phones and tablets. It is an open-source project with many variations, or ROMs, produced by different development communities; from a forensics standpoint they usually share most of their characteristics.
Android 5.x, or Lollipop, was released on November 12, 2014. A major change was that devices shipping with this version were supposed to come out of the box with "full disk encryption" enabled. In practice this encrypts the user data partition, where messages, call logs, photos and application data live, rather than the operating system itself, which stays unencrypted so the device can boot. Since encryption consumes system resources and can drain battery life, Google backed away from requiring it on every device and left the decision up to the manufacturer. If a device is found to be encrypted, the user's passcode, PIN or pattern will normally need to be provided to gain access to the data. Earlier versions of Android already supported encryption, but the security concerns brought to public attention by the NSA revelations, together with more powerful hardware and batteries that offset its drawbacks, have made it more popular than ever. This has significantly changed the landscape of forensics for this operating system.
In earlier versions of Android, when data such as images or text messages was deleted, it was not actually erased. The storage it occupied was simply marked as free and available to be overwritten, and as long as it had not been overwritten the data could be retrieved through a process called "carving".
Carving is the practice of searching an input for files or other kinds of objects based on their content rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with files deleted some time ago or when analyzing damaged media.
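To make the carving idea concrete, here is a minimal signature-based carver written as an added example for this page; it is not the tooling the article's authors use. It searches a constructed blob of "unallocated space" for JPEG start-of-image and end-of-image markers, ignoring any directory information, and shows that an object whose bytes have since been overwritten can no longer be found. The planted objects are JPEG-shaped byte strings constructed inline, not real photographs, and the filler is generated with a fixed seed so the run is repeatable.

```python
"""Signature-based file carving over a constructed raw image (added example)."""
import random

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker, always followed by FFEn/FFDB etc.
JPEG_EOI = b"\xff\xd9"       # End Of Image marker
MAX_JPEG = 8 * 1024 * 1024   # give up on a header with no footer within 8 MiB


def carve_jpegs(blob: bytes, max_size: int = MAX_JPEG) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) for every JPEG-looking object in blob.

    Only the header and footer signatures are consulted; no filesystem
    metadata is needed, which is what lets carving find deleted files.
    Caveat: a real JPEG with an embedded EXIF thumbnail contains an inner
    FFD9, so a marker-only carver may truncate it; dedicated tools walk the
    JPEG segment structure to avoid that.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1                      # header with no usable footer: skip it
            continue
        found.append((start, blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)                # resume after this object
    return found


def build_sample_image(seed: int = 1) -> tuple[bytes, list[tuple[int, bytes]]]:
    """Constructed unallocated space: random filler with two JPEG-shaped objects.

    Filler bytes are drawn from 0x00..0xFE, so they never form a false marker.
    The second object stands in for a deleted file: nothing points at it any
    more, but its bytes are still on the flash.
    """
    rng = random.Random(seed)

    def noise(n: int) -> bytes:
        return bytes(rng.randrange(0, 0xFF) for _ in range(n))

    def fake_jpeg(body: bytes) -> bytes:
        return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body + JPEG_EOI

    live = fake_jpeg(noise(600))
    deleted = fake_jpeg(noise(300))
    blob = b"".join([noise(1024), live, noise(2048), deleted, noise(512)])
    planted = [(1024, live), (1024 + len(live) + 2048, deleted)]
    return blob, planted


def overwrite(blob: bytes, offset: int, length: int) -> bytes:
    """Simulate the freed blocks being reused by zeroing that region."""
    return blob[:offset] + b"\x00" * length + blob[offset + length:]


if __name__ == "__main__":
    blob, planted = build_sample_image()
    for offset, data in carve_jpegs(blob):
        print(f"carved {len(data)} bytes at offset {offset}")
    _, (del_off, del_data) = planted
    reused = overwrite(blob, del_off, len(del_data))
    print(f"after reuse: {len(carve_jpegs(reused))} object(s) still carvable")
```

Running the script carves both objects from the original blob and only the live one once the deleted object's region has been overwritten, which is exactly the window of opportunity the text describes.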
With disk encryption, however, a physical image of the storage taken without the user's credentials contains only ciphertext, so deleted data cannot be carved from it and is, for practical purposes, nonrecoverable once the operating system has discarded it. It is important to point out that this is the default behavior of the operating system and not necessarily of any particular application. In most cases we perform what is referred to as a "physical acquisition", a bit-for-bit copy of the device's storage; this can currently be obtained on Android versions 4.4.4 (KitKat) and older. Some devices running 5.0.1 and newer can yield a physical acquisition through the rooting method. We simply need to know the make, model and software version of the device in question to determine what is possible. We currently support 23,461 device profiles and 4,816 app versions.
As with most things in digital forensics, there are exceptions to the standard rules. The exception here is this: if you can "root" a device running version 4.4.4 or later, you will more than likely be able to obtain a physical acquisition of it. This is a rule of thumb and not a promise.
Rooting a device means obtaining superuser (root) privileges on it, the same unrestricted access the operating system itself has, rather than the limited permissions granted to ordinary apps and the user. Sometimes rooting a device can be done in under a minute; at other times it has required over two full days of work to gain root access. Every device is different when it comes to rooting.
If your case requires the further step of rooting a device running 5.0.1 or newer, precautions should be taken and a warning given. Let me start with the warning: attempting to root a device will void the warranty, and you run the risk of "bricking" the device.
Bricking is a term used in the electronics industry for a software update or modification that leaves the hardware unusable afterward.
From a precautionary stance, make sure the device has been fully backed up to a computer first. Doing this is simple insurance if you do end up bricking the device. From a forensic point of view, rooting a device changes valuable metadata, so I would highly recommend that a logical forensic extraction of the device also be taken before backing it up or attempting to root it. It is also best practice to document everything you do to the device, as well as when and why: your changes to the device could come under scrutiny later in a deposition or while you are on the stand. Making changes to any electronic device is a digital forensics no-no. As I said earlier, though, circumstances do arise that require actions like rooting to gather all the evidence.
Applications on Android run inside what is called a "sandbox". Each app is assigned its own Linux user ID and private data directory, so that a security vulnerability in one app can be contained rather than exposing the rest of the system. The sandbox also gives applications the autonomy to set some of their own rules, such as how they handle encryption and the deletion of their data.
Fortunately, there is a growing movement toward applications with multimedia features that store forensically useful data: images, messages, contact information, call and chat logs and timestamps, along with other information. These applications may not use encryption at all, or may use encryption that is weak or has known exploits. Their data is typically stored in an SQLite database, where deleted records linger in the file's free space until that space is needed for new data or the application compacts the database for maintenance.
So even with the move toward device encryption, some users may be unable or may choose not to use the feature due to hardware constraints. If the device can be accessed, there may be a wealth of information that can be obtained.
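The claim that deleted chat records survive inside an app's database can be checked directly. The following is an added example, not the article's own tooling and not modeled on any particular app: it builds a throwaway messages table of the shape a chat application would use, deletes one message, and then compares what the database reports through SQL with what a byte-level scan of the file finds. The messages are constructed sample data. The example also covers the two ways an application can defeat this recovery, SQLite's secure_delete pragma and a VACUUM, which is the caveat a practitioner needs before promising that a deleted message is recoverable.

```python
"""Deleted SQLite rows linger in the database file until overwritten (added example)."""
import os
import sqlite3
import tempfile

# Constructed sample messages; nothing here comes from a real device.
MESSAGES = [
    ("alice", "meet at the usual place at 9"),
    ("bob", "delete this after reading: the password is not in the email"),
    ("alice", "ok"),
]
DELETED_TEXT = MESSAGES[1][1]


def build_and_delete(path: str, secure_delete: bool) -> None:
    """Create a chat-style table, insert MESSAGES, then delete the middle one."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cell content on delete. The
    # library default is OFF, which is what leaves deleted rows in free space.
    conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, body, ts) VALUES (?, ?, ?)",
        [(s, b, 1700000000 + i) for i, (s, b) in enumerate(MESSAGES)],
    )
    conn.commit()
    conn.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    conn.commit()
    conn.close()


def rows_visible(path: str) -> list[str]:
    """What the application, or a logical extraction through the API, would show."""
    conn = sqlite3.connect(path)
    bodies = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return bodies


def raw_contains(path: str, needle: str) -> bool:
    """Scan the file bytes directly, ignoring SQLite's view of which cells are live."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def recover_deleted(secure_delete: bool = False, vacuum: bool = False) -> dict:
    """Run the scenario in a temp dir and report both views of the data."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_and_delete(path, secure_delete)
        if vacuum:
            conn = sqlite3.connect(path)
            conn.execute("VACUUM")  # rebuilds the file, discarding free space
            conn.close()
        return {
            "visible": rows_visible(path),
            "deleted_in_raw_bytes": raw_contains(path, DELETED_TEXT),
        }


if __name__ == "__main__":
    for label, kwargs in [
        ("default settings", {}),
        ("secure_delete=ON", {"secure_delete": True}),
        ("after VACUUM", {"vacuum": True}),
    ]:
        result = recover_deleted(**kwargs)
        print(f"{label}: visible={result['visible']} "
              f"deleted text still in file={result['deleted_in_raw_bytes']}")
```

With default settings the deleted message is absent from the query result yet present in the file bytes, which is where a forensic tool recovers it from. Turning on secure_delete, or running VACUUM after the delete, removes it from the file as well, so whether a given app's deleted messages are recoverable depends on how that app configures and maintains its database, not only on the operating system.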
To learn more about recovering deleted text messages, please visit our cellphone forensics page.