
PALAK MEENA

2K18/IT/080

Mobile And Digital Forensics

Assignment-2

Review Both the Physical and Logical techniques needed for Android Forensics in detail

A- The forensic techniques used on Android are either logical or physical. Physical techniques
access data directly from the physical storage media rather than relying on the file system. One of
the most significant advantages of this strategy is that it is likely to give access to large volumes
of deleted data. File systems frequently just mark data as deleted or outdated rather than erasing
it from the storage media, unless this is required. Because physical forensic techniques provide
direct access to the storage media, both allocated and unallocated (deleted or outdated) data can
be recovered.

The physical approaches used in Android forensics may be divided into two categories:

Hardware: methods that physically extract device components or connect hardware to the
device.
Software: techniques that run on devices with root access and, as software, produce a physical
image of the data partitions in their entirety.

The following are the two hardware-based physical techniques:

● JTAG - JTAG was established in the 1980s to set a standard for testing wiring and
interconnects on printed circuit boards (PCBs). The standard had been completed by 1990 and
was adopted as a standard by the Institute of Electrical and Electronics Engineers (IEEE). JTAG
test access ports (TAPs) allow access to the central processing unit (CPU). A JTAG TAP exposes
various signals, and most mobile devices include the following:

● TDI - Test Data In
● TDO - Test Data Out
● TCK - Test Clock
● TMS - Test Mode Select
● TRST - Test Reset
● RTCK - Return Test Clock

● Chip-off - Chip-off is a method of physically removing NAND flash chips from a device
and inspecting them externally. Chip-off enables the recovery of data from damaged devices
while also bypassing passcode protection. The method is often destructive, and it is difficult to
reattach the NAND flash to the PCB and get the device to work again.
There are three primary steps in the chip-off technique:

1. The NAND flash chip is physically removed from the device, either by desoldering it or by
using special equipment that uses a blast of hot air and a vacuum to remove the chip. There
are also techniques that heat the chip to a specified temperature. It is quite easy to damage
the NAND flash in this process, and specialized hardware, and even controlling software,
exists for the extraction.

2. The removal process often damages the connectors on the bottom of the chip, so it must
first be cleaned and then repaired. The process of repairing the conductive balls on the
bottom of the chip is referred to as reballing.

3. The chip is then inserted into a specialized hardware device so that it can be read. The
devices generally must be programmed for a specific NAND flash chip and already support
a number of the more popular chips.

A logical technique, which typically involves accessing the file system, extracts allocated data.
The term "allocated data" simply refers to data that has not been deleted and is still accessible
on the file system. An exception to this concept is that some files, such as a SQLite database, can
be allocated while still containing deleted entries. Deleted data can be recovered from a physical
acquisition, whereas recovering it from a logical acquisition requires specialised tools and
procedures. Logical techniques also have the advantage of working in far more scenarios, as the
only requirement is that USB debugging is enabled. In other words, logical techniques in Android
forensics do not require root access.
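As an added example (not part of the assignment text), the script below shows the SQLite exception just mentioned: a database file that is fully allocated on the file system yet still holds a deleted row in its unallocated page space. It builds a small constructed SMS-style table, deletes one row, then carves printable strings from the file's freeblocks, in-page gaps and freelist pages. The table and message contents are constructed samples; the page-layout offsets follow the published SQLite file format.

```python
"""Carve deleted rows out of the unallocated space of an allocated SQLite file."""
import os, re, sqlite3, struct, tempfile
def freelist_pages(db, psize):  # pages on the freelist; header offset 32 = first trunk page
    pages, trunk = set(), struct.unpack_from(">I", db, 32)[0]
    while trunk:                # trunk page: next trunk, leaf count, then leaf page numbers
        pages.add(trunk)
        off = (trunk - 1) * psize
        nxt, n = struct.unpack_from(">II", db, off)
        pages.update(struct.unpack_from(">%dI" % n, db, off + 8))
        trunk = nxt
    return pages

def unallocated_regions(db):   # yield byte slices that hold no live b-tree cell
    psize = struct.unpack_from(">H", db, 16)[0]
    psize = 65536 if psize == 1 else psize      # file format encodes 65536 as 1
    free = freelist_pages(db, psize)
    for pno in range(1, len(db) // psize + 1):
        page = db[(pno - 1) * psize:pno * psize]
        if pno in free:        # whole page dropped (e.g. DROP TABLE): all old content
            yield page
            continue
        base = 100 if pno == 1 else 0           # page 1 starts with the file header
        ptype = page[base]
        if ptype not in (0x02, 0x05, 0x0A, 0x0D):  # overflow/pointer-map page: skip
            continue
        hdr = 12 if ptype in (0x02, 0x05) else 8   # interior pages have a 12-byte header
        first_free, ncells, content = struct.unpack_from(">HHH", page, base + 1)
        yield page[base + hdr + 2 * ncells:content or 65536]   # gap above the cell area
        while first_free:      # freeblock chain: each block = next(2) size(2) old bytes
            nxt, size = struct.unpack_from(">HH", page, first_free)
            yield page[first_free + 4:first_free + size]
            first_free = nxt

def carve_strings(db, min_len=8):  # printable ASCII runs found only in unallocated space
    pat = rb"[ -~]{%d,}" % min_len
    return [m.decode() for r in unallocated_regions(db) for m in re.findall(pat, r)]

def demo():  # constructed sample: three SMS-like rows, the middle one deleted
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")     # common default; ON would zero freed bytes
    con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO sms(body) VALUES (?)", [("happy birthday mom",),
                    ("WIPED-MSG: burn after reading",), ("see you at six",)])
    con.execute("DELETE FROM sms WHERE body LIKE 'WIPED-MSG%'")
    con.commit()
    live = [r[0] for r in con.execute("SELECT body FROM sms")]
    con.close()
    with open(path, "rb") as f:
        return live, carve_strings(f.read())        # live rows, strings carved from slack
```

The deleted message is absent from the live table but still sits in a freeblock of the table's leaf page; with `PRAGMA secure_delete=ON` the same carve would find nothing.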

Some of the techniques are:

● AFLogical - AFLogical is free only for active law enforcement and government agencies.
The app, developed by viaForensics, extracts data using Content Providers, which are a key
feature of the Android platform.

● Compelson MOBILedit! - MOBILedit! Forensic collects all possible data from mobile
phones and generates extensive reports on a PC that can be stored or printed. It is the
most universal mobile phone solution, with software supporting most GSM phones and an
open architecture allowing the support of any phone. The system allows you to customize
the output, making it completely adaptable to the needs of your judicial system.

● ADB Pull

Unless an Android device has root access or is running a custom ROM, the adb daemon (adbd)
running on the device, which proxies the recursive copy, only runs with shell permissions. As
such, some of the more forensically relevant files are not accessible; however, there are still
files which can be accessed.

As most phones will not have root access (at least by default), this technique may appear to be
of little value. However, it is a powerful utility to understand, and there are several scenarios
ideal for this approach. These scenarios include:

-> On non-rooted devices, an adb pull can still access useful files such as unencrypted apps,
most of the tmpfs file systems (which can include user data such as browser history), and
system information found in "/proc", "/sys", and other readable directories.
-> On rooted devices, a pull of nearly all directories is quite simple, and certain files and
directories under "/data" would be of interest.
-> When using the physical technique, it is not always possible to mount some acquired file
systems, such as YAFFS2. If adbd is running with root permissions, you can quickly extract a
logical copy of the file system with adb pull.
-> As adb is not only a free utility in the Android SDK but also very versatile, it should be
one of the primary logical tools used on a device.
