Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Learning Android Forensics

You're reading from   Learning Android Forensics A hands-on guide to Android forensics, from setting up the forensic workstation to analyzing key forensic artifacts

Arrow left icon
Product type Paperback
Published in Apr 2015
Publisher
ISBN-13 9781782174578
Length 322 pages
Edition 1st Edition
Languages
Tools
Concepts
Arrow right icon
Toc

Table of Contents (10) Chapters Close

Preface 1. Introducing Android Forensics FREE CHAPTER 2. Setting Up an Android Forensic Environment 3. Understanding Data Storage on Android Devices 4. Extracting Data Logically from Android Devices 5. Extracting Data Physically from Android Devices 6. Recovering Deleted Data from an Android Device 7. Forensic Analysis of Android Applications 8. Android Forensic Tools Overview Index

Challenges in mobile forensics

With the increased usage of Android devices and the wider array of communication platforms that they support, demand for forensic examination has automatically grown. While working with mobile devices, forensic analysts face a number of challenges. The following points shed light on some of the mobile forensics challenges faced today:

  • Preventing data alteration on the device: One of the fundamental rules to remember in forensics is to not modify the evidence. In other words, the forensic techniques that are applied to a device to extract any information, should not alter the data present on the device. But this is not practical with respect to mobile forensics because simply switching ON a device might also change certain state variables that are present on the device. With mobile devices, background processes always run and a sudden transition from one state to another can result in the loss or modification of data. Therefore, there is a chance that data may be altered either intentionally or unintentionally by the forensic analyst. In addition to this, there is a high possibility that an attacker can remotely change or delete the content present on the device. As mobile phones use different communication channels (cellular, Wi-Fi, Bluetooth, infrared, and so on) the possibility of communicating through them should be eliminated. Features such as remote data wiping would enable an attacker to remotely wipe the entire device just by sending an SMS or by simply pressing a button that sends a wipe request to the Android device. Unlike computer forensics, mobile device forensics requires more than just isolating the device from the network.
  • Wide range of operating systems and device models: The wide range of mobile operating systems available in the market makes the life of a forensic analyst more difficult. Although Android is the most dominant operating system in the mobile world, there are mobile devices which run on other operating systems, including iOS, Blackberry, Windows, and so on, which are often encountered during investigations. Also for a given operating system, there are millions of mobile devices available that differ in OS versions, hardware, and various other features. For example, within the Android operating system, there are around 10 versions, and for each version, there are different customizations made by different manufacturers. Based on the manufacturer, the approach to acquiring forensic artifacts changes. To remain competitive, manufacturers release new models and updates so rapidly that it's hard to keep track of all of them. Sometimes within the same operating system the data storage options and file structures also change, making it even more difficult. There is no single tool that can work on all the available types of mobile operating systems. Therefore, it is crucial for forensic analysts to remain updated on all the latest changes and techniques.
  • Inherent security features: As the concept of "privacy" is increasingly gaining importance, mobile manufacturers are moving towards implementing robust security controls on devices, which complicates the process of gaining access to the data. For example, if the device is passcode protected, the forensic investigator has to first find a way to bypass the passcode. Similarly, full disk encryption mechanisms that are implemented on some of the latest devices prevent law enforcement agencies and forensic analysts from accessing the information on the device. Apple's iPhone encrypts all the data present on the device by default, using hardware keys built into the device. It is very difficult for an examiner to break these encryption mechanisms using techniques such as brute force.
  • Legal issues: Mobile devices can be involved in crimes that span across the globe and can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner needs to be aware of the nature of the crime and also regional laws.
You have been reading a chapter from
Learning Android Forensics
Published in: Apr 2015
Publisher:
ISBN-13: 9781782174578
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime