The procedure of imaging an Android device using dc3dd: an introduction to the typical data storage and partition layout of the Android OS, the concept of rooting on Android, the difference between a logical and a physical data extraction, and physical imaging of the internal and external storage using dc3dd.
2. DATA STORAGE ON ANDROID
• Two storage locations: internal and external.
• Internal storage is the device flash memory that stores the kernel,
system libraries and binaries, apps data and more.
• External storage is usually a removable micro-SD card and
mainly contains user data.
3. PARTITION LAYOUT
• Main internal storage partitions:
- Boot
- Recovery
- Data
- System
- Cache
• The data partition is the most relevant to a forensic investigation
as it contains the apps and user data.
4. ANDROID ROOTING
• To access all the partitions and data we must have root
permissions on the device.
• The procedure to obtain root privileges is called rooting.
• It is usually required to unlock the bootloader to root the device.
• A very useful resource is the XDA Developer Forum:
forum.xda-developers.com/
5. ANDROID DEBUG BRIDGE (ADB)
• The Android Debug Bridge (ADB) is a CLI tool, part of the
Android SDK Platform-Tools, to communicate with and control
USB connected Android devices.
• It allows listing connected devices, pulling and pushing files from and to
the device, executing a shell and installing apps on the device.
• If the device is turned on, the USB debugging option must be
enabled under “Developer options” in the system settings.
6. LOGICAL AND PHYSICAL ACQUISITION
• Two types of acquisition: logical and physical.
• Logical acquisition involves copying all or part of the
files and directories at the file system level.
• Physical acquisition involves copying the device storage bit by bit
at a raw level, like on computers.
7. PHYSICAL ACQUISITION OF EXTERNAL STORAGE
• Physical imaging involves acquiring both the removable micro-SD
card and the internal memory.
• To image the micro-SD, we must remove it from the device,
connect it to the forensic workstation using a hardware or software
write-blocking technique and then acquire it directly with dc3dd,
as with a hard drive.
8. PHYSICAL ACQUISITION OF INTERNAL STORAGE
• Imaging the internal storage is trickier, as we have to execute
dc3dd directly on the device.
• So it must be a statically linked binary cross-compiled for ARM,
which we can download at:
https://github.com/jakev/android-binaries/blob/master/dc3dd
• We should not copy it onto the internal storage, as it could
overwrite possible evidence.
• We instead copy the dc3dd binary onto a clean micro-SD card with
sufficient capacity to store an image of the internal memory,
and insert it into the device.
9. PHYSICAL ACQUISITION OF INTERNAL STORAGE
• We connect the device to the forensic workstation and spawn a shell
on the device with adb shell.
• We then have to identify the input device for dc3dd to image; dc3dd
takes a raw block device as input, not a directory.
• We need to list the block device files, associated with the various
partitions, with the command: ls -l /dev/block/
• The internal flash memory is usually associated with the mmcblk0
device file and all the files with this name followed by “p” and a number
represent its partitions.
10. PHYSICAL ACQUISITION OF INTERNAL STORAGE
• Before running dc3dd, we must remount the SD card, as by default
Android mounts SD cards with the noexec option, which prevents
executing binaries stored on the SD card itself: mount -o
remount,rw,exec /storage/sdcard1/
• Then we cd to /storage/sdcard1 and execute the command:
./dc3dd if=/dev/block/mmcblk0 of=mmcblk.img hash=sha512
log=mmcblk.log
• Note that the image and log output files are written onto the micro-SD
card, not onto the internal storage being imaged.
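As an added example (not part of the original slides), a POSIX shell script run on the forensic workstation after mmcblk.img and mmcblk.log have been copied off the micro-SD card: it extracts the SHA-512 that dc3dd recorded while reading /dev/block/mmcblk0 and recomputes it over the image, so any corruption of the image in transit is caught. The log line layout (a 128-hex-digit value followed by "(sha512)") is assumed from dc3dd's usual output.

```shell
#!/bin/sh
# Added example, not from the slides: verify a dc3dd image against the
# sha512 value dc3dd wrote into its log. Assumed log line shape:
#    <128 hex digits> (sha512)

# Print the first SHA-512 value found in the dc3dd log; exit 1 if none.
dc3dd_log_sha512() {
    grep -E '\(sha512\)' "$1" | grep -oE '[0-9a-f]{128}' | head -n 1 | grep .
}

# Hash a local file with whichever tool the workstation provides.
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'   # macOS fallback
    fi
}

# Compare the logged hash with a fresh hash of the image.
# Returns 0 on match, 1 on mismatch or when the log carries no sha512.
verify_dc3dd_image() {
    image=$1
    log=$2
    logged=$(dc3dd_log_sha512 "$log") || {
        echo "no sha512 value found in $log" >&2
        return 1
    }
    actual=$(file_sha512 "$image")
    if [ "$logged" = "$actual" ]; then
        echo "OK: $image matches the sha512 recorded in $log"
        return 0
    fi
    echo "MISMATCH: logged=$logged actual=$actual" >&2
    return 1
}

# Usage (paths are placeholders for wherever the files were copied to):
#   verify_dc3dd_image /cases/device1/mmcblk.img /cases/device1/mmcblk.log
```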