Android data collection can be quite complex as there are many options available within the Cellebrite UFED product line. Moreover, the vast number of manufacturers and models of devices running the Android operating system may control the data collection methods available.

This blog post will help you make educated decisions when attempting to collect data from any Android device. The various levels of encryption will play another role in what possibilities exist for each device.

While this blog is focused on data collection options, the differences between full disk encryption (FDE), file-based encryption (FBE), and secure startup (SS) were covered in the webinar, “Help to Understand Android Data Collection.”

Let’s look at how we can make the whole Android data collection process easier.

Getting Started

Make sure you prepare the Android device per the instructions provided by the UFED. The state of the device matters. If the device requires special cables, download mode, etc., you must enable that setting or mode prior to starting the data collection. Most devices require that “USB debugging” be enabled, so make sure to read the screen to properly prepare your device for data collection.

Once connected, you can either “Browse Devices” and select your model or you can leverage “Auto Detect.”

Pro tip: If your device gives you communication errors when you manually select it, use the Auto Detect Feature.

Once the device is detected, you may see a screen providing information about the device, as shown below.

Pro Tip: Use “Insights” from Installed Apps to have a peek at what you can expect on the device.

If the device fails to be detected, you can select “CONSOLE” to see what device details can be provided, if any. If nothing is detected, we recommend proceeding with a generic option, which is discussed later in this post.

Make sure the device is unlocked, has USB debugging enabled, and has been set to trust your forensic workstation or UFED. The CONSOLE results for a device are shown below. They give you an idea of the chipset, operating system, security patch level, and encryption type you are dealing with.
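As an added illustration (not part of the original post and not UFED code), the script below reads the same properties the CONSOLE view summarises from `adb shell getprop` output and maps `ro.crypto.*` onto the FBE/FDE terms used in this post. The getprop sample is constructed; its values do not describe any real device.

```python
import re

# Constructed sample of `adb shell getprop` output (illustrative values only).
SAMPLE_GETPROP = """\
[ro.board.platform]: [sdm660]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-06-05]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.product.model]: [CONSTRUCTED-MODEL]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop's '[key]: [value]' lines into a dict; skip anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def encryption_type(props: dict) -> str:
    """Map ro.crypto.state / ro.crypto.type to FBE, FDE or none.
    ro.crypto.type is 'file' for file-based and 'block' for full-disk encryption."""
    if props.get("ro.crypto.state") != "encrypted":
        return "none"
    kind = props.get("ro.crypto.type", "")
    return {"file": "FBE", "block": "FDE"}.get(kind, "unknown")


def triage(text: str) -> dict:
    """The four facts you want before choosing a collection method."""
    p = parse_getprop(text)
    return {
        "model": p.get("ro.product.model", "?"),
        "chipset": p.get("ro.board.platform", "?"),
        "android": p.get("ro.build.version.release", "?"),
        "security_patch": p.get("ro.build.version.security_patch", "?"),
        "encryption": encryption_type(p),
    }
```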

Now that we have information about our device, we need to collect the data. Below are some acquisition options available.

Android Backup

Generally speaking, this method involves using the ADB backup protocol. Since Android 7.0 was launched, less information is included in a backup data collection. You may be able to collect some application data, but with newer versions of Android OS, less and less comes out. Backups get you some third-party applications, and media, but not native call logs, or SMS messages.
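An added example, not from the original post and not Cellebrite's code: a small Python reader for the ADB backup (.ab) container that checks the header, refuses encrypted backups, and lists which app packages and shared-storage files a backup actually contains, which is a quick way to see how little a modern backup holds. The sample backup is constructed inline.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes):
    """Split the .ab header (magic, format version, compression flag with
    1 = zlib, encryption 'none' or 'AES-256', each '\\n'-terminated) from the payload."""
    fields, pos = [], 0
    for _ in range(4):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    if fields[0].encode("ascii") != MAGIC:
        raise ValueError("not an Android backup file")
    return {"version": int(fields[1]), "compressed": fields[2] == "1",
            "encryption": fields[3]}, data[pos:]


def list_backup_entries(data: bytes) -> list:
    header, payload = parse_ab_header(data)
    if header["encryption"] != "none":
        raise ValueError("encrypted backup: the backup password is required")
    if header["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def summarize(names: list) -> tuple:
    """Group entries into app packages (apps/<pkg>/...) and shared storage."""
    apps, shared = set(), []
    for name in names:
        parts = name.split("/")
        if parts[0] == "apps" and len(parts) > 1:
            apps.add(parts[1])
        elif parts[0] == "shared":
            shared.append(name)
    return sorted(apps), shared


def make_sample_backup() -> bytes:
    """Constructed sample: a tiny unencrypted, zlib-compressed .ab file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in [("apps/com.example.chat/_manifest", b"manifest"),
                           ("apps/com.example.chat/db/messages.db", b"SQLite"),
                           ("shared/0/DCIM/IMG_0001.jpg", b"\xff\xd8\xff")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())
```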

Android Backup APK Downgrade

APK Downgrade is a method where we downgrade the application version. This method is always a bit risky and will modify the phone. UFED first backs up the application and its data and pulls them off the device. Next, UFED pushes a lower version of the application, one whose data can be pulled via a backup, and restores the data to it.

This method should be used as a last resort, which is stated when you press the “i” for additional information. Try all other methods first. If this process fails, don’t panic! There is an easy way to recover your app data via the Tools Menu. The support team can also assist in the recovery process if needed.

Android Logical

This quick data collection method sometimes uses an agent to pull the data. Media files, calls, SMS/MMS, and some third-party applications are available via logical extractions. Call logs and text messages usually have a limit on the number of entries that can be collected (generally limited to 500 calls), with no deleted data.

On newer devices with newer operating systems, you will not have access to web browser history or third-party applications (e.g., Facebook, Snapchat, and WhatsApp). With Samsung devices we have some other methods to utilize that are covered later under “Magic Data Collection.”

Advanced Logical

This technique combines the logical and file system extraction (the ADB backup one). This saves you time from doing a logical and a file system separately and combines them into one flow.

File System

This data collection method generally pulls file system data via ADB, or backup. This is limited to what the user can access, so without elevated privileges, you are not going to get too much data.

Partial File System

This method pulls a partial extraction, even from locked devices. There are some limitations, but this method can be useful when working with older devices where you can parse/decode the passcode and then use it to unlock the device.

Keep in mind that the ability to lawfully access a screen lock password using external tools like Hashcat stopped working in Android 6, as additional security implementations were added.

File System Boot Loader (Recommended)

This little hidden gem is often overlooked. This type of data collection lets a user selectively pick and choose which applications they wish to collect. We need elevated privileges, which is why a Bootloader is needed.

This could be very useful when you need actionable information right away, like giving the investigator the incriminating WhatsApp conversation as they are interviewing the suspect. However, it is recommended to always follow up with a full data collection procedure afterward to make sure you get the remainder of the data.

Full File System

This method is preferable for the full active file system, generally from file-based encrypted (FBE) devices. On FBE devices, you need to know the passcode to obtain an FFS. When dealing with FBE devices, this is the richest, most complete type of data collection available. Theoretically, physical extractions of FBE devices are possible, but the way the encryption works, it is very difficult to recover any usable information in unallocated space.

Physical Extraction

This method covers the full memory range of the device. There are several ways to obtain a physical extraction: via Bootloader, Decrypting Bootloader (for encrypted devices), a rooted device, and others. Keep in mind that depending on the method being used, certain limitations apply (OS version, security patch level).

• Physical (Rooted): The unicorn of forensics, where you get a device that is set up in a way that already has full elevated privileges. If you encounter a rooted device, you can assume that you are dealing with a more advanced user. Grab a lottery ticket on your way from the office while you’re at it.

• Bootloader: Temporarily flashes custom files to the device to grant the elevated privileges needed to collect the data. Most bootloaders are specifically designed for certain chipsets (Kirin, Exynos, Qualcomm, etc.). With newer devices, encryption comes into play, so you need to use the Decrypting Bootloader option.

• Smart ADB: This method was viable on lawfully accessed older devices and requires OTG. It gives you the option to write to a MicroSD card or a USB drive connected via an OTG cable.

• Advanced ADB: This option is another way to get elevated privileges on lawfully accessed devices. This method is also dated, but still available on some older devices.

• Other advanced methods, such as Emergency Download Mode (EDL).

Now that we have covered the general ways to acquire Android devices, let’s dive into some other built-in features that may provide access to additional information.

Android Generic

Android Generic will attempt to collect data from any Android device by trying physical, advanced logical, and file system extractions. For a physical extraction, the device must be rooted for the collection to succeed.

“Magic” Data Collection – Yes, it’s magic

During a logical extraction of a Samsung, you might be presented with the option to collect additional application data (files). If this option shows up, use it! This removes the limitations set by the operating system and developers.

Suggested Profile

There are times when you may be looking for a specific model and a suggested profile will come up. UFED keeps a database of various devices and their processors, which is how it can suggest a profile to use.

For example, let’s say you have an LG K4 M151 device and you searched for this profile. This device runs a Qualcomm MSM8909 chip, which is widely supported, so UFED will suggest EDL as a data collection option. Keep in mind that these are just suggested profiles and not ones that were confirmed to work.

In this case, since the MSM8909 is widely supported, you should have no problem doing EDL data collection on that device.

Generic Profiles

Sometimes, you need to take the generic approach. There are some generic data collection methods that might be tied to a specific chipset type or a vendor rather than a specific model. Many options for data collection were viable for many years, but with the abundance of encryption, this is becoming more and more difficult.

MTK and Qualcomm Live

Even in the craziness of 2020, it has been a pretty incredible year for our R&D group at Cellebrite. We released MTK Live and Qualcomm Live. These provide the ability to either obtain a full file system or physical extraction of devices running those chipsets.

For these processes to work, the device needs to be unlocked or the passcode needs to be known. It will not bypass a screen lock. As of this writing, Qualcomm Live does not support Samsung or Huawei, but stay tuned…

Other Advanced Data Collection Methods

EDL – Emergency Download Mode. Certain Qualcomm processor chipsets have a vulnerability within them that can be exploited to gain physical extractions of the device. This is an advanced level of data collection and reviewing the documentation and webinars done by Scott Lorenz is highly suggested.

Webinar: Safely Collect Digital Evidence with Advanced EDL Methods

Webinar: Accessing Encrypted Mobile Device Evidence Using EDL

Conclusion

Use the reference guides available to you. UFED has a great data collection workflow guide you can view if you need some help. Knowing the device you are dealing with, what chip it uses, and the type of encryption you’re up against will help you organize and execute your plan of data collection.
