1. Introduction
In recent years, our society has experienced an accelerated process of computerization, thus becoming highly interconnected. In May 2019, in Brazil alone, public records pointed to over 230 million smartphones in use. If we add up laptops and tablets to that number, there were then 324 million portable devices, i.e., approximately 1.6 portable devices per inhabitant [
1].
With the evolution of mobile devices, a large part of the population has been replacing the computer by the smartphone to perform most tasks involving technology, for example, exchanging messages, sending e-mails, making online payments, etc. According to the StatCounter (Web traffic analysis website) [
2], smartphones account for 51.69% of computing devices (smartphones, tablets, and computers) in use worldwide.
Mobile devices are used for a variety of tasks, such as sending or receiving text or voice messages, images, chatting by voice or video calls, watching videos, sending or receiving e-mail, making bank transactions, capturing and manipulating images, using applications for health care, relationships, social networks, monitoring of physical activities, mobility and traffic and even to store and display digital documents. In Brazil, we can mention as an example some government services applications of interest to the citizen, such as the Voter Card, the Vehicle Registration and Licensing Certificate, and the National Driver’s License.
With technological advances, it has become common for mobile devices to receive constant hardware and software improvements. With each new device launched, a new System on Chip (SoC) is employed, which is more modern, faster, and more energy-efficient, in addition to expanding storage capacity. New mechanisms to protect against unauthorized access are also frequently implemented or improved.
Numerous manufacturers already produced cell phones and marketed them globally before the appearance of the Android operating system (OS). After that, they started to invest in hardware development so that their devices started to run the new OS. New manufacturers have also emerged, focusing on the global market or the Asian market, whose consumer public has quite significant numbers. South Korean Samsung is the manufacturer that holds the largest share of the global mobile device market [
3] and runs the Android OS, making it the most widely used OS worldwide [
4]. Even before the Android OS became the most used OS, this system has been considered an important source of information. As remarked by Simão et al. [
5], Android OS constitute a large repository of information in a forensic perspective, both on-site as well as provided remotely.
Modern mobile devices are a rich source of data that can be forensic evidence in investigation processes and security analysis. Such devices increasingly have more storage space, connectivity options, and multitask ability, making them the first option for countless users. Currently, devices that run the Android OS and its variations are more accessible in the global market. That turns them into natural candidates in forensic analysis and investigation processes.
When it comes to security and digital forensics, analysts strive to acquire and analyze data from mobile devices. The diversity of technology used on mobile devices, the accumulation of digital evidence, the lack of standardized extraction methodologies, and the lack of necessary training characterize challenges that hinder or prevent data acquisition [
6].
Companies that develop technologies for digital forensics are also affected by the diversity of components and manufacturers of mobile devices, as they cannot be effective and efficient in all models or in all manufacturers. The gaps left by such companies are also a barrier to law enforcement forces.
Files stored in digital format are considered digital evidence, including audio, video, and image files, and even the software or the hardware itself. It is noteworthy that such files and devices can be part of the investigation of most crimes in the digital environment. Therefore, they must be adequately investigated and protected against alteration, maintaining protection under the chain of custody.
The Mobile Device Forensics is characterized by difficulties in accessing device data, the effort to unlock or bypass security mechanisms and obtain data, and often, by the inability to obtain the entire volume of data contained in the device. One is also feature by the fact that it is more complex than traditional computer forensics, requiring better-trained teams and specialized equipment to obtain legally acceptable results.
Unlike traditional Forensic Computing, where any intervention in the system must be avoided at all costs, in forensics on mobile devices it is necessary to perform access and make interventions directly on the hardware for possible attempts to bypass the access block mechanisms, and also install elevation of privilege applications. However, the correct use of techniques allows to preserve the evidence, and consequently, the legitimacy of the obtained evidence.
Figure 1 represents, in a summarized way, the steps of a methodology that can be applied to mobile forensics.
With regard to mobile device forensics, the scenario for obtaining evidence may also be different. We will briefly address each of the steps of the methodology, always aiming at obtaining the legality of the actions.
Evidence identification: As it is a mobile device, its identification may be more difficult, as the offender tries to hand over another device in place of the one who actually has the evidence. Therefore, it is essential to determine which fact needs to be clarified and which devices should be analyzed. It is important to record all details of the location and the seized items.
Preservation of evidence: The device to be analyzed must always be handled with gloves so that the fingerprints of the device user are preserved. Although it is not part of the acquisition and analysis of digital evidence, such evidence may be relevant to other forensic sciences. The device should be kept, whenever possible, in the state in which it was seized. If it is seized turned-off, it must remain off. Otherwise, it is also important to put the device in airplane mode, to prevent it from receiving new calls, SMS, creating new itinerary records by GPS, avoiding false positives during the analysis process, or even, that the data may be erased remotely. If this is not possible, a faraday bag must be used to transport the device to the laboratory where the data will be acquired. All features of the device must be documented.
Chain of custody: Chain of custody, in the legal context, refers to the chronological or historical register that records the sequence of custody, control, transfer, analysis, and disposition of evidence, whether physical or electronic, and is of fundamental importance in criminal cases.
Method for acquiring evidence: The forensic analyst should evaluate the best tool or methodology for data acquisition, preferably using the least invasive methods, and it may be used these according to the need.
Investigating questions: The authority responsible for elucidating the case must formulate the questions for which the forensic analyst must search the evidence for answers that satisfy the authority’s questions.
Analysis process: These are the processes, tools or methodologies through which the acquired evidence will be analyzed to answer the investigative questions.
Conclusive report: It is the document that includes all the records made in the previous steps, and mainly, answers the investigative questions asked by the competent authority.
It has become common to find public reports showing that the use of smartphones in the practice of illegal acts is growing. Increasingly, these devices are used to practice criminal activities, becoming digital evidence, relevant for criminal investigations. Due to a more significant market share, the acquisition and forensic analysis of data from Android devices have gained significant importance in the field of digital forensic investigation [
7].
One of the most recent examples of crucial evidence found on mobile devices can be seen in the case of the sniper Mohammed Saeed Al Shamrani, who on 6 December 2019, killed three American sailors at a military base in Florida. Authorities discovered contacts between Mohammed Saeed Alshamrani and Al Qaeda agents after being able to access the contents of the sniper’s mobile devices [
8].
In this work, a methodology was developed and named by the authors as Low-Level Data Acquisition ISPCF (LLDA-ISPCF). This methodology combines the use of In-System Programming (ISP) and Combination Firmware to bypass the lock screen, followed by specific procedures and through the use of proper tools for forensic analysis in both hardware and software.
As a way to validate the methodology, the device data was acquired by using the Universal Forensic Extraction Device (UFED) Touch 2, preserving the integrity of the data, and, finally, the acquired data were analyzed in the UFED Physical Analyzer. It is worth mentioning that the methodology developed is not limited to the tools used. That means that other tools, in the market, can perform tasks in the forensic analysis process for mobile devices forensics.
1.1. Main Contributions and Limitations of the Proposed Methodology
The main contributions of the proposed solution are the following:
Enable the lock screen bypass, regardless of the OS version;
Prove the effectiveness of the LLDA-ISPCF methodology on devices with File-Based Encryption;
Enable data acquisition from a wide range of mobile devices, regardless the manufacturer;
Enable device data acquisition using specialized, proprietary and open-source tools while preserving data integrity;
Allow the root user to be enabled without the risk of losing user data, which allows physical extraction on models whose acquisition process is only possible with the rooted device;
Allow the acquisition and analysis of data by any capable forensic tool, observing the compatibility of the analysis tool with the format generated by the acquisition tool.
Regarding the limitation of the methodology, it is considered that—to the best of the authors’ knowledge and until the elaboration of this work—devices that use Universal Flash Storage (UFS) main memory or that have hardware-supported encryption are not compatible with the tools employed in the proposed methodology. That future updates to the firmware by the manufacturers may make the methodology unfeasible. Also considered is the fact that Special Firmware, such as the Combination Firmware used on Samsung devices may not be available for a specific model or manufacturer, and its use combined with ISP requires a specific study of the device from which the data will be acquired to bypass the lock screen mechanism.
1.2. Motivation
The main motivation of this work is to develop a novel technique that is able to help law enforcement agencies (LEA) to conduct forensics in mobile devices that have security protections enabled, since these protections prevent LEA to properly collect evidence and analyze them in case of crimes.
It is important to remember that criminals all over the world use communication devices such as mobile phones with security measures applied to them. Such mechanisms make it very hard to forensics specialists to bypass them and acquire evidence that helps in the solution of criminal cases.
1.3. Article Structure and Organization
The remainder of this paper is as follows.
Section 2 presents some basic concepts for understanding the purpose of this work, as the state of the art reviews, and some related works. In
Section 3 we present the problem description and the proposed solution, and describes the new methodology created and its phases. In
Section 4 we present a proof of concept and results of the proposed methodology. We conclude this work in
Section 5 with some considerations about future work.
2. Related Works and State of the Art Review
This section presents notions about standard acquisition techniques, forensic life cycle, some tools and software for smartphone repair, a brief description of In-System Programming (ISP), Combination Firmware, data encryption applied to the forensic context, bootloader in Android OS smartphones. In addition, this section reviews the main related works and the limitations encountered.
2.1. Acquisition Processes
The acquisition process is divided into physical, logical, and file system acquisition. These processes are summarized below.
Physical Acquisition: Physical acquisition on mobile devices consists of copying information from the device by direct access to the internal storage memory. The process creates a copy of the entire file system bit by bit. Such an approach is similar to that adopted in computer forensic investigations. A physical acquisition can acquire all data present on a storage device, including deleted data that has not yet been overwritten, in addition to copying unallocated space [
9]. It is considered to be the most effective in forensic terms and is performed using specific tools. According to Mota Filho [
10], the least amount of information that an OS can read in a filesystem is a block that, at the physical disk level, is equivalent to a cluster. Copies and readings are made block by block at the filesystem level. The File Systems widely used by Android devices were Flash-Friendly File System (F2FS) [
11], and currently, Fourth Extended Filesystem (EXT4) [
12]. Both file systems adopt 4KB-sized logical blocks. Still, according to Mota Filho [
10], there are software such as
dd and
dc3dd that can read a physical sector, which has 512 bytes by default and is the smallest unit of information that can be read on an HD or pen drive by its controller.
File System Acquisition: The file system acquisition is technically seen as a type of logical acquisition [
9]. However, it is more abundant in data, as the entire file system of the device is copied. It contains files and directories that the device uses to populate applications, system settings, and user settings, along with user storage areas. It also includes files not directly accessible to the user through the device interface, which requires specialized tools to access such artifacts. However, unlike physical acquisition, this type of acquisition does not copy the unallocated space of physical memory.
Logical Acquisition: Logical acquisition is a copy of logical storage objects, such as file systems, directories, and files. Data is copied from the allocated space on disk, still accessible to the user in the file system. Such data includes the phone book, calls, messages, some application data, and other data that can be expected from a software backup with iTunes or Android itself, that is, what we can see if we manually examine the device [
13]. It is observed as the fastest and least invasive, but it is the most limited of acquisitions.
Figure 2 compares, in a summarized way, the different data that can be acquired by the types of acquisitions presented.
2.2. Digital Forensics Life Cycle
Ajijola et al. [
14] presented a comparative assessment between forensic guidelines from NIST SP 800-101 Rev.1: (Guidelines on Mobile Device Forensics) [
15] and International Organization for Standardization (ISO)/IEC 27037: 2012 (Guidelines for identification, collection, acquisition, and preservation of digital evidence) [
16]. The study resulted in the proposal for an integrated implementation of the two forensic guidelines.
Considering the standards mentioned, none of them deals with all processes of digital forensic investigations. There are forensic guidelines common to the two standards, and others that only one of the standards contemplates, exposing their limitations that affect more current issues of forensic processes. According to Neumer e Weippl [
17], another guideline that can be applied together is the RFC 3227 (Guidelines for Evidence Collection and Archiving) [
18], which also provides guidelines for proper digital forensics practices.
Figure 3 shows the typical life cycle or the main stages of digital forensics.
2.3. Tools and Software for Smartphone Repairing
According to Yang et al. [
20], companies that provide technical support or perform repairs on mobile devices use tools known as
Box. They are interfaces endowed with functionalities that allow reading and writing in areas of the mobile devices internal storage that are not accessible to the user and can also be used as forensic tools.
Among the various models used, we can mention Octoplus Pro [
21], UFI [
22], Easy JTAG Pro [
23], and their respective software. Although these boxes have resources to execute ISP, JTAG, and Chip-Off, they are rarely used for this purpose. They are widely used for mobile devices software repairs, considering that the companies focus that provide technical assistance is to return the user a functioning device without worrying about the data contained in it.
There are other tools and software used for repairs, both physical and logical, on mobile devices. For software repairs, we can mention the interfaces known as Dongles, which consist of a USB interface that serves to read a smart card and validate the software license. For physical repairs, the same tools are used to prepare the device for the execution of ISP, JTAG, and Chip-Off. The Chip-Off forensic technique uses a Soldering Station, Surface-Mount Device (SMD) Rework, antistatic forceps, antistatic mat, tin for soldering, soldering flux, stereoscopic microscope, electron microscope, PCB (Printed Circuit Board) holder, probes and spatulas, Multi-Purpose Rotary Tool, high precision digital multimeter, LCD Disassembly Machine, among others.
2.3.1. In-System Programming
In-System Programming (ISP) is a technique already used for forensic analysis of mobile devices. However, in this article, we will discuss its use not only for reading data from the device’s main memory, but also for writing data, changing partitions of the device’s main memory, it is considered that—to the best of the authors’ knowledge and until the elaboration of this work—it is a possibility not yet explored. Its use will not be as a main tool, but as a component of a methodology that combines the use of other tools for the successful acquisition of data.
According to Afonin and Katalov [
24], The forensic analysis using the ISP technique is a less invasive or destructive variation than the Chip-Off technique. The ISP technique involves an advanced acquisition process between the Joint Test Action Group (JTAG) and the Chip-Off.
According to Pappas [
9], ISP is an acquisition technique similar to JTAG, but faster because its connection is made directly to flash memory, bypassing the processor, through Test Access Points (TAPs), and can be used when the device is not compatible with JTAG. ISP acquisition applies to an eMMC or eMCP flash memory, not limited to smartphones only, and can be used on any device that uses these types of memories, such as SD cards.
In ISP, it is necessary to know the TAPs that connect to the flash memory. It is necessary to use the Box to connect the computer, where the software will run, with the device board. There are several Box models on the market with the ability to run ISP, the most well known being Easy JTAG Plus and Z3X Pro.
For the ISP technique, during the acquisition process, the contents of the internal memory are copied without removing the chip. To the best of the authors’ knowledge, to date, ISP acquisition is only available for devices that use flash memory as Embedded Multimedia Card (eMMC) or Embedded Multi-Chip Package (eMCP) with Ball Grid Array (BGA) encapsulation type.
In more detail, running the ISP is a process that requires several steps. First, connect the flash memory access taps to an adapter. Second, weld one end of a metallic conductor to the TAP and the other end to the adapter. Third, the TAPs are connected to the Box. The software of the Box provides the TAPs diagram for most smartphones. There are also specialized sites that make these images available.
Figure 4 shows the solders on the adapter and the TAPs on the board.
The use of the ISP technique allows another analyst to reproduce or repeat all steps of the process for data acquisition since the device remains functional and with all the components on the board. However, even when the Chip-Off technique is applied is possible to return the component to its original location and made to device run again, doing the component soldering process, known as reballing.
It is also possible to make use of an interface called VR-TABLE, which has articulated arms, equipped with high-precision metal probes, which dispense the welding of the conductors on the mobile device board, eliminating the possibility of damage caused by overheating.
Figure 5 demonstrates the use of a VR-Table.
The software of the Box is capable of performing reading/writing operations directly on the eMMC. After soldering all the necessary conductors, the Box is connected to the computer using a USB cable. After completing this step, it is necessary to select the correct software to be used and to configure the necessary parameters. When everything is connected and the software with the parameters correctly configured, the Box can then access or manipulate the content of the memory.
Running the ISP, it is possible to manipulate the data using 1 or 4-bit bandwidths. The most common is the use of the value “1 bit” because it is less susceptible to errors during copying and because it reduces the exposure of the board to heat since for execution with “4-bit” bandwidth, it is necessary to weld 3 more conductors.
In
Table 1, TAPs that must be connected for the execution of the ISP are described.
In
Figure 6, the TAPs on the card of a Samsung mobile device model GT-N8000 are identified. In this example, DAT1, DAT2, and DAT3, which make it possible to run an ISP with a 4-bit bandwidth, are also identified. The transfer rate can vary from 1.2 to 1.8 Kbps, according to the selected frequency. If the bandwidth is 4 bit, the transfer rate is multiplied by 4.
It is also possible to create a binary image of the device memory using the software of the Box. This image can be analyzed by forensic tools such as UFED [
26], XRY [
27] or AXIOM [
28].
The process of preparing the mobile device for the execution of the ISP also enables physical acquisition in devices equipped with SoCs, produced by Qualcomm. Using its Emergency Download Mode (EDL), a method proposed by Wu et al. [
7], it is necessary to weld a conductor in the TAP
CMD of the device for a physical acquisition using EDL. On devices from some manufacturers, such as XIAOMI, there is also the possibility to log into EDL mode logically by typing a code on the dial pad. For XIAOMI devices the code is
*#*#717717#*#*.
2.3.2. Combination Firmware
An Engineering Firmware or Special Service Firmware is a special type of code developed to read the device’s hardware, displaying complete information, in addition to allowing hardware testing and the execution of basic device applications and functionality. It is possible to obtain the Special Firmware for devices from various manufacturers, however, they are found with different nomenclatures. For Xiaomi devices, they are known as ENG Firmware or Engineering Rom and for Samsung devices, although they have the same functionality, this firmware is known Combination Firmware. It is important to clearness that the most common use of these Firmwares is the maintenance of mobile devices.
According to Morgillo and Viola [
29], Read-Only Memory (ROM) is a type of memory generally used in embedded systems to safely store all files that are part of the system core. The firmware that runs the Android operating system on mobile devices is stored in an area of memory whose permission is “Read Only”; that is why this firmware is popularly known as ROM. There is an effort by manufacturers to ensure the highest integrity of the system as possible, assuring that the primary system is fault-tolerant and remains intact during the device re-initialization. However, using specific tools, it is possible to manipulate this internal memory area and install its custom firmware.
It is considered that such customization is possible because Android is one of the most popular open-source projects and because, in general, the custom ROMs, which correct specific errors for specific scenarios, are optimized versions of the original system. In the latter case, they overwrite all areas of the internal memory when replacing the original firmware.
According to Parry and Carter [
30], the mobile devices firmware update can be performed over a wireless connection known as Over-the-air (OTA). Open Mobile Alliance (OMA) has developed firmware update techniques that may require tens, hundreds, or even thousands of files, and some solutions bundle all the necessary update files into a single file to be downloaded directly to the mobile device. The replacement of the original firmware with another, developed by third parties, requires a specific tool and is done through a computer.
For installing a Combination Firmware, it is necessary to use specific software that rewrites the firmware. Once the original firmware is replaced with the Combination Firmware, it is possible to check all the hardware resources such as rear camera, front camera, sensors, RAM, ROM, and also run a test that shows the diagnosis results.
Engineers and technicians widely use Special Firmwares and, although there is no official documentation on them, there are many topics in specialized forums, such as
XDA Developers [
31], about their use. The files can be downloaded from websites specialized in tools for mobile devices maintenance.
From a forensic point of view, other interesting features can be explored through a Combination Firmware. It allows bypassing and removing factory reset protection or Google account verification. However, the main point of interest is to allow full access to the device content since replacing the original firmware with Combination Firmware does not change the data partition. This preserves data integrity and allows physical acquisitions, file system acquisitions, and logical acquisitions to be made using forensic tools. It is also possible to enable the root user if necessary. According to Almehmadi and Batarfi [
32]—who investigated the impact on user data integrity by enabling the root user on an Android smartphone—, modifications to the device data do not affect the user data Such a process is, therefore, legally valid and evidence extracted from Android devices, as a result of the rooting process, is robust and reliable for sentencing in criminal cases.
It is noteworthy that a Combination Firmware is not intended for the end-user, but specialized tasks according to the need. Using such techniques without adequate knowledge can invalidate the use of a device in a criminal investigation process, eliminating substantial evidence for crime investigation. It is also necessary to note that the Combination Firmware always runs the same Android version as the original firmware.
When there is no Special Firmaware for the target device, it is possible to download the image file of the boot, recovery, and system partitions, also developed for repair mobile devices, and making adaptations so that they are similar to those found in the Special Firmware. However, this requires individual analysis for each device. This procedure will not be described in this article.
2.4. Using Encryption on Android
According to Loftus and Baumann [
33], Google has made available since version 3.0 (Honeycomb) of Android, the Full-Disk encryption (FDE) encryption model, which allows encrypting the
/data partition, also called “user data”. After turning on the device, all data in the
/data partition are inaccessible until the user provides authentication credentials. Even using such advances, this has not prevented attacks such as
Evil Maid Attack and
Cold Boot from succeeding against FDE. From a security and forensic perspective, there are still other drawbacks arising from the use of the FDE. For example, after rebooting, several critical functions of the device cannot be used without user interaction; as an example, we can mention the inability to receive calls after an unexpected restart.
Yet, according to Loftus and Baumann [
33], File-Based Encryption (FBE) was introduced to overcome this problem as part of the launch of Android 7.0 (Nougat). FBE protects user data by encrypting each file with a unique key, which consists of a hardware key with the user’s input (alphanumeric password, PIN, etc.) associated with the Secure Boot protection (Direct Boot). Nevertheless, it also has the convenience of not suffering limitations, correcting the mentioned flaw of the FDE, besides allowing a more refined control of what is encrypted.
Direct Boot can be set during the initial setup and while specifying the lock screen password. When the secure boot option is enabled, and the user informs their password, the data partition is mounted and decrypted during initialization, and some applications can start and access their data, even if the screen is not unlocked. The credential request occurs before most Android services and applications are allowed to start. The credential is required to generate the actual encryption key.
Some cases of apps that run in secure boot mode include apps with scheduled notifications (e.g., alarm clock, SMS) and that provide accessibility services, such as Talkback. According to Alendal [
34], this security mechanism can be circumvented.
On devices manufactured by Samsung, FBE encryption is present only on Samsung Galaxy devices with Android 9.0 or higher, or with Knox 3.3 or higher. In the others, the encryption is still FDE [
35].
According to Ribunov et al. [
36], the coexistence of critical and non-critical applications is becoming usual on mobile devices. Critical applications must be run separately in the Trusted Execution Environment (TEE) so that the code and associated data can be protected against malicious applications.
So as to Leignac et al. [
37], the Trusted Execution Environment (TEE) was created to improve security within the SoC based on the ARM architecture. It offers a compromise between the functionality of the Rich Operating System (Rich OS), such as Android, and the safety of a Secure Element (SE). ARM TrustZone separates SoC between two environments, one considered secure and the other not-as-secure.
The keys are derived from the information stored in the TEE, as well as the user credentials (PIN, password, etc.) used to unlock the phone. If file-based encryption is used, the phone can initialize and access data stored in the device’s specific encrypted area, protected with hardware keys. Most of the information, however, is stored in the encrypted area with various credentials. This area is protected with keys based on the user’s credentials.
Thus, an acquisition made through the software of a Box, either by ISP or by Chip-Off, will not bring satisfactory results, as the device is turned off and, consequently, encrypted.
2.5. Bootloader
To Hay [
38], there is a chain of boot loaders that originate from the Original Equipment Manufacturer (OEM) or the SoC manufacturer. The primary boot loader (PBL), written by the chipset manufacturer, triggers the Bootloader (ABOOT). There is still the TrustZone, which provides security mechanisms such as Secure Boot.
Android devices come with the bootloader blocked to ensure the integrity of the OS. To unlock the bootloader—which allows the installation of an alternative bootloader and custom firmware—some devices require an authorization code from the manufacturer. On some devices, the factory reset occurs. That is, the user data will be lost, which is not interesting from a forensic point of view.
2.6. Forensic Suites Specialized in Mobile Devices
There are numerous forensic tools and suites on the market aimed at acquiring and analyzing data from mobile devices. Studies of Rao and Chakravarthy [
13], and Khan and Mansuri [
39] point out some of them and those used by the National Institute of Standards and Technology (NIST) [
40]: SAFT, AFLogical, LiME Module, Nandroid Backups, Open Source Android Forensics–Tool Kit (OSAF-TK), Santoku Linux, Andriller, JTAG, Chip-Off, Cellebrite UFED, Mobile Oxygen Forensics, Paraben, Mobile Device Seizure, MOBILedit Forensic, MPE+, XRY, AXIOM, EnCase Forensic, X-Ways, XRY, UFED, Paraben, and Final Mobile Forensics.
We can also quote the IPED Digital Forensic Tool, which can be obtained free of charge on the website of the Federal Police Department of Brazil [
41].
According to Pappas [
9], any tool or software used for data acquisition and analysis must be tested and verified before its use in real cases to guarantee its performance and that the documents related to the software/hardware are periodically reviewed. The NIST provides validation reports for some tools on its website [
42]. The reports point out the features and limitations of these tools.
2.7. Related Works
This section presents some related works, in which efforts were undertaken towards data acquisition from mobile devices using methodologies and techniques different from those presented because they already exist in the market. Such works were grouped according to the techniques and methodologies used.
2.7.1. Acquisitions Based on Device Firmware Attack
Yang et al. [
20] proposed an acquisition method based on the analysis of firmware update protocols for Android smartphones from manufacturers Samsung, LG, and Pantech. They stated that it is possible to perform physical acquisition on Android smartphones using the flash memory read command, applying reverse engineering to the firmware update protocol on the boot loader. However, at the time of the work, the Android devices used were the models G3 (F400S, D851), Optimus G (F180S, E975), R3 (IM-A850S), Iron2 (IM-A910S), and Nexus 4/5 (E960, D821), which have not yet the main memory encrypted by default.
Li et al. [
43] presented a forensic tool based on the replacement of the Recovery Mode with a focus on NAND and eMMC cards. The possibility of data recovery was explored after uninstalling an application on Android devices with EXT4 file system. Of the devices submitted to data extraction, the most recent version of Android was 4.4.X, with kernel 3.4.39.
Wu et al. [
7] proposed a forensic acquisition for Android smartphones with Qualcomm processors in an approach using special modes. They addressed the special modes 9008 and 9006 of the Qualcomm processor to extract the data partition. This mode is also known as Emergency Download Mode (EDL). Acquiring the data image using Qualcomm 9008 Mode, there is no need to unlock the boot loader; start the device in fastboot mode and set the phone to Qualcomm 9008 mode. Mode 9006 is applied to cause intentional damage to the boot partition, after which a computer can read the device’s data partition. In the experiments, data integrity and the possibility of executing the proposed methods were also proven. However, the experiment was done on devices with Android OS Version 5.1.1, and the proposed approach reaches only devices using Qualcomm SoCs.
Alendal et al. [
34] exploited the Common Criteria (CC), which is a feature that increases the security level of Samsung devices and therefore makes it difficult for forensic acquisition for law enforcement. Due to the impossibility of gaining access to the project’s specifications, documentation, and source code, the authors reverse-engineered the implementation of CC mode, as Samsung’s secure boot manager protects it. They presented how this security mode is applied, its vulnerabilities, and how they can be used to bypass CC mode by increasing the attack surface for later forensic acquisition. However, the work is limited to devices manufactured by Samsung.
Dave et al. [
44] recovered 3500 AT commands from more than 2000 Android smartphone firmware images from eleven suppliers. The commands were tested on eight Android devices from four different suppliers via the USB interface. The authors identified the possibility to rewrite the device’s firmware, bypass Android’s security mechanisms, obtain sensitive device information, perform screen unlocks, and inject touch events using AT commands only. There are still other features that can be exploited by the AT command, which features an attack surface on Android devices. AT commands were written in the early 1980s, whose purpose was to control modems, but they can still be used on most Android OS smartphones. The technique proved to be effective only on Samsung devices up to the Galaxy S7 Edge model with Android OS up to version 7.0. Tested on a Galaxy S8 Plus model, the technique proved ineffective, as well as on Google Nexus 6P and Google Pixel models.
2.7.2. Acquisitions Using ISP, JTAG, and Chip-Off
Pappas [
9] conducted a study focused on JTAG and ISP physical acquisition techniques to prove that these forensic techniques are equivalent when compared to any other method. To this end, he proposed three tests. The first test showed the differences in the results of the forensic analysis when performing a physical acquisition, file system, and logical acquisition, using UFED Touch, and later comparing the results using the Physical Analyzer. The results revealed that the physical extraction is more potent and, in forensic terms, retrieves a larger quantity of evidence.
The second test [
9] aimed to prove that all physical acquisitions are equivalent, comparing the data acquired from the same device using UFED Touch and the “dd” tool. The result showed that there was a difference in the hash of two files; however, the author explains that the differences in “user data” are due to unallocated space and changes in the “File System” files, such as “inode table” and “superblock.”
The third test [
9] consisted of examining the content of an encrypted device to show whether it is possible to find evidence, which was acquired using the “dd” tool, verifying whether physical acquisition of an encrypted device can provide any useful information. It was concluded that if the device is encrypted, the physical acquisition will produce a complete encrypted code, useless for forensic analysis because no information that makes sense can be found.
In the case of old or outdated Android devices, there is the possibility of breaking the encryption. The author [
9] also describes a step by step guide to acquiring a mobile device using ISP and JTAG and its subsequent analysis in the UFED Physical Analyzer. The author [
9] also sought to highlight the diverse degrees of difficulty when using different tools, such as UFED Touch, which is easy to use, comparing it to ISP and JTAG, with which there is a risk of damaging the device. The main focus of the study was to provide an overview of the acquisition of JTAG and ISP, and present some information about these techniques and to show that the UEFD Physical Analyzer can read the extraction product.
In the study [
9], the device used for data acquisition in the experiment was a rooted Samsung GT-I9505 (Galaxy S4) with Android OS Version 5.0.1, with encrypted main memory, and a Nokia Lumia 635, with Windows Phone 8.1.
Sathe and Dongre [
45] conducted a comparative study of requirements, capabilities, and limitations of forensic techniques for the logical and physical acquisition of data from mobile devices, using a Samsung Galaxy Grand Duos GT-I9082 device to perform the comparative tests. The following suites and forensic tools were analyzed: UFED, MOBILedit, Oxygen Forensics and XRY, ADB Pull, Backup Analysis, AFLogical, Wondershare Dr. Fone for Android, JTAG, and Chip-Off. Although they address the use of JTAG and Chip-Off, the analyzed device was launched with Android OS Version 4.1.2 and was updated until version 4.2.2, both did not provide, by default, the main memory encryption.
Chanajitt et al. [
46] analyzed seven m-banking apps for Android in Thailand and described the forensic artifacts that can be recovered, as well as the results of the applications’ assessment concerning security. They describe JTAG as a physically invasive data acquisition method, but that allows access to data without the need for USB debugging enabled, or without the enabled root user (without root) and still circumvent password lock, bypassing the OS security mechanism. In the experiment, a rooted Samsung GT-I9500 (Galaxy S4) and a non-rooted Samsung GT-I9190 (Galaxy S4 Mini) were used, both with Android OS in Version 4.4.2 with unencrypted main memory.
On 28 January 2020, NIST released the results of tests performed using JTAG and Chip-Off to acquire data from damaged mobile devices [
47]. The objective was to test the validity of the methods; to see if they produce accurate results with reliability. After data acquisition, the following forensic suites were used for analysis: AXIOM, EnCase Forensic, X-Ways, XRY, UFED, Paraben, and Final Mobile Forensics, being identified locations, texts, photos, social media data, and others. The extracted data was compared to the one loaded initially on each phone, proving that JTAG and chip-off extracted the data without modifying it and that some of the tools used are more efficient for analyzing the data than others, particularly for social media application data. The devices analyzed were from different manufacturers, and the latest version of the Android OS was 5.1. The results are published in a series of free online reports [
40].
2.7.3. RAM Data Acquisition
Soares and Sousa Júnior [
48] presented a technique for analyzing Java objects data by the extraction of RAM from devices with ARM 32-bit architecture, but with the flexibility to be adapted to other architectures (including 64-bit). The authors disregarded the data of large objects or allocated by native code libraries present in the Android operating system, version 5.0, run in an emulator. For the analysis process, the Volatility framework was used. The authors also created a set of extensions for Volatility that enabled the retrieval of information about the execution environment and the recovery of allocated Java objects, as well as mappings for interpreting the data in the ART, OAT, and DEX files, which allowed the recovery of the execution environment data structures. For experimental validation, they emulated a Nexus 5 device with Android OS Version 5.01 using
goldfish. For data analysis, they used version 0.4 of the Linux Santoku Distribution, specialized in mobile device forensics. As a result, the authors were able to extract and analyze Java objects with an understanding of storage structures, overcoming traditional techniques based on detecting artifacts intrinsic patterns.
Soares and Sousa Júnior [
49] describe a transition case resulting from a new version of Android Runtime (ART). They improved the technique previously developed [
48], validating the tools proposed in emulated and real devices with Android OS version 5.0.1, with the physical device rooted, illustrating the difficulties related to forensic analysis due to the different specific implementations by several manufacturers of mobile devices.
In
Table 2 we present a summary of the different techniques and methodologies employed in related works.
3. Problem Statement and Proposed Solution
Although the studies do not point out explicitly, it is observed that the most significant difficulty encountered by digital forensics professionals, with regard to the acquisition of data from mobile devices, are the lock screens configured by the user. Such a restriction prevents the acquisition of data by the extensive list of forensic tools usually employed, with different models and manufacturers.
It corroborates the statement that Cellebrite (Cellebrite DI is an Israeli company founded in 1999 and headquartered in Petah Tikva, which manufactures data extraction and data analysis devices from mobile devices, mass storage devices, and drones. The company is a subsidiary of Sun Corporation, Japan. Cellebrite DI has two subsidiaries, Cellebrite USA Corp. and Cellebrite GmbH, based in Parsippany, New Jersey, USA and Munich, Germany, respectively.) [
50] already has 11 laboratories around the world, one of which is installed in Brazil, specialized in advanced unlocking and extraction services using UFED Ultimate [
51]. The service offered by these laboratories is called Cellebrite Advanced Service (CAS), whose main objective is to unlock the device by breaking the password by brute force attack. Such a technique can be used in Apple devices with iOS, Samsung, Huawei, and LG devices [
52] with an approximate cost of
$ 2500.00 (two thousand and five hundred dollars) per unlock.
Another company offering a similar solution is Grayshift, which has developed a product called GrayKey [
53], intended exclusively for unlocking iPhones. In addition to the removal or bypass of the lock screen, it is also necessary to make the physical acquisition of the device data, to have access to the content deleted by the user and that of instant messengers, such as WhatsApp, without contaminating the evidence and allowing the analysis by tools specialized, commercial or not.
In some cases, even with the device unlocked, it may not be possible to perform the physical acquisition, being necessary to enable the root user on the device to do so. In some models of Android devices, during the procedure performed to root the device, the internal memory is safely erased, which is not feasible from a forensic point of view.
In considering these aspects, this section describes the problem addressed in this article and its proposed solution. This solution will result in bypassing the lock screen, rooting the device (if necessary) without the risk of losing or contaminating the user’s data, subsequent data acquisition through a forensic tool for mobile devices, and analyzing the acquired data.
3.1. Problem Statement
Mobile device manufacturers have been improving security mechanisms to prevent or hinder unauthorized access to device data. Currently, the user has encryption mechanisms, lock screen mechanisms that automatically prevent other changes that could allow access to data, in addition to other security mechanisms.
The implementation and improvement of such mechanisms prevents or hinders the work of state law enforcement agencies. The judicial and scientific police find it challenging to acquire data from mobile devices that may constitute evidence, given that current forensic suites, both proprietary and open-source, fail to bypass the lock screen mechanisms of some models of mobile devices.
3.2. Proposed Solution and Justification
This work proposes a solution that combines the use of ISP and Combination Firmware aiming to bypass the device lock screen, allowing the physical acquisition (with the possibility of rooting the device if necessary), the file system acquisition, and data logical acquisition. After the respective acquisitions, the expert can perform his analysis using specialized forensic tools.
During the process established in the LLDA-ISPCF methodology, it is also possible to backup the partitions that will be changed to use the Combination Firmware. This backup is restored after acquiring the data, leaving the device exactly as it was before, with the current user lock screen.
This methodology applies to a wide range of devices, regardless of the OS version, model, or SoC manufacturer.
The forensic possibilities offered by the LLDA-ISPCF methodology is of great importance for the present work since it can retrieve data contained in mobile devices for the elucidation of the most various crimes. The ability to acquire and analyze data from mobile devices with the latest versions of the Android OS, since a small number of devices still runs android Version 10, represents a significant advance in mobile forensics in the current scenario.
After verifying that the devices collection phase has complied with the digital forensic life cycle stage presented in
Figure 3, for expert examination, the methodology proposed in this work is ready to be applied for physical, system, and data acquisition.
3.3. Description of the LLDA-ISPCF Methodology
The methodology is presented in
Figure 7, and its phases are detailed below.
3.3.1. Phase 1: Preliminary Check of the Device’s Security Mechanisms
At this phase, it should be checked whether the device has any lock screen mechanism. The most common ones found on Android devices are the standard PIN, alphanumeric password, biometrics, facial recognition, and iris scanning. There is also an unlocking screen mechanism by Near Field Communication (NFC) Token and USB, although they are less common. Although, if the lock screen mechanism protects the device, it will be necessary to start the device in Recovery Mode. By doing so, we will be able to get information about the status of its bootloader (locked or unlocked), USB debugging mode (enabled or disabled), FRP status (On or Off), and Firmware version, with special attention to the binary version of the Firmware.
With the device locked, it is necessary to use a combination of keys, which varies according to the manufacturer and the device model. The most common way is, starting from the situation in which the device is turned off, simultaneously pressing the Power and Volume Up keys, and keep them pressed for about 3 s. It is recommended to take note of all the information, including the version of the OS that runs on the device, as this data will be used in the next phases. If the device has USB debugging mode disabled when it is connected to the computer, although it is recognized, it will not be possible to access any file system partition; the smartphone will only recharge the battery via the USB port. If USB debugging mode is enabled, the technique of using the Android Debug Bridge (ADB) [
54] can be explored. This technique is a command-line tool that provides access to a Unix shell, is used to execute various commands on an Android OS device, but which will not be covered in this work.
If the device does not have a lock screen mechanism, other tools or even steps of the proposed methodology. However, this hypothesis will not be detailed in this work since it does not address the situation of the enabled security mechanism.
3.3.2. Phase 2: Disassembly of the Device
This phase consists of removing the display from the device and separating the components to access the board. Besides the display, it is necessary to remove the battery, cables, heat sinks, and anything necessary to perform the solder with adequate precision, without risk of damaging the equipment and making acquisition impossible.
For a display removal, it is ideal to use an LCD/Touch Screen Disassembly tool, equipment that evenly heats the screen at the correct temperature so that the glue used on the LCD is more easily released, reducing the breakage risk. In some devices, it may be necessary to remove segments of the metallic protection of some components to access the TAPs.
3.3.3. Phase 3: Verification of Compatibility with the Application of the JTAG Technique
At this stage, it is necessary to check if the device has the TAPs for the execution of the JTAG. This verification can be carried out visually. If the forensic analyst does not know how to locate the standard JTAG TAPs, he can consult the Box software to check the diagram of the TAPs of the device in question. It should be noted that the most recent devices do not include JTAG TAPs. If the device to be analyzed has a TAP, the JATG technique can be used, according to the works developed by Pappas [
9], Sathe, and Dongre [
45], in addition to the tests carried out by NIST [
47], whose devices were equipped with TAPs for JTAG.
3.3.4. Phase 4: Checking the Device’s Memory Type
The ISP, until the elaboration of this work, is only compatible with eMMC and eMCP memories. If the device is equipped with another type of memory, such as UFS, the Chip-Off technique can be used, according to the work of Sathe and Dongre [
45] and the tests carried out by NIST [
47].
3.3.5. Phase 5: Verification of the Encryption Mechanism
To check whether the main memory is protected with encryption and which model has been applied, it is necessary to consult the version of the OS running on the device, data already obtained in Phase 1 (
Section 3.3.1), and to seek technical information about it.
It is necessary to confirm that the use of the Chip-Off technique will carry out the acquisition of encrypted data, and that forensic suites may not be able to decrypt such data. If any encryption does not protect the main memory, it is possible to use the Box software to perform the physical data acquisition, without the need to use the Combination Firmware.
3.3.6. Phase 6: Combination Firmware Download
In this phase, in possession of the firmware version and the binary version of the device, obtained in Phase 1 (
Section 3.3.1), it is necessary to locate and download the Combination Firmware compatible with such a device. Some websites make these files available for free. However, it is advisable to download it from specialized websites, reducing the probability of getting files corrupted or infected by malware. One of the most popular websites that provide access to mobile devices maintenance tools is
Halabtech Support [
55].
3.3.7. Phase 7: Running the ISP
This phase begins with a search in the Box software to locate the diagram containing the TAPs location of the exact device model. After identifying the TAPs, it is necessary to weld the conductors. One end of the conductors is soldered on the TAPs, and the other end is weld on the ISP-dedicated connector.
The next step is to plug the ISP connector into the Box. At this point, it is possible to use the eMMC Tool Suite to make the physical acquisition of the device’s internal memory. However, the encrypted data acquired can only be analyzed if the forensic suite used for analysis can decrypt them. If it is not possible to decrypt the data, the JTAG Classic Suite software will be used to manipulate the data on the Persist partition, without changing the partition where the user data is located.
Android devices have multiple partitions that have different functions [
56]. However, because it is an
Open Source project, manufacturers can make changes or modifications at will. This way, we will have a varying number of partitions in the different device models running with Android OS. Consequently, partitions may vary depending on SoC, brand, OS version, and more.
To install the Combination Firmware, that is, overwrite the boot, recovery, and system partitions, it is necessary to previously overwrite with 0 (zero) the area where the FRP is recorded, and on newer devices, the FRP is usually on the Persist. While the FRP is active, it is not possible to overwrite these partitions.
All values for configuring the software required to run the ISP can be obtained in
Seeking the Truth from Mobile Evidence [
57].
3.3.8. Phase 8: Combination Firmware Writing
Following the phases proposed in this methodology, the Combination Firmware writing is the last phase that precedes the acquisition itself. It is necessary to rewrite the boot, recovery, and system partitions. Such partitions will have their original content replaced by the files contained in the Combination Firmware previously obtained. It is advisable to make a backup of the partitions that will be overwritten before performing the operation. It is also possible to extract the contents of the file with MD5 extension and generate a new compressed file with the same name as the complete file, overwriting it. Doing so will be easier to use the software for writing the firmware.
For the writing operation, both the
Box Octoplus Pro and the
Odin tools can be used. The necessary procedures for the Combination Firmware writing using the Box can be obtained in
Seeking the Truth from Mobile Evidence [
57].
After replacing the partitions mentioned above, the device will boot normally, without asking for the password or the mechanism imposed by the user.
The device on which the LLDA-ISPCF methodology was applied uses file-based encryption. When the device is initialized, the system accesses the data stored in its special encrypted area, protected with hardware keys. All data on the data partition is inaccessible until the user provides authentication credentials, as this area is protected with keys based on the user’s credentials. The user password is one of the cryptographic keys, and when it ceases to exist, only the system password, defined in the source code by the developers, remains. As there is only the default system key, no key exchange takes place, and the partition is automatically decrypted. The process is transparent, and as soon as the initialization process is completed, the system displays the home screen.
After of initialization, the device displays a screen with essential functions, being possible to view photos, explore files, record images, among other basic operations.
From that point on, the device is ready for data acquisition, being possible to activate the USB Debugging Mode, activate the option Stay Active, and also, if necessary for the acquisition, root the device. It is important to note that the firmware now installed runs the same Android version as the original firmware. Therefore, the acquisition methods must be compatible with the OS version if such a device is not rooted. The choice of the forensic acquisition tool is at the discretion of the specialist who will perform the procedure.
3.3.9. Phase 9: Device Data Acquisition
At this stage, the forensic analyst may select the most appropriate tool for the devices data acquisition. The need to root or not the device by the analyst has to be carefully analyzed. This action is due to his ability to manipulate the forensic tools at his disposal.
3.3.10. Phase 10: Data Analysis Using Forensic Tools
After data acquisition, this step marks the end of the previous phases proposed by the methodology. The forensic analyst will carry out the analysis of the acquired data, devices being able to use any available tools, as long as they are compatible with the data format generated by the tool that performed the acquisition. It is worth mentioning that, in a physical acquisition, it is possible to obtain files containing the user’s credentials for accessing online services and social networks, such as Google services (Keep, Photos, Google Drive, etc.), Facebook, Twitter, Instagram, among others. These credentials, when extracted and inserted in software for searching and analyzing data in the cloud, function as “tokens”, providing authorized access to such services, considerably increasing the volume of data obtained.
4. Case Study: Analysis of a Device
In this section, the actions in each phase of the proposed methodology will be detailed, from the preliminary verification of the security mechanisms to the acquired data analysis.
4.1. Choice of the Device to Validate the Proposed Methodology
For study purposes, we performed the physical data acquisition of a Samsung SM-A105M/DS smartphone (Galaxy A10). The choice for this device took into account four main criteria.
The first was the scope of the device and the global sales volume. According to (the market analysis and business consulting company Counterpoint) [
58], Samsung Galaxy A10 (A105M) was the best-selling Android smartphone in the world in the third quarter of 2019, and placed second in overall sales volume, just behind the iPhone XR.
The second criterion was the Android version on the device because the more recent the smartphone, the more layers of security are implemented, and the more secure the system tends to be. In this case, the SM-A105 model runs Android version 9.0 (Pie), which runs on most Android devices (41.9%) [
59].
The third criterion was the difficulty in carrying out the welds on the board, considering that the device has tiny components. Therefore, without using a VR-Table for the realization of an ISP, it is still possible to weld the conductors on the TAPs.
The fourth criterion is the fact that the SM-A105 data has device encryption enabled automatically (Direct Boot).
4.2. Application of the Methodology
Before using the proposed methodology, we performed all kinds of extraction methods available on UFED Touch 2 (software version 7.32.0.68). These methods are compatible with the characteristics of the SM-A105M/DS device (Galaxy A10), which had an activated lock screen (alphanumeric characters), bootloader blocked, USB debugging mode disabled, and FRP active. Unfortunately, we realized that none of these methods worked in the attempt of unlocking those smartphones. All steps illustrated in
Figure 8 will be applied to validate the proposed methodology.
Each phase of the methodology proposed in this work to analyze the device in question will be detailed below.
4.2.1. Phase 1: Preliminary Check of the Device’s Security Mechanisms
In the case study, the device had an activated lock screen (alphanumeric characters), bootloader blocked, USB debugging mode disabled, and FRP active.
Figure 9 displays information about the devices firmware version, OS version, device model, and binary firmware version.
4.2.2. Phase 2: Disassembly of the Device
At this stage, the devices display and battery were removed to allow access to the board. Flat cables and other connectors were disconnected so that no components were damaged during the welding process. Due to the difficulty in accessing the TAPs, it was necessary to remove metal parts that serve as protection for the components, as can be seen in
Figure 10.
4.2.3. Phase 3: Verification of Compatibility with the Application of the JTAG Technique
At this stage, we checked if standard TAPs were present on the device board before applying the JTAG. The execution of this phase was a mere protocol, as the device was launched in 2019 and did not have TAPs for a JTAG execution (present only in older devices).
4.2.4. Phase 4: Checking the Device’s Memory Type
The device used in the case study had eMMC type memory and was therefore compatible with ISP. If the device was equipped with another type of memory, other techniques could be employed, such as Chip-Off.
4.2.5. Phase 5: Verification of the Encryption Mechanism
The device used in the case study (SM-A105M/DS) uses FBE type encryption, and Android OS Version 9 (Pie).
4.2.6. Phase 6: Combination Firmware Download
After identification, a search was performed to obtain the Combination Firmware. After locating the firmware-related files, those were downloaded to the local computer.
Figure 11 shows the Combination Firmware serial number for download.
4.2.7. Phase 7: Running the ISP
In this phase, the research was managed in the Box software to locate the diagram containing the TAPs location of the exact device model. After identifying the TAPs, the conductors were soldered on the TAPs.
Figure 12 shows, with the help of a microscope, one of the conductors already welded.
Once the necessary conductors were soldered, the TAPs were connected to the corresponding points on the ISP connector, and then, connected to the Box. The
JTAG Classic Suite utility was started.
Figure 13 shows part of the
JTAG Classic Suite utility screen, showing the primary memory partition of the device and the values of each parameter to manipulate the
Persist partition. Such values may vary depending on the device and the eMMC manufacturer. The values referring to the parameters were obtained in
Seeking the Truth from Mobile Evidence [
57].
We then recorded an FRP in the smartphone as to manipulate its Persist partition. After setting the correct parameters, the Persist partition was overwritten. Nevertheless, it is safe to mention that the partition with the user’s data was not invaded, and therefore the data remained intact.
4.2.8. Phase 8: Combination Firmware Writing
For a Combination Firmware writing, only relevant files that correspond to the
boot,
recovery, and
system partitions should be preserved. The content of the file with extension
MD5 can be seen in
Figure 14.
Next, the
Box Octoplus Pro and
Octoplus Box Samsung Software were used for replacing the partitions specified in
Figure 14.
Figure 15 shows the
Octoplus Box Samsung Software tool home screen. All settings were obtained in
Seeking the Truth from Mobile Evidence [
57].
After replacing the boot, recovery, and system partitions, the device restarted without asking for the lock screen password, allowing the viewing of media files, installed applications, and all content (files) present on the device. It should be noted that the firmware newly installed, runs the same Android version that runs on the original firmware, in this case, version 9.
4.2.9. Phase 9: Physical Acquisition Using UFED Touch 2
In this phase, we selected the forensic tool suitable for physical data acquisition. As we understand that physical data acquisition can be carried out by other forensic tools specific to other mobile devices, the option for UFED Touch 2 was motivated by a Cellebrite announcement. They stated that starting with version 7.23, the UFED Touch 2, 4PC, and InField would be able to perform the physical data acquisition of “A” and “J” Samsung’s line-up equipped with SoC
Exynos, using a generic profile [
60].
With the device already unlocked, physical extraction attempts were made using UFED Touch 2, with software before version 7.32.0.68. We realized that it was not possible to perform the physical acquisition without the root user being enabled. Therefore, in this case, it was possible to perform the file system acquisition and the logical acquisition without rooting the device.
Figure 16 shows part of the UFED Touch 2 screen. Highlighted, is the method that allows the physical acquisition of the SM-A105M/DS, enabling the root user.
Using version 7.32.0.68 of the UFED Touch 2 software and selecting a generic profile, was possible to perform the physical acquisition without the need to enable the root user, in addition to the File System and Logic acquisitions. It is worth remembering that UFED Touch 2 was unable to bypass the lock screen in the experiments carried out before the methodology proposed in this work, although the tool promises to do so.
Figure 17 shows a part of the UFED Touch 2 screen and, highlighted, the aforementioned functionality, allowing the physical acquisition of the SM-A105M/DS.
4.2.10. Phase 10: Data Analysis Using UFED Physical Analyzer
In this phase, the data acquired with UFED Touch 2 were analyzed using the software UFED Physical Analyzer Version 7.32.0.16. The extraction was indexed without errors, and the results were consistent, including the credentials for services in the cloud, which can be used in applications with acquisition capacity specifically aimed explicitly for such services, such as the UFED Cloud Analyzer.
Although the objective of this work is not to compare the capabilities of forensic suites, the acquired data were also analyzed with the AXIOM Examiner and XRY XAMN tools, all presenting consistent results from the perspective of forensic analysis. It should also be noted that data acquisitions can be carried out with one tool, and the analysis with another, being limited only to the format generated by the acquisition tool.
Figure 18 shows the list of recovered files that were analyzed, including files deleted by the user, and that had not yet been overwritten. The files from instant messaging applications, such as WhatsApp, were also recovered.
4.3. Comparative Analysis and Discussions
After completing the execution of the proposed methodology in the case study, the results will be compared to related works. A discussion of the proposed methodology concerning its efficiency and limitations will also be presented.
The methodology proposed in this work expands the possibilities of extracting data from mobile devices and can be used in devices with different characteristics. The acquisition capabilities in relation to the characteristics presented by the devices are as follows:
Capability 1 (C1): Data acquisition from devices that have an enabled lock screen mechanism;
Capability 2 (C2): Data acquisition from devices with FDE disk encryption;
Capability 3 (C3): Data acquisition from devices with FBE disk encryption;
Capability 4 (C4): Data acquisition from devices with OS up to Version 9;
Capability 5 (C5): Data acquisition from devices with eMMC and eMCP memory types;
Capability 6 (C6): Data acquisition regardless of SoC manufacturer;
Capability 7 (C7): Data acquisition from devices with F2FS and EXT4 file systems;
Capability 8 (C8):Data acquisition from physical devices.
Table 3 shows the comparison between the results achieved using the proposed methodology and the results obtained by the tools and methodologies presented in the related works. Concerning the data acquisition from mobile devices, the capabilities were synthesized to ease the visualization of what is common to each referenced work.
By analyzing the related works, it appears that there is a great effort to improve tools, techniques, and methodologies in favor of data acquisition for forensic analysis. This effort is due to the highest difficulty to overcome or circumvent the security mechanisms that protect the devices data against unauthorized access. It is observed that such mechanisms also hamper law enforcement, as specialists encounter the barriers mentioned above, even when some legal devices and mechanisms support allow the analyst to access such data.
Among the mechanisms available on all smartphones running the Android OS, the lock screen, when activated, prevents access to the devices data and functionalities. It also prevents communication via the USB port, as the USB debugging mode is disabled by default. Although the forensic tools on the market promise to remove or bypass the lock screen on the overwhelming majority of smartphone models running the Android OS, this does not work in practice. In a wide range of models, the use of tools from various manufacturers, such as UFED, XRY, AXIOM, among others, is ineffective in extracting data when the lock screen is activated.
An example is the model SM-A105 and its variants, whose commercial name is Galaxy A10. The methodology proposed in the case study of this work used that device, which is sold globally, runs Android OS version 9 (Pie), and was the second best-selling smartphone in the world in the third quarter of 2019 [
58]. In this case, conventional forensic solutions can only extract data if the device is unlocked.
The application of the proposed methodology, which combines the use of ISP and Combination Firmware, made it possible to bypass the lock screen and the subsequent acquisition and analysis of the data. Also, it is emphasized that the data integrity was preserved, which is fundamental in forensic analysis. Taking into account that Samsung is the company with the largest market share of mobile devices [
3], we believe that its application is a worthy contribution to forensic analysts of law enforcement divisions, due to the abundance of devices and the number of security barriers that can be overcome.
5. Conclusions and Future Work
Given the results obtained in the case study, it is possible to ratify the efficiency of the proposed methodology, especially concerning the possibility of circumventing the lock screen mechanism, which constitutes one of the main obstacles to the execution of mobile devices forensics. The case study carried out to validate the proposed methodology proved that the combination of the listed techniques is feasible and presents satisfactory results. It was possible to bypass the lock screen, which is one of the main obstacles to mobile devices forensics. This characteristic allowed the device data acquisition.
Concerning encryption, with the FRP removal previously stored in the Persist partition, it was possible to change the partitions, boot, recovery, and system, and thus bypass the process of exchanging cryptographic keys, because the private key was removed, and the system understands that no blocking mechanism has been configured or was removed, so the data partition (/data) will be decrypted without any brute force attack or reverse engineering of the cryptographic algorithm, just bypassing the mechanism transparently.
It is important to note that the methodology has already been applied to other devices manufactured by Samsung, with Qualcomm, Exynos and MediaTek SoCs, and Xiaomi devices with Qualcomm SoCs. According to the studies that have been carried out, it is possible to apply the methodology on any devices that have TAPs for ISP and whose Special Firmware is available. However, we have not yet carried out tests with all devices, considering that the objective of the study is to address devices recently launched and that have a high volume of sales, which represents a greater attack surface.
It is crucial to confirm that the tool used for data extraction and analysis (AXIOM, XRY, among others) is at the analyst discretion or according to availability. Also, it is still possible to combine other tools to make additional acquisitions.
In devices with a security patch or latest binary firmware version, modifications in the architecture or system organization may occur. These modifications may also occur in the implementation of a new security mechanism that prevents the methodology from working precisely as detailed, requiring the analysis of specific cases that are beyond the control of the proposed actions.
Future Work
As future work, we intend to add to the set of techniques already applied, the
Chip-off technique, and the technique presented by Alenadl et al. [
34], aiming to bypass Samsung’s secure boot mechanism. A methodology for bypassing the lock screen password without using the Combination Firmware is also being studied, as well as a technique that deals with component swapping, including damaged smartphones. Finally, we intend to study techniques that allow data acquisition from smartphones that use the Universal Flash Storage (UFS) memory type.