Comparison of Mobile Forensic Tools to Extract Data from Various Android Devices


Abstract

Wireless technologies and mobile devices have changed the way we live. As the number of smartphone users rises, most people rely on their phones for communication and work. The same devices are also used by criminals, so a smartphone may hold data that can serve as digital evidence in an investigation. Retrieving that data from an Android phone, however, is often difficult for investigators. This paper extracts data from Android phones with several forensic tools, compares the results, and identifies the most effective tool among them.


1.         Introduction

Mobile phones were originally built to connect people in different parts of the world. The first handsets were large and heavy, carried an external antenna, and did little beyond voice calls; their cost kept usage low. Today a phone is used for alarms, e-mail, sharing photos and videos on social media, online shopping and much more, and its uses keep expanding. Mobiles have become an inevitable part of daily life, so users are responsible for keeping their personal information private and for limiting what they share. The massive growth in smartphone numbers cannot be overlooked, and the convenience they provide is accompanied by data breaches.

Every mobile phone runs an operating system that executes its programs and application software. Android is an operating system based on the Linux kernel; Android Marshmallow, Android Nougat and Android 11 (the newest version at the time of writing) are examples of its releases. Manufacturers including Samsung, Sony, Realme, Vivo, Huawei, HTC and Motorola ship Android on their products.


The first Android phone for sale was announced in September 2008, and Android shipments have grown ever since: the figures cited here show an 11% increase in 2020, with 167–168 million units sold, and 187–190 million units anticipated for 2022. This variety of devices and versions makes it hard for an investigator to gather pertinent information from an accused person's phone. A further problem arises when an incompatible forensic tool, or one that does not support the phone's operating system version, is used for acquisition: the device may freeze on its boot screen and no data can be extracted.

Mobile forensics, a growing branch of digital forensics, aims to gather digital evidence from mobile devices: any data on the device that the law recognises as evidence. As phone usage has increased, so has misuse, in countless ways. Forensic examination of mobile phones can be demanding at both the practical and the evidentiary level; without the required knowledge and skills, an examination can jeopardise the success of litigation.

Much acquisition research has focused on Android phones. The goal of an acquisition is to collect and recover relevant information, including deleted data, for analysis and presentation in court.

Mobile forensics distinguishes two acquisition methods, logical and physical. A logical acquisition copies the files and records that the operating system exposes; a physical acquisition copies the storage bit by bit, which also captures deleted data that still resides in unallocated space. Smartphone data is volatile and can be overwritten by normal use, so physical acquisition is preferred where it is possible. On a device whose storage is encrypted, a physical image is only useful if the keys can also be obtained, which is why a locked, unrooted handset with encrypted storage often yields nothing (see [11] below).

Physical acquisition tools are further grouped into hardware-based and software-based tools. For a physical acquisition an Android phone must be booted into a custom bootloader or custom recovery, or run in normal mode with root access.

Some of the most commonly used mobile forensic tools are UFED, XRY, MOBILedit, and Oxygen Forensic.


UFED

UFED (Cellebrite) is a commercial forensic tool that can perform physical, logical and file-system extractions, recover passwords, and decode, analyse and report on the data from a wide variety of platforms and devices, including Android. It supports extraction from a broad range of Android versions.

XRY

XRY (MSAB) collects data from a range of devices, including smartphones, tablets, routers, MP3 players and GPS units, and runs on Windows. It comes in three variants: XRY-PinPoint, XRY-Physical and XRY-Logical. Secured XRY files can be opened with the XRY Viewer program. The product is licensed, and its most recent update supports 847 different apps.

MOBILedit

MOBILedit retrieves both system information and user data: the contact book, call logs, text and multimedia messages, files, calendar, notes and reminders, raw application data, the IMEI, operating system and firmware versions, and location data.

Oxygen Forensic

Oxygen Forensic supports both logical and physical acquisition and also reports comprehensive details about the handset and the network connection it was linked to.


1.1       History

Mobile device forensics developed during the 1990s and 2000s. Law enforcement organisations have long recognised the role that mobile devices play in crime, owing to the wide availability of these devices on the consumer market and the growing range of communication channels they support.

Early mobile device forensic investigations used techniques similar to those of early computer forensics, such as reading phone contents directly from the screen and photographing significant content. As the number of handheld devices grew, researchers called for faster data-retrieval techniques because this manual method proved slow. Examiners sometimes used synchronisation software to back up data from a phone or PDA to a forensic workstation for imaging, or simply examined the storage of a suspect's PC to which the device had been synced. Such software, however, could write to the phone as well as read from it, and it could not recover deleted information.

Flasher boxes were built by OEMs to flash a phone's memory for debugging or updating, and some investigators found that they could recover even deleted data with them. Flasher boxes were not designed as forensic tools, though: they are intrusive, can alter data, are difficult to use, and rarely provide hash verification or an audit trail. Better solutions were therefore still required for physical examinations.

These demands led to commercial systems that let examiners extract phone memory easily and analyse it separately. As these products matured, specialised software made it possible to recover deleted data even from proprietary mobile devices.

1.2       Professional Application

Mobile device forensics is most commonly used in crime investigations, although it can also be helpful in other contexts, including business and private investigations, civil and criminal defence, special operations, and electronic discovery.

1.3       Types Of Evidence

The quantity and variety of information that can be found on a smartphone keep growing as the technology develops. Evidence may reside in the handset's internal memory, on the SIM card, and on any associated memory cards such as SD cards.

•        Internal Memory

Today's smartphones mainly use NAND or NOR flash memory.

•        External Memory

Subscriber Identity Module, Secure Digital cards, Multi Media cards, Compact Flash cards, and the Memory Stick are examples of external memory devices.

•        Service provider logs

Cellular carriers' call detail records are not part of mobile device forensics proper, but they frequently corroborate evidence recovered from the seized phone. They are useful when the phone's call history or text messages have been wiped, or when location services were not enabled. Cell-site (tower) dumps and call detail records can reveal the location and movement of the phone's owner. Together, carrier and device data can confirm information from other sources, such as eyewitness accounts or surveillance footage, or narrow down the area where a non-geotagged image or video was shot.

2.         Motivation

Relevant information is isolated from unrelated data and analysed so that police agencies can connect it to the case, and the court can then consider this digital evidence. The data-extraction techniques that work on a given Android handset depend on its architecture and manufacturer.

3.         Literature Review

Adam et al. [1] used three devices, a Nokia Lumia, an iPhone and a Samsung Galaxy Note, with UFED and Oxygen Forensic; the WhatsApp versions were 2.11.516.0 for Windows Phone 8.1, 2.12.109 for Android and 2.12.3 for iOS. The scenario assumes WhatsApp is used to send and receive illegal files or to organise illegal activities. The study examined data saved on the device but not transmitted over the network, employing various techniques to access particular kinds of data specific to the user or to the contacts the user had dealt with. UFED and Oxygen Forensic were found to recover all of the evidence from the Android and iOS devices.

Taniza et al. [2] extracted a Samsung Galaxy Note III with UFED. The purpose was to present smartphone data as a source of evidence and to show how it supports analysis. The data obtained after analysis comprised fixed digital information, changeable digital information, file-system information (calendar, phone logs, e-mails, contacts, SMS) and data files (audio, documents, images and video). The study shows the extensive and sensitive personal information, including deleted data, that a smartphone yields and that investigators can use to solve digital crimes.

Firdous et al. [3] performed physical acquisition of an Android phone with UFED, Oxygen Forensic, XRY, Device Seizure (DS), LiME, MOBILedit, viaEXTRACT, Mobile Phone Examiner Plus, Android Physical Dump (APD), Android Digital Autopsy (ADA), Hawkeye, Android Memory Extractor (AMExtractor) and Andropsy. The tools were compared on cost, ease of use, data recovery with a screen lock in place, data integrity, partition data recovery, export options, the forensic phases supported and support for generic Android smartphones. The commercial tools (Oxygen and Cellebrite UFED) were found to be reliable, easy to use, applicable to a wide range of Android smartphones and versions, and to support all forensic phases, but they cannot be used when the target phone is locked and they are expensive. The open-source tools are the opposite in most respects but still reliable. The study sets a benchmark for comparing new tools against existing ones.

Nihar et al. [4] surveyed data extraction from Android phones with Andriller, XRY, UFED, Oxygen Forensic, MOBILedit, Droidspotter, Volatility, Mobile Phone Examiner Plus and viaEXTRACT/NowSecure, and examined manual, physical and logical acquisition with their limitations. The results are tabulated by whether the tool is free or proprietary, the number of devices supported, and the platforms other than Android supported. Volatility offers many APIs that forensic experts can use and extend; Oxygen Forensic is rich in features and reporting options, including GUI-based graphs, and has the highest number of supported devices.

Radhika et al. [5] used Autopsy, SIFT, MOBILedit and UFED on an Apple iPhone 5S, Apple iPhone 6S, Sony Ericsson Xperia Pro MK16i, Samsung Note N7000, XOLO Club A500, LG Nexus 5, Nokia Lumia 1320 and BlackBerry Curve 9320 to evaluate the level of device support each tool offers. All four tools were run from the examiner's computer. The commercial tools delivered the quickest and most precise results and additionally offered removal of user-level encryption through physical extraction, recovery of deleted data by file carving, better efficiency for both dead and live analysis, and disclosure of user identity. The authors note that future testing of open-source and commercial tools in more advanced environments is possible.

Imam et al. [6] evaluated how well existing mobile forensic tools acquire data (text, pictures, audio and video) from the LINE messenger application. The study focused on physical acquisition, so the smartphones had to be rooted. The tools selected were MOBILedit and Oxygen Forensic.

Oxygen Forensic performed well at timeline analysis, which is useful to an examiner. It recovered text messages but no picture or video files from the LINE acquisition. MOBILedit recovered text messages, pictures and deleted contact data, but failed to order the LINE conversations sequentially; the timestamp on each message still makes the output usable. Further work could examine other forensic tools and devices.

Mayuri et al. [7] follow a layered architecture for mobile forensics, using MOBILedit. The extracted information identifies the device ID, name, model and manufacturer, and the IMEI number, and includes call logs, messenger data, phone book, calendar and notes. Such a mobile forensic framework is of great value in identifying culprits and the motive for a crime.

Tofan et al. [8] analyse unsent (retracted) messages on mobile phones, with three actors: sender, receiver and law enforcer. The tools were UFED and MOBILedit, and the devices a Samsung J2 Prime (attacker) and a Samsung J7 Prime (victim). In the scenario the sender sends a message prohibited under Indonesian law and then deletes it. UFED proved more powerful than MOBILedit because it could find artefacts of unsent messages in Viber, Skype, Telegram, Facebook, Instagram and WhatsApp, though not in LINE or Snapchat. MOBILedit found no artefacts because the phone was not rooted.

Afif et al. [9] model two suspects communicating through the IMO Messenger application on two smartphones: a seller talks to a buyer, the conversation is stored on each device, and the perpetrator then deletes it. The tools were MOBILedit, DB Browser for SQLite, FTK Imager and Belkasoft. The seller's phone was rooted and the buyer's was not. Acquisition of the rooted device yielded chat files, images, audio, video, the perpetrator's account and the times of the deleted chats. The unrooted phone yielded nothing, because it could not be imaged to extract the data. The authors hope the study gives the public insight into the mobile forensic process so that they use social media carefully and avoid crime.

Nuraimi et al. [10] perform logical acquisition following the models of Sathe and Dongre (2018) and Dongre and Akbal (2017): identification, isolation, acquisition, analysis and reporting, carried out in a forensically sound manner. Wondershare Dr. Fone for Android, MOBILedit Forensic and FonePaw for Android were run against an Oppo F9 and a Samsung S7 Edge. Results are scored as capability = (number of items extracted / number of items on the handset) × 100, broken down into contact, message, photo, video and audio acquisition; a tool that extracts fewer items from a handset holding more of them therefore scores a lower capability than the others. Wondershare Dr. Fone for Android acquired all handset data except messages and documents, MOBILedit Forensic was weak on media such as photos and videos, and FonePaw for Android varied because its acquisition limit was reached, depending on how much data each handset held. Both phones were logically acquired successfully with all three tools. The work helps law enforcement choose suitable tools based on the Android features and file types involved.

Trisna et al. [11] use a fabricated phishing scenario with constructed phone numbers, usernames and identities. The perpetrator shares a lottery URL; when the victim fills in the form, the perpetrator obtains the victim's personal information and then deletes the URL. The simulation uses 11 numbers, one for the criminal and ten for phishing, and both the victim's and the perpetrator's phones are examined with MOBILedit and Belkasoft, after which the evidence is analysed and reported. The phones were a Samsung Galaxy J3 Pro (smartphone 1) and a Samsung Galaxy J6 (smartphone 2). From smartphone 1 the tools recovered account numbers, contacts, text messages and images, but not the deleted text messages. Smartphone 2 yielded nothing at the acquisition stage because its storage was encrypted and it was not rooted. The study used old Android versions; future experiments could use the latest versions and both paid and free software.
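Several of the studies above ([1], [6], [8], [9], [11]) turn on whether a deleted or "unsent" chat message can still be recovered from the app's SQLite database, and [9] does exactly this with DB Browser for SQLite on a rooted phone. The script below, added here as an illustration and not taken from the paper or from any vendor tool, reproduces that effect on a constructed chat table: a message is deleted through SQL, a normal query no longer shows it, yet its bytes remain in the freed cell of the database page and a raw scan of the file finds them. The same run with SQLite's secure_delete enabled, which zeroes freed cells, shows why recovery sometimes fails even on a rooted device. The table schema, sender names and message bodies are invented for the example and are not any real messenger's layout.

```python
"""Recover a deleted chat record from an SQLite file by scanning raw bytes.

Added example; constructed schema and messages, not a real app's database.
"""
import os
import sqlite3
import tempfile

# Constructed sample chat (loosely the "sender deletes a prohibited message"
# scenario); these rows are made up for the example.
SAMPLE_MESSAGES = [
    ("buyer", 1650000000, "is the listing still available?"),
    ("seller", 1650000060, "claim your lottery prize at http://example.invalid/claim"),
    ("buyer", 1650000120, "ok, sending the details now"),
]
DELETED_ID = 2  # row id of the message the sender retracts


def build_chat_db(path, secure_delete):
    """Create the chat database, then delete one message as an app would.

    secure_delete=False is SQLite's usual behaviour: the freed cell keeps its
    payload bytes.  secure_delete=True makes SQLite zero the freed cell."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=DELETE")  # keep every page in the main file
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE messages("
        "id INTEGER PRIMARY KEY, sender TEXT, ts INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages(sender, ts, body) VALUES (?, ?, ?)", SAMPLE_MESSAGES
    )
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    conn.commit()
    conn.close()


def live_messages(path):
    """What a logical extraction (or the app itself) reports after the delete."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(
            "SELECT id, sender, body FROM messages ORDER BY id"
        ).fetchall()
    finally:
        conn.close()


def carve_strings(path, needle):
    """Offsets of `needle` anywhere in the raw file, including freed cells
    inside b-tree pages that SQL queries no longer return."""
    with open(path, "rb") as fh:
        raw = fh.read()
    hits, start = [], 0
    while True:
        idx = raw.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def demo(secure_delete=False):
    """Run the whole scenario in a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "chat.db")
        build_chat_db(db, secure_delete)
        live = live_messages(db)
        needle = SAMPLE_MESSAGES[DELETED_ID - 1][2].encode()
        carved = carve_strings(db, needle)
    return {
        "live_ids": [row[0] for row in live],          # [1, 3]: row 2 is gone
        "deleted_body_recovered": bool(carved),        # True unless secure_delete
        "raw_offsets": carved,
    }


if __name__ == "__main__":
    print("secure_delete=OFF:", demo(False))
    print("secure_delete=ON :", demo(True))
```

On a real handset the database is taken from the app's private data directory (hence the need for root or a physical image), and the -wal and -journal files next to it must be collected too, since recent changes may live there rather than in the main file. Once the app vacuums the database or the page is reused, the freed bytes are gone, which is the practical reason the papers above stress isolating the device quickly.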

4.         Objective

To extract data from live Android smartphones

5.         Problem Statement

What are the top forensic tools for analysing Android smartphones based on various evaluation criteria?

6.         Proposed Methodology

The primary goal of this study is to recover deleted data, call logs, backup details and times, IMEI numbers, text messages, model numbers, device IDs, OS versions, notes, documents, video and audio from Android smartphones. The tools used are UFED, MOBILedit, XRY and Oxygen Forensic, because these are the tools investigators use most.

The phones in this study were Samsung, Vivo, Realme and Redmi handsets, chosen for their market share and the popularity of their respective Android builds. Before the study, the phones were used extensively by real users so that the results would be as close to actual practice as possible.

Data is extracted by physical acquisition, so each smartphone must already be rooted.

6.1     Working Model

Collection: the Android phone is placed in a Faraday bag for network isolation, so that no remote wipe or incoming data can overwrite evidence.

Extraction: in the second step, data is extracted from the device with forensic tools, which also organise it for examination.

Examination & Analysis: digital evidence is identified in the extracted data using scientific procedures, whether that evidence is obvious or concealed.

Results & Discussion

The results obtained are made into a report and used for further investigation.
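The working model above ends with a physical image that the examination step must search for evidence, including deleted pictures that no longer appear in the file system, and the history section notes that early flasher boxes gave no hash verification or audit trail. The following script, added here as an illustration and not part of the paper or of any of the four tools, shows the two basic operations an examiner performs on such an image: hashing the image before and after examination to prove it was not altered, and carving JPEG files from the raw bytes by their start-of-image and end-of-image markers, which finds pictures in unallocated space as well as allocated files. The image it works on is constructed in memory (filler bytes plus three JPEG-shaped blobs, one of them truncated); the marker values are the real JPEG ones, the size limit is an assumption.

```python
"""Hash-verify a physical image and carve JPEGs from its raw bytes.

Added example with a constructed image; not the paper's or a vendor's code.
"""
import hashlib
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"   # start of image, always followed by a marker byte
JPEG_EOI = b"\xff\xd9"       # end of image
MAX_JPEG = 4 * 1024 * 1024   # assumed cap: stop looking for an EOI after 4 MiB


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image, max_len=MAX_JPEG):
    """Return (offset, data, complete) for every JPEG-looking blob in `image`.

    The scan ignores the file system entirely, which is what lets it find
    pictures whose directory entries were deleted.  A header with no EOI
    within max_len is reported truncated (complete=False) instead of
    swallowing the rest of the image."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:
            found.append((start, image[start:start + max_len], False))
            pos = start + len(JPEG_SOI)
        else:
            found.append((start, image[start:end + len(JPEG_EOI)], True))
            pos = end + len(JPEG_EOI)


def _fake_jpeg(payload, complete=True):
    """Constructed JPEG-shaped blob: SOI + APP0 marker + payload (+ EOI)."""
    blob = b"\xff\xd8\xff\xe0" + payload
    return blob + JPEG_EOI if complete else blob


def build_sample_image():
    """Constructed 'physical image': deterministic filler with no JPEG markers,
    two complete pictures and one truncated picture (no EOI)."""
    filler = bytes(range(256)) * 4                # 1024 bytes, never ff d8 / ff d9
    return (filler + _fake_jpeg(b"first photo")   # offset 1024
            + filler + _fake_jpeg(b"second photo, deleted")  # offset 2065
            + filler + _fake_jpeg(b"partially overwritten", complete=False)  # 3116
            + filler)


def examine_image(path):
    """Hash the image, carve it, hash it again; the hashes must match."""
    with open(path, "rb") as fh:
        before = sha256_hex(fh.read())
    with open(path, "rb") as fh:
        pictures = carve_jpegs(fh.read())
    with open(path, "rb") as fh:
        after = sha256_hex(fh.read())
    return {"hash_before": before, "hash_after": after,
            "integrity_ok": before == after, "pictures": pictures}


def run_demo():
    """Write the constructed image to a temp file and examine it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "userdata.img")
        with open(path, "wb") as fh:
            fh.write(build_sample_image())
        return examine_image(path)


if __name__ == "__main__":
    result = run_demo()
    print("integrity ok:", result["integrity_ok"], result["hash_before"])
    for offset, data, complete in result["pictures"]:
        print(f"offset {offset}: {len(data)} bytes, complete={complete}")
```

In practice the image is acquired once (for example with a write-blocked reader or the tool's physical extraction), its hash is recorded in the case notes, and every later examination, by any of the four tools or by a script like this, is run against a copy and re-hashed so that the report can state the evidence was unchanged. Carving by markers alone produces false positives and cannot recover fragmented files, which is why the commercial tools in [5] combine it with file-system parsing.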

7.       Expected Outcome

This research is expected to find the best forensic tool for most Android smartphones and give law enforcement agencies an idea about mobile forensic tools.

8.       Conclusion

Recovering digital evidence from proprietary mobile phones that use varied platforms is challenging for forensic analysts, but data can be extracted from Android devices with the proper tools and techniques. An examiner must understand the phone's architecture, operating system, computer forensic methods and the forensic tools before data extraction and file recovery can be completed. Contacts, call history, calendar, photos, e-mail, SMS and GPS data are all handled in the extraction.

9.         References

Authored By

This article is written by Gauri Manoj. She is pursuing her Master’s in Digital Forensic Science from Rashtriya Raksha University, India.
