Imaging Android Smartphone for Forensics Investigation

This article describes the main techniques for imaging an Android device for forensic analysis or for full backup purposes, using the free and open source tools RomDump and ADB (Android Debug Bridge, part of the standard Android SDK, available for Windows, Linux and Mac).

The first step consists in making sure that your device is rooted:
1. Rooting gives you super-user permissions to take control of the device.

2. Each device has its own rooting procedure, so search Google for the right procedure for your device brand, model and Android version.

3. Once the device is rooted, download RomDump from the link above and install it by simply following the installer procedure.

4. Once RomDump is installed, download the Android SDK from the link above and install ADB: launch the Android SDK installer, deselect all of the entries except "Android SDK Platform-tools" and click "Install".

5. Then install the USB drivers: launch the SDK Manager from the SDK folder, click "Available packages" in the left pane, expand "Third party Add-ons" followed by "Google Inc. add-ons", select "Google Usb Driver package" and click "Install" to start the installation.

6. Now, on the device, go to the home screen, press Menu, select Applications -> Development, and enable USB Debugging.

7. Connect the device to the PC via USB: the new hardware installation should kick in and start looking for the drivers.

8. Manually point the driver search to the folder for your operating system and let the drivers install.

9. Once the drivers are installed, verify the installation in Device Manager: the device should show up under "ADB Interface".

ADB Method:

1. Download RomDump from the link given below, extract the file named "install" from the downloaded zip archive and copy it to the "tools" folder of your Android SDK installation.

2. Connect your phone to your computer via USB and make sure USB debugging mode is enabled in Settings >> Applications >> Development.

3. Open a command prompt window and enter the following commands:
adb push install /data/local/ 
adb shell chmod 04755 /data/local/install 
adb shell /data/local/install

4. You might see some output from the above command. Wait until it finishes.

5. Enable and then disable Wi-Fi on your Android phone. If it was already enabled, disable, enable and then disable it again.

6. Type this command in the command prompt window on your computer:
adb shell romdump

7. Wait for the process to finish and you’re done: you may now exit the command prompt.

Terminal Method:

1. Download RomDump from the link given below, extract the file named "install" from the downloaded zip archive and copy it to the root of your phone's storage card.

2. Launch Android Terminal Emulator (or any other terminal app of your choice) on your Android phone and enter these commands:
su -
cat /sdcard/install >/data/local/install
chmod 04755 /data/local/install
/data/local/install

3. You will see some output from the above command. Wait until it finishes.

4. After this last line has appeared, enable and then disable Wi-Fi on your phone. If it was already enabled, disable, enable and then disable it again.

5. Type this command in Terminal Emulator:
/system/bin/romdump

6. Wait patiently until the process finishes and you're done. You may now exit Terminal Emulator.

Once the above steps are completed successfully with either of the two methods, you will find a folder named "romdump" on the root of your SD card that contains a subfolder named after your device model. This subfolder contains the boot, system and recovery partition images.

dd Method (If The Above Does Not Work):

1. If the methods above based on RomDump fail, you can still acquire an image of the Android device by using ADB and dd.

2. Do NOT attempt to back up the system partition using this method: the system image it produces will NOT be a valid image for restoring your system partition later. Use it only for the recovery and boot partition images.

3. If you are using ADB, connect your device to your computer via USB, launch a command prompt window on your computer and enter the following command:
adb shell

4. If you are using Terminal Emulator instead, just launch it on your Android phone and enter the following command and agree to grant any permissions you’re prompted for:
su -

5. The remaining process is the same for both ADB and Terminal Emulator. Enter the following command:
cat /proc/mtd

6. You will get an output similar to this (results may differ from the output below and you must proceed according to the output that you get):
dev:    size     erasesize     name 
mtd0: 000a0000   00020000     "misc" 
mtd1: 00480000   00020000     "recovery" 
mtd2: 00300000   00020000     "boot" 
mtd3: 0fa00000   00020000     "system" 
mtd4: 02800000   00020000     "cache" 
mtd5: 093a0000   00020000     "userdata"

7. To dump the recovery image to your SD card, note the first word of the line that ends with "recovery". It is "mtd1" in this example but may be a different entry for you. Now use this command, replacing "mtd1" with the mtdN from your output, if different:
dd if=/dev/mtd/mtd1 of=/sdcard/recovery.img bs=4096

8. Similarly, to dump the boot image to your SD card, note the first word of the line that ends with "boot", which is "mtd2" in our case but may differ for you. Use this command now, replacing "mtd2" with the "mtdN" entry from your output, if different:
dd if=/dev/mtd/mtd2 of=/sdcard/boot.img bs=4096

9. The recovery.img and boot.img are now backed up on the root of your SD card.

10. If you want to image the whole device (not only "boot" and "recovery"), repeat the dd command for each of the "mtdN" entries in the output above.
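As an added example (not part of the original post and not RomDump's code), the following POSIX shell script automates step 10: it takes a /proc/mtd listing (a constructed copy of the sample output above is embedded), and prints, for every mtdN entry, the dd command from steps 7 and 8 plus a sha256sum line so that each image is fingerprinted as soon as it is acquired. The output directory /sdcard/romdump and the file name hashes.sha256 are assumptions chosen for this example. Run it on the PC against the output of "adb shell cat /proc/mtd", then paste the printed commands into the adb or su shell.

```shell
#!/bin/sh
# Added example (not from the original post or from RomDump): turn a
# /proc/mtd listing into one dd + sha256sum command pair per partition.
# The directory /sdcard/romdump and the file name hashes.sha256 are
# assumptions chosen for this example.

# Constructed sample: the same shape as the /proc/mtd output in the post.
SAMPLE_MTD='dev:    size     erasesize     name
mtd0: 000a0000   00020000     "misc"
mtd1: 00480000   00020000     "recovery"
mtd2: 00300000   00020000     "boot"
mtd3: 0fa00000   00020000     "system"
mtd4: 02800000   00020000     "cache"
mtd5: 093a0000   00020000     "userdata"'

# mtd_dd_commands MTD_TEXT OUTDIR
# For every "mtdN:" line, print the dd command that copies the raw
# partition to OUTDIR/<name>.img (same bs=4096 as the post), followed by
# a sha256sum line that appends the image fingerprint to OUTDIR/hashes.sha256.
# A partition whose size is not a multiple of 4096 gets a warning on stderr,
# because dd with a fixed bs would then end with a short trailing block.
mtd_dd_commands() {
    mtd_text=$1
    outdir=$2
    printf '%s\n' "$mtd_text" | while read -r dev size _erasesize name; do
        case "$dev" in
            mtd[0-9]*:) ;;      # partition line
            *) continue ;;      # header or blank line
        esac
        dev=${dev%:}                        # "mtd1:" -> "mtd1"
        name=${name#\"}; name=${name%\"}    # "\"recovery\"" -> "recovery"
        bytes=$((0x$size))                  # size column is hexadecimal
        if [ $((bytes % 4096)) -ne 0 ]; then
            printf 'warning: %s (%s) is %d bytes, not a multiple of 4096\n' \
                "$dev" "$name" "$bytes" >&2
        fi
        printf 'dd if=/dev/mtd/%s of=%s/%s.img bs=4096 # %d bytes\n' \
            "$dev" "$outdir" "$name" "$bytes"
        printf 'sha256sum %s/%s.img >> %s/hashes.sha256\n' \
            "$outdir" "$name" "$outdir"
    done
}

# mtd_partition_count MTD_TEXT
# Number of partitions in the listing, to compare later with the number of
# .img files actually present in OUTDIR.
mtd_partition_count() {
    printf '%s\n' "$1" | grep -c '^mtd[0-9]*:'
}

# Stand-alone run: print the command list for the sample listing. On a real
# device, feed it the output of "adb shell cat /proc/mtd" instead.
mtd_dd_commands "$SAMPLE_MTD" /sdcard/romdump
```

The hash lines are the practitioner's check: recording a SHA-256 of each image at acquisition time lets you show later that the copy analysed is the copy taken. The script images the system partition too, since the post's warning in step 2 concerns restoring from that image, not examining it.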

From that tutorial, the results I obtained can be seen in the following image: (click to enlarge)


However, among several Android devices belonging to friends of mine, I have not yet tried full imaging of a device that has a pattern lock, so the user data may not have been saved to the external memory, and the fatal effect is that data that should have been useful is not found. Such a device will only leave traces behind, and in the analysis only slack / free space is recorded. Slack is unallocated space left over from previously used sectors, which arises when the space is not completely filled with data. For example: when you delete 5GB of data, that sector / space becomes unallocated space; then, when you want to write 3GB of data, roughly 2GB remains, and that 2GB of data is what is called slack.
That slack data can actually be recovered, provided that the imaging process really succeeds in saving all the data in memory, both internal and external. When it succeeds, all data, including data that has already been deleted, can be restored, as I did with my friend's Android device.

Hope this is useful.

References:

Android Apps Security - Sheran Gunasekera
http://libgen.org/get?open=0&md5=bfa52f3aa4bd4ab27b3466f489717007