The method for acquiring an Android device often depends on four variables:

  •  Is the device locked?

  •  Is the encryption Full Disk or File Based?

  •  Is USB Debugging enabled?

  •  To which tools do you have access?

If the device is unlocked, you can essentially access it using the Logical, File System/Backup, or Full File System/Physical acquisition methods with your preferred smartphone forensic tool, or simply by using ADB. Verify that all data was obtained, and acquire the data with more than one method. If the device is locked and USB Debugging is not enabled, the Cellebrite UFED should be used to attempt a physical acquisition. Not all Android devices are supported by this feature. JTAG, ISP, and chip-off may work on locked Android devices where USB Debugging is not enabled, but the data may be encrypted.

Logical acquisition copies "some" of the data that the user can see. This includes active files that are accessible through the operating system. Logical acquisition does not capture deleted data in unallocated areas. What may be captured is data marked as deleted that still resides in database files, waiting to be recovered, as covered in Section 1.

File System acquisitions, by normal standards, provide a logical representation of the files on the device. Forensic tools, such as Cellebrite UFED or Premium, may provide access to the full file system of the device. The logical data is still obtained during a file system acquisition, but the examiner is also given access to raw files and/or a backup stored within the file system. For devices that aren't supported by Cellebrite, the Generic Android Method works well. For Android knock-off devices, the Generic Android Method is a great solution! Additionally, I dump most of my Android devices using this method because Physical Analyzer runs all possible plug-ins against the device, which yields more parsed artifacts. It works really well when you can physically dump a device that was otherwise inaccessible!

To access this method, follow these steps:

1. Launch UFED.

2. Select Manually Browse for Device.

3. Select Smartphone.

4. Select Android.

5. Start with the recommended method and, if it fails, try the others.

6. Attempt Physical, File System/Backup, and Logical if all are offered.

Several tools are available commercially that support Logical, File System/Backup, and Physical acquisition of Android devices. Each tool generally attempts to root the device for physical access and then reverts to creating a backup via ADB when all else fails. This means that you could really do all of the above acquisition methods for free if you are familiar with ADB and are comfortable interacting with roots and Android devices.

Regardless of how you create an image of an Android device, always mount the image or parse the dump to ensure you obtained the data in an unencrypted state. There is no worse feeling than obtaining a physical dump and not realizing it was encrypted until it is too late and the device has been returned. In the next group of slides, we are going to set your expectations for each acquisition image and what data will exist for each method of extraction.
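The checks described above (the FDE-or-FBE question, ADB-based acquisition, and confirming a dump is actually unencrypted before the device goes back) as an added example, not code from the original course material: it reads the device's encryption state from `adb shell getprop` output, inspects the header of an `adb backup` .ab file for its encryption field, and looks for the ext4 superblock magic in a raw partition image. The property names and header layout are Android's own; the sample inputs below are constructed, not captured from a real device.

```python
import struct

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.build.version.release]: [10]
"""

# Constructed .ab headers: `adb backup` writes four text lines, then the payload.
SAMPLE_AB_PLAIN = b"ANDROID BACKUP\n5\n1\nnone\n<tar payload>"
SAMPLE_AB_ENCRYPTED = b"ANDROID BACKUP\n5\n1\nAES-256\n<salt and ciphertext>"

# Constructed raw image with only the ext4 superblock magic (0xEF53 at 0x438) set.
SAMPLE_EXT4 = bytearray(2048)
SAMPLE_EXT4[0x438:0x43A] = b"\x53\xEF"


def parse_getprop(text):
    """Turn `getprop` output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props


def encryption_mode(props):
    """Classify the device as 'FBE' (file based), 'FDE' (full disk) or 'none'."""
    if props.get("ro.crypto.state") != "encrypted":
        return "none"
    return "FBE" if props.get("ro.crypto.type") == "file" else "FDE"


def backup_header(blob):
    """Parse an `adb backup` header: (version, compressed, encryption algorithm).
    Returns None if the blob is not an Android backup file."""
    lines = blob.split(b"\n", 4)
    if len(lines) < 4 or lines[0] != b"ANDROID BACKUP":
        return None
    return int(lines[1]), lines[2] == b"1", lines[3].decode()


def looks_like_ext4(image):
    """True if the image carries an ext4 superblock magic, i.e. it is a
    plaintext file system rather than an encrypted (FDE) partition dump."""
    if len(image) < 0x43A:
        return False
    return struct.unpack_from("<H", image, 0x438)[0] == 0xEF53
```

A backup whose header reports `AES-256` needs the user's backup password before anything can be parsed, and a partition image with no recognizable superblock should be treated as encrypted until proven otherwise.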