Android Mobile forensics with custom recoveries

Android forensics and

Custom Recoveries Ibrahim M. El-Sayed

1

Outline

Introduction to Android

Custom Recoveries

Custom recoveries and Forensics

Challenges and Goals

Conclusion

2

Introduction To Android

Android ?

Robot with a human appearance

Open-source operating system currently

Developed by Google

3

Android Market Share (US)

Introduction To Android

4

Introduction To Android

Android Market Share (Else Where)

5

Introduction To Android

Android Architecture

6

Introduction To Android

Android partition layout

/system: mounted read-only system files

/data: user data and applications

/cache: partition used by the dalvik machine for

performance

/boot: the kernel of device

/recovery: minimal kernel + file system

/sdcard: removable sdcard

7

Custom Recoveries

What are Recoveries partition?

A mode on android devices that boots a minimal Linux

environment. (Similar to Safe-mode in Windows OS)

Why stock recoveries?

Update The Operating System

Backup and maintenance

8

Custom Recoveries

How do their architecture look like?

9

RECOVERY.IMG

Digital forensics

Digital forensics: is a branch of forensic science

encompassing the recovery and investigation of

material found in digital devices, often in relation to

computer crime.

Digital Forensics Process

10

Seizure Acquisition Analysis Reporting

Custom recoveries and

Forensics

What might be the relation between Custom Recoveries

and Forensics?

File system is not encrypted!

Boot-loaders!

Hypothesis: If we managed to develop a custom recovery

with forensics functionalities, we will be able to

forensically analyze mobile devices

What are the forensics functionalities?

11

Custom recoveries and

Forensics

Forensics Functionalities – Viaforensic!

Passphrase/pin/pattern bypass

Logical data acquisition

Physical data acquisition

Rooting

Adb Shell

12

Custom Recoveries

How to develop a Custom recovery?

1. Install Linux/Mac OsX to start building

2. Download Cyangonmod source code

3. Develop the forensics functions

4. Build your Custom Recovery

5. Flash it on the device if you have the correct device

configuration!!!

13

Custom Recoveries

Develop the forensics functions

Logical Acquisition

Physical Acquisition

Rooting

ADB

14

Custom Recoveries

Build Custom Recovery

Known devices in Cyangonmod source tree. (Samsung S3)

Let’s see the Build guide provided by Cyangonmod

website :)

15

Custom Recoveries

Build Custom Recoveries for new devices!

What is the needed information?

Partition info

BoardConfig

kernel

Information Gathering

1. Already built stock-ROMs

2. Pull from rooted devices

3. Mobiles are similar

How much possible you will get device configuration?

16

Custom Recoveries

Flashing your Custom Recovery

ODIN/Heimdall

Samsung devices

fastboot

Almost all other android devices

HBOOT

17

Testing

The technique have been tested with

Samsung Galaxy S2, S3, S4

Samsung Note I, Note II

Oppo N1

Theortically applicable with

90% of Samsung devices

Why Samsung is THAT bad?

It also possible with

Sony devices

Might work with

Nexus

HTC

18

Challenges and Goals

Challenges

Locked boot-loaders

Device configuration

Goals

Boot from SD-Cards

Bypass locked boot-loaders

19

Acknowledgments

Eng. Waleed Zakira

Eng. Mohamed Nasr

Eng. Mohamed Zaki

Eng. Mahmoud Raouf

20

Any Questions ?

21