
Running head: MY ANDROID ANALYSIS

My Android Analysis
Marie Whiting
University of Advancing Technology

My Android Analysis

Physical Examination of the phone


Before using any forensic tools, a simple examination of the phone yields some
information. Moving through the menu to the About tab shows the Status (battery status,
battery level -- 98%, factory data reset -- unknown, network -- Verizon Wireless, signal strength
-- -107 dBm 33 asu, mobile network type -- LTE, service state -- voice: in service / data: in
service, roaming -- not roaming, mobile network state -- disconnected, my phone number, MIN,
PRL version, ERI version, IMEI, IMEISV, ICCID, IMS registration status, IP address, Wi-Fi
MAC address, Bluetooth address, up time, and phone status).
Clicking on Legal Information opens up Open source licenses (see the screenshot Open
source licenses), Google legal (which lists languages), and License settings -- DivX VOD.
Other information listed includes the phone name, model number -- SCH-1545, Android
version -- 5.0.1, Baseband version, Kernel version, Build number, SE for Android status,
Secure boot status, Hardware version, Security software version, KNOX version, and
Configuration version.

Acquiring a Physical Image of the Android Phone


Forensic tools were used in order to acquire a physical image of the data on the phone.
The first step was to download MOBILedit Forensic Lite on my computer using the download
URL at http://www.mobiledit.com/downloads.htm?show=8. Once this was completed, I could
then proceed to establish the environment on my phone for the tool to be effective.
On my phone, I went to Settings, chose the last tab labeled More, selected Developer
options, and turned on USB debugging. I then downloaded the drivers for the phone, labeled the
Android device driver pack. (See the figure below -- Welcome to the Compiled Driver Disk (Android)
Setup Wizard.)

Once this process was finished, I had completed the first two steps as listed on the
MOBILedit dialog box: (1) Install drivers for your phone, (2) If connecting Android, turn on
USB Debugging. I was now prepared to continue to (3) Now connect the phone to a computer.
I used a mini-USB cable to connect the phone and the computer. MOBILedit cautioned
that (4) If prompted, choose connection mode to PC Sync or COM port (NOT to Mass Storage);
however, this message did not appear. See the screenshot below that shows these MOBILedit
steps.

After connecting the phone, I received a pop-up that said that the software could not
detect a phone. I wiggled the USB cable to ensure that the cable was securely connected to both
the computer and the phone. I did not receive any further response or prompt from the
MOBILedit program, so I clicked the troubleshooting button, Why is my phone not listed?
After checking each step in the list below and then clicking on Next, my phone was
found!

The model, manufacturer, and port of the phone were listed in the new dialog box with the
message Cable connected phone detection. I'm not sure why the model is stated as
unauthenticated device. The manufacturer is listed as Android, and the port as
Android 895585D7.


With the proper steps taken and the device now recognized by MOBILedit, I was now
ready to run the software in order to collect the data on the phone.


With a click on Next, MOBILedit was ready to find and record the
phonebook, organizer, messages, files, user files, call history, text messages, multimedia
messages, calendars, notes, reminders, and raw application data. It can also acquire the IMEI,
operating system, and SIM details. I instructed the program to collect the whole file system.

I then clicked on Yes indicating I was ready to continue and interact.


The next step was to click on the case, which was labeled Case 1.


Clicking on Case 1 gave me a dropdown menu where the information was stored in a list of files.
The information listed in the phonebook gave me who the recipient was, the mobile number,
an email address, and a password, username, and login in the note section.


Opening up the different files gives more information. For example, the phone log shows
the number of missed calls, outgoing calls, and incoming calls. In addition, the name, number,
date, and time of each call are logged.

Here is a sample of the music log with some information redacted.


FTK Imager
With the data saved on the computer, I can now use FTK Imager to analyze the
information. In an investigation, normally I would use a write blocker to make sure the
information doesn't change as I investigate the data. However, I did not use one for my phone.
The phone, of course, has to be connected to the computer. Then, I had to mount the image in
FTK Imager, then click on Create Image in the drop-down menu. I also clicked on Add
Evidence. To the right of this there is a drive selection where I chose the image I had saved to
the computer. I then chose the physical drive with the image and saved the image using the
option labeled File, Export Disk Image.
The Drive/Image results were verified, as can be seen in the chart below. The phone name
is listed, along with the sector count, and the MD5 hash and the SHA1 hash were computed, compared, and
verified. FTK Imager can also image the entire physical drive as well as logical drives.


Any bad sectors were also listed. In this case, there were none.
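As an added illustration (not part of this report and not FTK Imager's own code), the following Python script reproduces the verification step described above: it computes MD5 and SHA1 over an image, derives the sector count, compares the results with the hashes recorded at acquisition, and shows that a single changed byte (the risk of working without a write blocker) is caught. The image bytes and the acquisition record are constructed inline.

```python
import hashlib

SECTOR_SIZE = 512  # bytes per sector, the unit in which the imager reports counts


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5 and SHA1 over an image in chunks (as a tool would stream a
    multi-gigabyte file) and return them together with the sector count."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    # Round up so a trailing partial sector is still counted.
    sectors = (len(data) + SECTOR_SIZE - 1) // SECTOR_SIZE
    return {"sectors": sectors, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(data: bytes, recorded: dict) -> dict:
    """Recompute the hashes and compare them field by field with the values
    recorded at acquisition, like the Drive/Image verification chart."""
    computed = hash_image(data)
    return {
        key: {"computed": computed[key], "recorded": recorded[key],
              "match": computed[key] == recorded[key]}
        for key in ("sectors", "md5", "sha1")
    }


def image_verified(result: dict) -> bool:
    """True only when sector count, MD5 and SHA1 all match."""
    return all(field["match"] for field in result.values())


# Constructed sample "image": 2048 bytes = 4 sectors (not real phone data).
SAMPLE_IMAGE = bytes(range(256)) * 8

# The acquisition record is simply the hashes of the pristine image.
ACQUISITION_RECORD = hash_image(SAMPLE_IMAGE)

if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE, ACQUISITION_RECORD))
    # Flip one byte: the sector count is unchanged but both digests differ,
    # which is what the hash comparison is there to detect.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    print(verify_image(bytes(tampered), ACQUISITION_RECORD))
```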

This shows some of the data that was available.


The image summary below gave me more information about the phone.


Autopsy
Another tool I used was Autopsy, as can be seen below. Images displayed on
the left-hand side were categorized into -- Documents and Settings, Program Files, System
Volume Information, Windows, and Orphan Files. Under Views, the file types listed were
images, videos, audio, and documents. Another view was recent files and results, including
bookmarks, cookies, web history, downloads, recent documents, installed programs, and devices
attached. Autopsy also added more information that I was able to gather about my phone by
identifying the different partitions and file systems.


The list above is pretty extensive as to the type of data that I retrieved on my phone -- recent
activity, hash lookup, file type identification, embedded file extractor, Exif parser,
keyword search, email parser, extension mismatch detector, E01 verifier, Android analyzer,
interesting files identifier, and PhotoRec carver.
My mobile phone, as with many other people's, has become a device I always have with
me. This miniature computer is powerful in that it captures data from phone calls to messaging to
images and much more. For those using their phone for criminal purposes, investigators with the
knowledge of the forensic tools available to capture the phone data will have a wealth of
information to take to the courts. In addition, knowing what is on our phones, as this exercise
showed, is valuable. The increase in exploiting network systems has a new avenue in the mobile
phone market, especially since many people are unaware of how susceptible their private
information is to hackers. Bluetooth, GPS, and social media like Facebook are tools criminals can
use to hack into someone's personal information, which may include passwords, usernames, and
bank account information. In addition, these features allow someone with the expertise to
possibly install a rootkit on someone's phone and control the device, leading to even more
damage.
Forensics like I performed on my phone are time-intensive but can provide vital
information to a case. The data needs to be collected both manually and through a forensic tool.
Then the information needs to be identified and analyzed for its value. Finally, the important
information needs to be pulled out and documented in an organized fashion.
To summarize, I began the phone extraction using a manual method where I physically
examined the phone. I gathered a lot of information this way, but I am sure there could be critical
data I would miss if I were to only use a manual examination. I then used a forensic tool,
MOBILedit, to examine a physical image of the phone. Every bit of data in storage can be viewed
with this type of tool -- pictures, files, phone logs, messages, and any other database present on
the device. Finally, I used both FTK Imager and Autopsy to view and then save the image to my
hard drive if I wanted to.
