
Sift Workstation


Contents

1. Introduction
2. Digital Forensics Model
2.1 Investigation Preparation
2.2 Seizure and Isolation
2.3 Acquisition
2.4 Examination
2.5 Analysis
2.6 Reporting
3. Learning outcomes
4. Lab Setup
4.1 Oracle VM VirtualBox Install
4.2 SIFT Install & Configuration
4.3 Connecting Real Device to SIFT Workstation
4.4 ADB Connection
4.5 Android Device Directory Structure
4.6 Install Android Emulator on SIFT Workstation
4.7 File Extraction & Uploading – File System Acquisition
4.8 Logical Acquisition
4.9 Physical Acquisition
5. Conclusion
6. References

1. Introduction

As technology has advanced, mobile phones have become part of criminal activity committed all
over the world, and the analysis of the data held on these phones is crucial to the investigation
of such crimes. This paper introduces the digital forensics model and demonstrates how to use the
SIFT Workstation to acquire and examine an Android phone.

2. Digital Forensics Model

A digital forensics model is the methodology used to uncover digital artifacts that can be relied
on in a court of law as evidence against cybercrime offenders. The model defines the procedure to
be followed by forensic examiners.

2.1 Investigation Preparation

Investigation preparation involves assessing the potential evidence so that the case can be
classified as cybercrime. The investigator needs to understand the case details, which aids
effective processing and classification of the case. The investigator must then identify the
potential sources of evidence.

2.2 Seizure and Isolation

Once the case has been reported and the forensic examiner has determined and classified the
cybercrime case, the examiner goes to the crime scene, takes control and secures the scene from
contamination by not allowing anyone to interact with the digital equipment or devices. According
to ACPO guidelines, the forensic examiner should photograph the digital devices at the crime scene
or site and keep a record of each device's status, including any on-screen details or
information. The device should then be powered off if it is on, to isolate it from the network and
prevent any use of the device that could tamper with the data on it. The forensic examiner should
seize chargers, cables, manuals, phone bills and packaging if possible, since the packaging
material may hold information useful to the examiner. The digital devices must be packaged well,
carried in specialised carriers and handled only by authorised personnel.

2.3 Acquisition

Acquisition entails collecting the digital media for forensic examination. The acquisition process
consists of creating a duplicate (copy) of the original digital device and maintaining records of
the actions taken. This step includes the review and generation of digital evidence for analysis.
Evidence collection is the first part of digital forensics, and at this stage evidence must be
identified, processed and documented. Two risks must be guarded against in this phase of the
investigation: the alteration and the loss of evidence. If these precautions are not taken, data
can be overwritten or even lost. A collection made incorrectly and without care can completely
compromise the investigation.

2.4 Examination

In the digital forensics process, the examination phase is the most important and the most
laborious for the professional. NIST advises that a copy of all information collected in the
collection phase should be made, so as not to alter the original state of the evidence, preserving
the integrity of the evidence found. During examination, one should extract, locate and filter the
information found so that only the most important information remains, the information that will
really help in solving the crime. The forensic professional must examine the devices found during
collection and extract files that may have been used in the crime, or that were deliberately
deleted or hidden. The filtering work is important to speed up the examination process.

2.5 Analysis

The analysis aims to examine the information collected in search of evidence, so that at the end
of the process a conclusion regarding the crime that originated the investigation can be
formulated. In the analysis, all sources of information should be investigated, so that it is
possible to identify criminal acts by the suspect or suspects.

It is important to recognise the way in which the criminal acted; this is essential for the
efficiency of the analysis stage, since it gives the expert a better ability to recognise evidence
in the collected material and to draw a specific line of investigation.

After extracting the data understood to be important to the investigation, the forensic
professional must apply their knowledge to interpreting the information in order to identify
suspects, places and events and to observe the relationships between them. It is usually
necessary to correlate information from several different sources. At this stage care is needed
so that the professional does not make mistakes, as the outcome depends on their knowledge.

2.6 Reporting

The last step of the investigation is the preparation of a report in which the expert is free to
describe the incident, since the expert is solely responsible for the document and everything
written in it. There is no standard model for preparing the report, only guidelines for its
preparation, and it must be written with the greatest clarity so that it is easy to understand.

3. Learning outcomes

The following are the benefits of working through this paper:

1. Be able to set up and configure a virtualised environment
2. Be able to use and administer the Linux operating system
3. Be able to install applications on a Linux system
4. Learn to use Linux terminal commands
5. Understand the file system
6. Learn the usage of ADB
7. Learn different forensic collection methods
8. Learn Android file system security and the weaknesses in the Android operating system

4. Lab Setup

VirtualBox Installation

This section details the steps and procedure for setting up a forensic lab. The paper first gives
the procedure for setting up VirtualBox, which is an open-source hypervisor.

SIFT Workstation Installation

It then follows with the setup of the SIFT toolkit, which is an open-source collection of forensic
tools. The SIFT Workstation is a preconfigured virtual appliance that contains all the necessary
tools for performing forensic examination. The workstation is built on Ubuntu. The paper finally
describes how the SANS SIFT toolkit can be used for mobile forensics.

4.1 Oracle VM VirtualBox Install

VirtualBox installation procedure:

Step 1:

Go to https://www.virtualbox.org/ and you will see a button named “Download VirtualBox 6.1”;
click on it.

Step 2:

You will be directed to https://www.virtualbox.org/wiki/Downloads, which lists different host
platforms to choose from. Choose Windows, since this paper uses the Windows platform for the
practical.

Step 3:

Once you click on the chosen host the download starts automatically. Once the download is
complete, locate the downloaded file in your download location.

Step 4:

Double-click on the file and click on Install. The computer will prompt you for installation
permission; click on Run.

Step 5:

The following window will open; click on Next.

Step 6:

The following window will open; leave everything at the default settings and click on Next.

Step 7:

You can choose your preferences, such as creating a desktop icon, and click on Next. Make sure
Register file associations is ticked.

Step 8:

The following window will open asking about resetting the network connection; click on Yes, since
it is needed.

Step 9:

You will be prompted with an install window as shown below; click on Install.

Step 10:

The installation will begin; please be patient, as it will take some time.

Step 11:

The following window will open indicating the installation is complete; click on Finish.

4.2 SIFT Install & Configuration

Now that we have successfully installed VirtualBox, we can install the SIFT Workstation.

Go to https://digital-forensics.sans.org/community/downloads; the following page will open. Click
on Download SIFT Workstation Virtual Appliance (.ova format).

The following registration page will open; enter your details and click Join. Once you join, the
download link will be sent to your email; click on the link and the following page will open.
Registration also gives you access to SANS white papers and open-source tools. Enter your details
and click on Login.

Once you log in, click on Digital Forensics and Incident Response; the following window will
open. Click on Download Now.

The following window will open; click on the download arrow, then click on sift-workstation.ova.
The download will start; the file is 4.7 GB, so be patient.

Once the download is finished, you can find the file in your download location.

Open the installed VirtualBox by double-clicking on it.

VirtualBox will open like the following.

Click on File, then Import Appliance, as shown below.

Once you click on Import Appliance the following window will open; click on the arrow as shown
below. Once you click on the arrow the following window will open; locate the Downloads folder,
select the SIFT Workstation appliance and click on Open, then press Enter.

The following window opens, displaying the features of the appliance to be imported; click on
Import. The import will start; please be patient, as it will take some time.

Once the import is complete, click on the SIFT Workstation in VirtualBox to start it.

The workstation will start booting as shown below.

Once it is done, use the following credentials to log in:

Login: sansforensics

Password: forensics

Then press Enter.

The workstation will display the following after login.


4.3 Connecting Real Device to SIFT Workstation

To connect an Android device to the SIFT Workstation, first connect the device with the USB cable
and enable debugging mode (USB debugging) on the device.

The host operating system will indicate that it is setting up the device; once that is done,
follow this procedure.

While in the SIFT Workstation, click on the Devices menu, then on USB, then choose the device as
shown below. Once you click on it the device is attached to the virtual machine, and after a
successful attach a phone icon is shown on the task bar as shown below.

4.4 ADB Connection

Android Debug Bridge (ADB) is the tool that allows communication with Android devices through a
shell. The tool allows the device directories to be traversed, files to be pushed to the device,
files to be pulled from the device, and backups to be made of the device's directories and files.
An ADB connection has three components: the client, the daemon and the server.

• Client: sends commands to the Android device.
• Daemon: runs the commands on the device.
• Server: responsible for managing the connection between the daemon and the client.

Some of the ADB commands are used below to demonstrate the objective of the lab.

To start working with the commands, open the terminal in the SIFT Workstation.

Enter the adb devices command to list the connected ADB devices; it shows the device is
available, as shown below.

adb shell command

The adb shell command is used to connect to the device. Since only one device is listed, we used
the adb command directly, but if several devices are listed you must specify which device to
connect to.
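As an added example (not code from the paper or from the ADB project), the following Python script parses the output of adb devices -l and builds the adb command line for one chosen device, inserting -s <serial> whenever needed; the device listing is constructed sample output, and its serials and the TECNO_W3 model tag are assumed values.

```python
"""Parse `adb devices -l` output and build a device-specific adb command line.
Added example for this paper, not SIFT or ADB code; the serials below are
constructed sample values."""
import shlex
from typing import Dict, List, Optional

# Constructed sample: three attached devices, one still waiting for the
# USB-debugging authorisation prompt to be accepted on the handset.
SAMPLE_ADB_DEVICES = """\
List of devices attached
0123456789ABCDEF       device usb:1-1 product:W3 model:TECNO_W3 device:W3
emulator-5554          device product:sdk_phone_armv7 model:sdk_phone_armv7
ZX1G22TWLK             unauthorized usb:1-2
"""


def parse_adb_devices(output: str) -> List[Dict[str, str]]:
    """Return one dict per device: serial, state, plus any key:value tags.

    States seen in practice: 'device' (usable), 'unauthorized' (prompt not
    accepted on the handset), 'offline' (transport not ready yet).
    """
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices"):
            continue
        parts = line.split()
        entry = {"serial": parts[0], "state": parts[1]}
        for tag in parts[2:]:                # e.g. model:TECNO_W3
            key, _, value = tag.partition(":")
            entry[key] = value
        devices.append(entry)
    return devices


def adb_argv(devices: List[Dict[str, str]], *args: str,
             serial: Optional[str] = None) -> List[str]:
    """Build ['adb', '-s', <serial>, *args] for exactly one usable device.

    adb refuses a bare command when more than one device is attached, so the
    -s flag is always inserted; an explicit serial is checked against the
    usable devices, otherwise the single usable device is chosen.
    """
    usable = {d["serial"] for d in devices if d["state"] == "device"}
    if serial is not None:
        if serial not in usable:
            raise RuntimeError(f"device {serial} is not in 'device' state")
        return ["adb", "-s", serial, *args]
    if not usable:
        attached = ", ".join(f"{d['serial']}({d['state']})" for d in devices)
        raise RuntimeError(f"no usable device; attached: {attached or 'none'}")
    if len(usable) > 1:
        raise RuntimeError("several usable devices attached; pass serial=...")
    return ["adb", "-s", usable.pop(), *args]


if __name__ == "__main__":
    found = parse_adb_devices(SAMPLE_ADB_DEVICES)
    for dev in found:
        print(dev)
    print(shlex.join(adb_argv(found, "shell", serial="emulator-5554")))
```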
4.5 Android Device Directory Structure

This section discusses the Android operating system directory structure and shows how it is laid
out by viewing it through adb shell.

The following are the listed directories

adb shell

shell@TECNO-W3:/ $ ls
acct
cache
charger
config
custom
d
data
default.prop
dev
enableswap.sh
etc
factory_init.project.rc
factory_init.rc
file_contexts
fstab.mt6580
init
init.aee.rc
init.common_svc.rc
init.environ.rc
init.lovelyfonts.rc
init.modem.rc
init.mt6580.rc
init.mt6580.usb.rc
init.nvdata.rc
init.project.rc
init.rc
init.trace.rc
init.usb.rc
init.xlog.rc
init.zygote32.rc
meta_init.modem.rc
meta_init.project.rc
meta_init.rc
mnt
nvdata
oem
persist
proc
property_contexts
protect_f
protect_s
Since the phone is not rooted I cannot access the root files, and hence I have to use an Android
emulator.

4.6 Install Android Emulator on SIFT Workstation

Follow this procedure to install the Android emulator on SIFT.

Install the Android SDK; it needs a JDK to run:

sudo apt-get install openjdk-7-jdk

To run the Android emulator you need an Android Virtual Device (AVD), which is the device that
gets emulated. To create the AVD, we use the following command to launch the SDK manager:

~/android-sdks/tools/android

Use wget http://dl.google.com/android/android-sdk_r24.4.1-linux.tgz to download the Android SDK
on Linux.

Once the download is done, extract all the files and move them to a new location.

Use the sudo tar -zxvf android-sdk_r24.4.1-linux.tgz command to extract the files.

Once that is done, go to where the files were extracted, open a terminal there and cd into tools.

Start the SDK manager by entering the following commands; chmod makes the file executable:

sudo chmod +x android

followed by the command that runs it:

./android

The SDK manager will start running as shown below.

Click on the Install 10 packages button.

Installation will start after you accept the terms and licence.

Once it is done you can launch it.

Once the SDK packages have been downloaded, click on Tools and create a device.

Click on Create and enter the configuration.

After that you will get the following confirmation of the successful addition of the device.

Click on OK.

To start the emulator, select it in the AVD manager and click on Start.

Launch options will be displayed as shown below; just select the defaults.

The emulator launch process will start as shown below.

After the successful launch the device will be powered on as shown below.

Booting the device will be slow depending on your hardware; be patient.

Once the device is powered on, open the terminal and use adb commands to communicate with the
device.

Add some contacts, messages and phone calls as shown below.

You can make some calls by clicking on the phone icon.

The messages added are shown here.

adb devices lists the connected devices.

To get into the device use the command adb shell.

To get super user access, use su so that access is not denied.

4.7 File Extraction & Uploading – File System Acquisition

Having gained the shell and root access, in this section we describe the parts of the Android file
structure that are important to a forensic investigator.

Use the command ls to view the file systems. The Android operating system root file structure is
listed below.

The following is a description of the folders that matter to the forensic examiner:

• dev – defines the devices available to the installed applications, as it contains global device
files accessible by all devices and a mount point for the temporary file system.

• acct – the acct control group mount point; the acct control group provides user accounting.

• cache – frequently used data is stored here, just as on common OSs, to save access time, so it
may contain personal information recently accessed by apps, files, images or browser viewing
information. It also contains a “lost+found” folder which holds recovered files.

• d – debug filesystem and debug kernel mount point.

• data – contains general data pertaining to the installed applications.

• data/data – a subfolder of data that contains each application's private user information, the
type of information that is worth investigating.

• init – contains the initialisation kernel that is launched at boot.

• mnt – the mount point for all media, internal and external, such as SD cards and external HDDs
connected via OTG.

• proc – a virtual or pseudo directory containing runtime system information.

• root – the root account's home directory.

• sbin – binaries for all the system's main daemons are contained in this folder.

• sdcard – directory for the mounted SD card.

• system – the vendor's preinstalled apps are contained in this folder along with the system's
libraries and binaries.

The folders can be accessed using Linux commands such as cd to change to a directory, ls to list
the contents of a directory and cp to copy contents.

The folder /data/data is the area of concern for a forensic examiner investigating Android phones.
This folder stores the private user data created by applications, and by examining it the
forensic examiner can obtain browser details, contacts, emails, messages and camera data.

To access the folder, enter the command cd /data/data

The listing above shows the private user data; we will be checking the messages and contacts.

To view the contacts in the phone we cd into

/data/data/com.android.providers.contacts/databases

When you cd into the databases folder you will see contacts2.db, calllog.db and profile.db.

profile.db contains the phone owner's details, while contacts2.db shows the contacts we created
and calllog.db

4.8 Logical Acquisition

For logical acquisition we have to mount the device so that it is attached to the file system.
Use the “mount” command.

The disks will be shown mounted as above.

The data block is listed as shown below; the data partition occupies /dev/block/vdc.

df can be used to check the space occupied by each block; see the following screenshot.

Once mounting is done, type exit to leave the adb shell.

The adb pull command helps the forensic examiner pull folders and files to the forensic
workstation for further analysis. Logical acquisition entails opening the files through the file
browser.

To pull a directory use the command adb pull

We used the adb pull command as shown below to extract the data partition to the desktop of the
forensic workstation. The directory has been pulled as shown above.

To pull messages we use adb pull /data/data/com.android.providers.telephony followed by the
destination for the extracted content.

We can open the files with an SQLite tool: right-click on the file and choose Open With. The
database tables will look like this.

Query the messages and they will be displayed as below.
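As an added example for the contacts/call-log databases discussed in 4.7 and the message database here (not code from the paper, SIFT or Android), the Python script below opens pulled mmssms.db and calllog.db copies read-only and lists their rows with the Android type codes decoded; the databases and their rows are constructed here with a reduced form of the real sms and calls tables, so the script runs without a device.

```python
"""Read SMS and call-log databases pulled from /data/data with `adb pull`.
Added example for this paper, not SIFT or Android code: the two databases
are created here with a reduced form of the real `sms` and `calls` schemas
and filled with constructed rows, so the script runs without a phone."""
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Values of the TYPE column as defined by Android's Telephony.Sms and CallLog.Calls.
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}
CALL_TYPE = {1: "incoming", 2: "outgoing", 3: "missed"}

# Constructed sample rows: (thread_id, address, date in ms, type, body).
SAMPLE_SMS = [(1, "+254700000001", 1600000000000, 1, "meet at 9"),
              (1, "+254700000001", 1600000300000, 2, "ok, on my way")]
# Constructed sample rows: (number, date in ms, duration in seconds, type).
SAMPLE_CALLS = [("+254700000001", 1600000600000, 42, 2),
                ("+254700000002", 1600000900000, 0, 3)]

def build_sample_evidence(folder: Path) -> None:
    """Write mmssms.db and calllog.db with the columns the queries rely on."""
    con = sqlite3.connect(folder / "mmssms.db")
    con.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, thread_id INTEGER,"
                " address TEXT, date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms(thread_id,address,date,type,body)"
                    " VALUES(?,?,?,?,?)", SAMPLE_SMS)
    con.commit(); con.close()
    con = sqlite3.connect(folder / "calllog.db")
    con.execute("CREATE TABLE calls(_id INTEGER PRIMARY KEY, number TEXT,"
                " date INTEGER, duration INTEGER, type INTEGER)")
    con.executemany("INSERT INTO calls(number,date,duration,type)"
                    " VALUES(?,?,?,?)", SAMPLE_CALLS)
    con.commit(); con.close()

def open_readonly(db: Path) -> sqlite3.Connection:
    """Open the evidence copy read-only so analysis cannot alter it."""
    return sqlite3.connect(f"file:{db}?mode=ro", uri=True)

def query(db: Path, sql: str) -> list:
    """Run one SELECT on a read-only connection and close it again."""
    con = open_readonly(db)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def ms_to_utc(ms: int) -> str:
    """Android stores these dates as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def list_sms(db: Path) -> List[Dict]:
    rows = query(db, "SELECT address, date, type, body FROM sms ORDER BY date")
    return [{"address": a, "time": ms_to_utc(d), "body": b,
             "direction": SMS_TYPE.get(t, f"unknown({t})")} for a, d, t, b in rows]

def list_calls(db: Path) -> List[Dict]:
    rows = query(db, "SELECT number, date, duration, type FROM calls ORDER BY date")
    return [{"number": n, "time": ms_to_utc(d), "seconds": s,
             "kind": CALL_TYPE.get(t, f"unknown({t})")} for n, d, s, t in rows]

def run_sample() -> Dict[str, List[Dict]]:
    """Build the constructed databases in a temp folder and query both."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_evidence(Path(tmp))
        return {"sms": list_sms(Path(tmp) / "mmssms.db"),
                "calls": list_calls(Path(tmp) / "calllog.db")}
```

On a real case, point list_sms and list_calls at the pulled copies and keep the originals untouched; the read-only URI open refuses any write that a careless tool might otherwise make.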

4.9 Physical Acquisition

Use the cat /proc/partitions command to check whether the partitions are displayed.

Available partitions

The physical disk is vda, block 0.

Use blkid to find the physical disk and its path.

Set up the connection route.

TCP port 8888 was used to connect a route between the SIFT Workstation and the phone:

adb forward tcp:8888 tcp:8888

The netcat command was used to read the data and send it through port 8888 over the network.

The phone is listening on the port listed above.

The forensic workstation was used to connect to the phone, and the dd command was used to direct
the phone data into the android.dd output file.

The acquired image is shown below.

android.dd

Used the mmls command in SIFT and was able to see the

Result of mmls of android.dd
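As an added example for this section (not code from the paper or from SIFT), this Python script parses the /proc/partitions listing the phone returns, finds the whole disk vda and its partitions, and checks the android.dd produced by dd over netcat by comparing its size with the partition table and hashing it for the case record; the /proc/partitions text and the disk contents are constructed samples.

```python
"""Check an image acquired over `adb forward` + netcat + dd against the size
the phone reported in /proc/partitions, and hash it for the case record.
Added example for this paper, not SIFT code: the /proc/partitions text and
the disk contents are constructed samples (real images are far larger)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample of `cat /proc/partitions`: vda (minor 0) is the whole
# disk with one partition vda1; vdb and vdc are separate virtual disks.
SAMPLE_PROC_PARTITIONS = """\
major minor  #blocks  name

 254        0         64 vda
 254        1         32 vda1
 254       16         16 vdb
 254       32         48 vdc
"""

def parse_proc_partitions(text: str) -> List[Dict]:
    """Return [{'major','minor','blocks','name','bytes'}]; #blocks is in KiB."""
    entries = []
    for line in text.splitlines()[1:]:       # first line is the header
        parts = line.split()
        if len(parts) != 4:
            continue                         # blank separator line
        major, minor, blocks = (int(p) for p in parts[:3])
        entries.append({"major": major, "minor": minor, "blocks": blocks,
                        "name": parts[3], "bytes": blocks * 1024})
    return entries

def partitions_of(entries: List[Dict], disk: str) -> List[Dict]:
    """Partitions are named after their disk with a number appended."""
    return [e for e in entries
            if e["name"] != disk and e["name"].startswith(disk)
            and e["name"][len(disk):].isdigit()]

def verify_image(image: Path, expected_bytes: int) -> Dict:
    """Size check plus SHA-256, read in chunks so large images fit in memory.
    A short image usually means the netcat stream was cut before dd finished."""
    digest = hashlib.sha256()
    size = 0
    with image.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"bytes": size, "expected": expected_bytes,
            "complete": size == expected_bytes, "sha256": digest.hexdigest()}

def run_sample() -> Dict:
    """'Acquire' the constructed vda into a temp file; check full and cut copies."""
    entries = parse_proc_partitions(SAMPLE_PROC_PARTITIONS)
    disk = next(e for e in entries if e["name"] == "vda")
    data = bytes(range(256)) * (disk["bytes"] // 256)   # constructed disk content
    with tempfile.TemporaryDirectory() as tmp:
        full, cut = Path(tmp) / "android.dd", Path(tmp) / "cut.dd"
        full.write_bytes(data)
        cut.write_bytes(data[:-512])         # what a dropped stream looks like
        return {"disk": disk, "expected_sha256": hashlib.sha256(data).hexdigest(),
                "full": verify_image(full, disk["bytes"]),
                "cut": verify_image(cut, disk["bytes"])}

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Record the SHA-256 alongside the image so that mmls and later tools can be shown to have worked on an unchanged copy.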

5. Conclusion

The SIFT Workstation is an open-source forensic workstation containing a collection of different
forensic tools. As shown above in this paper, the SIFT toolkit can be used to acquire and analyse
an Android phone just as commercial tools can. Through this practical we were able to understand
the Android file architecture, the tools and the forensic process. The paper presented logical and
physical extraction of data from an Android phone and the analysis of that data. With the SIFT
toolkit, forensic examiners can use a freely available tool to examine and extract data for
further investigation.

6. References

SANS Institute. https://digital-forensics.sans.org/

DFIR, S. (2017). SANS Investigative Forensic Toolkit (SIFT) Workstation.

Hawthorne, E. K., & Shumba, R. K. (2014). Teaching digital forensics and cyber investigations
online: Our experiences. European Scientific Journal.
