International Research Journal of Engineering and Technology (IRJET)  e-ISSN: 2395-0056 | p-ISSN: 2395-0072
Volume: 07 Issue: 04 | Apr 2020  www.irjet.net

Android based Mobile Forensic and Comparison using various Tools

Ms. Khyati Gajjar¹, Dr. Priyanka Sharma²
¹Student, School of Information Technology & Cyber Security, Raksha Shakti University, Gujarat, India
²Director, Research & Development, Raksha Shakti University, Gujarat, India

Abstract: Evolution in wireless technology and mobile phones has a huge impact on many aspects of daily life. The number of consumers of this technology keeps growing, and most individuals depend on it for communication, not only for personal but also for professional purposes. Alongside the legitimate use of smartphones there is room for their improper or illicit use by criminals as a tool in their modus operandi. Consequently, the confidential and sensitive data stored in smartphones has the potential of becoming digital evidence in an investigation. On the other hand, investigators may face many difficulties in extracting critical information from an Android-based smartphone. The last segment of the paper presents the results obtained with the tools MOBILedit Forensic Express, Dr.Fone, XRY and Magnet AXIOM. The main aim of this work is to evaluate the information obtainable from, and the methodology of extraction from, an Android-based smartphone.

Keywords: Investigation, Forensics, Forensic Tools, Forensic

1. INTRODUCTION

As mobile devices become increasingly widespread, mobile phone forensics becomes ever more critical, since mobile phones are routinely found at crime scenes. Android-based mobile phones and mobile network interfaces are frequently used for crime. With technological progress, forensic science has developed to an excellent extent.
Forensic investigation processes usually consider the evidence gathered by the authorities; this evidence is frequently digital information, and the procedure of analysing digital information is known as digital forensics. Forensics is used in many settings, from a corporate audit to a criminal investigation in the law enforcement world. Numerous crimes and other undesirable activities make forensics essential as a means of making the world a safer place. Digital forensics is becoming significant because society is increasingly dependent on computers, telecommunication devices and related technologies. Smartphone forensics, a branch of digital forensics, centres on the recovery or gathering of information and evidence from smartphones and similar devices used in everyday life. Nowadays a digital device is not limited to a 'computer': it includes mobile phones, PCs, tablets and any other electronic gadget. The forensic investigation process does not depend on the kind of digital device; the procedure is the same for every type of device. The investigation procedure mainly consists of three stages. Data Acquisition gathers the data from the device if it is in a reliable condition; if the device is damaged, an image of the device is taken and used for data recovery. The next stage is Analysis, during which the acquired data is examined for evidence. The last stage is Preservation, which keeps the data and the collected evidence in secure conditions so that the evidence can later be presented in a court of law.
Android-based phones have been the most popular devices of the last decade and are gaining an ever larger market share at an exponential rate. The reasons for the acceptance of these devices are that they are compact, cost effective, capable and simple to use. Android-based mobile phones provide a collection of features and data-driven information such as data records, contact numbers, installed applications, games and much more. This data is often extracted from the devices using several forensic tools, both open source and commercial. However, there is no single comprehensive technique that can be used with 100% certainty to obtain data from Android-based smartphones in a forensically sound way. Evidence from Android smartphones has taken on a fundamental role in recent years, and the established approaches to computer forensics are often inappropriate for Android phones. Gathering evidence from Android-based smartphones with the established forensic frameworks is therefore complicated and challenging. The present mobile world can be called an Android world: numerous devices run Android, but it is most extensively used on phones. Around 90% of mobile phones run the Android operating system, and the vast majority of people use Android in one way or another. Essentially there are three kinds of mobile forensics.

© 2020, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 1399
For example, Android, iOS and Windows mobile forensics. Any discussion of mobile forensics leads directly to Android mobile forensics, since Android is the most popular operating system in the mobile market. Investigators should therefore know all the strategies and procedures used for extracting information from an Android device. One can extract information such as SMS, contacts, installed applications, GPS information, electronic mail and deleted information. The purpose of a mobile device forensic tool is to gather data from a mobile device without altering the information. The tool should receive timely updates to keep pace with the rapid changes in mobile device hardware and software. The tools may be either forensic or non-forensic, each presenting different challenges and allowing different solutions.

1.1. MOBILE FORENSICS

Mobile phone forensics is the domain of gathering digital evidence from cellular and mobile phones for investigation or analysis. Mobile forensics is not limited to Android-based smartphones; it also covers GPS devices, tablets and other smartphones. The major objective in mobile forensics is the recovery and analysis of information from external memory cards, the SIM and internal memory, with control over and integrity of the information. Mobile forensics is considered one important part of digital forensics. Most civil and criminal investigations today include a digital component.
Mobile phones have become important evidence everywhere and play a central role in data analysis: there is a large chance that a mobile phone holds footprints and data relevant to a case. There are four ways a mobile phone is commonly connected to a crime:
- It is used as a device for performing a digital attack.
- It is a source of evidence and footprints related to the crime.
- It contains vital information about the crime and the victim.
- It is a means of carrying out a crime.

1.2. ACQUISITION & ANALYSIS OF THE EVIDENCE AND DATA

The Android operating system is based on the Linux kernel (version 2.6 in early Android releases), which acts as an intermediary between the hardware and the rest of the software stack. The Linux kernel manages a set of core services such as process management, memory management, the network protocol stack, drivers and security. The framework and processes used in Android follow an object-oriented approach and permit the reuse of the existing framework, Java and C/C++ libraries.

1.2.1. ANDROID ARCHITECTURE

The architecture of the Android system depends on the Linux kernel. Linux is the core of Android and sits at the foundation of the Android stack; it is responsible for controlling the hardware, managing memory and other jobs, and handling input characters. The native libraries are another layer on top of Linux: SQLite provides the database, the FreeType library handles font rendering, and further libraries handle sound and media recording. The Android runtime comprises various libraries, and the Android application framework sits above it to support applications.

A common forensic investigation process must be applied in every legal forensic investigation. It starts with identifying the potential evidence, the cellular phones or computers connected with the case. The investigators then acquire the data in a legal and proper way with appropriate strategies.
The evidence and data obtained should be kept in a proper container and location using a proper chain of custody.

[Figure: Chain of Custody]

1.2.3. TYPES OF ACQUISITION

All the data required for a digital forensic case today is present in the memory modules and hardware of the device. Smart devices use two memory types and storage mechanisms: non-volatile or secondary storage, and volatile memory, also known as RAM. Acquisition of both kinds of memory gives forensic investigators a good amount of potential evidence.

Logical acquisition: This data extraction is done primarily to obtain basic device data; it does not extract data from unallocated space. Its main advantage is that it extracts data without rooting the device, but it only deals with the data present on the device and not with deleted data. If the investigator cannot connect to the device in this way, the data extraction has to be performed another way.

Physical acquisition: Physical acquisition techniques extract information by accessing the flash memory of the device. They create a bit-by-bit copy of the mobile device and also support the extraction of deleted records. Devices available on the market usually do not support this type of extraction without root access; to overcome this problem two different techniques are used, JTAG (Joint Test Action Group) and chip-off. These two types of acquisition can be performed on both rooted and non-rooted mobile devices to fetch the data.

Manual acquisition: Manual acquisition is an easy method of retrieving data from an Android-based smartphone. The investigator uses the handset's keypad or screen to browse the device content. Its main advantage is that it is the most convenient method and requires no training for the investigator. It works with all mobile models and needs no cables. It does not, however, extract all data on the smartphone, such as deleted and hidden files.

2. TOOLS AND METHODOLOGY

The use of cellular mobile devices is increasing rapidly. The main challenge for forensic investigation is the rapid pace of development and technology change: the tools developed today may not be compatible with the devices developed later, so a continuous process is required to update the databases and technology used in forensic analysis. Two experimental cases using various mobile devices and forensic tools follow. Two physical Android-based mobile devices, a Samsung Galaxy J4 Plus (unrooted) and a VIVO 1812 (unrooted), were taken and tested with different data extraction tools. The results and processes explained in the next section were gathered from MOBILedit Forensic and Dr.Fone for the Samsung Galaxy J4 Plus, and from XRY and Magnet AXIOM for the VIVO 1812. The following table lists the tools considered:

Table I: List of mobile forensics tools

Mobile Forensics Tools (Free) | Mobile Forensics Tools (Commercial)
------------------------------|------------------------------------
MOBILedit Lite                | MOBILedit Forensics
Bitpim                        | MSAB XRY
Autopsy                       | Oxygen Forensic
dr.fone                       | Cellebrite UFED
MIRACLE THUNDER               | Magnet AXIOM Examine
andriller-master              |

2.1. PRE-REQUISITES

The primary step for an unlocked phone is to enable developer mode and USB debugging¹:
1. Go to Settings >> About Phone >> Software Information >> tap Build Number 7 times; Developer Options then appears in Settings.
2. Go to Developer Options >> allow development settings >> Stay Awake >> USB debugging. USB debugging should be turned ON.

¹ The steps may differ between manufacturers and mobile phone models.

2.2. SETUP FOR THE EXPERIMENTS

In order to understand the data extraction techniques used in this project an experimental setup was created with two physical Android-based smartphones, a Samsung J4 Plus (Android version 9) and a VIVO 1812. The work carried out is a comparative analysis of the forensic data extracted with commercially available tools and with open source tools.

2.3. EXPERIMENT 1

In this experiment the tools used are MOBILedit Forensic Express and Dr.Fone for the Samsung Galaxy J4 Plus.

2.3.1. ANALYSIS WITH MOBILEDIT FORENSIC EXPRESS

MOBILedit Forensic Express is a mobile device forensics tool which can be used to fetch deleted data, contact details, chats, graphic files, call details, the IMEI, multimedia messages, calendar items, data files, passwords and data from installed applications such as Skype, Dropbox, Facebook and WhatsApp. The extracted files can be examined with its analysers. A backup of the seized mobile device can be created for further investigation and to maintain the integrity of the seized device. Features such as lock bypass, backup, decryption, SIM card cloning and retrieval of application data are provided in the commercial version of the tool.

Fig 1: Device information in MOBILedit Forensic Express

An Android phone can be connected to the PC by USB cable, which transfers data securely and faster.
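The developer-options steps in Section 2.1 and the USB connection above are the preparation for a logical acquisition over adb. The Python below is an added example, not code from the paper or from any of the tools it tests. It parses the output of `adb devices -l` and `adb shell getprop` (constructed samples with made-up serials and a made-up case path /cases/001) to confirm that the handset has actually authorised the workstation and that it is an unrooted production build, and only then produces the ordered adb command list for a logical pull; an "unauthorized" handset, the state seen before the USB debugging prompt is accepted, is refused.

```python
"""Added example (not from the paper): pre-flight checks and command plan for a
logical acquisition over adb. All sample output and identifiers are constructed."""
import re
from typing import Dict, List

# Constructed sample of `adb devices -l`: one handset that has accepted the
# workstation's RSA key (state "device") and one still showing the USB debugging
# prompt (state "unauthorized"). Serials and model strings are made up.
SAMPLE_DEVICES = """\
List of devices attached
520a2b7c               device usb:1-1 product:j4primeltedx model:SM_J415F device:j4primelte transport_id:1
R58M1234ABC            unauthorized usb:1-2 transport_id:2
"""

# Constructed sample of `adb shell getprop` on an unrooted production build.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-J415F]
[ro.secure]: [1]
[ro.debuggable]: [0]
"""

_DEVICE_LINE = re.compile(r"^(\S+)\s+(\S+)(?:\s+(.*))?$")
_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.MULTILINE)


def parse_adb_devices(text: str) -> Dict[str, Dict[str, str]]:
    """Map serial -> {'state': ..., plus the key:value fields of `adb devices -l`}."""
    devices: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue  # header line and daemon start-up notices
        m = _DEVICE_LINE.match(line)
        if not m:
            continue
        serial, state, rest = m.group(1), m.group(2), m.group(3) or ""
        info = {"state": state}
        for field in rest.split():
            if ":" in field:
                key, value = field.split(":", 1)
                info[key] = value
        devices[serial] = info
    return devices


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `[name]: [value]` lines into a dict."""
    return {m.group(1): m.group(2) for m in _PROP_LINE.finditer(text)}


def acquisition_mode(props: Dict[str, str]) -> str:
    """On a production build adbd runs unprivileged (ro.secure=1, ro.debuggable=0),
    so without root only a logical acquisition is possible (Section 1.2.3)."""
    if props.get("ro.secure") == "1" and props.get("ro.debuggable") == "0":
        return "logical"
    return "physical-capable"


def acquisition_plan(serial: str, devices: Dict[str, Dict[str, str]],
                     props: Dict[str, str], out_dir: str) -> Dict[str, object]:
    """Return the ordered adb commands for a logical pull of `serial`.

    Refuses to plan anything unless the handset is in state "device": an
    "unauthorized" handset has not accepted the RSA key and every command would
    fail, while "offline" usually means a cable or driver problem.
    """
    state = devices.get(serial, {}).get("state")
    if state != "device":
        raise RuntimeError(
            f"{serial}: adb state is {state!r}; accept the USB debugging prompt "
            "on the handset (Section 2.1) and re-run `adb devices -l`")
    base = ["adb", "-s", serial]
    commands: List[List[str]] = [
        base + ["shell", "getprop"],                                      # record build and model
        base + ["backup", "-f", f"{out_dir}/{serial}.ab", "-apk", "-shared", "-all"],
        base + ["pull", "/sdcard/", f"{out_dir}/sdcard"],                  # user media and documents
    ]
    return {"mode": acquisition_mode(props), "commands": commands}


if __name__ == "__main__":
    devs = parse_adb_devices(SAMPLE_DEVICES)
    plan = acquisition_plan("520a2b7c", devs, parse_getprop(SAMPLE_GETPROP), "/cases/001")
    print(plan["mode"])
    for cmd in plan["commands"]:
        print(" ".join(cmd))
```

Against a real handset the two parsers are fed the captured adb output instead of the samples. `adb backup` is deprecated on recent Android releases and individual apps can opt out of it with allowBackup=false, so the size of the resulting .ab file should be checked against the number of installed apps rather than taken as a complete copy; this matches the paper's point that a logical pull never returns unallocated or deleted data.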
In this practical the full content of the mobile device was selected for extraction and the report was generated in MS Excel and PDF format.

Fig 2: Information about the ongoing extraction process (extraction log):
Preparing port data... OK
Acquiring number of phonebook contacts... OK (4592 found)
Acquiring number of organizer items... OK (153 events found)
Acquiring number of messages... OK (2383 found)
Acquiring number of calls... OK (500 found)
Processing application descriptions... OK (319 apps, 682 files copied)
Reading phonebook contacts... OK
Reading messages... OK

If you select the Data Extraction Log, you get a brief summary of the extraction in the File tab.

Fig 3: Information about the extracted data

2.3.2. ANALYSIS WITH DR.FONE

Dr.Fone is an application that allows you to get back deleted photos and videos. After scanning the mobile device for photos and videos it shows the results shown in the figure below. All the media content can be recovered with ease. The Recover, Transfer, Unlock, Root and Erase features are available in the paid version of the application.

Fig 4: Recovered data in Dr.Fone

2.3.3. COMPARISON OF MOBILEDIT FORENSIC EXPRESS AND DR.FONE

The work in this project has introduced a method to extract data from a smartphone in a forensically sound manner so that it can be produced as evidence. The extraction of data from mobiles depends largely on the available commercial software and tools; in the absence of these expensive commercial tools it becomes difficult for a forensic investigator to extract data from mobile devices.
The following are the results of the two tools used for data extraction from the evidence device:

Table II: The result of test data (Experiment 1)

Experimental parameters | Data extraction by MOBILedit | Data extraction by Dr.Fone
------------------------|------------------------------|---------------------------
IMEI Number             | Yes                          | No
Phonebook Contacts      | Present (4570), Unknown (22) | Present (4592)
Call History            | Present (500)                | Present (500)
Messages                | Present (2341)               | No
Documents               | Present (147)                | No
Audio                   | Present (303)                | Present (190)
Videos                  | Present (721)                | Present (498)
Images                  | Present (11337)              | Present (6913)

2.4. EXPERIMENT 2

In this experiment the tools used are XRY and Magnet AXIOM for the mobile device VIVO 1812.

2.4.1. ANALYSIS WITH XRY

XRY is a commercial mobile forensic tool. It provides a rapid extraction method to analyse and recover information from smartphones, GPS navigation systems and tablets. It is a powerful and efficient system that runs on Windows-based operating systems with high-performance hardware. It helps to extract more data in less time with good support for different chipsets. The following is the result² of the extraction of the VIVO 1812 mobile phone.

Fig 5: Recovered data in XRY

² The image only contains the artefacts section due to copyright protection.

2.4.2. ANALYSIS WITH MAGNET AXIOM

Magnet AXIOM is a powerful digital investigation software package that allows investigators and agencies to acquire, analyse and report data and evidence files. Image files from mobile phones can also be analysed as evidence. The following is the result² of the extraction of the VIVO 1812 mobile phone.

Fig 6: Recovered data in Magnet AXIOM
2.4.3. COMPARISON OF XRY AND MAGNET AXIOM

Table III: The result of test data (Experiment 2)

Experimental parameters | Data extraction by XRY | Data extraction by Magnet AXIOM
------------------------|------------------------|--------------------------------
Media and Files         | 189935                 | 36682
Phonebook Contacts      | Present (917)          | Present (917)
Calls                   | Present (723)          | Present (723)
Messages                | Present (64)           | Present (64)
Documents               | Present (48790)        | Present (1532)
Audio                   | Present (277)          | Present (277)
Videos                  | Present (78)           | Present (78)
Images                  | Present (75118)        | Present (75118)

3. COMPARISON OF OPEN SOURCE TOOLS

Table IV: Comparison of the free tools

Parameter                  | MOBILedit                                                            | Dr.Fone
---------------------------|----------------------------------------------------------------------|---------------------------------------------------------------------
Operating system platform  | Windows XP/2003/Vista/7/8/10                                         | Windows XP/2003/Vista/7/8/10
Supported OS               | iOS, Android, Symbian, Windows (limited to contacts and media files)  | iOS, Android, Symbian, Windows (limited to contacts and media files)
Connection via             | USB cable, Wi-Fi, Bluetooth, Infrared                                | USB cable
IMEI Number                | Yes                                                                  | No
Physical Data Acquisition  | No                                                                   | Yes
Logical Data Acquisition   | Yes                                                                  | No
Deleted Data Recovery      | Yes                                                                  | No
Type of evidence recovered | Full content of mobile device                                        | Contacts, Photos, Videos
Output format              | MS Excel, PDF                                                        |

4. COMPARISON OF COMMERCIAL TOOLS

Table V: Comparison of the commercial tools

Parameter                  | MOBILedit                                                                      | Dr.Fone
---------------------------|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------
Operating system platform  | Windows XP/2003/Vista/7/8/10                                                   | Windows XP/2003/Vista/7/8/10
Supported OS               | iOS, Android, Symbian, Windows (limited to contacts and media files)            | iOS, Android, Symbian, Windows (limited to contacts and media files)
Connection via             | USB cable, Wi-Fi, Bluetooth, Infrared                                          | USB cable
IMEI Number                | Yes                                                                            | Yes
Physical Data Acquisition  | Yes, for rooted devices                                                        | Yes, for rooted devices
Logical Data Acquisition   | Yes                                                                            | Yes
Deleted Data Recovery      | Yes                                                                            | Yes
Type of evidence recovered | Contacts, Graphics, Messages, System files, Web files, Location history etc.   | Contacts, Graphics, Messages, System files, Web files, Location history etc.
Output format              | MS Excel, PDF, HTML                                                            | MS Excel, PDF, HTML

5. CONCLUSION

With the help of open-source and commercial digital forensic tools such as MOBILedit Forensic Express, Dr.Fone, XRY and Magnet AXIOM, artefacts such as SMS, calls, images, audio, videos, contacts, the IMEI number and documents can be stored for further examination. MOBILedit Forensic Express comes with a write-blocker (read-only) feature to ensure that the integrity of the mobile phone is maintained and the evidence is not contaminated. Performing digital forensics on mobile phone devices built on different and proprietary platforms is a real challenge for forensic analysts. Data residing on Android-based smartphones can be extracted using the right tools and processes. It is necessary to understand the phone architecture, operating system, mobile forensic process and forensic tools before extracting and recovering data. Data from the contact list, calls, images, videos, audio, documents and SMS were successfully extracted. Relevant data can be singled out and analysed for law enforcement to relate the evidence to the case, and such digital evidence can then be produced in court.
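The chain of custody in Section 1.2 and the write-blocker point in the conclusion both come down to one question a court will ask: can the examiner show that the extracted data has not changed since acquisition? A write blocker prevents changes during acquisition; what demonstrates integrity afterwards is a hash manifest taken immediately after extraction. The Python below is an added example, not code from the paper or from any of the tools it tests. It hashes every file in an extraction directory with SHA-256, seals the manifest with a single digest that can be written on the custody form, and later reports which files were modified, deleted or added. The directory layout, file names and contents are constructed for the demonstration, and the manifest file name MANIFEST.sha256.json is an assumption.

```python
"""Added example (not from the paper): a SHA-256 manifest for an extraction
directory, the digital counterpart of the chain-of-custody record. The
directory tree and its contents are constructed for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.sha256.json"   # assumed file name; excluded from hashing
CHUNK = 1 << 20                           # read 1 MiB at a time so large media files fit in memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under `root` (manifest excluded)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One hash over the canonical JSON form of the manifest: the value that is
    written on the chain-of-custody form so the whole set can be re-verified."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def write_manifest(root, manifest: Dict[str, str]) -> Path:
    path = Path(root) / MANIFEST_NAME
    path.write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return path


def load_manifest(root) -> Dict[str, str]:
    return json.loads((Path(root) / MANIFEST_NAME).read_text())


def verify(root, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory against the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, object]:
    """Build a constructed extraction tree, seal it, tamper with it, re-verify."""
    root = Path(tempfile.mkdtemp()) / "extract"
    (root / "sms").mkdir(parents=True)
    (root / "sms" / "messages.xml").write_bytes(b"<sms/>")              # constructed content
    (root / "contacts.vcf").write_bytes(b"BEGIN:VCARD\nEND:VCARD")      # constructed content
    (root / "notes.txt").write_bytes(b"")                               # empty file edge case
    manifest = build_manifest(root)
    write_manifest(root, manifest)
    sealed = manifest_digest(load_manifest(root))
    clean = verify(root, load_manifest(root))
    # Simulate exactly what a write blocker is meant to prevent: edit, delete, add.
    (root / "contacts.vcf").write_bytes(b"BEGIN:VCARD\nN:tampered\nEND:VCARD")
    (root / "sms" / "messages.xml").unlink()
    (root / "calls.csv").write_bytes(b"1")
    tampered = verify(root, load_manifest(root))
    return {"sealed_digest": sealed, "clean": clean, "tampered": tampered,
            "digest_changed": manifest_digest(build_manifest(root)) != sealed,
            "empty_hash": manifest["notes.txt"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the manifest is built once, straight after the tool finishes writing its export, and the sealed digest is recorded on the custody form; every later hand-over re-runs verify and only an empty "modified", "missing" and "added" result means the evidence set is intact. Keeping the manifest outside the extraction directory, or on write-once media, stops an attacker from simply regenerating it after altering a file.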
The data extraction procedure for different Android smartphones varies with their architecture, model and manufacturer-specific conventions.
