The largest obstacle facing examiners is getting past locked devices. One of the common methods used to get around the locks on an Android device is the use of a bootloader. Many tool manufacturers have been using these bootloaders, but the examiners using them have received mixed results.
There are a few inherent risks that come with using a bootloader. Some of the newer Android firmware versions have changed what happens in the boot sequence. Part of that change is a check for whether any unsanctioned bootloader has been loaded onto the device. If one is found, the device will no longer boot and will be wiped. This is a new problem that forensic examiners not only need to be aware of, but also need to raise with their tool manufacturers by asking the question “What do you do to keep my evidence safe?”
On the other side of the risk is the reward that comes from being able to access data on the device despite a passcode being set and USB debugging being disabled. For the purpose of this review, the focus will be on newer Samsung Android devices. Typically, Samsung Android devices have several bootable partitions. The devices can be used in the following modes:
- Download mode: A special mode intended to be used for flashing firmware into the device, including custom firmware.
- System mode: A standard everyday boot mode.
- Recovery mode: A boot mode used when some of the memory partitions required for the device to boot in System mode are corrupted.
For each of the System and Recovery boot modes, the device firmware contains a different recovery image. A recovery image is a memory partition which includes the operating system kernel and a file system with the minimum set of files required for the device to boot.
Paraben’s methodology, used in DS 7.6 and now in the E3:DS versions, allows the creation of model-specific custom forensic recovery images and provides the tool to flash them onto the device.
Once a device boots in the Recovery mode with our forensic recovery image, it allows the examiner to get full access to its memory for the physical acquisition of the file system and flash memory partitions. This method changes the device firmware but leaves the system and user data unaffected by the bootloader.
Details on the Paraben methodology in action can be seen in our YouTube video here:
Once the acquisition is finished, the user can boot the device in the standard System mode for normal use. The system and user data partitions of the device remain unchanged and the device is ready for normal operation. Although there is a risk that flashing the forensic bootloader will leave the device unable to function, the reward of a full evidence set including application data, contacts, call history, messages, media files, and recovered deleted data is enticing. The questions every examiner should be asking are “How does my tool use processes like a bootloader?” and “What is the risk of writing to the user’s data with this methodology, or the risk of losing the device?”
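The claim that only the recovery partition changes while system and user data stay untouched is one an examiner should verify rather than take on trust. The following added example (not Paraben's code, and not from the original post) hashes each partition image dumped before and after the flash and reports which ones differ; the partition contents are constructed stand-ins for real dumps.

```python
"""Confirm that a forensic recovery flash touched only the recovery partition.

Hash every partition image taken before the flash and again after, then compare.
The partition byte strings below are constructed sample data, not real dumps.
"""
import hashlib
from typing import Dict, Iterable, List

# Constructed sample partition images captured BEFORE flashing the forensic recovery.
BEFORE: Dict[str, bytes] = {
    "recovery": b"stock-recovery-kernel-and-ramdisk",
    "system": b"android-system-partition",
    "userdata": b"contacts,call-history,messages,media",
}

# Constructed sample partition images captured AFTER the flash and the acquisition.
AFTER: Dict[str, bytes] = {
    "recovery": b"forensic-recovery-kernel-and-ramdisk",
    "system": b"android-system-partition",
    "userdata": b"contacts,call-history,messages,media",
}

# Partitions that hold evidence and must come back with an identical hash.
EVIDENCE_PARTITIONS = ("system", "userdata")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of one partition image; for real multi-GB dumps feed a file in chunks."""
    return hashlib.sha256(data).hexdigest()


def changed_partitions(before: Dict[str, bytes], after: Dict[str, bytes]) -> List[str]:
    """Names of partitions whose hash differs, or that exist on only one side."""
    names = sorted(set(before) | set(after))
    return [
        name for name in names
        if name not in before or name not in after
        or sha256_hex(before[name]) != sha256_hex(after[name])
    ]


def evidence_intact(before: Dict[str, bytes], after: Dict[str, bytes],
                    protected: Iterable[str] = EVIDENCE_PARTITIONS) -> bool:
    """True only if none of the evidence-bearing partitions changed."""
    return not (set(changed_partitions(before, after)) & set(protected))


if __name__ == "__main__":
    print("changed:", changed_partitions(BEFORE, AFTER))   # expect only 'recovery'
    print("evidence intact:", evidence_intact(BEFORE, AFTER))
```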