Recovering Data: Saving Marriages Using Android Digital Forensics

Once upon a time, a co-worker approached Tom with a dilemma: A software update on his wife's phone had failed, resulting in the apparent loss of all data on the device. He asked if there was anything Tom could do to help, and Tom took this as the perfect opportunity to leverage computer forensics to do something good and hopefully recover some precious memories.

Leveraging Forensics to Recover Precious Memories: The Intro

Once upon a time, a co-worker approached me with a dilemma: a software update on his wife's phone had failed, resulting in the apparent loss of all data on the device, including many irreplaceable family photos. He asked if there was anything I could do to help. To me, it was the perfect opportunity to leverage computer forensics to do something good and hopefully recover some precious memories.

Note:

I cannot emphasize enough the importance of regular backups for any data that matters to you. Please do not rely on the techniques described in this post as a backup alternative.

The phone in question was an older Android phone that had already been rooted. This allowed USB debugging to be enabled on the phone and accessed through a program called Android Debug Bridge (adb), which can be used to debug an Android device from a Linux workstation.

An Opportunity to Use "Traditional" Forensics Techniques

Since this wasn't a formal forensics investigation, and our primary goal was data recovery, I could be more flexible with my data acquisition techniques. Ultimately, I needed to find a way to make a disk image of the phone's internal storage, which I could then analyze using traditional forensics techniques.

With the phone in USB debugging mode, I was able to list out the connected devices using the Android debugger:

~$ adb devices
List of devices attached
002a9e28dc1a9a	device

Once I confirmed that the device was detected, I could use the debugger to execute a shell on the Android device over the USB connection and explore the internal system structure, including the list of block devices.

~$ adb shell
root@android:/ # su
root@android:/ # ls /dev/block/
loop0        loop7        mmcblk0p12   mmcblk0p8    ram12        ram5
loop1        mmcblk0      mmcblk0p2    mmcblk0p9    ram13        ram6
loop2        mmcblk0boot0 mmcblk0p3    platform/    ram14        ram7
loop3        mmcblk0boot1 mmcblk0p4    ram0         ram15        ram8
loop4        mmcblk0p1    mmcblk0p5    ram1         ram2         ram9
loop5        mmcblk0p10   mmcblk0p6    ram10        ram3         vold/
loop6        mmcblk0p11   mmcblk0p7    ram11        ram4

After some exploration, I was able to determine that /dev/block/mmcblk0 was the device that contained the majority of the system storage space, and was most likely the location I would want to image and analyze.

It was now a matter of determining how to transfer the contents of this block device to my laptop using the debug connection. Fortunately, the Android debugger supports forwarding a TCP port between the phone and the debug machine:

~$ adb forward tcp:5555 tcp:5555

Once this forwarding was established, I could execute a shell to the phone again and leverage the power of netcat (which, according to the description in its man page "is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets"), to transfer the contents of the flash memory from the phone:

~$ adb shell
root@android:/ # su
root@android:/ # /system/xbin/busybox nc -l -p 5555 -e /system/xbin/busybox dd if=/dev/block/mmcblk0

On my machine, I received the stream with netcat (I used pv to provide a status bar, but it's not absolutely necessary):

~/Downloads/androidphone$ nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.raw
14.7GB 0:59:40 [ 4.2MB/s] [ <=> ]
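As an added example (not code from the post), here is the host side of the transfer described above in Python, with the phone's "nc -l -e dd" end simulated by a local listener that streams a constructed payload. It hashes the image as it arrives and again from disk, so the acquisition can be checked against a hash taken on the phone itself; the listener, the OS-chosen port and the sample payload are constructed for the demo, and checking against the phone assumes its busybox build includes a sha256sum applet.

```python
import hashlib
import os
import socket
import tempfile
import threading

def fake_phone_listener(payload, host="127.0.0.1"):
    """Stand-in for the phone side ('busybox nc -l -p 5555 -e busybox dd if=/dev/block/mmcblk0'):
    accept one connection, stream the constructed payload, then close, as dd hitting EOF would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                # port 0: let the OS pick a free local port (demo only)
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def receive_image(port, out_path, host="127.0.0.1", chunk=1 << 20):
    """Host side of 'nc 127.0.0.1 5555 | pv > mmcblk0.raw'; returns (bytes_written, sha256_hex)."""
    digest, total = hashlib.sha256(), 0
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            buf = sock.recv(chunk)
            if not buf:                # remote dd reached end of device and nc closed the socket
                break
            out.write(buf)
            digest.update(buf)
            total += len(buf)
    return total, digest.hexdigest()

def sha256_file(path, chunk=1 << 20):
    """Re-hash the saved image: a mismatch means a short read or an altered file, not a usable image."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def round_trip(payload):
    """Run the simulated transfer end to end; returns (path, bytes_written, stream_hash, file_hash)."""
    path = os.path.join(tempfile.mkdtemp(), "mmcblk0.raw")   # constructed output location
    n, stream_hash = receive_image(fake_phone_listener(payload), path)
    return path, n, stream_hash, sha256_file(path)
```

Against a real phone, the stream hash returned by receive_image is what you compare with the output of busybox sha256sum run over the block device on the phone before trusting the image.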

At this point, I had an image of the phone that I could run through traditional forensics tools. Since the filesystem was corrupt, I decided to leverage a file-carving tool called SFDUMPER (selective file dumper) to recover image files from the disk image.
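To show what a selective file dumper like SFDUMPER does underneath, here is an added example (not code from the post or from SFDUMPER) of a header/footer carver run over a constructed stand-in for mmcblk0.raw. The signature table, the max_size cap and the demo_image() blob are assumptions made for the demo; the scan works on raw bytes alone, which is why it survives a corrupt filesystem and also why cached web images turn up.

```python
import os
import tempfile

# Header/footer signatures for the image types the post set out to recover (assumed set).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, max_size=16 * 1024 * 1024):
    """Header/footer carve a raw disk image (bytes or mmap) for JPEG and PNG files, ignoring
    the filesystem entirely. Returns (kind, offset, length) for every file with both markers."""
    found, pos = [], 0
    while True:
        # Earliest header of any kind at or after pos
        hits = [(image.find(hdr, pos), kind) for kind, (hdr, _) in SIGNATURES.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        start, kind = min(hits)
        header, footer = SIGNATURES[kind]
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            # Header with no footer within max_size: truncated or overwritten fragment, skip it
            pos = start + len(header)
            continue
        # Greedy first-footer carve: an EXIF thumbnail embeds its own FFD9, so some JPEGs
        # come out short; a stricter carver would walk the JPEG segment lengths instead
        length = end + len(footer) - start
        found.append((kind, start, length))
        pos = start + length
    return found

def dump_carved(image, out_dir=None):
    """Write each carved file out, named by its byte offset in the image; returns the paths."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="carved_")
    names = []
    for kind, off, length in carve(image):
        name = os.path.join(out_dir, f"{off:012x}.{kind}")
        with open(name, "wb") as f:
            f.write(image[off:off + length])
        names.append(name)
    return names

def demo_image():
    """Constructed stand-in for mmcblk0.raw: filler, a JPEG-like blob, a PNG-like blob, then a bare JPEG header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-data" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
    return b"\x00" * 100 + jpg + b"\x11" * 50 + png + b"\x22" * 30 + b"\xff\xd8\xff" + b"\x33" * 10
```

For a real 14.7 GB image, open the file with mmap rather than reading it into memory and pass the mmap object to carve().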

Success!

While the end result wasn't perfect, I was able to recover quite a number of images from the phone. Crisis averted, and my co-worker's marriage was saved. I must say that I was somewhat surprised by the sheer number of images that were recovered from the phone using this technique: hundreds of thousands.

Essentially, it appeared as if any web images downloaded by the phone, as it was used, were cached in the phone's flash memory and therefore recoverable using these techniques. While this wasn't what we intended to recover, it was interesting to see how much information ultimately is stored in the flash memory of a phone as it is used.

Don't Underestimate the Power of Forensics Tools

While we typically look at forensics tools as a method for gathering evidence for legal and law enforcement purposes, we cannot underestimate the power of leveraging these tools for other uses. I am a strong proponent of integrating forensics techniques into a variety of processes where they are practical, and this case was no exception.

That being said, I don't foresee Hurricane Labs creating a forensic marriage saving department in the near future.


