38 IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.

11, November 2016

Analysis of Physical Image Acquisition Forensic Tools for

Android Smartphones
Firdous Kausar† and Tadani Nasser Alyahya††

Computer Science Department, Al Imam Mohammad Ibn Saud Islamic University, Riyadh, KSA

Summary physical acquisition instead of logical acquisition to extract

Mobile phones play an important role in our lives, especially and maintain deleted data [1].
smartphones. With the tremendous growth of the mobile device Physical acquisition tools are classified into hardware-
market, the possibility of using them in criminal activity will based and software-based tools. Hardware-based method is
continually increase. Android is one of the highly competitive
to bypass the operating system by means of a physical
platform in the market. Android used by many manufactures to
run different models, causing a strong diversity. Thus, the
device. A dedicated communication port will be opened by
difficulty of physical image acquisition of android based a dedicated hardware to copy the internal memory [2]. In
smartphones arises, especially, when the source code of latest Android smarphones, JTAG test pins can be used to
Android version is released too late. As a consequence, the retrieve the internal memory of a device [3]. However, not
available smartphones with latest versions memory cannot be all Android smarphones have JTAG test pins. Software-
acquired using available smartphone forensic tools. This paper based method is the use or design a tool for acquiring the
gives a comprehensive perspective of some of the mobile device internal memory [2]. In Android smartphones, one option
forensic tools that offer physical acquisition. A comparative is to acquire data from /dev/mem devices [3].
analysis of these tools is performed based on different parameters
Unfortunately, this method only works for smartphones
which includes: cost, integrity, data recovery, usability, ways to
export data forensic phases support, and supporting generic with at most 896 MB RAM [4]. Kollar [5] developed a
android smartphones. loadable kernel module named fmem, that crates /dev/mem
Key words: device for acquisition purpose. However, it does not work
physical image; physical acquisition; Android forensic; forensic for all Android smartphones [4].
tools To acquire data from Android smartphones physically,
usually the smartphone is required to be booted in either
custom bootloader, custom recovery mode, or normal
1. Introduction mode with root access [6]. Then, execute code on the
smartphone to send a copied data to hardware device or
The utilization of mobile devices has increased, especially server (e.g., laptop or desktop) [6].
smartphones, and at the same time digital crime has also The process of physical acquisition can be time-intensive,
increased. The advent of the smartphones has completely due to smartphone processor speeds, cable types used, and
revolutionized the way people live, work and play. the amount of data transferred. Sometimes it takes hours to
However, there is a dark side of using smartphones in complete the physical acquisition. Most commercial tools,
committing crimes. Investigators use suspects smartphones such as UFED and Oxygen, send data over USB. However,
to derive evidence and then use them in courtroom against the transmission rate of the copied data does not utilize the
them. The smartphone derived evidence should be reliable maximum transmission rate of the USB. For illustration,
in order to be accepted in a courtroom as no different from USB 2.0 has a maximum transmission rate of 480 Mbps
other forms of evidence. but it receives at most 320 Mbps [7]. In 2016, the largest
In the last few years, there has been a substantial amount of Android smartphones available on the market are 128 GB.
memory acquisition researches targeting Android As smartphones continue to grow in size, the times to
smarphones. The acquisition aim is to extract and collect physically acquire them will increase as well [6].
useful information including deleted data to be further In this paper, we analyzed many different physical
analyzed and presented to courtroom. There are two main acquisition tools for Android smartphones and compared
acquisition methods for mobile device forensic: physical their cost, integrity, data recovery, usability, ways to
and logical. Physical acquisition is a bit-by-bit copy from export data forensic phases support, and supporting
an entire physical storage including deleted data. Logical generic Android smartphones. This paper is organized as
acquisition extracts logical storage such as portion of a file follows: Section 2 describes Android architecture, Section
system. Data stored in smartphones are fragile, as the data 3 shows different scenarios of data acquisition procedure,
can be overwritten or deleted. Therefore, the need to use Section 4 discusses some of the available physical forensic

Manuscript received November 5, 2016

Manuscript revised November 20, 2016
IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016 39

tools, Section 5 provides comparative analysis of selected

physical forensic acquisition tools, Section 6 concludes
with summery and some proposed future work.

2. Android Architecture
Understanding Android internals and architecture is at
most important in forensic investigation, due to the
flexibility of Android. Android platform is changing over
time with new versions. According to the differences
between versions, so does the architecture differs.
However, the main core components of Android
architecture are the same. Android architecture has four
main layers, as shown in Figure 1:
Fig 1. Android architecture.
2.1 Linux Kernel
Understanding Linux kernel is the most important, as it is
the basic of Android architecture [8]. It supports the core
3. Data Acquisition Procedure
services, such as memory, network, and process
Different scenarios of data acquisition process from
management, and security. It also maintains various drivers
Android smartphones which forensic examiners may adopt.
for almost all of the hardware [8, 9].
By using the proper procedure, forensic examiners may
retrieve maximum information from the smartphone, so
2.2 Library and Android Runtime
that the acquired data can be further analyzed and
Android includes a set of libraries written in C/C++ [8].
documented in the safest and least intrusive manner as
Libraries, such as Standard CSystem Library, Media
possible. The forensic examiner must follow the
Libraries, 3D Libraries, are used by the components of the
procedures in order to preserve the stored data on the
system through the Application Framework layer [9].
target smartphone [11].
The Android runtime section provides a key component
called Dalvik Virtual Machine (DVM) which is a kind of 3.1 Data Preservation Procedures
Java Virtual Machine specially designed and optimized for
The forensic examiner should check the status of the target
Android [8]. It also provides as set of core libraries which
smartphone, on or off. When the smartphone is powered
enable developers to write Android applications using
off, the forensic investigator checks its memory card. If the
standard Java programming language [8]. A set of core
memory card cannot be removed (i.e. internal memory),
libraries and DVM compose an Android runtime, where
the data can be copied using standard USB card reader. If
every running application holds its own instance of the
the memory card can be removed, then remove the
DVM and executes in its own process [9].
memory card and copy it into a forensic memory card to
ensure its preservation. The data can be copied using the
2.3 Application Framework
same approach used with pen drives. Another, use forensic
This layer provides many higher-level services to Java
tools to copy the data and then generate hash values of the
applications that can be exploited [8, 9]. Application
duplicate data. At the end of the procedure, the forensic
developers can consume and provide services through of a
memory card with the copied data should be returned to
wide set of Application Programming Interfaces (APIs),
the smartphone.
always respecting the security constraints enforced by the
framework [9]. 3.2 Network and Connection Isolation Procedures
It is important to isolate the smartphone from the network
2.4 Application
to prevent any alteration of data. The smartphone can be
The highest layer includes a bundle of programs (e.g.,
isolated by using a room with physical insulation from
contact manager, calendar, SMS program, web-browser, an
electromagnetic signals, or simply set the smartphone to
email client) written in Java Programming Language [10].
flight or offline mode. As the forensic examiner turns the
smartphone on, he must immediately configure it to such
connectionless mode, to avoid data transmission, receiving
calls or SMS. Whenever the smartphone receives an
information, such as incoming call, SMS, or email, the
40 IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016

examiner should document and describe it in the final access the smartphone. This method request support
report. from manufacturers and authorized service centres.
When the smartphone is isolated from telecommunication 3. Software access methods, are usually the easiest
networks, the examiner should check if the smartphone has way even though it depends on the handset model
been configured to provide an authentication mechanism and Android version.
(e.g., password or pattern). After that, the examiner should The examiner must use the least intrusive method to avoid
complete the data acquisition procedures depending on the compromising the evidence. If the password or the pattern
access control mechanism which is configured on the has been obtained when the smartphone was seized, it
device. should be tested. If the examiner not succeeded, he should
check if the smartphone is configured to accept USB
3.3 Data Acquisition of Smartphone without Access debugging connections using a ADB tool. If he succeeds,
Control Procedure he attempts to gain super user access control privileges to
One situation, which is the simplest, is to have an unlocked resume the acquisition process, as mentioned earlier in the
smartphone with removable memory card. As mentioned last section. Even when there are no privileges to super
earlier, the examiner should extract data from memory user access control to the smartphone, the examiner can
cards at first and then reinstall into the smartphone the install applications through the ADB tool to bypass the
forensic cards that have received the copies. The examiner access control system. In case where it is not possible to
should now check the status of super user privileges in bypass the access control system or USB debugging access
Android smartphone. If it is enabled, the examiner can gain is disabled, it is left to the examiner to acquire the data
access to all stored data in the smartphone without any from the removable memory card that may be installed on
restriction by using USB debugging tool ADB and make a the smartphone.
copy of its internal memory.
However, if the super user privileges are disabled in the 3.5 Acquisition Documentation
smartphone, in this case some Android smartphones can be All the techniques and procedures that have been used
acquired using bootloader mode or recovery mode. The must be documented by the examiner, in order to facilitate
examiner should evaluate the possibility to apply those the analysis of the extracted data. The better documenting
techniques on that kind of smartphone. Some of the the data acquisition procedure, the more trust will be given
available mobile device forensic tools that can be used by to the examination results. The examiner should register
examiners do not use user privileges to acquire data, such the hash codes of data generated and extracted during the
as Cellebrit UFED and Oxygen. Instead Cellebrit UFED acquisition process carefully. He must also document any
uses bootloader mode. It is up to the examiner to choose an caveats that he faced during the acquisition process, such
efficient mobile device forensic tool to recover a complete as receiving an e-mail or SMS before the smartphone have
copy of the internal memory. been isolated from telecommunication networks.

3.4 Data Acquisition of Smartphone with Access

Control Procedure 4. Physical Forensic Tools for Android
The Android runtime section provides a key component
called Dalvik Virtual Machine (DVM) which is a kind of
4.1 Linux Memory Extractor (LiME)
Java Virtual Machine specially designed and optimized for
LiME tool was introduced in 2012 by J. Sylve et al. [4]. It
Android [8]. It also provides as set of core libraries which
is an open-source forensic tool for acquiring a complete
enable developers to write Android applications using
volatile memory from devises powered by Linux, such as
standard Java programming language [8]. A set of core
Android. LiME is based on a new loadable kernel module,
libraries and DVM compose an Android runtime, where
named dmd, that is able to acquire the memory pages in a
every running application holds its own instance of the
forensically sound manner. It supports dumping memory to
DVM and executes in its own process [9].
either the SD on the smartphone or via the network. The
Android smartphone can be locked using access control,
dmd module works as follows: parsing the kernel structure
such as a password or pattern. According to NIST [12],
for learning the ranges of the physical memory address of
there are three ways of gaining access to locked
system RAM, translating physical addresses to virtual
smartphones:
addresses on every memory page, reading all memory
1. Investigative method, where the examiner seeks
pages and writing them on SD of TCP socket. LiME tool
possible valid passwords.
offers significant features [13]: only dmd module is needed
2. Gain access via hardware, where the examiner
to transfer to target device for acquisition, very few kernel
should perform a non-destructive procedure to
functions are required for memory dumping, loading of
IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016 41

dmd module requires a minimal footprint, and minimal 4.4 Android Memory Extractor (AMExtractor)
interactions are required with userland. The authors AMExtractor [3] is a tool for acquiring volatile memory
showed that about 99.46% of pages correctly captured from Android devices. AMExtractor uses the /dev/kmem
over TCP connection, and 99.15% of pages correctly device to execute code in kernel space. This will avoid the
captured to SD card. The proposed module supports all restriction of loadable kernel module and provide the
Android devises, but it is still not considered to be a ability to work on the latest stock ROMs without any
generic module. Moreover, Wächter [14] concluded that modifications. AMExtractor does not need the source code
LiME tool in not feasible for memory forensic in law of the target smartphone and it is compatible with most
enforcement for several reasons: identifying the model, Android operating system versions. Unlike other tools,
identifying Android version, lock screen, root exploit, AMExtractor runs in kernel mode, which makes the tool
availability of sources, kernel configuration, and evidence forensically sound, as it has minimum impact on target
erosion. smartphones. Furthermore, running the device on the
kernel mode minimizes copying data and fines hidden data
4.2 Android Physical Dump (APD) from user mode. H. Yang et al. [3] showed that the
APD was developed by S. Yang et al. [15] in 2015. The acquired data using AMExtractor is nearly the same as
tool is based on analyzing the firmware update protocols of acquired data using LiME.
Android smartphones. Therefore, it acquires internal
memory through the Android update protocols of Android 4.5 ANDROPHSY
devices' bootloader. It supports dumping both partition and ANDROPHSY is an open source tool that was developed
entire memory. The format of the acquired data using APD in 2015 by I. Akarawita et al. [16]. It is the first open-
is raw data that can be analyzed through smartphone source tool that supports the all phases of the digital
forensic analysis tools. The authors proved that the forensic process. ANDROPHSY architecture consists of
proposed method guarantees the integrity of the acquired four major modules: case handling, acquisition, analysis
data. They showed that APD acquires the data at a high support, and reporting module. In case handling module,
speed; it took about 30 min to acquire 32 GB memory, case creation and backup archive functionalities for
while UFED 4PC took 120 min on average. APD can be specific case are provided. In acquisition module, it
executed despite of the restriction due to screen lock; by provides physical and logical acquisition. In analysis
turning off the phone and rebooting in the firmware update module, a complete examination and analysis of the
mode rather than normal boot mode. APD tool supports removed data. And last the reporting module, a report in
over 80 of the latest Android models. However, the main PDF format is generated. In order to use this tool, a
drawback of the method is that it requires to analyze the single .jar file and configuration script are need to be
firmware update protocol whenever new Android installed separately.
smartphones are launched. Focusing on physical acquisition in this tool, the authors
used low level Linux and Android built-in forensic
4.3 Hawkeye functionalities such as dd and Android Debug Bridge (adb)
Hawkeye was proposed for physical acquisition purposes commands. The adb commands is used for connection and
in 2016, by Guido et al. [6]. The purpose of Hawkeye is communication between Android smartphone and
focusing on reducing the amount of data, redundant data, workstation over USB. The dd command is a built in
that needs to be transferred during the physical acquisition. command line utility used to recover raw image from
Thus, decreasing the overall acquisition time. Hawkeye physical drives. ANDROPHSY exploits kernel to gain root
runs Android smartphones on either custom bootloader or access, which minimizes data alteration. It provides user
recovery mode in order to acquire physical images. The access control and case management for authentication and
tool temporarily installs hawkeye agent into the target privacy. It does not use SD card as a collection target.
smartphone’s volatile storage. The agent is provided with a Instead, the data are transferred over TCP connection.
list of baseline hashes and partitions. The agent will then
identify and send only necessary data blocks to the 4.6 Android Digital Autopsy (ADA)
backend PMF architecture via USB. The authors chose ADA is an open source digital forensic tool that was
PMF for several reasons: converting images into their raw developed in 2016 by R. Fasra et al. [17]. The tool
format, writing back automatically. The agent can acquire performs physical, logical, and file system acquisition. The
a partition or full smartphone’s internal memory. Hawkeye authors used a device with multimedia card (MMC)
could successfully acquire the internal memory on 16 GB partition layout. The developed a script file to automate the
memory in 7 min. physical acquisition process. The script file identifies the
data blocks, then uses dd commands to acquire RAW
images of the blocks after gaining root access. The
42 IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016

recovered data are then stored in an external storage card, 4.11 MOBILedit! Forensic
i.e. SD card. Along with the proposed tool, the authors MOBILedit! Forensic [23] allows to retrieve, search, and
developed ADA Analysis Tool, but unfortunately it is only view all data, including deleted data, stored on a
for logical acquisition smartphone with only few clicks. This tool is able to
support all smartphones powered by Android and iOS. It is
4.7 Cellebrite UFED frequently updated and upgraded with new features to
Cellebrite UFED [18] is a commercial forensic tool that support more smartphones. The tool has changed the way
performs physical, logical, file system, and password this evidence is obtained and presented. It generates
acquisition on wide range of devices and platform, such as detailed forensic reports ready to be presented in
Android. It also performs decoding, analysis, and reporting. courtroom. The report could be generated in any language.
UFED can acquire data from all Android OS versions.
4.12 ViaExtract
4.8 Oxegen Forensic Suite ViaExtract [24] is a physical and logical extraction tool
Oxygen Forensic Suite [19] is one of the leading forensic created by ViaForensics. It offers a guided data acquisition,
tools that supports wide range of smartphones. It is used by powerful analysis, and flexible reporting features for
Law Enforcement, army, police department, and other Android smartphones. ViaExtract uses device rooting
government authorities, in more than 50 countries all over wizard to gain root access of most smartphones with only
the world. It enables investigators to perform physical click of a button. This tool allows examiners to crack
acquisition of Android smartphones, advanced passcode to extract data from internal and external storage.
examination, and analysis of raw data and of device images It provides a global search feature for greater speed and
extracted from the smartphone. It allows a fully automated ease of use. This feature allows the examiner to search all
acquisition and analysis of supported smartphones. It can the content types extracted in all the currently opened
acquire a 16 GB smartphone in approximately 45 minutes. acquisitions at once. ViaExtract works on many of the
It offers a well-defined report for the examiner that most popular Android smartphones.
summarizes smartphone activities.
4.13 Mobile Phone Examiner Plus (MPE+)
4.9 XRY Physical MPE+ [25] is a mobile device investigation tool that
MSAB [20] provides products for extraction, analyzing, includes enhanced smartphone acquisition and analysis
and reporting. XRY Physical tool supports extraction of capabilities It supports wide range of platforms and
internal memory and removable media without changing devices. It allows examiners to quickly collect, easily
the target device. It also allows users to generate hash identify, and effectively obtain the data. Like DS, MPE+
values of the memory image, as well as individually can search through a smartphone’s memory dump for
decoded file. XRY Physical recovers raw data from the crucial evidence [22]. The examiners can acquire more
target smartphone by bypassing the operating system and data from iOS and Android devices 30% faster than any
offers the chance to go deeper and recover deleted data other tool in the market. MPE+ includes a robust and
from the target smartphone. The physical extraction is superior analysis tools. To perform physical acquisition, an
separated into two distinct stages: the initial dump stage, empty forensic SD card, holds temporarily MPE+’s agent,
where raw data is recovered from the smartphone, and should be inserted in a target smartphone. Use a tool (e.g.
decoding stage, where the tool can automatically SuperOneClick) to gain Shell Root, i.e. not full root.
reconstruct the data into meaningful information. The
extracted data can be viewed by XAMN Spotlight.
5. Comparative Analysis
4.10 Device Seizure (DS)
DS [21] supports physical, logical, file system, and It is very hard to evaluate tool performance, as their
password extraction. It provides a complete analysis and capabilities varied. In this paper physical forensic tools are
report on all acquired data. It supports wide range of compared in terms of cost, user friendly, data recovery
platforms and devices. By using DS physical acquisitions, with screen lock, data integrity, partition data recovery,
most, but not all, deleted data can be recovered from ways to export data, forensic phases support, and
smartphone. It supports physical acquisitions for Android supporting generic Android smartphones. Table 1
up to 4.4.2 (except for version 3). DS has low minimum illustrates the summery of the evaluated forensic tools.
system requirements, so it can run on any device. It can
search through a smartphone’s memory dump for crucial 5.1 Open Source
evidence [22]. The most powerful mobile devices forensic tools, such as
Oxygen, UFED, and MSAB XRY, are expensive and not
IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016 43

affordable, as they are intended for not personal use. physical images from Samsung Galaxy S II family
Besides commercial tools, there are free open source powered by Android 2.3.4 or 2.3.5 [25]. ANDROPHSY,
mobile devices forensic tools, such as LiME, AMExtractor, DS, and MSAB XRY support bypassing screen lock of
ADA, and ANDROPHSY, that compete the commercial Android smartphones [19, 20, 21]. UFED and viaExtract
tools in many terms (e.g. supported devices, acquired data, can bypass any kind of lock and acquires data only if USB
integrity, friendliness) to achieve best results. Debugging is enabled [18, 24]. Oxygen can create physical
images and bypass lock screen for some of Samsung
5.2 User Friendly Galaxy Note family smartphones [19].
Almost all commercial tools provide users with easy-to-use
interface for data extraction, analysis, and reporting. They 5.4 Data Integrity
are designed with a simple interface to navigate, along with Integrity of evidence is a significant dimension in forensics,
a wizard to guide users through the entire process. Some of which describes the need of evidence to be integral and not
them supports multi-language user interface, such as altered during acquisition and analysis. Some of the mobile
Cellebrite UFED and Oxygen. ANDROPHSY is the only device forensic tools required a smartphone to be booted
open source forensic tool that provides users with friendly into normal mode for getting physical images, which
interface. inherently makes changes to a smartphone's storage. Other
mobile device forensic tools ran in the smartphone's
5.3 Bypass Screen-Lock recovery mode or through the bootloader, which are more
All Android smartphones could be locked using either forensically sound. ADB tool preserved integrity by
pattern or password, and delivered with USB debugging booting the target smartphone in the firmware update mode
disabled for security reasons. Therefore, USB debugging which guarantees the integrity of artefact even after
should be enabled in order to apply existing acquisition physical acquisition multiple times [15]. Integrity can be
methods. Most of the software based forensic tools, such verified through hash value checksum. DS, MOBILedit!
as MOBILedit! Forensic, use the ADB protocol for Forensic, UFED, Oxygen, MSAB XRY, ADA, Hawkeye,
physical acquisition. However, USB debugging must be and ANDROPHSY verify data integrity by calculating
enabled to use the ADB protocol and apply acquisition hash values (e.g., MD5, SHA-1, SHA-256, SHA-512)
methods. ADB tool overcomes this problem by executing among images produced. MPE+ builds a Python Script that
physical acquisition after turning off the smartphone and acts upon a copy of evidence rather than the original binary
rebooting in the firmware update mode [15]. Regardless of data, thus original data will not be altered [21, 25].
whether USB debugging is enabled or if the device is in a
rooted state, MPE+ can bypass screen locks and get

Table 1: Comparative analysis of Android forensic tool

44 IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016

Commercial forensic tools, such as Oxygen and Cellebrite

5.5 Partition Data Recovery UFED, are reliable, easy to use, can be used on wide range
Data recovery is the It is heart of any forensic tool. All of Android smartphones across many Android versions,
physical acquisition tools focus on retrieving whole and support all forensic phases. However, they are not
internal memory. Some of them (e.g. APD, Hawakye and applicable on every Android smartphone, especially when
ANDROFSY) allows part of the internal memory to be the target smartphone is locked. Moreover, it is not
acquired physically affordable for personal use. Opens source tools are often
not user friendly, focus only on acquisition phase, can be
5.6 Export Data used on limited version of Android smartphones, but still
Acquired data can be then exported by using different reliable. One interested open source tool, ANDROPHSY,
ways to be saved such as USB connection, Bluetooth, TCP can compete commercial forensic tools in its feature. It is
socket and Infrared. Further, it can be saved directly by designed to be used to acquire all Android smartphone
using SD card of USB flash memory. Table1 illustrates the with any version. It is the first open source tool that
tools and how data are exported. support the life cycle of mobile device forensic.
In the future we hope to include more physical forensic
5.7 Support Forensic Phases tools in this comparative analysis. Also providing physical
The main mobile device forensic phases are: acquisition, forensic tools of different platform, such as iOS and
analysis, and reporting. Few commercial tools support the Windows. For future research we will conduct a practical
entire mobile device forensic phases, such as Oxygen, research for examining physical forensic tools on
Cellebrite UFED, MSAB XRY/XACT, MOBILedit! smartphones running iOS and Android.
Forensic, ViaExtract, and MPE+. For free tools,
ANDROPHSY is the only tool that supports the life cycle References
of mobile device forensic. [1] T. B. Tajuddin and A. A. Manaf, "Forensic investigation
and analysis on digital evidence discovery through physical
5.8 Generic acquisition on smartphone," in 2015 World Congress on
There is no general recovery image method that can be Internet Security (WorldCIS), Dublin, 2015
used on every Android smartphone, as in all android [2] L. Cai, J. Sha, and W. Qian, "Study on forensic analysis of
smartphones highly coupled with Android version, device physical memory," in Proc. of 2nd International Symposium
model, kernel version, hardware profile, build version and on Computer, Communication, Control and Automation
(3CA 2013), 2013.
firmware version specific. ANDROPHSY method pursued
[3] H. Yang, , J. Zhuge, H. Liu, and W. Liu,"A tool for volatile
a modern approach by using low level Linux and Android memory acquisition from Android devices," in Advances in
built-in forensic functionalities such as dd and adb Digital Forensics XII, New Delhi, Springer International
commands to fits any situation. DS supports physical Publishing, 2016, pp. 365-378.
acquisitions for Android up to 4.4.2 (excluding version 3). [4] J. Sylve, A. Case, L. Marziale, and G.G. Richard,
UFED and ViaExtract extracts data physically via USB "Acquisition and analysis of volatile memory from android
debugging for all Android versions including Android devices," Digital Investigation, vol. 8, no. 3, pp. 175-184,
4.NO in the earlier one and Android version 2.2 or higher 2012.
for the later one. Although, Oxygen, MSAB XRY, and [5] I. Kollár, "Forensic RAM dump image analyser," MCS
thesis, Charles Univ., Prague, Czech Republic, 2010.
MOBILedit! Forensic support wide range of Android
[6] M. Guido, J. Buttner, and J. Grover, "Rapid differential
smartphones, but still the former one cannot unlock every forensic imaging of mobile devices," Digital Investigation,
Android smartphones and the later ones cannot support all vol. 18, pp. S46-S54, 2016.
Android smartphones for physical acquisition. [7] L. Spector, "USB 3.0 speed: real and imagined," PCWorld,
2014. [Online]. Available:
http://www.pcworld.com/article/2360306/usb-3-0-speed-
6. Conclusion real-and-imagined.html. Accessed: Oct. 17, 2016.
[8] C. A. Jayasinghe, "Android smart phone contact analyzer",
With the increase in physical forensic tools and practical MSIS dessirtation, 2015.
use of Android smartphones, this paper sets benchmarks [9] A. Distefano, G. Me, and F. Pace. "Android anti-forensics
for any researcher who wants to compare the new tools through a local paradigm," Digital Investigation: The
International Journal of Digital Forensics & Incident, vol. 7,
with the available tools. It also tends to supply
pp. S83-S94, 2010.
investigators or practitioners a more efficient interactive, [10] X. Lee, C. Yang, S. Chen, and J. Wu, "Design and
and convenient way of capturing physical images via implementation of forensic system in Android smart phone,"
choosing reliable and suitable physical forensics tools. in Convergence and Hybrid Information Technology - 5th
International Conference, Daejeon, 2009.
IJCSNS International Journal of Computer Science and Network Security, VOL.16 No.11, November 2016 45

[11] A. Simao, F. Sicoli, L. Melo, F. Deus, and R. Sousa Junior,

"Acquisition of digital evidence in android smartphones," in
Proc. of 9th Australian Digital Forensics Conference, p.
116-124, 2011.
[12] W. Jansen, and R. P. Ayers, "SP 800-101. Guidelines on
cell phone forensics," 2007.
[13] C. Ntantogian, D. Apostolopoulos, G. Marinakis, and C.
Xenakis, "Evaluating the privacy of Android mobile
applications under forensic analysis," Computers & Security,
vol. 42, pp. 66-76, 2014.
[14] P. Wächter, "Practical infeasibility of Android smartphone
live forensics,"Master thesis, Friedrich-Alexander Univ.
Erlangen-Nürnberg, Erlangen and Nurnberg, Bavaria, 2015.
[15] S. J. Yang, J. H. Choi, K. B. Kim, and T. Chang, "New
acquisition method based on firmware update protocols for
Android smartphones," Digital Investigation, vol. 14, pp.
S68-S76, 2015.
[16] I. U. Akarawita, A. B. Perera, and A. Atukorale,
"ANDROPHSY-forensic framework for Android," in Proc.
of 2015 Internatoinal Conferace on Advances in ICT for
Emerging Regions (ICTer), pp. 250-258, 2015.
[17] R. Fasra, and A.R. Meeran, " Performing digital autopsy on
an Android device: an “open aource” approach,"
International Journal of Computer Technology and
Applications, vol. 9, no. 15, pp. 7111-7117, 2016.
[18] "Cellebrite UFED,". [Online]. Available:
http://www.cellebrite.com/Mobile-Forensics. Accessed: Oct.
17, 2016.
[19] "Oxygen Forensic® analyst,". [Online]. Available:
http://www.oxygen-forensics.com/en/. Accessed: Oct. 17,
2016.
[20] majo, "The pioneers of mobile forensics," MSAB, 2016.
[Online]. Available: https://www.msab.com/. Accessed: Oct.
17, 2016.
[21] P. Corporation, "Device seizure," [Online]. Available:
https://www.paraben.com/device-seizure.html. Accessed:
Oct. 17, 2016.
[22] I. I. Yates, "Practical investigations of digital forensics tools
for mobile devices," in Proc. of 2010 Information Security
Curriculum Development Conference, pp. 156-162, 2010.
[23] C. Labs, "MOBILedit!," 2016. [Online]. Available:
http://www.mobiledit.com/forensic. Accessed: Oct. 17,
2016.
[24] S. Goetsch, "Team," in Computer Security, NowSecure,
2016. [Online]. Available:
https://www.nowsecure.com/solutions/mobile-app-security-
testing/. Accessed: Oct. 17, 2016.
[25] AccessData, "Mobile phone examiner plus," AccessData,
2016. [Online]. Available:
http://accessdata.com/solutions/digital-forensics/mpe.
Accessed: Oct. 17, 2016.