Data Extraction on MTK-based Android Mobile Phone Forensics

Journal of Digital Forensics, Security and Law
Volume 10 | Number 4, Article 3
2015

Joe Kong
The University of Hong Kong

Follow this and additional works at: http://commons.erau.edu/jdfsl
Part of the Computer Law Commons, and the Information Security Commons

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

(c)ADFSL

Recommended Citation
Kong, Joe (2015) "Data Extraction on MTK-based Android Mobile Phone Forensics," Journal of Digital Forensics, Security and Law: Vol. 10 : No. 4 , Article 3.
DOI: https://doi.org/10.15394/jdfsl.2015.1209
Available at: http://commons.erau.edu/jdfsl/vol10/iss4/3


Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4

© 2015 ADFSL Page 31

DATA EXTRACTION ON MTK-BASED ANDROID MOBILE PHONE FORENSICS

Joe Kong
MPhil Student in Computer Science
The University of Hong Kong
[email protected]

ABSTRACT

In conducting criminal investigations it is quite common that forensic examiners need to recover evidentiary data from smartphones used by offenders. However, examiners have encountered difficulties in acquiring a complete memory dump from MTK Android phones, a popular brand of smartphones, due to a lack of technical knowledge of the phone architecture and because system manuals are not always available. This research performs tests to capture data from an MTK Android phone by applying selected forensic tools and compares their effectiveness by analyzing the extracted results. It is anticipated that a generic extraction tool, once identified, can be used on different brands of smartphones equipped with the same CPU chipset.

Keywords: Mobile forensics, MTK Android phones, Android forensics, physical extraction, flash memory, MT6582

INTRODUCTION

Smartphones are frequently used in cyber-crimes or by offenders for coordinating their criminal activities, as the device allows users to perform online communication and store personal or commercial information and data such as messages, emails, documents, photographs, videos, GPS locations, etc. in a concentrated and portable form. Customized applications can also be downloaded and installed into smartphones to extend their functionalities.

MediaTek (“MTK”) Android phones are frequently used in crime cases [1][2] because of their low selling price and the high price / performance ratio of the CPU. The existing extraction tools, however, can only handle a limited number of MTK Android phones and the latest models are often not included [3]. This research attempts to explore a generic forensic tool that is applicable to these phone models and to set up standard operational procedures for its implementation.

The Current Problem

Low and mid-range China-branded Android phones are growing popular in the Asian market. In this research paper extraction performance tests are conducted on the quad-core MT6582 processor [4], a processor chip which is used in more than 140 Android phone models [5].

Apparently, live memory extraction and analysis is crucial to forensic examinations. Unlike examining a desktop or laptop computer, examiners may inadvertently modify the original device when capturing a full forensic image for data analysis, as a mobile device does not have a standalone hard drive which can be shut down and disassembled from the phone without altering the data stored therein. For Android phones the extraction process is even more complicated owing to their ever-changing proprietary hardware as well as the vast variety of applications and security settings. Besides, Android versions, which users can download from Google, are constantly updated. Thus examiners will need to carry out extensive testing and validation on the latest forensic toolkits.

Extraction methodology

Forensic tools used in extracting data from Android phones are largely supported by two methods:

a. File System (logical) Acquisition – it does not normally produce any deleted file, and user’s shell permission is required to run the file extraction process; and

b. Physical Data Acquisition – to make a bit-by-bit copy of the mobile device with maximum amount of “deleted data or files” recovered [3]. The process is similar to computer forensics and is widely used by forensic examiners.

Either the physical extraction process [the boot pre-loader or Android Debug Bridge (“ADB”) options] or the logical acquisition process (by copying from the backup mode) is able to extract data from MTK-based smartphones. As the two processes are regarded as less invasive to the physical phone when compared to the “JTAG” or “Chip-off” method, they are frequently used in forensic investigations. Besides, physical extraction has the benefit of recovering the maximum amount of “deleted data or files” by copying bit-by-bit from physical flash memory storage [3], and its acquisition process can bypass the device’s pattern locks or passcodes in many investigation cases [6]. The experiments conducted in this research are intended to identify an extraction method that best suits MTK Android phone forensics.

Objective of This Paper

This paper will focus on the use of three extraction tools to capture a complete memory dump of the phone under test. The competency and compatibility of these methods will be evaluated by comparing their test results.

In summary the objectives set down for this project are:

a. to conduct literature review pertaining to mobile forensics on MTK Android phones;

b. based on the actual amount of forensic data acquired, to compare the test results on the application of forensic tools developed by different vendors and evaluate their effectiveness; and

c. to identify a suitable extraction tool to cope with different brands of smartphones equipped with the same CPU chipset and review the best process for its use.

Document Structure

Chapter 2 provides literature review on researches conducted on Android forensics, in particular the MTK devices.

Chapter 3 discusses the methodology.

Chapter 4 outlines the implementation of extraction process by the three selected extraction tools.

Chapter 5 compares the test results by referring to the forensic tools and methodology under test.

Chapter 6 is the conclusion. It sums up the challenges to forensics conducted on MTK Android devices. It will also explore possible areas for future study in the mobile phone industry.

PAST STUDY AND EXPERIENCE

There are plenty of research studies on Android Forensics but only a few cover the realm of MTK Android Forensics. The relevant works are listed here.

Studies on Android Forensics

In 2011 Joe Sylve introduced a tool on memory acquisition, the Droid Memory Dumper (“DMD”) [7], which captures a copy of the memory data, runs an address translation of each memory page and writes them to a TCP socket. The DMD module, however, has its restrictions:

a. the ADB of the Android device has to be turned on in order for the DMD to tether data using network protocol via the virtual USB port;

b. root privileges are required in order to capture system data.

In 2012 Ismael Valenzuela presented an enhanced module of the DMD, LiME Forensics, which is purportedly the first software to dump full contents of internal memory from an Android device [8]. The new tool requires the “rooting” of the device, which may alter the state of the target phone and thus casts doubt on the integrity of the evidentiary data so recovered.

Lessard and Kessler (Lessard & Kessler, 2010) [9] investigated Android smartphones by acquiring a logical and physical image of the phone using the ‘dd’ command. They further used Cellebrite, a mobile forensic tool, to acquire the same image for comparing the two methods.

In their research work, Timothy Vidas et al. (Vidas, Zhang & Christin, 2011) [10] made use of a custom recovery image to boot the device instead of loading the operating system. The recovery image can support functions like dumping the Flash Memory, allowing the execution of the ‘su’ command to gain root access and adding some custom transfer binaries. The adb tool will collect data from the device and transfer them to a connecting computer via the USB port.

Vijith Vijayan in his thesis, “Android Forensic Capability and Evaluation of Extraction Tools” [11], compared the effectiveness of logical extraction of two HTC Android phones by three mobile forensic tools. The test results however showed that a full memory dump could not be achieved.

A Study on MTK Android Forensics

MTK Android phones have a short product cycle as they are mostly designed for low-end to middle range products. A new phone model could have replaced the current one before analysis on its hardware specifications or system architecture is complete. Hence, little research has been conducted on MTK forensics. After review it is found that China branded phone forensics was referred to in a research paper entitled “Digital Forensic on MTK-based Shanzhai Mobile Phone with NAND Flash” [12]. The authors found that 90% of the “Shanzhai” phones had been using the core processor, peripheral hardware prototype and software development platform of MTK or Spreadtrum. Nevertheless, their research was confined to extracting specific data, such as locating the file repository of phone books, call records, SMS and web-browsing records, without obtaining a full memory dump.

EXPERIMENT METHOD AND PROCEDURE

Traditionally a number of forensic tools have been using the ADB as a communication interface to access the Android system via a computer installed with extraction software. In order to extract complete memory data, the Android device must be made available for ‘super user’ privilege of access (also known as “rooting the device”) [13] so that the examiner can make a copy of all system partitions and access files that are not originally accessible by normal users. The Android phone has to be powered up as usual and the USB Debugging mode turned on manually in the system menu of the phone. So if the mobile device is protected by a power-on password or pattern lock, the extraction process cannot be executed.

Alternatively the device can be put into the Download mode, a state in which the Flash Memory can be formatted and reprogrammed. The Flash Memory holds all binary information [which includes internal memory of the device, drivers, applications and other types of data in memory structure like Read Only Memory (ROM) and Non-Volatile Random Access Memory (NVRAM)] required for the device to boot up and function. With an unlocked bootloader, which is commonly found in MTK Android phones, the Flash Memory can be reprogrammed in a way to establish connection of the target phone with any storage media. The above procedure is similar to computer forensics, where a forensic boot disk is used to operate the cloning process for acquiring data from the target computer without affecting the original hard disk. The uniqueness of this method is that there is no need for “rooting the device” or enabling the USB Debugging mode before extraction, thereby resolving the difficult problem of accessing a password-protected phone. The entire process is forensically sound as it will not interfere with the internal storage of the device.

In this experiment, Volcano Box has used the method of “rooting the device” while SP Flash Tools is an example of applying the Download mode. After making a physical copy of the mobile phone, the important task for an examiner is to identify the files that are of interest to the investigation. Message records and photos recovered will be searched to locate relevant files for the test process. The results will be analyzed to confirm the effectiveness of the methodology and the competency of the tools under test. Besides, the extracted data will be cross-referenced with the examination result conducted by the Cellebrite UFED (“Universal Forensic Extraction Device”) Touch [14].

Terminology

SP Flash Tools [15] is an application that captures memory images or binary data from a mobile phone. It can erase phone data or modify codes / data and then write them back to the phone. The tool employs the boot ROM kernel library (“BROM_DLL”) and Download Agent (“DA”) program to download, read or erase files from the target phone’s Flash Memory via a USB port connection. In practice, SP Flash Tools reads a length of memory from the target phone by using a scatter-file, beginning at a start address and continuing for a given length. Each read back file is a continuous memory dump from the Flash Memory. Multiple blocks starting at different addresses can be read and copied into image files for storing in the forensic workstation.

Volcano Box [16] supports a large number of MTK based phones, from earlier feature phones to the latest Android phone models. It can capture internal information of the target phone, read / write flash, unlock user code, backup phone data and run advanced features such as clearing up the Flash Memory, repairing IMEI, fixing receive signals and reading / writing NVRAM files for MTK phones. It is in fact a tool designed for repairing, upgrading or modifying the phone system.

Cellebrite UFED is an expansive and well-known forensic tool used in more than 60 countries. As long as the target device is on its support list, the auto-detection mechanism of the software can provide a step-by-step guide for the extraction process. For unlisted devices, UFED has also developed a generic profile to provide support.
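The region-based read-back described for SP Flash Tools above can be checked offline against any raw dump. The following is an added example, not code from the paper or from MediaTek's tooling: it parses a scatter-style partition list, checks the layout for gaps and overlaps, and computes a SHA-256 per region so that a per-partition image can be matched against the same slice of a single full dump. The sample text, its addresses, the helper names and the three field names (partition_name, linear_start_addr, partition_size) are assumptions made for illustration, not the Lenovo A850's real layout.

```python
import hashlib
import io
import re

# Constructed scatter-style text, NOT from a real device. Field names are
# assumed for this example; only name, start address and length are used.
SAMPLE_SCATTER = """\
# constructed sample
- partition_index: SYS0
  partition_name: MBR
  linear_start_addr: 0x0
  partition_size: 0x200
- partition_index: SYS1
  partition_name: NVRAM
  linear_start_addr: 0x200
  partition_size: 0x400
- partition_index: SYS2
  partition_name: USRDATA
  linear_start_addr: 0x800
  partition_size: 0x800
"""

FIELD = re.compile(r"^\s*(-\s*)?(\w+):\s*(\S+)")


def parse_scatter(text):
    """Return [(name, start, length)] sorted by start address."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # comments and blank lines
        dash, key, value = m.groups()
        if dash:  # a leading "-" opens a new entry
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    regions = [(e["partition_name"], int(e["linear_start_addr"], 16),
                int(e["partition_size"], 16))
               for e in entries if "partition_name" in e]
    return sorted(regions, key=lambda r: r[1])


def check_layout(regions, dump_size):
    """List gaps, overlaps and regions that run past the end of the dump."""
    problems, cursor = [], 0
    for name, start, length in regions:
        if start > cursor:
            problems.append(("gap", cursor, start - cursor))
        elif start < cursor:
            problems.append(("overlap", start, cursor - start))
        if start + length > dump_size:
            problems.append(("truncated", name, start + length - dump_size))
        cursor = max(cursor, start + length)
    if cursor < dump_size:
        problems.append(("gap", cursor, dump_size - cursor))
    return problems


def hash_regions(dump, regions, chunk=1 << 20):
    """SHA-256 each region of a seekable dump; returns {name: hex digest}."""
    digests = {}
    for name, start, length in regions:
        h, remaining = hashlib.sha256(), length
        dump.seek(start)
        while remaining:
            block = dump.read(min(chunk, remaining))
            if not block:  # dump is shorter than the map claims
                break
            h.update(block)
            remaining -= len(block)
        digests[name] = h.hexdigest()
    return digests


def demo():
    # Constructed 4 KiB dump: each region filled with its own byte value,
    # plus 0x200 unmapped bytes between NVRAM and USRDATA.
    dump = b"\x11" * 0x200 + b"\x22" * 0x400 + bytes(0x200) + b"\x33" * 0x800
    regions = parse_scatter(SAMPLE_SCATTER)
    return regions, check_layout(regions, len(dump)), hash_regions(io.BytesIO(dump), regions)


if __name__ == "__main__":
    regions, problems, digests = demo()
    for name, start, length in regions:
        print(f"{name:8} start={start:#x} len={length:#x} sha256={digests[name][:16]}")
    print("layout problems:", problems)
```

A reported gap marks bytes of the dump that no map entry covers, which is the part of a full dump that would have no counterpart among per-partition images.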

THE EXPERIMENT PROCESS

The Lenovo A850 smartphone used for the experiment is equipped with the MT6582 processor, a popular model in the MTK Android market, and is installed with WhatsApp, Line and WeChat. To begin the process, a forensic workstation was set up and configured. Phone calls were made and photos taken in order to carry out the subsequent physical extraction for retrieving user’s data.

The Experiment on Lenovo A850

The mobile phone is running Android OS 4.2.2 and the sequence of the extraction process was as follows:

a. Physical Extraction Using SP Flash Tools
The phone was turned off initially. It turned on automatically when plugged into the USB port of the forensic workstation running the SP Flash Tools and started up the injected boot programs for the extraction process. A total number of 20 image files were extracted as listed in Table 1. The accumulated size of those saved files was 3,800,192KB. The phone was then turned off completely by taking out the battery.

b. Physical Extraction Using Volcano Box
The phone had been powered on with debugging mode enabled when plugged into the specific port of the physical Volcano Box (Picture 1). The Box was connected via USB cable to the forensic workstation running the corresponding software. The “Backup EMMC” option was used and one single image file with size 3,779,712KB was extracted. The phone was then turned off completely by taking out the battery.

Table 1. Image files extracted from Lenovo A850

Block Map   Size (KB)   Block Map   Size (KB)   Block Map   Size (KB)
android       1048576   usrdata       2281088   bootimg          6144
cache          129024   ebr1              512   ebr2              512
expdb           10240   logo             3072   mbr               512
misc              512   nvram            5120   preload        256000
preloader       20480   pro-info         3072   protect-f       10240
protect-s       10240   recovery         8192   sec_ro           6144
seccfg            128   uboot             384

Picture 1. Cable connection using Volcano Box

c. Physical Extraction Using Cellebrite UFED Touch
The phone had been powered on with debugging mode enabled when plugged into the USB port of the physical Cellebrite UFED Touch. The device was connected via USB cable to the forensic workstation running the corresponding software. The “Generic ADB for Chinese Android” option was used and one single binary file with size 3,779,712KB was extracted.

A summary of the memory size and files captured by the tools is shown in Table 2.

EVALUATION

In order to compare the test results of these three tools, X-Ways Forensics [17], an integrated computer forensics software, was also used to mount the extracted images from the experiment (for SP Flash Tools, only the USR Data image file; in the case of Volcano Box and Cellebrite, the full memory dump). The examination is confined to the user data partition of each mounted image, which purportedly contains application databases, event logs and user data that forensic examiners are tasked to investigate for information relating to criminal activities or leading to possible traces.

Table 2. Test results of three extracted methods.

Lenovo A850                      SP Flash Tools   Volcano Box   Cellebrite UFED
Image Size                       3,800,192KB      3,779,712KB   3,779,712KB
No. of Files in user partition   2,321            2,297         2,328

There were 20 image files recovered by SP Flash Tools. The table above shows that it has captured the largest image, while the image size captured by Volcano Box and Cellebrite UFED is the same. It is noted that when the test process was conducted by Volcano Box and Cellebrite, system and application log files were created or modified whenever the phone was switched on for the extraction (this is a feature of the phone when data in memory are automatically altered once it is powered up). For instance, in the user partition, the Cellebrite UFED image got 53 new files which were not found in Volcano Box and, vice versa, Volcano Box had 23 new files not recovered by the Cellebrite UFED image. These 76 files are system start-up event files. Besides, there are 1,173 common existing files which are different in size, and they are all system log or application library files. All these files mentioned above were activated as part of the system boot up process without user’s intervention. To further evaluate the results, UFED Physical Analyzer 4.2.1 [18] was used to conduct user data carving from the acquired images (Table 3).

Table 3. Comparison of data extracted among three tools

Model: Lenovo A850       SP Flash Tool   Volcano Box   Cellebrite UFED

Analyzed Data
Calendar                 1               1             1
Call Log                 4               4             4
Chats                    22              22            22
Contacts                 81              81            81
Cookies                  157             157           157
Locations                15              15            15
Emails                   1               1             1
Installed Applications   37              37            37
Passwords                9               9             9
Searched Items           1               1             1
SMS Messages             1               1             1
User Accounts            15              15            15
Web Bookmarks            13              13            13
Web History              14              14            14
Wireless Networks        2               2             2

Data Files
Audio                    59              59            59
Images                   518             518           518
Videos                   4               4             4

Unlike the single memory dump file captured by Volcano Box and Cellebrite UFED, SP Flash Tools acquired different image files according to the information on memory allocation recorded in the scatter-file. The decoding process was carried out on the USRData.img, Android.img and Preload.img files. In conclusion the three tools have produced the same result on the recovery of crucial data and files.

To prove the merit of using a controlled boot program, SP Flash Tools was used three times consecutively to acquire the USRData.img file from the Lenovo A850. Having examined the mounted images using X-Ways Forensics, all the files and records extracted from these three extractions are found identical. It is fair to conclude that no file creation or modification has been made to the internal memory when the phone is booted up for data acquisition.
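The file-level comparison used in the evaluation (files unique to one image, common files that differ in size) and the three-run repeatability check on USRData.img can both be scripted against read-only mounts of the acquired images. This is an added example, not code from the paper or from any of the tools it tests; the function names, directory labels and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root, chunk=1 << 20):
    """Map relative path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip links, sockets and device nodes
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    h.update(block)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), h.hexdigest())
    return manifest


def compare(a, b):
    """Classify paths: unique to one image, common but different in size,
    common with the same size but different content, or identical."""
    common = set(a) & set(b)
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "size_differs": sorted(p for p in common if a[p][0] != b[p][0]),
        "content_differs": sorted(p for p in common
                                  if a[p][0] == b[p][0] and a[p][1] != b[p][1]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }


def repeatable(manifests):
    """True when every acquisition produced exactly the same manifest."""
    return all(m == manifests[0] for m in manifests[1:])


def write_tree(root, files):
    """Create a directory tree from {relative path: bytes} (demo helper)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed stand-ins for mounted user partitions (paths are made up):
    two live acquisitions with boot-time changes, three controlled-boot runs."""
    user = {"data/com.example.chat/msg.db": b"chat-rows",
            "media/IMG_0001.jpg": b"\xff\xd8jpeg"}
    live_a = {**user, "system/boot_a.log": b"boot 1", "system/events.log": b"evt" * 3}
    live_b = {**user, "system/boot_b.log": b"boot 2", "system/events.log": b"evt" * 5}
    manifests = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in (("live_a", live_a), ("live_b", live_b),
                             ("ctl_1", user), ("ctl_2", user), ("ctl_3", user)):
            root = os.path.join(tmp, label)
            write_tree(root, files)
            manifests[label] = build_manifest(root)
    diff = compare(manifests["live_a"], manifests["live_b"])
    stable = repeatable([manifests[k] for k in ("ctl_1", "ctl_2", "ctl_3")])
    return diff, stable


if __name__ == "__main__":
    diff, stable = demo()
    for bucket, paths in diff.items():
        print(f"{bucket:16} {len(paths):3}  {paths}")
    print("controlled-boot runs identical:", stable)
```

Point build_manifest at the read-only mount point of each acquired image; identical manifests across repeated acquisitions correspond to the result reported for the three SP Flash Tools runs.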

CONCLUSION

Based on the data analyzed in Table 3, the three tools produce similar test results in retrieving data or files that are of interest to forensic investigations, but SP Flash Tools provides more comprehensive steps for user operations and is considered to adhere closely to the principles of digital forensics because:

a. The tool can extract the full range of data even if (i) the phone is password-locked; (ii) USB debugging mode is disabled; or (iii) root access right is absent.

b. Data integrity of the mobile phone is maintained by taking control during the boot up process and suppressing the running of installed applications of the phone except the relevant download agent for extraction. On the other hand, the other two forensic tools perform live extraction of data while the phone applications are running.

c. The USRData.img file is acquired based on memory allocation information contained in the scatter-file. The analysis process is conducted more efficiently on the userland data when compared with the work conducted on the full image dump extracted by other tools.

d. The tool is open sourced and free-of-charge, i.e. it incurs no cost or recurrent charges on the extraction process, but its drawback lies in the lack of technical support for bug fixing or product development in future.

e. The tool seamlessly provides an extraction method that can apply to all Android smartphones, irrespective of the phone brands or models (the upcoming models are also included), which are running on the same designated MTK based CPU chipsets. Currently, the tool supports 13 types of MTK processors in the market, including the octa-core devices launched in 2014.

Future Study

The development of mobile forensics grows rapidly as new mobile devices with more powerful CPU and storage capacity are launched every day. Nevertheless, it is observed that forensic examiners are getting behind in exploring a competent forensic tool to extract the full range of data from these devices. Efforts should be made to work out a comprehensive framework for researching applicable extraction methods and evaluating mobile forensic toolkits so that the extracted data, after analysis, is likely to be admissible as evidence in court proceedings.

Low-end Android phones can be a useful device for offenders in view of their low price and because they can be easily disposed of, either by destroying them physically or throwing them away. Past experience of forensic examinations has shown that physical extraction of data from these phones is not easy to achieve. In spite of this, considering these low-end Android phones could have used the same chips or similar form factors to cut cost, it is highly possible that a particular generic extraction tool, once identified, can be used on other CPU chipsets such as Qualcomm or the newer SnapDragon. Such an extraction tool may assist in seamlessly gathering all objects and data structures from Android devices as well as bypassing any hurdle created by password or encryption mechanisms in an orderly manner. This will provide a good lead for conducting future study.

REFERENCES

Kidnapping & extortion: Police ecstatic over toys to tackle cell phone crime, published in The Express Tribune, October 19, 2012, http://tribune.com.pk/story/453569/kidnapping-extortion-police-ecstatic-over-toys-to-tackle-cell-phone-crime/

Investigating and analyzing the web-based contents on Chinese Shanzhai mobile phones, IEEE/SADFE 2012, http://hub.hku.hk/bitstream/10722/189648/1/Content.pdf

Det. Cynthia A. Murphy, Developing Process for Mobile Device Forensics, http://www.mobileforensicscentral.com/mfc/documents/Mobile%20Device%20Forensic%20Process%20v3.0.pdf

MediaTek from Wikipedia, http://en.wikipedia.org/wiki/MediaTek

Top 140 quad-core MT6582 dual sim phones listed with specifications, GizChina.com, March 3, 2014, http://www.gizchina.com/2014/03/03/top-140-quad-core-mt6582-dual-sim-phones-listed-specifications/

Persistent Challenges with Smartphone Forensics, Digital Forensic Investigator, February 8, 2013, http://www.dfinews.com/articles/2013/02/6-persistent-challenges-smartphone-forensics

J. Sylve et al., Android Memory Capture and Applications for Security and Privacy, University of New Orleans Theses and Dissertations. Paper 1400, 2011, http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2348&context=td

Joseph T. Sylve, Android Memory Capture and Applications for Security and Privacy, University of New Orleans Theses and Dissertations, 2011, http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2348&context=td

Ismael Valenzuela, Acquiring volatile memory from Android based devices with LiME Forensics Part I, Ismael Valenzuela, April 23, 2012, http://blog.opensecurityresearch.com/2012/04/acquiring-volatile-memory-from-android.html

Lessard J, Kessler G.C., Android Forensics: Simplifying Cell Phone Examinations, ECU Publications Pre. 2011, http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7480&context=ecuworks

Vidas, Zhang & Christin, 2011, Toward a general collection methodology for Android devices, http://www.dfrws.org/2011/proceedings/07-339.pdf

Vijith Vijayan, Android Forensic Capability and Evaluation of Extraction Tools, April 2012, http://www.academia.edu/1632597/Android_Forensic_Capability_and_Evaluation_of_Extraction_Tools

Digital Forensic on MTK-based Shanzhai Mobile Phone with NAND Flash, ICDFI, Beijing, China 2012, http://secmeeting.ihep.ac.cn/paper/Paper_Mengfei_He_ICDFI2012.pdf

FlashTool V3.1004.00 Application Note, MediaTek, January 27, 2009, http://www.mtk2000.ucoz.ru/FlashTool_V3.1004.00_Application_Note.pdf

UFED Touch Ultimate, Cellebrite, https://www.cellebrite.com/images/stories/brochures/UFED-Touch-Ultimate-ENGLISH-web.pdf

SP Flash Tool + MediaTek MT65XX Drivers Download and Installation Guide including Bricked Devices, updated July 31, 2014, http://laurentiumihet.ro/sp-flash-tool-mediatek-mt65xx-drivers-download-and-installation-guide-including-bricked-devices/

Volcano Box, http://www.volcano-box.com/features.html

X-Ways Forensics, http://www.x-ways.net/forensics/

UFED Physical Analyzer, Cellebrite, http://www.cellebrite.com/mobile-forensics/products/applications/ufed-physical-analyzer