You are on page 1of 13

Journal of Digital Forensics

Security and Law
Volume 10 | Number 4 Article 3


Data Extraction on MTK-based Android Mobile
Phone Forensics
Joe Kong
The University of Hong Kong

Follow this and additional works at:
Part of the Computer Law Commons, and the Information Security Commons

Recommended Citation
Kong, Joe (2015) "Data Extraction on MTK-based Android Mobile Phone Forensics," Journal of Digital Forensics, Security and Law:
Vol. 10 : No. 4 , Article 3.
Available at:

This Article is brought to you for free and open access by the Journals at
ERAU Scholarly Commons. It has been accepted for inclusion in Journal of
Digital Forensics, Security and Law by an authorized administrator of
ERAU Scholarly Commons. For more information, please contact

functionalities. etc. This research will perform tests to capture data from MTK Android phone by applying selected forensic tools and compare their effectiveness by analyzing the extracted results. GPS locations. Customized core MT6582 processor [4].hk ABSTRACT In conducting criminal investigations it is quite common that forensic examiners need to recover evidentiary data from smartphones used by offenders. a popular brand of smartphones. flash memory.Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 DATA EXTRACTION ON MTK-BASED ANDROID MOBILE PHONE FORENSICS Joe Kong Mphil Student in Computer Science The University of Hong Kong jkongyc@connect. The existing the original device when capturing a full extraction tools. procedures for its implementation. documents. can only handle a forensic image for data analysis as a mobile limited number of MTK Android phones and device does not have a standalone hard drive the latest models are often not included [3]. can be used on different brands of smartphones equipped with the same CPU chipset. MTK Android phones. examiners may inadvertently modify performance ratios of the CPU. Apparently live memory extraction and MediaTek (“MTK”) Android phones are analysis is crucial to forensic examinations. examiners encountered difficulties in acquiring complete memory dump from MTK Android phones. In this research paper extraction photographs. emails. MT6582 INTRODUCTION forensic tool that is applicable to these phone models and set up standard operational Smartphones are frequently used in cyber. market.hku. videos. However. Android forensics. a processor chip applications can also be downloaded and which is used in more than 140 Android phone installed into smartphones to extend their models [5]. physical extraction. frequently used in crime cases [1][2] because of Unlike examining a desktop or laptop its low selling price and high price / computer. in a performance tests are conducted on the quad- concentrated and portable form. Keywords: Mobile forensics. however. once identified. which can be shut down and disassemble from This research attempts to explore a generic the phone without altering the data stored © 2015 ADFSL Page 31 . due to a lack of technical knowledge on the phone architecture and that system manuals are not always available. It is anticipated that a generic extraction tool. crimes or by offenders for coordinating their criminal activities as the device allows users to The Current Problem perform online communication and store Low and mid-range China-branded Android personal or commercial information and data phones are growing popular in the Asian such as messages.

and effectiveness. It will also explore possible The experiments conducted in this research are areas for future study in the mobile phone intended to identify an extraction method that industry. and b. they are extraction tools. For Android phones the extraction Objective of This Paper process is even more complicated owing to its This paper will focus on the use of three ever-changing proprietary hardware as well as extraction tools to capture complete memory the vast variety of applications and security dump of the phone under test. Physical Data Acquisition – to c. methods: b. to computer forensics and is widely used by forensic examiners. to identify a suitable extraction tool make a bit-by-bit copy of the to cope with different brands of mobile device with maximum smartphones equipped with the amount of “deleted data or files” same CPU chipset and review the recovered [3]. to conduct literature review Forensic tools used in extracting data from pertaining to mobile forensics on Android phones are largely supported by two MTK Android phones. copying from the backup mode) is able to Chapter 3 discusses the methodology. to compare it does not normally produce any the test results on the application of deleted file and user’s shell forensic tools developed by different permission is required to run the file vendors and evaluate their extraction process. The settings. suits best to MTK Android phone forensics. Thus examiners will need test results. which competency and compatibility of these users can download them from Google. Android devices. File System (logical) Acquisition – forensic data acquired. frequently used in forensic investigations. It sums up process can bypass the device’s pattern locks the challenges to forensics conducted on MTK or passcodes in many investigation cases [6]. Document Structure Either physical extraction [the boot pre. extract data from MTK-based smartphones. Chapter 2 provides literature review on loader or Android Debug Bridge (“ADB”) researches conducted on Android forensics. based on the actual amount of a. physical extraction has the benefit of referring to the forensic tools and methodology recovering maximum amount of “deleted data under test. Page 32 © 2015 ADFSL .JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics therein. or files” by copying bit-by-bit from physical flash memory storage [3] and its acquisition Chapter 6 is the conclusion. Chapter 5 compares the test results by Besides. in options] or logical acquisition process (by particular the MTK devices. Android versions. The process is similar best process for its use. to carry out extensive testing and validation on the latest forensic toolkits. are methods will be evaluated by comparing their constantly updated. Besides. As the two processes are regarded as less Chapter 4 outlines the implementation of invasive to the physical phone when compared extraction process by the three selected to the “JTAG” or “Chip-off” method. In summary the objectives set down for this project are: Extraction methodology a.

which is purportedly the first research paper entitled “Digital Forensic on software to dump full contents of internal MTK-based Shanzhai Mobile Phone with memory from an Android device [8]. casts doubt on the integrity of the prototype and software development platform evidentiary data so recovered. “Android Studies on Android Forensics Forensic Capability and Evaluation of Extraction Tools” [11]. their Lessard and Kessler (Lessard & Kessler. research confined only to extracting specific 2010) [9] investigated Android smartphones by data such as locating file repository of phone acquiring a logical and physical image of the books. there are few researches conducted on MTK In 2012 Ismael Valenzuela presented an forensics. the Droid Memory Dumper Android phones by three mobile forensic tools. The new NAND Flash” [12]. peripheral hardware thus. the ADB of the Android device has MTK Android phones have a short product to be turned on in order for the cycle as they are mostly designed for low-end DMD to tether data using network to middle range products. allowing the execution of the ‘su’ command to gain root EXPERIENCE access and adding some custom transfer There are plenty of research studies on binaries. system architecture is complete. (“DMD”) [7]. The DMD module. SMS and web-browsing phone using ‘dd’ command. Cellebrite. 2011) [10] made use Traditionally a number of forensic tools have of a custom recovery image to boot the device been using the ADB as a communication instead of loading the operating system. which captures a copy of the The test results however showed that a full memory data. A new phone model protocol via the virtual USB port. Timothy Vidas et al. to acquire EXPERIMENT the same image for comparing the two methods. each memory page and writes them to a TCP socket. runs an address translation of memory dump could not be achieved. however.Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 PAST STUDY AND dumping the Flash Memory. relevant works is listed here. METHOD AND In his research work. Hence. root privileges are to be executed in analysis on its hardware specifications or order to capture system data. After review it is found that China enhanced module of the DMD. compared the In 2011 Joe Sylve introduced a tool on memory effectiveness of logical extraction of two HTC acquisition. The adb tool will collect data from Android Forensics but only a few covers the the device and transfer them to a connecting realm of MTK Android Forensics. Zhang & Christin. has its A Study on MTK Android restrictions: Forensics a. LiME branded phone forensics was referred to in a Forensics. They further used records without obtaining a full memory dump. The authors uncovered tool requires the “rooting” of the device which 90% of the “Shanzhai” phones had been using may alter the state of the target phone and the core processor. Vijith Vijayan in his thesis. A list of the computer via the USB port. PROCEDURE (Vidas. could have replaced the current one before b. call records. The interface to access the Android system via a recovered image can support functions like © 2015 ADFSL Page 33 . of MTK or Spreadtrum. Nevertheless. a mobile forensic tool.

the important task for an Android device must be made available for examiner is to identify the files that are of ‘super user’ privilege of access (also known as interest to the investigation. Volcano Box has used modifying the phone system. Besides. for acquiring data from the target computer without affecting the original hard disk. the Flash scatter-file which begins at a start address and Memory can be reprogrammed in a way to a given length. a state in which the Flash captures memory images or binary data from a Memory can be formatted and reprogrammed. The results access files that are not originally accessible by will be analyzed to confirm the effectiveness of normal users. read or Only Memory (ROM) and Non-Volatile erase files from the target phone’s Flash Random Access Memory (NVRAM)] required Memory via a USB port connection. the extraction process cannot be Touch [14]. Download mode. So if the mobile device is result conducted by the Cellebrite UFED protected by power-on password or pattern (“Universal Forensic Extraction Device”) lock. With practice. SP Flash Tools reads a length of an unlocked bootloader which is commonly memory from the target phone by using a found in MTK Android phones. The tool employs the boot ROM the device. After making a physical copy In order to extract complete memory data. the extracted data mode turned on manually in the system menu will be cross-referenced with the examination of the phone. Terminology Alternatively the device can be put into SP Flash Tools [15] is an application that the Download mode. applications and other kernel library (“BROM_DLL”) and Download types of data in memory structure like Read Agent (“DA”) program to download. can capture internal information of the target thereby resolve the difficult problem of phone. read / write flash. executed. In for the device to boot up and function.JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics computer installed with extraction software. mobile phone. The backup phone data and run those advanced entire process is forensically sound as it will features such as clear up the Flash Memory. the method of “rooting the device” while SP Flash Tools is an example of applying the Page 34 © 2015 ADFSL . write NVRAM files for MTK phones. drivers. fix receive signals and read / device. The Volcano Box [16] supports a large number uniqueness of this method is that there is no of MTK based phones including earlier feature need to “rooting the device” or enabling the phones to the latest Android phone models. The above procedure is Memory. Each read back file is a establish connection of the target phone with continuous memory dump from the Flash any storage media. It USB Debugging mode before extraction. accessing a password-protected phone. the of the mobile phone. The Android phone has to be the methodology and the competency of the powered up as usual and the USB Debugging tools under test. It is in fact a tool designed for repairing. Multiple blocks starting at different similar to computer forensics where a forensic addresses can be read and copied into image boot disk is used to operate the cloning process files for storing in the forensic workstation. upgrading or In this experiment. not interfere with the internal storage of the repair IMEI. Message records “rooting the device”) [13] so that the examiner and photos recovered will be searched to locate can make a copy of all system partitions and relevant files for the test process. unlock user code. It can erase phone data or The Flash Memory holds all binary modify codes / data and then write them back information [which includes internal memory of to the phone.

800. being used for was 3. follows: The phone was then turned off completely by taking out the battery. Line and WeChat.779. Android market and is installed with b. Image files extracted from Lenovo A850 Block Map (KB) Block Map (KB) Block Map (KB) android 1048576 usrdata 2281088 bootimg 6144 cache 129024 ebr1 512 ebr2 512 expdb 10240 logo 3072 mbr 512 misc 512 nvram 5120 preload 256000 preloader 20480 pro-info 3072 protect-f 10240 protect-s 10240 recovery 8192 sec_ro 6144 seccfg 128 uboot 384 © 2015 ADFSL Page 35 . To begin the process. So far as the target device is on its The phone was turned off initially.2. Physical Extraction Using Volcano Box WhatsApp. It support list.Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 Cellebrite UFED is an expansive and well. programs for the extraction process. The “Backup EMMC” option The mobile phone is running Android OS 4. the auto-detection mechanism of turned on automatically when plugged the software can provide a step-by-step guide into the USB port of the forensic for the extraction process. Table 1. The PROCESS accumulated size of those saved files The Lenovo A850 smartphone.712KB had been extracted. a forensic workstation was set up and The phone had been powered on with configured. For unlisted workstation running the SP Flash devices. a. Volcano Box (Picture 1).192KB.2 was used and one single image file with and the sequences of extraction process were as size 3. a popular model in the MTK battery. A THE EXPERIMENT total number of 20 image files were extracted as listed in Table 1. UFED has also developed a generic Tools and started up the injected boot profile to provide support. The Box was connected via USB cable to the forensic The Experiment on Lenovo workstation running the corresponding A850 software. Phone calls were made and photos debugging mode enabled when plugged taken in order to carry out the subsequent into the specific port of the physical physical extraction for retrieving user’s data. Physical Extraction Using SP Flash known forensic tool used in more than 60 Tools countries. The phone was then experiment. is equipped with MT6582 turned off completely by taking out the processor.

712KB No. the X-Ways Forensics [17].321 2.800.297 2. relating to criminal activities or leading to possible traces.192KB 3.712KB 3. Lenovo A850 SP Flash Tools Volcano Box Cellebrite UFED Image Size 3. an debugging mode enabled when plugged integrated computer forensics software. 3. event logs and user data for which forensic A summary to show the memory size and examiners are tasked to investigate information files captured by the tools is shown at Table 2.JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics Picture 1. The corresponding software.712KB had been extracted. of Files in user partition 2. was into the USB port of the physical also used to mount the extracted images (for Cellebrite UFED Touch. Physical Extraction Using Cellebrite EVALUATION UFED Touch In order to compare the test results of these The phone had been powered on with three tools. which used and one single binary file with size purportedly contains application databases.779.779. Cable connection using Volcano Box c. only USR Data Image file and was connected via USB cable to the in the case of Volcano Box and Cellebrite. Table 2.328 Page 36 © 2015 ADFSL . The device SP Flash Tools. Test results of three extracted methods.779. the forensic workstation running the full memory dump) from the experiment. The “Generic examination is confined to look at the user ADB for Chinese Android” option was data partition of each mounted image.

Volcano Flash Tools. automatically altered once it is powered up). Besides. To further evaluate the results. The table above shows that it Box had 23 new files not recovered by has captured the largest image while the image Cellebrite UFED image. All these files were created or modified whenever the phone mentioned above were activated as part of the was switched on for the extraction (this is a system boot up process without user’s feature of the phone when data in memory are intervention. system and application log files application library files. Comparison of data extracted among three tools Model:Lenovo A850 SP Flash Tool VolcanoBox Cellebrite UFED Analyzed Data Calender 1 1 1 Call Log 4 4 4 Chats 22 22 22 Contacts 81 81 81 Cookies 157 157 157 Locations 15 15 15 Emails 1 1 1 Installed Applications 37 37 37 Passwords 9 9 9 Searched Items 1 1 1 SMS Messages 1 1 1 User Accounts 15 15 15 Web Bookmarks 13 13 13 Web History 14 14 14 Wireless Networks 2 2 2 Data Files Audio 59 59 59 Images 518 518 518 Videos 4 4 4 © 2015 ADFSL Page 37 . Table 3.2. It is noted that when the 1. there are UFED is the same. Cellebrite conduct user data carving from the acquired UFED image got 53 new files which were not images (Table 3).Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 There were 20 image files recovered by SP found in Volcano Box and vice versa. UFED Physical Analyzer 4. These 76 files are size captured by Volcano Box and Cellebrite system start-up event files.1 [18] was used to For instance. in the user partition.173 common existing files which are different test process was conducted by Volcano Box in size and they are all system log or and Cellebrite.

launching every day. it is b. boot program. Currently. SP Flash Tools were being used d. Having recurrent charges on the extraction examined the mounted images using X-Ways process. The tool is open sourced and free- three times consecutively to acquire the of-charge. the models (the upcoming models are three tools produce similar test results in also included). extraction method that can apply to all Android smartphones. a.img scatter-file. the tool provides more comprehensive steps for user supports 13 types of MTK operations and is considered to be highly processors in the market including adhered to the principle on digital forensics the octa-core devices launched in because: 2014. suppresses the running of installed Efforts should be made to work out a applications of the phone except comprehensive framework for researching relevant download agent for applicable extraction method and evaluating extraction. (ii) USB rapidly as new mobile devices with more debugging mode is disabled.e.img file is acquired allocation recorded in the scatter-file. Android. In conclusion the three tools have conducted more efficiently on the produced the same result on the recovery of userland data when compared with crucial data and files. The based on memory allocation decoding process was carried out on the information contained in the USRData.img file from Lenovo A850. which are running retrieving data or files that are of interest to on the same designated MTK based forensic investigations but SP Flash Tools CPU chipsets. the mobile forensic toolkits which allows the Page 38 © 2015 ADFSL . On the other hand. modification has been made to the internal memory when the phone is booted up for data e.img and Preload. The USRData. SP extraction of data while the phone Flash Tools acquired different image files applications are running. CONCLUSION irrespective of the phone brands or Based on the data analyzed in table 3. i. all the files and records extracted the lack of providing technical from these three extractions are found identical.img. or (iii) powerful CPU and storage capacity are in the absence of root access right.JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics Unlike single memory dump file captured other two forensic tools perform live by Volcano Box and Cellebrite UFED. but its drawback lies with Forensics. Data integrity of the mobile phone observed that forensic examiners are getting is maintained by taking control behind in exploring a competent forensic tool during the boot up process and to extract full range of data from these devices. according to the information on memory c. The tool can extract full range of Future Study data even if the phone is (i) The development in mobile forensics grows password-locked. support on bug fixing or product It is fair to conclude that no file creation or development in future. Nevertheless. The tool seamlessly provides an acquisition. the work conducted on full image In proving the merit of using a controlled dump extracted by other tools. incur no cost or USRData. The analysis process is files.

once identified. is likely to be admissible as evidence in court proceedings. can be used on other CPU chipsets such as Qualcomm or the newer SnapDragon. Such extraction tool may assist in seamlessly gathering all objects and data structure from Android devices as well as bypass any hurdle created by password or encryption mechanism in an orderly manner. In spite of this. Past experience of forensic examinations has showed that physical extraction of data from these phones is not easy to achieve. Low-end Android phones can be a useful device for offenders in view of their low price and that they can be easily disposed of either by destroying them physically or throwing them away. © 2015 ADFSL Page 39 .Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 extracted data. it is highly possible that a particular generic extraction tool. after analysis. This will provide a good lead for conducting future study. considering these low-end Android phones could have used the same chips or similar form factors to cut cost.

ecu. Cynthia A. listed-specifications/ d_Forensic_Capability_and_Evaluation_ of_Extraction_Tools) Persistent Challenges with Smartphone Forensics. Joseph Android Forensic Capability GizChina.pdf general collection methodology for Android MediaTek from Wikipedia.pdf Capture and Applications for Security and FlashTool V3. April http://www. 2011. 2014.1004. ECU Det. http://ro.academia. Zhang & Christin. and Dissertations. 2011. http://secmeeting.cgi?article=2348&context=td UFED Touch Ultimate.cgi?a contents on Chinese Shanzhai mobile /04/acquiring-volatile-memory-from- phones. University of New Orleans Theses MediaTek.JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics REFERENCES Kidnapping & extortion: Police ecstatic over http://scholarworks. http://www.dfrws.C.mtk2000. Ismael Valenzuela.00 Application Note. toys to tackle cell phone crime. January 27.cellebrite. Vijith Vijayan. 140-quad-core-mt6582-dual-sim-phones. ICDFI.Android Forensics: 8/1/Content. Sylve.2011.mobileforensicscentral. Murphy .com/mf rticle=7480&context=ecuworks c/documents/Mobile%20Device%20Forensi IEEE/SADFE 2012.pdf Simplifying Cell Phone Examinations. 2011.opensecurityresearch.cgi?article=2348&context=td in The Express -339. Digital Forensic on MTK-based Shanzhai February 8. March Paper 1400. http://www.hku. China Lessard J. Acquiring volatile memory http://tribune.ucoz. Ismael Valenzuela. October 19. Mobile Phone with NAND Flash. Kessler G.pdf MediaTek Top 140 quad-core MT6582 dual sim phones listed with Dissertations. http://www. and Applications for Security and Privacy.1004. Beijing.00_Application_Note. Android Memory Capture https://www. Toward a c%20Process%20v3. android. /brochures/UFED-Touch-Ultimate- University of New Orleans Theses and ENGLISH-web. for Mobile Device Digital Forensic from Android based devices with LiME pping-extortion-police-ecstatic-over-toys-to- Forensics Part I. and Evaluation of Extraction forensics J. April tackle-cell-phone-crime/ 23. Investigating and analyzing the web-based http://blog. Android Memory _Mengfei_He_ICDFI2012. Developing Process Publications Pre.html http://hub. Sylve et al.dfinews.pdf nt. 2013.0. Cellebrite. published nt. 2012.ihep. 2012.. Page 40 © 2015 ADFSL .

net/forensics/ UFED Physical Analyzer. http://www.volcano- box.Data Extraction on MTK-Based Android Mobile Phone Forensics JDFSL V10N4 SP Flash Tool + MediaTek MT65XX Drivers Download and Installation Guide including Bricked Devices. forensics/products/applications/ufed- physical-analyzer © 2015 ADFSL Page 41 . http://www. http://laurentiumihet. 2014.x- ways. updated July mediatek-mt65xx-drivers-download-and- installation-guide-including-bricked- devices/ Volcano Box. X-Ways Forensics.

JDFSL V10N4 Data Extraction on MTK-Based Android Mobile Phone Forensics Page 42 © 2015 ADFSL .