Journal of Digital Forensics, Security and Law
Volume 10, Number 4, Article 3
2015
Data Extraction on MTK-based Android Mobile Phone Forensics
Joe Kong, The University of Hong Kong
Recommended Citation: Kong, Joe (2015) "Data Extraction on MTK-based Android Mobile Phone Forensics," Journal of Digital Forensics, Security and Law: Vol. 10: No. 4, Article 3.
DOI: https://doi.org/10.15394/jdfsl.2015.1209
Available at: https://commons.erau.edu/jdfsl/vol10/iss4/3
Data Extraction on MTK-Based Android Mobile Phone Forensics
JDFSL V10N4
© 2015 ADFSL Page 31
DATA EXTRACTION ON MTK-BASED ANDROID MOBILE PHONE FORENSICS
Joe Kong
MPhil Student in Computer Science
The University of Hong Kong
[email protected]
ABSTRACT
In conducting criminal investigations, it is quite common that forensic examiners need to recover evidentiary data from smartphones used by offenders. However, examiners have encountered difficulties in acquiring a complete memory dump from MTK Android phones, a popular brand of smartphones, due to a lack of technical knowledge of the phone architecture and because system manuals are not always available. This research performs tests to capture data from an MTK Android phone by applying selected forensic tools, and compares their effectiveness by analyzing the extracted results. It is anticipated that a generic extraction tool, once identified, can be used on different brands of smartphones equipped with the same CPU chipset.
Keywords: Mobile forensics, MTK Android phones, Android forensics, physical extraction, flash memory, MT6582
INTRODUCTION
Smartphones are frequently used in cyber-crimes, or by offenders for coordinating their criminal activities, as the device allows users to perform online communication and store personal or commercial information and data such as messages, emails, documents, photographs, videos, GPS locations, etc. in a concentrated and portable form. Customized applications can also be downloaded and installed into smartphones to extend their functionalities.
MediaTek (“MTK”) Android phones are frequently used in crime cases [1][2] because of their low selling price and the high price/performance ratio of the CPU. The existing extraction tools, however, can only handle a limited number of MTK Android phones, and the latest models are often not included [3]. This research attempts to explore a generic forensic tool that is applicable to these phone models and to set up standard operational procedures for its implementation.
The Current Problem
Low and mid-range China-branded Android phones are growing popular in the Asian market. In this research paper, extraction performance tests are conducted on the quad-core MT6582 processor [4], a processor chip which is used in more than 140 Android phone models [5].
Apparently live memory extraction and analysis is crucial to forensic examinations. Unlike examining a desktop or laptop computer, examiners may inadvertently modify the original device when capturing a full forensic image for data analysis, as a mobile device does not have a standalone hard drive which can be shut down and disassembled from the phone without altering the data stored therein. For Android phones the extraction process is even more complicated owing to their ever-changing proprietary hardware as well as the vast variety of applications and security settings. Besides, Android versions, which users can download from Google, are constantly updated. Thus examiners will need to carry out extensive testing and validation on the latest forensic toolkits.
Extraction methodology
Forensic tools used in extracting data from Android phones are largely supported by two methods:
a. File System (logical) Acquisition – it does not normally produce any deleted file, and user’s shell permission is required to run the file extraction process; and
b. Physical Data Acquisition – to make a bit-by-bit copy of the mobile device with the maximum amount of “deleted data or files” recovered [3]. The process is similar to computer forensics and is widely used by forensic examiners.
Either the physical extraction process [the boot pre-loader or Android Debug Bridge (“ADB”) options] or the logical acquisition process (by copying from the backup mode) is able to extract data from MTK-based smartphones. As the two processes are regarded as less invasive to the physical phone when compared to the “JTAG” or “Chip-off” method, they are frequently used in forensic investigations. Besides, physical extraction has the benefit of recovering the maximum amount of “deleted data or files” by copying bit-by-bit from physical flash memory storage [3], and its acquisition process can bypass the device’s pattern locks or passcodes in many investigation cases [6]. The experiments conducted in this research are intended to identify the extraction method that best suits MTK Android phone forensics.
Objective of This Paper
This paper will focus on the use of three extraction tools to capture a complete memory dump of the phone under test. The competency and compatibility of these methods will be evaluated by comparing their test results.
In summary, the objectives set down for this project are:
a. to conduct a literature review pertaining to mobile forensics on MTK Android phones;
b. based on the actual amount of forensic data acquired, to compare the test results on the application of forensic tools developed by different vendors and evaluate their effectiveness; and
c. to identify a suitable extraction tool to cope with different brands of smartphones equipped with the same CPU chipset and review the best process for its use.
Document Structure
Chapter 2 provides a literature review of research conducted on Android forensics, in particular the MTK devices.
Chapter 3 discusses the methodology.
Chapter 4 outlines the implementation of the extraction process by the three selected extraction tools.
Chapter 5 compares the test results by referring to the forensic tools and methodology under test.
Chapter 6 is the conclusion. It sums up the challenges to forensics conducted on MTK Android devices. It will also explore possible areas for future study in the mobile phone industry.
PAST STUDY AND EXPERIENCE
There are plenty of research studies on Android forensics but only a few cover the realm of MTK Android forensics. The relevant works are listed here.
Studies on Android Forensics
In 2011 Joe Sylve introduced a tool for memory acquisition, the Droid Memory Dumper (“DMD”) [7], which captures a copy of the memory data, runs an address translation of each memory page and writes the pages to a TCP socket. The DMD module, however, has its restrictions:
a. the ADB of the Android device has to be turned on in order for the DMD to tether data using network protocol via the virtual USB port;
b. root privileges are required in order to capture system data.
In 2012 Ismael Valenzuela presented an enhanced module of the DMD, LiME Forensics, which is purportedly the first software to dump the full contents of internal memory from an Android device [8]. The new tool requires the “rooting” of the device, which may alter the state of the target phone and thus casts doubt on the integrity of the evidentiary data so recovered.
Lessard and Kessler (Lessard & Kessler, 2010) [9] investigated Android smartphones by acquiring a logical and physical image of the phone using the ‘dd’ command. They further used Cellebrite, a mobile forensic tool, to acquire the same image for comparing the two methods.
In their research work, Timothy Vidas et al. (Vidas, Zhang & Christin, 2011) [10] made use of a custom recovery image to boot the device instead of loading the operating system. The recovered image can support functions like dumping the Flash Memory, allowing the execution of the ‘su’ command to gain root access and adding some custom transfer binaries. The adb tool will collect data from the device and transfer them to a connecting computer via the USB port.
Vijith Vijayan, in his thesis “Android Forensic Capability and Evaluation of Extraction Tools” [11], compared the effectiveness of logical extraction of two HTC Android phones by three mobile forensic tools. The test results, however, showed that a full memory dump could not be achieved.
A Study on MTK Android Forensics
MTK Android phones have a short product cycle as they are mostly designed for low-end to middle-range products. A new phone model could have replaced the current one before analysis of its hardware specifications or system architecture is complete. Hence, little research has been conducted on MTK forensics. After review, it is found that China-branded phone forensics was referred to in a research paper entitled “Digital Forensic on MTK-based Shanzhai Mobile Phone with NAND Flash” [12]. The authors found that 90% of the “Shanzhai” phones had been using the core processor, peripheral hardware prototype and software development platform of MTK or Spreadtrum. Nevertheless, their research was confined to extracting specific data, such as locating the file repository of phonebooks, call records, SMS and web-browsing records, without obtaining a full memory dump.
EXPERIMENT METHOD AND PROCEDURE
Traditionally a number of forensic tools have been using the ADB as a communication interface to access the Android system via a computer installed with extraction software. In order to extract complete memory data, the Android device must be made available for ‘super user’ privilege of access (also known as “rooting the device”) [13] so that the examiner can make a copy of all system partitions and access files that are not originally accessible by normal users. The Android phone has to be powered up as usual and the USB Debugging mode turned on manually in the system menu of the phone. So if the mobile device is protected by a power-on password or pattern lock, the extraction process cannot be executed.
Alternatively the device can be put into the Download mode, a state in which the Flash Memory can be formatted and reprogrammed. The Flash Memory holds all binary information [which includes internal memory of the device, drivers, applications and other types of data in memory structure like Read Only Memory (ROM) and Non-Volatile Random Access Memory (NVRAM)] required for the device to boot up and function. With an unlocked bootloader, which is commonly found in MTK Android phones, the Flash Memory can be reprogrammed in a way to establish connection of the target phone with any storage media. The above procedure is similar to computer forensics, where a forensic boot disk is used to operate the cloning process for acquiring data from the target computer without affecting the original hard disk. The uniqueness of this method is that there is no need for “rooting the device” or enabling the USB Debugging mode before extraction, thereby resolving the difficult problem of accessing a password-protected phone. The entire process is forensically sound as it will not interfere with the internal storage of the device.
In this experiment, Volcano Box has used the method of “rooting the device” while SP Flash Tools is an example of applying the Download mode. After making a physical copy of the mobile phone, the important task for an examiner is to identify the files that are of interest to the investigation. Message records and photos recovered will be searched to locate relevant files for the test process. The results will be analyzed to confirm the effectiveness of the methodology and the competency of the tools under test. Besides, the extracted data will be cross-referenced with the examination result conducted by the Cellebrite UFED (“Universal Forensic Extraction Device”) Touch [14].
Terminology
SP Flash Tools [15] is an application that captures memory images or binary data from a mobile phone. It can erase phone data or modify codes / data and then write them back to the phone. The tool employs the boot ROM kernel library (“BROM_DLL”) and Download Agent (“DA”) program to download, read or erase files from the target phone’s Flash Memory via a USB port connection. In practice, SP Flash Tools reads a length of memory from the target phone by using a scatter-file, with each read beginning at a start address and covering a given length. Each read back file is a continuous memory dump from the Flash Memory. Multiple blocks starting at different addresses can be read and copied into image files for storing in the forensic workstation.
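The read-back procedure described above can be planned and checked before and after acquisition. The following is an added example, not code from the paper or from SP Flash Tools: the scatter-file excerpt is constructed, its key names (partition_name, linear_start_addr, partition_size) follow the layout commonly seen in MTK scatter-files and are an assumption here, and the start addresses are invented, while the sizes match four entries of Table 1.

```python
"""Added example: plan scatter-file read-backs and check the acquired images."""
import re
from dataclasses import dataclass

# Constructed scatter-file excerpt. Key names follow the layout commonly seen
# in MTK scatter-files (an assumption; the paper does not reproduce one).
# Sizes match Table 1 (mbr 512 KB, ebr1 512 KB, pro-info 3072 KB,
# nvram 5120 KB); the start addresses are invented for illustration.
SAMPLE_SCATTER = """\
- partition_index: SYS1
  partition_name: MBR
  linear_start_addr: 0x1400000
  partition_size: 0x80000
- partition_index: SYS2
  partition_name: EBR1
  linear_start_addr: 0x1480000
  partition_size: 0x80000
- partition_index: SYS3
  partition_name: PRO_INFO
  linear_start_addr: 0x1500000
  partition_size: 0x300000
- partition_index: SYS4
  partition_name: NVRAM
  linear_start_addr: 0x1800000
  partition_size: 0x500000
"""

@dataclass(frozen=True)
class Region:
    name: str
    start: int   # byte offset where the read-back begins
    length: int  # number of bytes to read

def _to_region(entry):
    return Region(entry["partition_name"],
                  int(entry["linear_start_addr"], 16),
                  int(entry["partition_size"], 16))

def parse_scatter(text):
    """Return one read-back Region per partition, sorted by start address."""
    regions, current = [], {}
    for line in text.splitlines():
        match = re.match(r"\s*(?:-\s*)?(\w+):\s*(\S+)", line)
        if not match:
            continue
        key, value = match.groups()
        if key == "partition_index" and current:  # a new entry begins
            regions.append(_to_region(current))
            current = {}
        current[key] = value
    if current:
        regions.append(_to_region(current))
    return sorted(regions, key=lambda r: r.start)

def layout_problems(regions):
    """Report gaps and overlaps between consecutive (sorted) regions."""
    problems = []
    for prev, nxt in zip(regions, regions[1:]):
        prev_end = prev.start + prev.length
        if nxt.start < prev_end:
            problems.append(f"{nxt.name} overlaps {prev.name}")
        elif nxt.start > prev_end:
            problems.append(f"gap of {nxt.start - prev_end} bytes after {prev.name}")
    return problems

def check_images(regions, image_sizes):
    """Compare acquired image sizes in bytes with the planned lengths."""
    findings = {}
    for region in regions:
        got = image_sizes.get(region.name)
        if got is None:
            findings[region.name] = "missing"
        elif got != region.length:
            findings[region.name] = f"size mismatch: expected {region.length}, got {got}"
    return findings

if __name__ == "__main__":
    plan = parse_scatter(SAMPLE_SCATTER)
    for r in plan:
        print(f"{r.name:<9} start=0x{r.start:08x} length={r.length // 1024} KB")
    print(layout_problems(plan) or "contiguous")
```

A missing or short image file found this way means part of the flash was not captured and the read-back for that block should be repeated.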
Volcano Box [16] supports a large number of MTK-based phones, from earlier feature phones to the latest Android phone models. It can capture internal information of the target phone, read / write flash, unlock user code, back up phone data and run advanced features such as clearing the Flash Memory, repairing IMEI, fixing receive signals and reading / writing NVRAM files for MTK phones. It is in fact a tool designed for repairing, upgrading or modifying the phone system.
Cellebrite UFED is an expansive and well-known forensic tool used in more than 60 countries. So far as the target device is on its support list, the auto-detection mechanism of the software can provide a step-by-step guide for the extraction process. For unlisted devices, UFED has also developed a generic profile to provide support.
THE EXPERIMENT PROCESS
The Lenovo A850 smartphone used for the experiment is equipped with the MT6582 processor, a popular model in the MTK Android market, and is installed with WhatsApp, Line and WeChat. To begin the process, a forensic workstation was set up and configured. Phone calls were made and photos taken in order to carry out the subsequent physical extraction for retrieving user’s data.
The Experiment on Lenovo A850
The mobile phone is running Android OS 4.2.2 and the sequence of the extraction process was as follows:
a. Physical Extraction Using SP Flash Tools
The phone was turned off initially. It turned on automatically when plugged into the USB port of the forensic workstation running the SP Flash Tools and started up the injected boot programs for the extraction process. A total of 20 image files were extracted as listed in Table 1. The accumulated size of those saved files was 3,800,192KB. The phone was then turned off completely by taking out the battery.
b. Physical Extraction Using Volcano Box
The phone had been powered on with debugging mode enabled when plugged into the specific port of the physical Volcano Box (Picture 1). The Box was connected via USB cable to the forensic workstation running the corresponding software. The “Backup EMMC” option was used and one single image file with size 3,779,712KB had been extracted. The phone was then turned off completely by taking out the battery.
Table 1. Image files extracted from Lenovo A850
Block        Map (KB)    Block        Map (KB)    Block        Map (KB)
android      1048576     usrdata      2281088     bootimg      6144
cache        129024      ebr1         512         ebr2         512
expdb        10240       logo         3072        mbr          512
misc         512         nvram        5120        preload      256000
preloader    20480       pro-info     3072        protect-f    10240
protect-s    10240       recovery     8192        sec_ro       6144
seccfg       128         uboot        384
Picture 1. Cable connection using Volcano Box
c. Physical Extraction Using Cellebrite UFED Touch
The phone had been powered on with debugging mode enabled when plugged into the USB port of the physical Cellebrite UFED Touch. The device was connected via USB cable to the forensic workstation running the corresponding software. The “Generic ADB for Chinese Android” option was used and one single binary file with size 3,779,712KB had been extracted.
A summary of the memory size and files captured by the tools is shown in Table 2.
EVALUATION
In order to compare the test results of these three tools, X-Ways Forensics [17], an integrated computer forensics software, was also used to mount the extracted images from the experiment (for SP Flash Tools, only the USR Data image file; in the case of Volcano Box and Cellebrite, the full memory dump). The examination is confined to the user data partition of each mounted image, which purportedly contains application databases, event logs and user data that forensic examiners are tasked to investigate for information relating to criminal activities or leading to possible traces.
Table 2. Test results of three extracted methods.
Lenovo A850                       SP Flash Tools    Volcano Box    Cellebrite UFED
Image Size                        3,800,192KB       3,779,712KB    3,779,712KB
No. of Files in user partition    2,321             2,297          2,328
There were 20 image files recovered by SP Flash Tools. The table above shows that it has captured the largest image, while the image size captured by Volcano Box and Cellebrite UFED is the same. It is noted that when the test process was conducted by Volcano Box and Cellebrite, system and application log files were created or modified whenever the phone was switched on for the extraction (this is a feature of the phone, where data in memory are automatically altered once it is powered up). For instance, in the user partition, the Cellebrite UFED image had 53 new files which were not found in the Volcano Box image and, vice versa, the Volcano Box image had 23 new files not recovered in the Cellebrite UFED image. These 76 files are system start-up event files. Besides, there are 1,173 common existing files which are different in size, and they are all system log or application library files. All the files mentioned above were activated as part of the system boot-up process without user’s intervention. To further evaluate the results, UFED Physical Analyzer 4.2.1 [18] was used to conduct user data carving from the acquired images (Table 3).
Table 3. Comparison of data extracted among three tools
Model: Lenovo A850        SP Flash Tool    Volcano Box    Cellebrite UFED
Analyzed Data
Calendar                  1                1              1
Call Log                  4                4              4
Chats                     22               22             22
Contacts                  81               81             81
Cookies                   157              157            157
Locations                 15               15             15
Emails                    1                1              1
Installed Applications    37               37             37
Passwords                 9                9              9
Searched Items            1                1              1
SMS Messages              1                1              1
User Accounts             15               15             15
Web Bookmarks             13               13             13
Web History               14               14             14
Wireless Networks         2                2              2
Data Files
Audio                     59               59             59
Images                    518              518            518
Videos                    4                4              4
Unlike the single memory dump file captured by Volcano Box and Cellebrite UFED, SP Flash Tools acquired different image files according to the information on memory allocation recorded in the scatter-file. The decoding process was carried out on the USRData.img, Android.img and Preload.img files. In conclusion, the three tools have produced the same result on the recovery of crucial data and files.
To prove the merit of using a controlled boot program, SP Flash Tools was used three times consecutively to acquire the USRData.img file from the Lenovo A850. Having examined the mounted images using X-Ways Forensics, all the files and records extracted from these three extractions are found identical. It is fair to conclude that no file creation or modification has been made to the internal memory when the phone is booted up for data acquisition.
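The two comparisons described above (files new or changed between the Volcano Box and Cellebrite images, and the three identical SP Flash Tools acquisitions) can be reproduced with file manifests. This is an added example, not the paper's procedure or tooling: the directory trees, file names and contents are constructed stand-ins for the mounted user partitions.

```python
"""Added example: diff file manifests of acquisitions (sample trees are constructed)."""
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map relative path -> (size, sha256) for each regular file under a mounted image."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest.hexdigest())
    return manifest

def compare(a, b):
    """Classify paths as in the evaluation: new on one side, changed, or identical."""
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "size_differs": sorted(p for p in common if a[p][0] != b[p][0]),
        "same_size_content_differs": sorted(
            p for p in common if a[p][0] == b[p][0] and a[p][1] != b[p][1]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }

def repeatable(manifests):
    """True when every acquisition yields exactly the same manifest."""
    return all(m == manifests[0] for m in manifests[1:])

def _write_tree(root, files):
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo():
    """Diff constructed trees standing in for mounted user partitions."""
    user = {"data/app.example/databases/messages.db": b"chat rows",
            "media/DCIM/IMG_0001.jpg": b"\xff\xd8 constructed bytes"}
    trees = {
        # Two live extractions: each boot adds its own event file and grows a log.
        "live_a": {**user, "system/events/boot_a.log": b"boot A",
                   "system/log/main.log": b"short log"},
        "live_b": {**user, "system/events/boot_b.log": b"boot B",
                   "system/log/main.log": b"a longer log from another boot"},
        # Three controlled-boot acquisitions of the same user data.
        "ctl_1": user, "ctl_2": user, "ctl_3": user,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in trees.items():
            _write_tree(Path(tmp) / name, files)
        m = {name: build_manifest(Path(tmp) / name) for name in trees}
    diff = compare(m["live_a"], m["live_b"])
    return diff, repeatable([m["ctl_1"], m["ctl_2"], m["ctl_3"]])

if __name__ == "__main__":
    diff, stable = demo()
    for label, paths in diff.items():
        print(f"{label}: {paths}")
    print("controlled-boot acquisitions repeatable:", stable)
```

Hashing the raw USRData.img files themselves is the stricter repeatability check, since it also covers space that no mounted file occupies.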
CONCLUSION
Based on the data analyzed in Table 3, the three tools produce similar test results in retrieving data or files that are of interest to forensic investigations, but SP Flash Tools provides more comprehensive steps for user operations and is considered to adhere closely to the principles of digital forensics because:
a. The tool can extract the full range of data even if (i) the phone is password-locked; (ii) USB debugging mode is disabled; or (iii) root access right is absent.
b. Data integrity of the mobile phone is maintained by taking control during the boot-up process and suppressing the running of installed applications of the phone except the relevant download agent for extraction. On the other hand, the other two forensic tools perform live extraction of data while the phone applications are running.
c. The USRData.img file is acquired based on memory allocation information contained in the scatter-file. The analysis process is conducted more efficiently on the userland data when compared with the work conducted on the full image dump extracted by other tools.
d. The tool is open sourced and free-of-charge, i.e. it incurs no cost or recurrent charges on the extraction process, but its drawback lies in the lack of technical support for bug fixing or product development in future.
e. The tool seamlessly provides an extraction method that can apply to all Android smartphones, irrespective of the phone brands or models (the upcoming models are also included), which are running on the same designated MTK-based CPU chipsets. Currently, the tool supports 13 types of MTK processors in the market, including the octa-core devices launched in 2014.
Future Study
Mobile forensics is developing rapidly as new mobile devices with more powerful CPUs and storage capacity are launched every day. Nevertheless, it is observed that forensic examiners are falling behind in exploring a competent forensic tool to extract the full range of data from these devices. Efforts should be made to work out a comprehensive framework for researching applicable extraction methods and evaluating mobile forensic toolkits, so that the extracted data, after analysis, is likely to be admissible as evidence in court proceedings.
Low-end Android phones can be a useful device for offenders in view of their low price and because they can be easily disposed of, either by destroying them physically or throwing them away. Past experience of forensic examinations has shown that physical extraction of data from these phones is not easy to achieve. In spite of this, considering that these low-end Android phones could have used the same chips or similar form factors to cut cost, it is highly possible that a particular generic extraction tool, once identified, can be used on other CPU chipsets such as Qualcomm or the newer SnapDragon. Such an extraction tool may assist in seamlessly gathering all objects and data structures from Android devices as well as bypassing any hurdle created by password or encryption mechanisms in an orderly manner. This will provide a good lead for conducting future study.
REFERENCES
[1] Kidnapping & extortion: Police ecstatic over toys to tackle cell phone crime, published in The Express Tribune, October 19, 2012, http://tribune.com.pk/story/453569/kidnapping-extortion-police-ecstatic-over-toys-to-tackle-cell-phone-crime/
[2] Investigating and analyzing the web-based contents on Chinese Shanzhai mobile phones, IEEE/SADFE 2012, http://hub.hku.hk/bitstream/10722/189648/1/Content.pdf
[3] Det. Cynthia A. Murphy, Developing Process for Mobile Device Forensics, http://www.mobileforensicscentral.com/mfc/documents/Mobile%20Device%20Forensic%20Process%20v3.0.pdf
[4] MediaTek from Wikipedia, http://en.wikipedia.org/wiki/MediaTek
[5] Top 140 quad-core MT6582 dual sim phones listed with specifications, GizChina.com, March 3, 2014, http://www.gizchina.com/2014/03/03/top-140-quad-core-mt6582-dual-sim-phones-listed-specifications/
[6] Persistent Challenges with Smartphone Forensics, Digital Forensic Investigator, February 8, 2013, http://www.dfinews.com/articles/2013/02/6-persistent-challenges-smartphone-forensics
[7] J. Sylve et al., Android Memory Capture and Applications for Security and Privacy, University of New Orleans Theses and Dissertations, Paper 1400, 2011, http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2348&context=td
[8] Ismael Valenzuela, Acquiring volatile memory from Android based devices with LiME Forensics Part I, Ismael Valenzuela, April 23, 2012, http://blog.opensecurityresearch.com/2012/04/acquiring-volatile-memory-from-android.html
[9] Lessard J, Kessler G.C., Android Forensics: Simplifying Cell Phone Examinations, ECU Publications Pre. 2011, http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7480&context=ecuworks
[10] Vidas, Zhang & Christin, 2011, Toward a general collection methodology for Android devices, http://www.dfrws.org/2011/proceedings/07-339.pdf
[11] Vijith Vijayan, Android Forensic Capability and Evaluation of Extraction Tools, April 2012, http://www.academia.edu/1632597/Android_Forensic_Capability_and_Evaluation_of_Extraction_Tools
[12] Digital Forensic on MTK-based Shanzhai Mobile Phone with NAND Flash, ICDFI, Beijing, China 2012, http://secmeeting.ihep.ac.cn/paper/Paper_Mengfei_He_ICDFI2012.pdf
[13] FlashTool V3.1004.00 Application Note, MediaTek, January 27, 2009, http://www.mtk2000.ucoz.ru/FlashTool_V3.1004.00_Application_Note.pdf
[14] UFED Touch Ultimate, Cellebrite, https://www.cellebrite.com/images/stories/brochures/UFED-Touch-Ultimate-ENGLISH-web.pdf
[15] SP Flash Tool + MediaTek MT65XX Drivers Download and Installation Guide including Bricked Devices, updated July 31, 2014, http://laurentiumihet.ro/sp-flash-tool-mediatek-mt65xx-drivers-download-and-installation-guide-including-bricked-devices/
[16] Volcano Box, http://www.volcano-box.com/features.html
[17] X-Ways Forensics, http://www.x-ways.net/forensics/
[18] UFED Physical Analyzer, Cellebrite, http://www.cellebrite.com/mobile-forensics/products/applications/ufed-physical-analyzer