e Download Mode Samsung Captivate booted to a typical download mode for flashing. 

Context in source publication

Context 1

... and the user should exercise caution when accessing a device in this manner. Improper use can easily result in hindering data collection. Similarly, software features like USB negotiation are not as robust as other devices with which the user may be familiar. Using flashing software in VMWare, while possibly desirable, is not possible due to the device not properly negotiating with virtual machine’s virtual USB controller. The Motorola Droid is a Verizon device with screen that slides to the right revealing a full QWERTY keyboard and D-Pad (Directional Pad). In addition to the keyboard the Droid has volume up/down, power and a camera button around the outside edge of the device. The Droid has a build in microSD card, a port for an additional microSD card, and has an ARM Cortex A8 550 mHz processor. It originally shipped with Android 2.0 (DROID). The Droid has a special flash boot mode (shown in Fig. 2) that can be entered by holding the camera button while powering on the device. This special boot mode allows flashing of the device’s recovery partition. Motorola RSD Lite software (Windows only) can facilitate flashing of the recovery partition, but does not accept a bootimg file in it’s native form: an RSD Lite compatible.sbf file containing the bootimg must be created. An .sdf file is comprised 5 of a header with file magic and a count of the parts in the file, each part also contains a header specifying the destination address, flash size, checksum and, of course, the image to flash, in this case the bootimg. Once an .sbf file containing the bootimg has been created the Droid, booted in flash mode, can be attached to a computer running RSD Lite and the device can be flashed with the .sbf file (and thus the contained bootimg). While not strictly required, re-booting the Droid into flash mode while connected the RSD Lite will allow RSD Lite to register a success message. The HTC G1 (shown in Fig. 3) has a Qualcomm MSM7210A 528 mHz processor (ARMv6 instruction set), a full QWERTY keyboard, and an external microSD card port. In addition to the keyboard the G1 has a track ball, and physical volume up/ down, camera, send, home, menu, back, and end/power buttons. One hardware feature germane to collection is that the G1’s has a special HTC USB þ Audio port (ExtUSB) in lieu of the more common microUSB port (HTC products). If the special ExtUSB cable that shipped with the device is not available, a standard miniUSB cable can be used for both recovery and fastboot modes. The G1 employs a boot method called fastboot (shown in Fig. 4). Fastboot requires a fastboot compatible boot loader and a fastboot program on a personal computer. The fastboot program can be compiled from Android Source or pre- compiled versions for Windows, Linux and OSX can conve- niently be obtained via HTC’s developer website (HTC developer center). After booting into fastboot mode and connecting the device to the computer via the special HTC cable or miniUSB, 6 the fastboot program can be used to enumerate devices attached (./fastboot devices) and to flash an image to the device (./fastboot flash recovery bootimg_filename ). Fastboot also allows directly booting to a kernel and ram disk located on a connected computer (./fastboot boot kernel_file- name ramdisk_filename ), which may be slightly preferred over flashing the recovery image as the existing recovery image on the device remains intact. For consistency in the collection process we suggest maintaining a set of recovery images and flashing the recovery image for every collection. The Captivate is part of Samsung’s Galaxy S line of mobile phones, sold by AT&T (shown in Fig. 5). The Captivate has a larger touch screen than the G1 and Droid, but it also has no QWERTY keyboard, in fact it only has 3 edge buttons: power, volume up and volume down. A standard microUSB port can be found at the top of the device behind a plastic sliding cover. In addition to typical internal hardware: 1 GHz ARM Cortex A8, 512 MB of RAM, and 16 GB internal SD card, the Captivate also has a hardware graphics core. Unlike the Droid and the G1 the Captivate employs Samsung’s proprietary RFS (Robust FAT File System) and Samsung’s OneNAND memory (L. Flash and samsung, 2008). This requires Android to load kernel modules to support RFS and makes later analysis more difficult as there is no available software for parsing RFS related data. Instead of using MTD devices, the kernel modules create several STL (Sector Translation Layer) and BML 7 (Block Management Layer) block devices (/dev/block/). A partition table showing typical use of BML devices is shown in Table 3. This type of device compli- cates collection slightly as it is not possible to read from some of the higher-layer STL devices, and collecting all of BML devices, while recommended, is not particularly useful as there is no way to analyze the resulting image. Much like the Droid, the Captivate has a special flash mode (also called download mode, shown in Fig. 6), that can be entered by holding both volume buttons and then connecting the device to a computer for flashing. In this mode the phone can be flashed using an open source tool called Heimdall (Dobell) or the closed source software Odin (Windows only). When using Odin prior to flashing, source files must be placed in a .tar 8 archive. Heimdall does not require files to be packaged as a .tar and is compatible with Windows, Linux and Mac OSX. In addition to the more complex partitioning and file system structure, Samsung devices do not employ the typical bootimg structure in the recovery partition. The recovery image is an initramfs image. Initramfs, available in 2.6.x Linux kernels, is a root file system that is actually embedded into the kernel. The details of creating an image suitable for flashing to a device are slightly more complex than described above, but the same theory applies. The presence of an older Secondary Boot Loader (SBL) will likely not utilize the BML8 recovery partition. Instead the normal boot mode and recovery mode share the same kernel. Unfortunately it is very difficult to tell the version of the SBL without interacting with the device. However the SBL can be flashed. So if after flashing the collection recovery image, if recovery mode is not working as expected, one may assume that an older SBL that does not boot to BML8 is on the device. The SBL can be flashed using Odin or Heimdall (but it requires having an exist SBL that is known to work with the device). Corrupting the SBL will make data collection very difficult because the device will no longer be able to reach download mode, as such flashing the SBL should be a last resort. Note that some devices, such as the Samsung Galaxy Tab (Tablet), require a special cable. Unlike the HTC ExtUSB where a miniUSB cable can serve as a substitute, the 30 pin Galaxy Tab cable that ships with the tablet is the only method of connecting to the device. We have demonstrated a general method for digital forensics collection on Android devices. Through special boot methods enabling the use of custom recovery bootimg, data on Android devices can be collected with very little probability of cor- rupting user data. Use of the recovery bootimg provides a consistent, repeatable method of collecting numerous Android devices without “rooting” the device in normal operating mode. We feel that this recovery bootimg method is both safer and had less impact to data likely to be useful for analysis. Collection recovery images have been created for testing for the devices detailed in Section 6. The collection process involves calculating integrity hashes at the source and destination helping ensure the correctness of the collection. Data contained in the collected images was verified using standard a Linux distribution with MTD and yaffs2 support (see Appendix I). Where possible, we employed the use of a NAND dumping tool which collects more data than typical filesystem copy would collect. While current analysis techniques do not take advantage of this extra information, future techniques may. Most devices transfer data at approximately 4.3 MB/s allowing for full collection to occur in a nominal amount of time. Even though the collection is not atomic, execution is restricted to the recovery partition and other partitions are not altered during collection resulting in an “exact copy” of original contents for all partitions other then the recovery partition. Though no user studies have been performed, we feel that the solution is very approachable and could be adopted by practitioners. When thought of simply as a collection tool, the tool can easily be inspected for correctness. The software installed in collection bootimgs could easily be extended to further aide the practitioner. The menu presented on the screen when a bootimg is executed could have related menu options such as “transfer data” eliminating the need to run./adb shell on the collection computer. Similarly integrity hashes for collected partitions could be displayed on the device screen. By moving this functionality to the device there is less risk of user error, especially if a single computer is used to perform collection of several Android devices. A comprehensive list of boot modes for Android devices, and associated flashing tools, should be created in order to have a reference in place prior to the need for collection on a particular device. Similarly, a comprehensive set of bootimgs supporting all Android devices should be created, maintained and tested. This work is supported in part by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office, and by the National Science Foundation under ITR award CCF-0424422 (Team for Research in Ubiquitous Secure Technology) and IGERT award DGE-0903659 (Usable Privacy and Security), as well as a hardware donation by Google Inc. This appendix is not intended to be a comprehensive method of analysis, but only to ...