I

I. INTRODUCTION
Android is an operating system based on Linux Kernel which is basically designed for a touchscreen mobile devices such as smartphones and tablet computers. Android is initially developed by Android, Incorporated which was financially backed up by Google in 2005. This Operating system was unveiled during 2007. The open-handed alliance was founded at the same time. It is a consortium of hardware and software technology companies. These companies are devoted to advancing open standards for mobile devices.

The first publicly available smartphone running Android was HTC Dream that was released on 22 October 2008. The user interface of the Android operating system is based on direct manipulation using touch inputs. Examples of touch inputs are swiping, tapping, pinching, and reverse pinching.

Android helps in communication services over the network or the internet. This helps many users, even at far distances to communicate, share text messages, audio, video, images, voice calls etc. But this powerful technology is even misused many times such as for child pornography, fraud, email tracking etc. This is done by the cyber criminals for their own benefits.

Digital Forensics is defined as the process of identifying, collecting, preserving, analyzing, reporting and presenting digital evidence in a manner that is legally acceptable by law or the legal proceedings. When a cyber-crime occurs, Information technology’s best approach is to respond with a set of predetermined actions. Applying digital forensics to aid in the investigation process and the recovery of stuff on digital media and internet is one of these actions.

Digital Forensics includes various types as shown in the figure below:
? Mobile Forensics
? Database Forensics
? Network Forensics
? Forensic data analysis
? Computer Forensics

Figure 1: Digital forensics types

After a cyber-incident has occurred, Digital forensics performs four important steps as shown in figure2. These steps consist of collection, examination, analysis, and reporting. This ensures quick and efficient results.

1. Collection: The evidence is collected and the image is taken.
2. Examination: The method is selected for the evidence to be examined.
3. Analysis: The stage of analysis is to obtain findings from digital evidence in accordance with the information required by judicial authorities.
4. Reporting: Reporting phase is the preparation of documentation to be submitted to the judicial authorities.

Figure 2: The process of digital forensics

A. Architecture of Android

The Android architecture comprises of four layers as shown in figure 3 namely: Linux Kernel, Libraries, Application Framework, and application. The heart of Android architecture that exists at the root of Android architecture is the kernel. Linux kernel is responsible for device drivers, memory manager, device management, power manager and resource access. Libraries layer provides libraries which are written in C/C++. Application framework layer provides set of API by which we can use system services and its component. All application installed on your device such as Contact Manager, Camera, Calendar, Settings etc.

Figure 3: Architecture of android
II. MOBILE DEVICE FORENSICS
Smartphone forensic is new and relatively quickly emerging field within the law enforcement and community under digital forensics. Nowadays mobile devices are becoming cheaper, smarter, and easily available for the daily use purposes.
Mobile forensic which has a goal of extracting digital evidence in a legal context is a set of scientific methodologies. Extracting digital evidence means gathering, recovering, and analyzing data stored internally in the mobile phone. Mobile device forensics is a continuously evolving science which involves a branch of digital forensics for recovering data or evidence from a mobile device. It presents a real challenge to forensic community and law enforcement due to the fast and unstoppable change of technology.
The Mobile forensic process is characterized by 4 different processes as seizure, Forensic acquisition, analysis and extraction, and report generating.

Figure 4: Basic Framework of Digital forensics

• Seizure
Seizing devices is covered by same legal considerations as the other digital media. As we know that the aim or main goal of seizure is to preserve the evidence, Mobiles will often be recovered when switched on, and the device can often be transferred in the same state as available, which can somehow change files.
Also, the investigator or first responding person would risk user lock activation. So it is necessary that we seize the mobile devices on a crime scene. This is an advanced forensic acquisition and analysis tool for examining mobile devices, global positioning system (GPS) devices, and personal digital assistants (PDA).

• Acquisition
Second mobile flow process tool involves the acquisition, which usually means or refers to the retrieval of material from a mobile. The bit copy imaging used in computer forensics, it can retrieve the evidence. Even if the power is down, you can retrieve data, even live.

• Examination
Examination means analyzing the data or the information that we have recovered from the mobile device using tools. Despite the device differences, the basic information obtained from mobile phones is shown in figure 5.

Figure 5: The basic data obtained by mobile phone examination

• Reporting
When the whole investigation is done, reporting is the next step. Reporting includes audit information, when the incident occurred, when it was examined, tools used for examination, the status of the phone examined and the result.
III. MOBILE FORENSICS TOOL
Mobile device forensics is a branch of digital forensics for recovering data or evidence from a mobile device. It presents a real challenge to forensic community and law enforcement due to the fast and unstoppable change of technology. The phrase mobile device usually refers to mobile phones; however, extracting digital evidence in a legal context is a set of scientific methodologies.

Many mobile devices with the same operating system may also vary widely in their implementation, resulting in a myriad of a file system and structure permutations. These permutations create significant challenges for mobile forensic tool manufacturers and examiners. The availability of forensic software tools for mobile devices is considerably different from that of personal computers. While personal computers may differ from mobile devices from a hardware and software perspective, their functionality has become increasingly similar. Although the majority of mobile device operating systems are open source (i.e., Android), feature phone OS’s are typically closed.

Mobile device examiners typically assemble a collection of both forensic and non-forensic tools for their toolkit. The range of devices over which they operate is typically narrowed to distinct platforms, a specific operating system family or even a single type of hardware architecture.

A. Mobile Device Tool Classification System

• Manual Extraction – Involves viewing the data on a device or system. The information displayed on the screen needs to manipulate device manually and information may be recorded using a camera. It is not possible to recover any deleted information. The data recovered from the device can be even modified, overwritten and deleted and is very time-consuming.
Popular tools for manual extractions include:
? Project-A-Phone
? EDEC Eclipse

• Logical Extraction – Extraction of user-level data via a forensic tool. Typically, deleted data is not recovered at this level. On some devices, forensic tools may extract file systems at this level. The database files may contain deleted data.
? XRY Logical
? Oxygen Forensic Suite
? Lantern
• Hex Dumping and JTAG (Also referred to as Physical Extraction) – Extraction methods afford more direct access to the raw information stored by the forensic examiner. The entire physical memory is obtained and deleted data may be recovered. Joint Test Action Group (JTAG) allows for imaging that have minor damage and can’t be properly interfaced.
? XACT
? Cellebrite UFED Physical Analyzer
? Pandora’s Box

• Chip-Off – This extraction requires the physical removal of flash memory. Extensive training is required in order to successfully perform extractions at this level. Chip-Off extractions are challenging based on a wide variety of chip types, a myriad of raw data formats, and the risk of causing physical damage to the chip during the extraction process. It involves data acquisition from a device’s flash memory.
? FEITA Digital inspection station
? Chip Epoxy Glue Remover
? Circuit Board Holder

• Micro Read – A Micro Read involves recording the physical observation of the gates on a memory chip with the use of an electron microscope. This level would require a team of experts, proper equipment, time and in-depth knowledge of proprietary information. There are no commercially available Micro Read tools.

Figure 6: Mobile Device Tool Classification System
IV. FINDING AND RESULTS
In this paper, the data or the evidence can be obtained by mobile device examination. This analysis can be done using oxygen forensic suite and MOBIL edit.

A. SYSTEM FEATURES

TABLE ?. THE SYSTEM FEATURES

B. OXYGEN FORENSIC SUITE
Oxygen Forensic Suite is a mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and tablets.

Screenshots of the Oxygen Forensic Analysis and Extractor are given below:

Figure 7: Physical Acquisition with Rooting

Figure 8: Android Rooting

Rooting procedure is a part Oxygen Forensic® Extractor that guides you through the whole process of gaining the root rights to the device. This method makes rooting and further extraction completely forensic and safe.

Figure 9: Android Rooting Execution

Figure 10: Android Rooting File System Access

Figure 11: Screenshot of Oxygen Forensic Suite

C. MOBILedit

Figure 12: Screenshot for MOBILedit

D. Comparison of Findings for Both Tools

TABLE ??. THE COMPARISON RESULT OF SELECTED SOFTWARES

IV. CONLUSION