Mobile Forensics Cookbook

Preparing the workstation

In forensics, one of the important steps is to make sure that the evidence is not tampered with. If for some reason changes have to be made to the evidence (for example, unlocking the device), the changes are to be documented carefully. Other precautionary measures, such as using a sterile and dedicated forensic workstation, should also be highlighted.

You have to install the drivers of the Android device before you connect it to the workstation. The device's drivers can be found on the internet. When the drivers are installed, you should reboot the computer.

Before you connect the device to the computer for the first time, unlock the device (if it is locked) and connect it. You will see the Allow USB Debugging request on the screen of the device. Tick the field Always allow from this computer and tap Allow.

You need to make sure that the drivers were installed correctly. On your computer, from the menu, navigate to Start | Control Panel | System | Device Manager. There you need to find the name of the connected device with the record ADB Interface. If you cannot find this record, it means that the device drivers were installed incorrectly.

Connected Samsung device running Android operating system

Android Debug Bridge is a command-line utility, which is a part of Android SDK Platform. You can perform connection diagnostics and other manipulations with Android devices via this utility. When the Android SDK Platform program is installed, enter the adb devices command in the Windows Command Prompt. If there are any Android devices connected to the computer, their list will be displayed on the screen.

 List of connected Android devices

If the device is not detected by the computer, follow these steps:

  1. Switch the device connection mode from Charge only to MTP or PTP.
  2. Tick Mock locations in the Developer Options section of the examined device.
  3. Tick Unknown sources in the Security section of the examined device.
  4. Disable antiviruses on the examined device.
  5. Change the data cable.
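
The adb devices check described above can be captured as a timestamped examiner note, so the connection state of each device is documented along with the rest of the examination. The following is an added example, not code from the book: the state names device, unauthorized and offline are adb's own, while the sample output, the serial numbers, the note wording and the function names are constructed for illustration.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample of `adb devices` output; the serial numbers are made up.
SAMPLE_OUTPUT = (
    "* daemon started successfully\n"
    "List of devices attached\n"
    "CONSTRUCTED0001\tdevice\n"
    "CONSTRUCTED0002\tunauthorized\n"
    "CONSTRUCTED0003\toffline\n"
    "\n"
)

# adb's state names, paired with this example's own notes (assumed wording).
STATE_NOTES = {
    "device": "ready: driver installed and USB debugging authorized",
    "unauthorized": "unlock the device and accept the Allow USB Debugging request",
    "offline": "listed but not responding: check connection mode and data cable",
}

def parse_adb_devices(output):
    """Return (serial, state) pairs found after the list header."""
    devices, seen_header = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("List of devices attached"):
            seen_header = True
        elif seen_header and line and not line.startswith("*"):
            parts = line.split(None, 1)  # serial, then the state text
            devices.append((parts[0], parts[1] if len(parts) > 1 else "unknown"))
    return devices

def examiner_notes(output, when=None):
    """Build timestamped (UTC) note lines for the examination record."""
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    devices = parse_adb_devices(output)
    if not devices:
        return [f"{stamp} no device listed: recheck the ADB Interface driver"]
    return [f"{stamp} {serial} [{state}] "
            f"{STATE_NOTES.get(state, 'unrecognized state, record as shown')}"
            for serial, state in devices]

def run_adb_devices():
    """Run `adb devices` (adb must be on PATH) and return its output."""
    return subprocess.run(["adb", "devices"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for note in examiner_notes(SAMPLE_OUTPUT):  # swap in run_adb_devices()
        print(note)
```

A device reported as unauthorized has not yet had the Allow USB Debugging request accepted on its screen, which is the step described earlier in this section.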