Android remains the dominant OS in the smartphone market even though the iOS share of
the market increased during the iPhone 6 release period. As various types of Android
smartphones are being launched in the market, forensic studies are being conducted to
test data acquisition and analysis. However, since the application of new Android security
technologies, it has become more difficult to acquire data using existing forensic methods.
In order to address this problem, we propose a new acquisition method based on analyzing
the firmware update protocols of Android smartphones. A physical acquisition of Android
smartphones can be achieved using the flash memory read command by reverse engineering the firmware update protocol in the bootloader. Our experimental results
demonstrate that the proposed method is superior to existing forensic methods in terms of
the integrity guarantee, acquisition speed, and physical dump with screen-locked smartphones (USB debugging disabled)