2018-12-20

Android Forensics WIP


Computer/digital forensics is about gathering (left-over) evidence relating to a (criminal) act, but (almost always) after the fact. Proactive forensics is about OS enhancements that make forensics far more effective and far less time consuming.

This article does not get into ethics and legal issues.

We are devoting just about one week to this topic. So, our goal is to give you a good enough understanding of forensics in general, but more specifically of Android.

1 Overview

  1. Copying Android Device Content As-Is (without Corruption)
  2. Databases inside the Android Device
  3. Logs

2 Android Device Image

  1. By imaging we mean making an "exact copy" of what is inside the (i) persistent storage (eMMC) and (ii) the physical RAM. Item (ii) includes virtual memory mappings.
  2. Like Heisenberg's Uncertainty Principle in physics, the attempt to image may itself modify the image. Forensics tools take care that this is minimized.

2.1 Connect the Android Device to the PC as USB Storage or a Media Device

[Read earlier lectures.]

2.2 adb backup

adb has a built-in backup command. Recall that adb on the PC is a client to an adb server running within the Android device. So, in taking this backup we are executing a process within the device. Clearly, the memory image is going to be altered.
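The archive that adb backup writes is not a disk image but a small ASCII header followed by a (usually zlib-deflated) tar stream. The following is an added example, not code from the lecture notes: it parses that header, refuses password-protected archives (those carry an encryption line other than "none", and are not handled here), inflates the payload and lists the files inside. The sample archive is constructed in memory from a made-up package name, so the script runs without a device.

```python
"""Unpack an unencrypted `adb backup` archive (.ab) and list its members.

Added example; not part of the lecture notes. Assumed .ab layout (the one
used by unencrypted backups): four newline-terminated ASCII header lines
("ANDROID BACKUP", format version, "1" if zlib-compressed else "0", "none"),
then a tar stream, deflated with zlib when the compression flag is "1".
For version 1 the header is exactly 24 bytes, which is why the familiar
`dd if=backup.ab bs=24 skip=1 | openssl zlib -d` trick works.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab(data: bytes):
    """Return (header dict, raw tar bytes) for an unencrypted .ab blob."""
    parts = data.split(b"\n", 4)          # 4 header lines + the rest
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version, compressed, encryption, payload = parts[1], parts[2], parts[3], parts[4]
    hdr = {"version": int(version),
           "compressed": compressed == b"1",
           "encryption": encryption.decode("ascii")}
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup: password-based key derivation not handled here")
    tar_bytes = zlib.decompress(payload) if hdr["compressed"] else payload
    return hdr, tar_bytes


def list_backup(data: bytes) -> dict:
    """Map each regular-file path inside the backup to its contents."""
    _, tar_bytes = parse_ab(data)
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            if m.isfile():
                members[m.name] = tf.extractfile(m).read()
    return members


def make_sample_ab(files: dict) -> bytes:
    """Build a constructed, compressed, unencrypted .ab for demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n1\n1\nnone\n"       # 24 bytes for version 1
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # Constructed sample: one app database path, hypothetical package name.
    sample = make_sample_ab({"apps/com.example.app/db/notes.db": b"SQLite format 3\x00demo"})
    print(parse_ab(sample)[0])
    for path, content in list_backup(sample).items():
        print(path, len(content), "bytes")
```

On a real archive, pass the bytes of the .ab file to list_backup; a ValueError on the encryption line tells you the backup was taken with a password and needs the key-derivation step before the tar can be read.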

2.3 Imaging via Recovery

Android recovery OSes such as ClockworkMod or TWRP have a built-in command to back up the eMMC.

2.4 Examining the Image

  1. Reversing tools are often required in forensics. Classic Linux command line tools, such as dd, are not mentioned below.
  2. http://www.sleuthkit.org/ Free Open Source Digital Forensics. "The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate disk images." "Autopsy is a … graphical interface to The Sleuth Kit …" Binaries for Linux and OS X are readily available. Kali Linux includes TSK.
  3. Userdata Partition
    1. The /data/system/ directory
    2. The /data/data/<pkg-name>/ directories
    3. Android SQLite Database (./sqlite-android.html)
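Once the userdata partition has been imaged and extracted, most of the evidence in /data/data/<pkg-name>/ sits in SQLite files, not always with a .db extension. The following is an added example, not code from the lecture notes: it walks an extracted copy of the /data/data tree, recognises SQLite files by their 16-byte magic rather than by name, counts the rows in every table, and flags leftover -journal/-wal/-shm sidecar files, which can hold records that are no longer visible in the main database. The tree it scans is constructed in a temporary directory with a hypothetical package name, so it runs without a device image.

```python
"""Survey app data directories in an extracted userdata partition.

Added example, not from the lecture notes. It assumes the userdata partition
has already been extracted to a directory on the analyst's machine so that
<root>/<pkg>/... mirrors /data/data/<pkg>/ on the device.
"""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")


def is_sqlite(path: str) -> bool:
    """Identify SQLite files by header, not by extension."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def table_row_counts(path: str) -> dict:
    """Open the database read-only (no journal replay, no modification) and count rows per table."""
    con = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()


def survey_app_data(root: str) -> dict:
    """Return {pkg: {"databases": {relpath: {table: rows}}, "sidecars": [relpath, ...]}}."""
    report = {}
    for pkg in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, pkg)
        if not os.path.isdir(pkg_dir):
            continue
        entry = {"databases": {}, "sidecars": []}
        for dirpath, _, files in os.walk(pkg_dir):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, pkg_dir)
                if name.endswith(SIDECAR_SUFFIXES):
                    entry["sidecars"].append(rel)        # possible uncommitted/old records
                elif is_sqlite(full):
                    entry["databases"][rel] = table_row_counts(full)
        report[pkg] = entry
    return report


def build_sample_tree() -> str:
    """Constructed stand-in for an extracted /data/data tree (hypothetical package)."""
    root = tempfile.mkdtemp(prefix="userdata_")
    app = os.path.join(root, "com.example.chat")
    os.makedirs(os.path.join(app, "databases"))
    os.makedirs(os.path.join(app, "files"))
    con = sqlite3.connect(os.path.join(app, "databases", "msgstore.db"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [("hello",), ("meet at 9",), ("see you",)])
    con.commit()
    con.close()
    # Orphaned WAL file for a database that no longer exists: constructed bytes, flagged for review.
    with open(os.path.join(app, "databases", "old.db-wal"), "wb") as f:
        f.write(b"\x37\x7f\x06\x82" + bytes(28))
    # A database hidden behind a misleading extension; still SQLite by magic.
    con = sqlite3.connect(os.path.join(app, "files", "cache.bin"))
    con.execute("CREATE TABLE contacts (name TEXT)")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for pkg, info in survey_app_data(build_sample_tree()).items():
        print(pkg, info)
```

The read-only URI matters: opening a database normally lets SQLite roll back a hot journal or checkpoint a WAL, which alters the evidence; mode=ro keeps the files as they were imaged.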

2.5 Interpreting App Data

  1. Base64 is a group of encoding schemes that represent binary data in an ASCII string format. Base64 encoding concatenates three octets (bytes) into 24 bits and splits them into four encoded characters of six bits each. Obviously, this can easily be decoded. Read https://en.wikipedia.org/wiki/Base64.
  2. For many major APKs, detailed forensic analysis procedures exist. E.g., WhatsApp and Facebook.
  3. Security conscious apps would have encrypted the database and files. Decrypting these is a separate task requiring cryptography experts, and even then it may be impossible.
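The 3-octets-to-4-symbols rule above is simple enough to implement directly, which is also the quickest way to convince yourself that a base64 string found in a preferences file or database column hides nothing. The following is an added example, not code from the lecture notes: it encodes and decodes by hand, including the padding rules for inputs whose length is not a multiple of three, cross-checks the result against Python's base64 module, and adds a small try_decode helper (an assumed name) that reports whether a string seen in app data decodes to readable text.

```python
"""Base64 by hand: 3 octets -> 4 six-bit symbols, plus a decode-and-inspect helper.

Added example; not from the lecture notes. try_decode is a helper name
chosen here, not an Android or Python API.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
REVERSE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\x00"), "big")     # one 24-bit group
        symbols = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 octet -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    text = text.strip()
    if len(text) % 4:
        raise ValueError("length not a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and (quad[4 - pad:] != "=" * pad or i + 4 != len(text))):
            raise ValueError("invalid padding")
        n = 0
        for c in quad[:4 - pad]:
            if c not in REVERSE:
                raise ValueError(f"invalid base64 character {c!r}")
            n = (n << 6) | REVERSE[c]
        n <<= 6 * pad                  # restore the 24-bit group
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def try_decode(value: str):
    """Decoded text if `value` is valid base64 yielding printable UTF-8, else None."""
    try:
        text = b64decode(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def selfcheck() -> bool:
    """Cross-check the hand-written codec against the standard library."""
    samples = [b"", b"M", b"Ma", b"Man", b"\x00\xff\x10", bytes(range(256))]
    return all(b64encode(s) == base64.b64encode(s).decode("ascii")
               and b64decode(b64encode(s)) == s for s in samples)


if __name__ == "__main__":
    # Constructed value of the kind seen in shared_prefs XML files.
    print(b64encode(b"Man"), b64encode(b"Ma"), b64encode(b"M"))
    print(try_decode("dG9rZW49YWJjMTIz"), try_decode("////"), selfcheck())
```

Base64 is an encoding, not encryption: anything try_decode turns into readable text was never protected, which is the distinction the next item draws between encoded and encrypted app data.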

2.6 Understand File Deletion

  1. All OSes, including Linux/Android, record only that the i-nodes (or equivalent) and block numbers are now free.
  2. They do not erase block content.
  3. Freed i-nodes and blocks may join a queue of free things. So, for some time to come, they may not get reused.
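Because deletion frees only the metadata, a signature scan over the raw blocks of an image (the idea behind tools such as Scalpel, listed in the references) still finds the file. The following is an added example, not code from the lecture notes: it carves SQLite databases out of a raw image by searching for the "SQLite format 3" header, reads the page size and page count from the header to know how many bytes to take, and then opens the carved copy read-only to prove the records are intact. The "image" is constructed in memory (a real SQLite file surrounded by filler, standing in for a file whose directory entry and i-node were freed); on a real case you would pass the bytes of the userdata partition dump instead.

```python
"""Carve SQLite databases from a raw image by header signature.

Added example; not from the lecture notes. Header fields used: bytes 16-17 =
page size (big-endian, value 1 means 65536), bytes 28-31 = database size in
pages. The sample image is constructed here rather than read from an eMMC dump.
"""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def sqlite_extent(blob: bytes, off: int):
    """Length in bytes of the database whose 100-byte header starts at `off`, or None if implausible."""
    hdr = blob[off:off + 100]
    if len(hdr) < 100:
        return None
    page_size = int.from_bytes(hdr[16:18], "big")
    if page_size == 1:
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):    # must be a power of two
        return None
    page_count = int.from_bytes(hdr[28:32], "big")
    if page_count == 0:
        return None
    return page_size * page_count


def carve_sqlite(image: bytes):
    """Return [(offset, bytes), ...] for every plausible SQLite file in the image."""
    found, pos = [], 0
    while True:
        pos = image.find(SQLITE_MAGIC, pos)
        if pos < 0:
            return found
        length = sqlite_extent(image, pos)
        if length and pos + length <= len(image):
            found.append((pos, image[pos:pos + length]))
            pos += length
        else:
            pos += 1            # header hit, but not a usable file: keep scanning


def rows_in(db_bytes: bytes, table: str):
    """Write the carved blob to a temporary file and read one table from it read-only."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
        try:
            return con.execute(f'SELECT * FROM "{table}" ORDER BY 1').fetchall()
        finally:
            con.close()
    finally:
        os.remove(path)


def build_sample_image() -> bytes:
    """Constructed 'partition image': filler, a real SQLite database, filler."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, phone TEXT)")
    con.executemany("INSERT INTO contacts (phone) VALUES (?)",
                    [("+1-555-0100",), ("+1-555-0199",)])      # constructed numbers
    con.commit()
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    os.remove(path)      # "delete" the file: the bytes below stay where they were
    filler = bytes(4096)
    return filler + db + filler


if __name__ == "__main__":
    image = build_sample_image()
    for off, blob in carve_sqlite(image):
        print(f"SQLite file at offset {off}, {len(blob)} bytes:", rows_in(blob, "contacts"))
```

The extent computed from the header is only as trustworthy as the header itself; on a real image, pages of a database that was overwritten after deletion may be missing, so treat a carved file that fails to open as a partial recovery rather than as noise.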

2.7 Android Factory Reset

  1. Overview of Simon and Anderson's paper [ref below]. Conclusion: even after a factory reset, many things can still be retrieved intact.
  2. Simon, Laurent, and Ross Anderson. "Security Analysis of Android Factory Resets." 4th Mobile Security Technologies Workshop (MoST). PDF 2015. Required Reading.

3 Android Forensics Slides

  1. Mohamed Khaled [Digital Forensics Engineer and Information Security Incident Handler, EGCERT at NTRA], Android Forensics, 40+ SlideShare Slides, local PDF, Mar 2015. Required Reading.

4 Mateti and Students: Proactive Forensics

  1. Use case: A new Android ROM planted in the hands of an evading terrorist.
  2. Technical issues in building such a ROM. Ethics and Legal issues??
  3. PS Aiyyappan, "Adding Proactive Forensic Support to Android" (./Theses/aiyyappan-mtech-2015.pdf), MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2015. Advisor: Dr Prabhaker Mateti. Slides 2015. Reference.
  4. Karthik, "Enabling Proactive Forensics in Android ROMs" (./Theses/karthik-mtech-2016.pdf), MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2016. Advisor: Dr Prabhaker Mateti. Slides 2016. Reference.
  5. Sudip Hazra
  6. Conf Paper

5 Memory/ Network Forensics

[skipped]

6 Pocket Spy

Android Device Implanted as a Pocket Spy

  1. Zhang, Zhongwen, Peng Liu, Ji Xiang, Jiwu Jing, and Lingguang Lei. "How Your Phone Camera Can Be Used to Stealthily Spy on You: Transplantation Attacks against Android Camera Service." In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 99-110. ACM, 2015. https://s2.ist.psu.edu/paper/coda048-Transplantation-Attack-CODASPY2015-camera-ready.pdf

7 Case Study: WhatsApp

8 References

  1. Prabhaker Mateti, Bibliography on Android Forensics, TBD PDF, 2018.
  2. https://en.wikipedia.org/ FBI – Apple Encryption Dispute. 2016. Required Reading.
  3. https://link.springer.com/chapter/10.1007/978-3-030-00581-8_15 Lin X. (2018) Android Forensics. In: Introductory Computer Forensics. Springer, Cham
  4. Heuser, Stephan, et al. DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android. Technical Report, TU Darmstadt, 2016. Reference.
  5. Dixon, Phillip D. (December 2005). "An Overview of Computer Forensics". IEEE Potentials. IEEE. 24 (5): 8. doi:10.1109/mp.2005.1594001. ISSN 0278-6648. Recommended Reading.
  6. http://freeandroidforensics.blogspot.com/ Pretty good tutorials. Recommended Visits.

9 References #2

  1. Nathan Scrivens and Xiaodong Lin. 2017. Android digital forensics: data, extraction and analysis. In Proceedings of the ACM Turing 50th Celebration Conference - China (ACM TUR-C '17). ACM, New York, NY, USA, Article 26, 10 pages. DOI: https://doi.org/10.1145/3063955.3063981 WSU download TBD
  2. http://cerbero.io/profiler/ Malware and forensic analysis. Not free.
  3. http://www.slideshare.net/mometan/an-devconiii-moetanabianv14ssh Android Forensics: Exploring Android Internals and Android Apps Published on Jul 03, 2012
  4. Mohamed Khaled, http://www.slideshare.net/MohamedKhaled49/android-forensics-an-custom-recovery-image Mar 24, 2015. EGCERT at NTRA.
  5. Android Forensics. http://sqliteviewer.com/blog/android-sqlite-database-and-its-file-location.html
  6. Santhosh Kumar, Android Forensics and Security Testing, http://www.slideshare.net/loveyoubabe/android-forensics-and-security-testing, Defcon Kerala, 2014
  7. Karthik, "Enabling Proactive Forensics in Android ROMs", MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2016.
  8. PS Aiyyappan, "Adding Proactive Forensic Support to Android", MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2015.

10 Refs

WhatsApp forensics U of Nevada, poorly done.

FBI wanted Apple iPhone to be decrypted.

  1. http://freeandroidforensics.blogspot.com/
  2. Moe Tanabian, Android Forensics: Exploring Android Internals and Android Apps, 50+ Slides; 2012; (VP of Engineering, Head of Smart Things IoT Innovation Lab at Samsung Electronics) Recommended Reading
  3. Admin, Android Sqlite Database and Its File System Discussed In Detail, HTML; June 9th, 2015. Required Reading.
  4. Santhosh Kumar, Android Forensics and Security Testing, http://www.slideshare.net/loveyoubabe/android-forensics-and-security-testing, Defcon Kerala, 2014. Recommended Reading
  5. http://www.slideshare.net/mometan/an-devconiii-moetanabianv14ssh Android Forensics: Exploring Android Internals and Android Apps Published on Jul 03, 2012 Recommended Reading
  6. Casey, Eoghan (Fall 2002). "Practical Approaches to Recovering Encrypted Digital Evidence" (PDF). International Journal of Digital Evidence. Utica, New York: Economic Crime Institute, Utica College. 1 (3): 12. ISSN 1938-0917. Retrieved 2009-01-12.
  7. http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk; https://en.wikipedia.org/wiki/Forensic_Toolkit Reference
  8. http://cerbero.io/profiler/ Malware and forensic analysis tool. Not free. Reference

11 Refs

  1. https://resources.infosecinstitute.com/android-forensics-labs/#gref Technical descriptions; Exercise 1: Getting started with ADB; Emulating “user data” taken from a real device; Exercise 2: Understanding Android internals; Exercise 3: Bypassing screen locks; Exercise 4: Physical Acquisition; Exercise 5: Analysis of the SD Card data on the emulator. Exercise 6: Acquiring and analyzing android backups. Exercise 7: Logical Acquisition. Exercise 8: SQLite data recovery. Exercise 9: File carving using Scalpel; [scalpel, which is preinstalled in Santoku.]
  2. http://opensecuritytraining.info/AndroidForensics_files/Android%20Forensics%20and%20Security%20Testing%20-%20Labs%20and%20Commands.docx
  3. https://infosecaddicts.com/use-santoku-android-forensics/
  4. https://news.ycombinator.com/item?id=18732973 + https://venturebeat.com/2018/12/21/indian-government-to-intercept-monitor-and-decrypt-citizens-computers/ DECEMBER 21, 2018


13 End


Copyright © 2016 www.wright.edu/~pmateti • 2018-12-20