Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Learning Android Forensics
  • Toc
  • feedback
Learning Android Forensics

Learning Android Forensics

4.2 (6)
close
Learning Android Forensics

Learning Android Forensics

4.2 (6)

Overview of this book

If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.
Table of Contents (10 chapters)
close
close
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Free Chapter
1
1. Introducing Android Forensics
chevron up
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Challenges in mobile forensics
The Android architecture
Android security
2
2. Setting Up an Android Forensic Environment
2. Setting Up an Android Forensic Environment
The Android forensic setup
The Android SDK
Connecting and accessing an Android device from the workstation
Android Debug Bridge
Rooting Android
ADB on a rooted device
Summary
3
3. Understanding Data Storage on Android Devices
3. Understanding Data Storage on Android Devices
Android partition layout
Android file hierarchy
Application data storage on the device
Android filesystem overview
Summary
4
4. Extracting Data Logically from Android Devices
4. Extracting Data Logically from Android Devices
Logical extraction overview
Manual ADB data extraction
ADB backup extractions
ADB Dumpsys
Bypassing Android lock screens
Cracking an Android pattern lock
Android SIM card extractions
Issues and opportunities with Android Lollipop
Summary
5
5. Extracting Data Physically from Android Devices
5. Extracting Data Physically from Android Devices
Physical extraction overview
Extracting data physically with dd
Extracting data physically with nanddump
Analyzing a full physical image
Imaging and analyzing Android RAM
Acquiring Android SD cards
Advanced forensic methods
Summary
6
6. Recovering Deleted Data from an Android Device
6. Recovering Deleted Data from an Android Device
An overview of data recovery
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Analyzing backups
Summary
7
7. Forensic Analysis of Android Applications
7. Forensic Analysis of Android Applications
Application analysis
Determining what apps are installed
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Snapchat analysis
Viber analysis
Tango analysis
WhatsApp analysis
Kik analysis
WeChat analysis
Application reverse engineering
Summary
8
8. Android Forensic Tools Overview
8. Android Forensic Tools Overview
ViaExtract
Autopsy
ViaLab Community Edition
Summary
Conclusion
9
Index
Index

The mobile forensics approach

Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all cases. However, the overall process can be broken into five phases as shown in the following diagram:

The mobile forensics approach

Phases in mobile forensics

The following section discusses each phase in detail:

Investigation Preparation

This phase begins when a request for examination is received. It involves preparing all of the paperwork and forms required to document the chain of custody, ownership information, the device model, its purpose, the information that the requestor is seeking, and so on. The chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. From the details submitted by the requestor, it's important to have a clear understanding of the objective for each examination.

Seizure and Isolation

Handling the device during seizure is one of the important steps while performing forensic analysis. The evidence is usually transported using anti-static bags which are designed to protect electronic components against damages produced by static electricity. As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device. At the same time, any opportunity that can aid the investigation should also not be missed.

Following are some of the points that need to be considered while handling an Android device during this phase:

  • With increasing user awareness on security and privacy, most of the devices now have screen lock enabled. During the time of seizure, if there is a chance to do so, disable the passcode. Some devices do not ask the user to re-enter the passcode while disabling the lock screen option.
  • If the device is unlocked, try to change the settings of the device to allow greater access to the device. Some of the settings that can be considered to achieve this are as follows:
    • Enable USB debugging: Enabling this option gives greater access to the device through Android debug bridge (adb) connection. We are going to cover adb connection in detail in Chapter 2, Setting Up Android Forensic Environment. This will greatly aid the forensic investigator during the data extraction process. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot. In later Android versions starting from 4.2, the developer options are hidden by default. To enable them, navigate to Settings | About Phone and tap on Build number 7 times.
    • Enable stay awake setting: Enabling this option and charging the device will make the device stay awake which means that, it doesn't get locked. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot:
      Seizure and Isolation

      Stay awake and USB debugging options

    • Increase Screen timeout: This is the time for which the device will be active once it is unlocked. Depending on the device model, this time can be set up to 30 minutes. In most devices, it can be accessed under Settings | Display | Screen timeout, as shown in the following screenshot:

    Note

    Please note that the location to access this item changes across different versions and models of Android phones.

    Seizure and Isolation

    Screen timeout option on an Android device

In mobile forensics, it is of critical importance to protect the seized device so that our interaction with the evidence (or for that matter, an attacker's attempt to remotely interact with the device) does not change the evidence. In computer forensics, we have software and hardware write blockers that can perform this function. But in mobile forensics, since we need to interact with the device to pull the data, these write blockers are not of any use. Another important aspect is that we also need to prevent the device from interacting with wireless radio networks. As mentioned earlier, there is a high probability that an attacker can issue remote wipe commands to delete all data, including e-mails, applications, photos, contacts, and other files on the device.

The Android Device Manager (ADM) and several other third-party apps allow the phone to be remotely wiped or locked. This can be done by signing into the Google account that is configured on the mobile device. Using this software, an attacker can also locate the device, which could pose a security risk. For all these reasons, isolating the device from all communication sources is very important.

Tip

Have you thought about remote wipe options that do not require internet access? Mobile Device Management (MDM) software provides a remote wipe feature just by sending an SMS. Isolating the device from all communication options is crucial.

To isolate the device from a network, we can put the device in Airplane mode if there is access to the device. Airplane mode disables a device's wireless transmission functions, such as cellular radio, Wi-Fi, and Bluetooth. However, this may not always be possible because most of the devices are screen-locked. Also, as Wi-Fi is now available in airplanes, some devices now allow Wi-Fi access in Airplane mode. Hence, an alternate solution would be to use a Faraday bag or RF isolation box, as both effectively block signals to and from the mobile phone. But, one concern with these isolation methods however, is that once they're employed, it is difficult to work with the phone because you cannot see through them to use the touch screen or keypad. For this reason, Faraday tents and rooms exist, as shown in the following screenshot (taken from http://www.technicalprotection.co.uk/), but are very expensive.

Seizure and Isolation

Pyramid-shaped Faraday tent

Even after taking all these precautions, certain automatic functions, such as alarms can trigger. If such a situation is encountered, it must be properly documented.

Acquisition

The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straight forward. Depending on the operating system, make, and model of the device, the extraction method is decided. The following types of acquisition methods can be used to extract data from a device:

  • Manual acquisition: This is the simplest of all acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only those files and data that are visible through a normal user interface can be extracted. Data extracted through other methods can also be verified using this.
  • Logical acquisition: This is also called logical extraction. This generally refers to extracting the files that are present on a logical store such as a filesystem partition. This involves obtaining data types, such as text messages, call history, pictures and so on, from a phone. The logical extraction technique works by using the original equipment manufacturer's APIs for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:
    • Call Logs
    • SMS
    • MMS
    • Browser history
    • People
    • Contact methods
    • Contacts extensions
    • Contacts groups
    • Contacts phones
    • Contacts setting
    • External image media (metadata)
    • External image thumbnail media (metadata)
    • External media, audio, and misc. (metadata)
    • External videos (meta data)
    • MMSParts (includes full images sent via MMS)
    • Location details (GPS data)
    • Internet activity
    • Organizations
    • List of all applications installed, along with their version
    • Social networking apps data such as WhatsApp, Skype, Facebook, and so on.
  • Filesystem acquisition: This is a logical procedure and generally refers to the extraction of a full file system from a mobile device. File system acquisition can sometimes help in recovering deleted contents (stored in SQLite files) that are deleted from the device.
  • Physical acquisition: This involves making a bit-by-bit copy of the entire flash memory. The data extracted using this method is usually in the form of raw data (as a hexadecimal dump), which can then be further parsed to obtain file system information or human readable data. Since all investigations are performed on this image, this process also ensures that original evidence is not altered.

Examination and Analysis

In this phase, different software tools are used to extract the data from the memory image. In addition to these tools, an investigator would also need the help of a hex editor, as tools do not always extract all the data. There is no single tool that can be used in all cases. Hence, examination and analysis requires a sound knowledge of various file systems, file headers, and so on.

Reporting

Documentation of the examination should be done throughout the process, noting down what was done in each phase. The following points might be documented by an examiner:

  • Date and time the examination started
  • Physical condition of the phone
  • The status of the phone when received (ON/OFF)
  • Make, model, and operating system of the phone
  • Pictures of the phone and individual components
  • Tools used during the investigation
  • Data documented during the examination

The data extracted from the mobile device should be clearly presented to the recipient so that it can be imported into other software for further analysis. In the case of civil or criminal cases, wherever possible, pictures of data, as it existed on the cellular phone, should be collected, as they can be visually compelling to a jury.

End of Section 3
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete