Sign In Start Free Trial

Learning Android Forensics

4.2 (6)

Learning Android Forensics

4.2 (6)

Overview of this book

If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

1. Introducing Android Forensics

1. Introducing Android Forensics

Mobile forensics

The mobile forensics approach

Challenges in mobile forensics

The Android architecture

Android security

2. Setting Up an Android Forensic Environment

2. Setting Up an Android Forensic Environment

The Android forensic setup

The Android SDK

Connecting and accessing an Android device from the workstation

Android Debug Bridge

Rooting Android

ADB on a rooted device

Summary

3. Understanding Data Storage on Android Devices

3. Understanding Data Storage on Android Devices

Android partition layout

Android file hierarchy

Application data storage on the device

Android filesystem overview

Summary

4. Extracting Data Logically from Android Devices

4. Extracting Data Logically from Android Devices

Logical extraction overview

Manual ADB data extraction

ADB backup extractions

ADB Dumpsys

Bypassing Android lock screens

Cracking an Android pattern lock

Android SIM card extractions

Issues and opportunities with Android Lollipop

Summary

5. Extracting Data Physically from Android Devices

5. Extracting Data Physically from Android Devices

Physical extraction overview

Extracting data physically with dd

Extracting data physically with nanddump

Analyzing a full physical image

Imaging and analyzing Android RAM

Acquiring Android SD cards

Advanced forensic methods

Summary

6. Recovering Deleted Data from an Android Device

6. Recovering Deleted Data from an Android Device

An overview of data recovery

Recovering data deleted from an SD card

Recovering data deleted from internal memory

Analyzing backups

Summary

7. Forensic Analysis of Android Applications

7. Forensic Analysis of Android Applications

Application analysis

Determining what apps are installed

Wi-Fi analysis

Contacts/call analysis

SMS/MMS analysis

User dictionary analysis

Gmail analysis

Google Chrome analysis

Google Maps analysis

Google Hangouts analysis

Google Keep analysis

Google Plus analysis

Facebook analysis

Facebook Messenger analysis

Skype analysis

Snapchat analysis

Viber analysis

Tango analysis

WhatsApp analysis

Kik analysis

WeChat analysis

Application reverse engineering

Summary

8. Android Forensic Tools Overview

8. Android Forensic Tools Overview

ViaExtract

Autopsy

ViaLab Community Edition

Summary

Conclusion

Index

Index

Customer Reviews

4.2 (6)

5 star

50%

4 star

16.7%

3 star

33.3%

2 star

0

1 star

0

Determining what apps are installed

To see what applications are on the device, an examiner could navigate to /data/data and run the ls command. However, this doesn't provide well-formatted data that will look good in a forensic report. We suggest that you pull the /data/system/packages.list file. This file lists the package name for every app on the device and path to its data (if this file does not exist on the device, the adb shell pm list packages -f command is a good alternative). For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):

Determining what apps are installed

Note

This is the first method of data storage: plain text. Often, we will see apps store data in plain text, including data you wouldn't expect (such as passwords).

Perhaps of greater interest is the /data/system/package-usage.list file, which shows the last time a package (or application) was used. It's not perfect; the times shown in the file did not correlate exactly with the last time...

Search

Your notes and bookmarks