Page 1
Android™ App Forensic Evidence Database
Chris Chao-Chun Cheng, Chen Shi, Brody Concannon, Neil Zhenqiang Gong, and Yong Guan
Iowa State University
NIST Center of Excellence in Forensic Science – CSAFE
Acknowledgement: Barbara Guttman, Michael Ogata, and James Lyle (NIST)
Page 2
Animal Poaching: Washington State ’17
1+ felony charge & 1+ misdemeanor count
Page 3
Mobile App’s Evidence: Animal Poaching
1. Obtain the suspect’s mobile device
2. Extract the file system image
3. Identify evidence in the image
• Extract GPS coordinates from photos
• Text messages
• Shotgun slug
• Match to one of suspect’s guns
• GPS coordinates of illegal animal kill sites
“… today we struck a huge bear …”
“… the bear ran right off it into the river dead as hell …”
Page 4
Mobile Forensics Problems
1. Given an app, what kinds of artifacts will it collect, and where will they be stored?
2. After the app is updated, how does its evidentiary data change?
3. What kinds of evidence are stored on the suspect’s device, and where?
Page 5
App Evidence Database
Page 6
Workflow of Updating AED
1. Crawl apps from markets
2. Apply program analysis and generate results
3. Update apps, metadata, and forensic analysis results
Page 7
App Crawlers Development
• 30+ App Markets: Google Play Store, ApkPure…
• Versions, MD5 hash, Permission list, Release date …
Page 8
Static Program Analysis: EviHunter
1. Obtain the Android Package (APK) file
2. Extract the app’s code
3. Perform forward analysis and apply propagation rules
4. Output when reaching a sink method (file system)
Chris Chao-Chun Cheng, Chen Shi, Neil Zhenqiang Gong, and Yong Guan, "EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis," in ACM CCS 2018
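The four steps above describe a forward taint analysis. As an added illustration (this is not EviHunter’s code; its IR, source and sink lists and rule set are assumed, simplified stand-ins), the following toy analysis tags values at source APIs with an evidence type, carries the tags through assignments and concatenation, reconstructs the file path string, and reports (file path, evidence type) when tainted data reaches a file-system sink:

```python
from typing import Dict, List, Set, Tuple

# Source API -> evidence type it produces; sink APIs take (path, data).
# Assumed, simplified mappings for this example, not EviHunter's rule set.
SOURCES = {"Location.getLatitude": "Location", "EditText.getText": "Text Input",
           "System.currentTimeMillis": "Time"}
SINKS = {"FileOutputStream.write", "SharedPreferences.putString"}

def analyze(instrs: List[Tuple]) -> List[Tuple[str, str]]:
    """Forward taint pass over a straight-line 3-address IR.
    ("const", dst, lit) | ("concat", dst, a, b) | ("call", dst, api, [args])
    Returns sorted (file path, evidence type) pairs reaching a file-system sink."""
    taint: Dict[str, Set[str]] = {}   # variable -> evidence types flowing into it
    strval: Dict[str, str] = {}       # variable -> statically known string value
    found: Set[Tuple[str, str]] = set()
    for ins in instrs:
        op, dst = ins[0], ins[1]
        if op == "const":
            strval[dst] = ins[2]
        elif op == "concat":                    # rule: taint(a+b) = taint(a) | taint(b)
            a, b = ins[2], ins[3]
            taint[dst] = taint.get(a, set()) | taint.get(b, set())
            if a in strval and b in strval:     # path string reconstruction
                strval[dst] = strval[a] + strval[b]
        elif op == "call":
            api, args = ins[2], ins[3]
            if api in SOURCES:                  # source introduces a tag
                taint[dst] = {SOURCES[api]}
            elif api in SINKS:                  # sink: report path + tags of data arg
                path = strval.get(args[0], "<unknown path>")
                for tag in taint.get(args[1], set()):
                    found.add((path, tag))
            else:                               # rule: return value inherits args' taint
                taint[dst] = set().union(*(taint.get(a, set()) for a in args))
    return sorted(found)

# Constructed sample method: builds a DB path, reads location and time,
# formats them into one record and writes that record to the file.
SAMPLE = [
    ("const", "base", "/data/data/com.example.app/databases/"),
    ("const", "name", "ldata.db"),
    ("concat", "path", "base", "name"),
    ("call", "lat", "Location.getLatitude", []),
    ("call", "now", "System.currentTimeMillis", []),
    ("call", "rec", "String.format", ["lat", "now"]),
    ("call", "_", "FileOutputStream.write", ["path", "rec"]),
]
```

Running `analyze(SAMPLE)` yields the path `/data/data/com.example.app/databases/ldata.db` with the evidence types Location and Time, which is the shape of one row in the evidence database.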
Page 9
Dynamic Program Analysis
Preprocessing:
Install the customized Android OS on the device
For each app:
1. Install and run it on the device carrying the modified OS
2. Output when reaching a sink method (file system)
Zhen Xu, Chen Shi, Chris Cheng, Neil Gong and Yong Guan, "A Dynamic Taint Analysis Tool for Android App Forensics," in SADFE 2018
Page 10
Real-world Apps Evidence (1)
| App | Evidence Location | Evidence Type |
| --- | --- | --- |
| Twitter | /data/data/com.twitter.android/cache/.fcaches/fileStreamCacheDownloader/journal.tmp | Text Input |
| Instagram | /data/data/com.instagram.android/shared_prefs/rti.mqtt.mqtt_radio_active_time.xml | Location |
| FB Messenger | /data/data/com.facebook.orca/files/mobileconfig/sessionless.data/0.mctable | Text Input |
| WhatsApp | /sdcard/Android/data/com.whatsapp/cache/SSLSessionCache/157.240.2.53.443 | Location |
| WhatsApp | /data/user/0/com.whatsapp/shared_prefs/registration.RegisterPhone.xml | Text Input |
Page 11
Real-world Apps Evidence (2)
• 8,690 Google Play Store apps
• SharedPreferences is the most likely evidentiary file type.
• Time is the most common evidence type in the file system.
• Manual verification: 90% precision and 89% recall.
Page 12
Case Study: Airpush Ads (1)
• 133 reported cases:
– Path: /data/data/<package name>/databases/ldata.db
– Evidence Type: Location and Time
• Manual verification
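Problem 3 on Page 4 asks what evidence is on a seized device and where. As an added example (not the project’s database or code), this is the lookup an examiner would run against rows like the Page 10 table and the Airpush entry above: match an extracted file-system listing against evidence-database templates, expanding the deck’s `<package name>` placeholder to whatever package directory is actually present. The database rows reuse the deck’s paths; the file listing and the example package names are constructed.

```python
import re
from typing import List, Tuple

# Constructed evidence-database rows in the shape of the deck's tables:
# (app or SDK, location template, evidence type). "<package name>" is the
# placeholder the deck uses for an SDK artefact that many apps carry.
EVIDENCE_DB = [
    ("Twitter", "/data/data/com.twitter.android/cache/.fcaches/fileStreamCacheDownloader/journal.tmp", "Text Input"),
    ("Instagram", "/data/data/com.instagram.android/shared_prefs/rti.mqtt.mqtt_radio_active_time.xml", "Location"),
    ("WhatsApp", "/data/user/0/com.whatsapp/shared_prefs/registration.RegisterPhone.xml", "Text Input"),
    ("Airpush SDK", "/data/data/<package name>/databases/ldata.db", "Location and Time"),
]
PLACEHOLDER = "<package name>"

def template_to_regex(template: str) -> "re.Pattern[str]":
    """Anchor the literal path; the placeholder becomes a capturing package matcher."""
    body = re.escape(template).replace(re.escape(PLACEHOLDER), r"([A-Za-z0-9_.]+)")
    return re.compile("^" + body + "$")

def match_image(paths: List[str]) -> List[Tuple[str, str, str, str]]:
    """For each file in an extracted file-system listing, return
    (path, app, evidence type, package matched by the placeholder or '')."""
    rules = [(app, template_to_regex(t), etype) for app, t, etype in EVIDENCE_DB]
    hits = []
    for path in paths:
        for app, rx, etype in rules:
            m = rx.match(path)
            if m:
                hits.append((path, app, etype, m.group(1) if m.groups() else ""))
    return hits

def by_evidence_type(hits: List[Tuple[str, str, str, str]]) -> dict:
    """Group matched paths by evidence type: which evidence is present, and where."""
    out: dict = {}
    for path, _app, etype, _pkg in hits:
        out.setdefault(etype, []).append(path)
    return out

# Constructed file listing from a hypothetical extracted image (package
# names other than the deck's own are made up for the example).
IMAGE_LISTING = [
    "/data/data/com.twitter.android/cache/.fcaches/fileStreamCacheDownloader/journal.tmp",
    "/data/data/com.example.game/databases/ldata.db",
    "/data/data/com.example.news/databases/ldata.db",
    "/data/data/com.example.game/databases/other.db",
    "/data/user/0/com.whatsapp/shared_prefs/registration.RegisterPhone.xml",
]
```

Two unrelated apps carrying the Airpush SDK both surface as Location and Time evidence in `ldata.db`, which is how one database row covers the 133 reported cases.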
Page 13
Case Study: Airpush Ads (2)
Hourly Tracking
Page 14
Case Study: Airpush Ads (3)
• Traceback from the class: com.yrkfgo.assxqx4
docs.airpush.com
Page 15
Case Study: Airpush Ads (4)
450 Million Users, > 300K Apps
Source: https://airpush.com/about/
Page 16
Conclusion
• First Android app forensic evidence database.
• Saves time and lets examiners move fast in real-world cases.
• Up-to-date forensic analysis results for real-world apps.
Page 17
Android App Evidence Database (1)
• Various sources
• Multiple versions
Page 18
Android App Evidence Database (2)
1. Search by app keyword
2. Click to check its evidentiary data
Page 19
Android App Evidence Database (3)