Download - Android Forensic
-
7/28/2019 Android Forensic
1/18
Android ForensicsSession C4
Tuesday, April 3, 2012Ming Chow
Lecturer, Department of Computer ScienceTufts University
-
7/28/2019 Android Forensic
2/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Introduction
n Over 700,000 Android phones activated per day
u ~250 million devices activated so far
n Android is a loosely defined platform:
u Hardware: varies (e.g., phones, tablets, appliances);manufacturers and carriers can customize it
u Operating system: Based on Linux; over 3 majorreleases in the last 1.5 years (more later)
n What this presentation is: how to acquire and analyzedata from an Android device
-
7/28/2019 Android Forensic
3/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
What We Will Not Cover
n Jailbreaking or rooting an Android device
n Developing apps or scripts for Android
n Fundamentals of computer forensics and investigations
n Anything specific to law enforcement or the courtsystem
n Using commerical tools such as FTK or EnCase
n Linux internals
-
7/28/2019 Android Forensic
4/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
What You Will Need
n Android Standard Development Kit (SDK)
u http://developer.android.com/sdk/index.html
n Basic *nix (Unix or Linux) command line skills
-
7/28/2019 Android Forensic
5/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Android Architecture (continued)
n Based on Linux 2.6 for core system services (e.g.,memory and process management, network stack)
n How the apps are run: by the Android Runtime Systemutilizes the Dalvik virtual machine (VM)
u
Allows multiple apps to run concurrentlyu Each app has its own separate VM (e.g., unique
user ID and process)
u Sandboxed apps: files created by an app cannot beviewed by another app (i.e., based on privilege
separation)
-
7/28/2019 Android Forensic
6/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Android Architecture
-
7/28/2019 Android Forensic
7/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Android File System
n File system is Yet Another Flash File System 2 (YAFF2)
n Base file system is /; generally recreated everytime using ramdisk content
n /cache => Used as scratch pad by OS place dex optimized dalvik bitecode
n /data => Contains USER Data Stored as a separate partition in mtdblocksmounted at bootup
n /default.prop => Default property settings, values restored from this file onevery restart
n /proc
n /sbin
n /sys
n /system
n /sdcard=> The removable sdcard directory
n Interactive: http://anantshri.info/andro/file_system.html
-
7/28/2019 Android Forensic
8/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Memory and Storage
n SIM card
n Removable Flash
n RAM (on the device itself)
-
7/28/2019 Android Forensic
9/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Forensics Caveats
n Cant pull the plug
n Devices are always online (either using Wi-Fi orproviders network)
n Data stored on the device and in the cloud
n Android devices are strongly coupled with Googleservices (e.g., Gmail, Calendar, Voice)
-
7/28/2019 Android Forensic
10/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Anatomy of an Android App
n Android apps are developed using Java and the AndroidSDK
n An app use least-privilege permissions to accessvarious components on device (e.g., camera,
networking, GPS, flashlight)n The binary: a signed.apk file; you can unzip it!
u AndroidManifest.xml: details about the appincluding permissions, version number, and main
classu res/: resources such as images
n Each app runs its own Dalvik VM
-
7/28/2019 Android Forensic
11/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Anatomy of an Android App (continued)
n Data stored in /data/data/ of where the app isinstalled
u Each app has a package name (such ascom.google.dev or edu.tufts.cs.mchow; URL
reversed)
u Subdirectories
lib/ - Custom library files or dependencies
files/ - Files used by the app
cache/ - Cached files, often from the browser
databases/ - Namely SQLite databases
-
7/28/2019 Android Forensic
12/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Secure the Device
1. Unlock device
u Enter or break pass code
u Increase screen timeout
2. Isolate device from network
u Put device in Airplane Mode
3. Enable USB debugging
u On the device, go to Settings > Applications > Development> check off USB debugging
4. Remove SIM card5. Remove SD card
6. Find the right USB and power cables
-
7/28/2019 Android Forensic
13/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Logical Acquisition
n Download latest version of Andrew Hoogs AFLogicalopen source at http://code.google.com/p/android-forensics
u Unzip .apk file and send to device
u Instructions: http://code.google.com/p/android-forensics/wiki/WikiPageUse
n Information acquired include browser history, call logs,metadata of various media files, MMSes, SMSs, appsinstalled (with version), contacts; results to CSV files
n Information about the device saved to info.xml file
-
7/28/2019 Android Forensic
14/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Physical Acquisition
n Bit-by-bit copy of an entire physical store or SD card(FAT32)
u Gold mine of deleted and active personal dataincluding photos, music, downloads, app data
n Use dd
-
7/28/2019 Android Forensic
15/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Online Analysis with Android Debug
Bridge (adb)n http://developer.android.com/guide/developing/tools/adb.html
n Command line tool; found in/platform-tools/
n Client-server based; communication between your computer andthe device
n Make sure USB debugging is enabled on device
n Commands:
u adb devices => see list of connected devices
u adb shell => interact with with device
u
You can push and pull files to and from the device via adbpush and adb pull
u adb logcat => print system log (includes app stuff)
-
7/28/2019 Android Forensic
16/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Online Analysis with the Dalvik Debug
Monitor Server (DDMS)n http://developer.android.com/guide/developing/debugging/ddms.
html
n Command line tool; found in /tools/
n Again, make sure USB debugging is enabled on device
n Graphical
n Can take screenshots of device
n Overlaps with adb (e.g., logcat)
n Can emulate phone operations, location
n
Can spoof calls and text messagesn Can dump application state
-
7/28/2019 Android Forensic
17/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
Conclusion
n Challenges
u Fragmentation
Many different Android OSes
Many different carriers and devicesu Varies file systems used by Android(YAFFS2, FAT32, etc.)
u Rooted vs. un-rooted devices
n Still a very young field (mobile forensics)
n Both logical and physical techniques are necessary
n Android continues to grow --fast
-
7/28/2019 Android Forensic
18/18
MIS Training Institute Session # - Slide 0 COMPANY NAME
References and Resources
n Android Forensics: Simplifying Cell Phone Examinations, Lessard & Kessler, Small Scale Digital DeviceForensics Journal, Vol. 4, No. 1, September 2010,http://www.ssddfj.org/papers/SSDDFJ_V4_1_Lessard_Kessler.pdf
n Introduction to Computer Forensics and Android Forensics, Simson Garfinkelhttp://simson.net/ref/2011/2011-07-12%20Android%20Forensics.pdf
n Android Forensics: Investigation, Analysis, and Mobile Security for Google Android, Andrew Hoog, SyngressPress, June 2011. http://my.safaribooksonline.com/book/-/9781597496513
n Android: Forensics and Reverse Engineering, Raphael Rigo,https://deepsec.net/docs/Slides/DeepSec_2010_Reverse_Forensics.pdf
n http://computer-forensics.sans.org/blog/2010/03/01/open-source-android-digital-forensics-application/
n http://code.google.com/p/android-forensics/
n http://www.dfinews.com/article/introduction-android-forensics
n http://viaforensics.com/services/mobile-forensics/android-forensics
n https://viaforensics.com/android-forensics/htcia-android-forensics-training-presentation-february-14-2012.html
n http://techcrunch.com/2011/12/22/android-700000/
n http://developer.android.com/sdk/index.html