Android Forensic

7/28/2019 Android Forensic

1/18

Android ForensicsSession C4

Tuesday, April 3, 2012Ming Chow

Lecturer, Department of Computer ScienceTufts University


2/18

MIS Training Institute Session # - Slide 0 COMPANY NAME

Introduction

n Over 700,000 Android phones activated per day

u ~250 million devices activated so far

n Android is a loosely defined platform:

u Hardware: varies (e.g., phones, tablets, appliances);manufacturers and carriers can customize it

u Operating system: Based on Linux; over 3 majorreleases in the last 1.5 years (more later)

n What this presentation is: how to acquire and analyzedata from an Android device


3/18


What We Will Not Cover

n Jailbreaking or rooting an Android device

n Developing apps or scripts for Android

n Fundamentals of computer forensics and investigations

n Anything specific to law enforcement or the courtsystem

n Using commerical tools such as FTK or EnCase

n Linux internals


4/18


What You Will Need

n Android Standard Development Kit (SDK)

u http://developer.android.com/sdk/index.html

n Basic *nix (Unix or Linux) command line skills


5/18


Android Architecture (continued)

n Based on Linux 2.6 for core system services (e.g.,memory and process management, network stack)

n How the apps are run: by the Android Runtime Systemutilizes the Dalvik virtual machine (VM)

u

Allows multiple apps to run concurrentlyu Each app has its own separate VM (e.g., unique

user ID and process)

u Sandboxed apps: files created by an app cannot beviewed by another app (i.e., based on privilege

separation)


6/18


Android Architecture


7/18


Android File System

n File system is Yet Another Flash File System 2 (YAFF2)

n Base file system is /; generally recreated everytime using ramdisk content

n /cache => Used as scratch pad by OS place dex optimized dalvik bitecode

n /data => Contains USER Data Stored as a separate partition in mtdblocksmounted at bootup

n /default.prop => Default property settings, values restored from this file onevery restart

n /proc

n /sbin

n /sys

n /system

n /sdcard=> The removable sdcard directory

n Interactive: http://anantshri.info/andro/file_system.html


8/18


Memory and Storage

n SIM card

n Removable Flash

n RAM (on the device itself)


9/18


Forensics Caveats

n Cant pull the plug

n Devices are always online (either using Wi-Fi orproviders network)

n Data stored on the device and in the cloud

n Android devices are strongly coupled with Googleservices (e.g., Gmail, Calendar, Voice)


10/18


Anatomy of an Android App

n Android apps are developed using Java and the AndroidSDK

n An app use least-privilege permissions to accessvarious components on device (e.g., camera,

networking, GPS, flashlight)n The binary: a signed.apk file; you can unzip it!

u AndroidManifest.xml: details about the appincluding permissions, version number, and main

classu res/: resources such as images

n Each app runs its own Dalvik VM


11/18


Anatomy of an Android App (continued)

n Data stored in /data/data/ of where the app isinstalled

u Each app has a package name (such ascom.google.dev or edu.tufts.cs.mchow; URL

reversed)

u Subdirectories

lib/ - Custom library files or dependencies

files/ - Files used by the app

cache/ - Cached files, often from the browser

databases/ - Namely SQLite databases


12/18


Secure the Device

1. Unlock device

u Enter or break pass code

u Increase screen timeout

2. Isolate device from network

u Put device in Airplane Mode

3. Enable USB debugging

u On the device, go to Settings > Applications > Development> check off USB debugging

4. Remove SIM card5. Remove SD card

6. Find the right USB and power cables


13/18


Logical Acquisition

n Download latest version of Andrew Hoogs AFLogicalopen source at http://code.google.com/p/android-forensics

u Unzip .apk file and send to device

u Instructions: http://code.google.com/p/android-forensics/wiki/WikiPageUse

n Information acquired include browser history, call logs,metadata of various media files, MMSes, SMSs, appsinstalled (with version), contacts; results to CSV files

n Information about the device saved to info.xml file


14/18


Physical Acquisition

n Bit-by-bit copy of an entire physical store or SD card(FAT32)

u Gold mine of deleted and active personal dataincluding photos, music, downloads, app data

n Use dd


15/18


Online Analysis with Android Debug

Bridge (adb)n http://developer.android.com/guide/developing/tools/adb.html

n Command line tool; found in/platform-tools/

n Client-server based; communication between your computer andthe device

n Make sure USB debugging is enabled on device

n Commands:

u adb devices => see list of connected devices

u adb shell => interact with with device

u

You can push and pull files to and from the device via adbpush and adb pull

u adb logcat => print system log (includes app stuff)


16/18


Online Analysis with the Dalvik Debug

Monitor Server (DDMS)n http://developer.android.com/guide/developing/debugging/ddms.

html

n Command line tool; found in /tools/

n Again, make sure USB debugging is enabled on device

n Graphical

n Can take screenshots of device

n Overlaps with adb (e.g., logcat)

n Can emulate phone operations, location

n

Can spoof calls and text messagesn Can dump application state


17/18


Conclusion

n Challenges

u Fragmentation

Many different Android OSes

Many different carriers and devicesu Varies file systems used by Android(YAFFS2, FAT32, etc.)

u Rooted vs. un-rooted devices

n Still a very young field (mobile forensics)

n Both logical and physical techniques are necessary

n Android continues to grow --fast


18/18


References and Resources

n Android Forensics: Simplifying Cell Phone Examinations, Lessard & Kessler, Small Scale Digital DeviceForensics Journal, Vol. 4, No. 1, September 2010,http://www.ssddfj.org/papers/SSDDFJ_V4_1_Lessard_Kessler.pdf

n Introduction to Computer Forensics and Android Forensics, Simson Garfinkelhttp://simson.net/ref/2011/2011-07-12%20Android%20Forensics.pdf

n Android Forensics: Investigation, Analysis, and Mobile Security for Google Android, Andrew Hoog, SyngressPress, June 2011. http://my.safaribooksonline.com/book/-/9781597496513

n Android: Forensics and Reverse Engineering, Raphael Rigo,https://deepsec.net/docs/Slides/DeepSec_2010_Reverse_Forensics.pdf

n http://computer-forensics.sans.org/blog/2010/03/01/open-source-android-digital-forensics-application/

n http://code.google.com/p/android-forensics/

n http://www.dfinews.com/article/introduction-android-forensics

n http://viaforensics.com/services/mobile-forensics/android-forensics

n https://viaforensics.com/android-forensics/htcia-android-forensics-training-presentation-february-14-2012.html

n http://techcrunch.com/2011/12/22/android-700000/

n http://developer.android.com/sdk/index.html

Android Forensic

Documents

Transcript of Android Forensic