Forensic Aspect of Remote Wiping in Android
Presented by: Ming Di Leom
Supervisor: Dr. Kim-Kwang Raymond Choo
Structure
• Background
• Thumbnail recovery
• Effectiveness of remote wiping apps
• Discussion
• Future research
Background
• In August 2013, Google announced Android Device Manager (ADM).
• Remotely:
• Locate
• Ring
• Erase (factory reset) your Android device
• Available on Android v2.3 (Gingerbread) and above (~99% of active devices).
• No setup or installation required.
• Delivered automatically through Google Play Services.
• Only a Google Account is needed.
• The remote wipe feature is not new in Android.
• Previously offered to Google Apps customers, or via third-party apps (e.g. anti-virus).
Research motivation
• ADM makes remote wiping an official (built-in) feature of Android.
• This means most Android phones are already equipped with remote wiping capability.
• Previous studies have shown that the factory reset is ineffective at removing user data.
Thumbnail recovery
Preliminary study
• Repeat the experiment of a previous study (Schwamm 2014).
• Using an older Android device (Nexus S here vs. Samsung Galaxy S3 in that study).
• Attempt to recover camera photos after a factory reset.
• Using similar forensic software to recover the photos.
• The recovery rate is much lower (~50% vs. 100%).
• Why?
• Let's try to recover the photos manually.
Schwamm, R 2014, 'Effectiveness of the factory reset on a mobile device',
Master's thesis, Naval Postgraduate School, Monterey, California, USA.
[Figure: manually recovered photo compared with the original]
Fragmentation
• Manual recovery shows why: the camera photos are stored fragmented, so carving from the JPEG header recovers only the first contiguous piece of each file.
• However, not all kinds of files are fragmented.
• e.g. thumbnails
• A much smaller version of the original picture.
• Fits in fewer blocks, so it is less likely to be fragmented.
Thumbnail recovery
• Study the structure of the thumbnail cache.
• An existing (free) file recovery tool can be tweaked to target thumbnails only (e.g. by their fixed resolution).
• This reduces false positives.
Result (after factory reset)
Thumbnail type                                  Thumbnails recovered                        Percentage
200 x 200 resolution thumbnail in thumbcache    10/10                                       100%
VGA resolution thumbnail in thumbcache          3/10 (9/10 if fragmented thumbnails are included)   30% (90%)
Embedded thumbnail in JPEG file                 10/10                                       100%
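As an added illustration (not the presenter's tool, which the slides do not show), the following Python carver demonstrates the tweak described above: it walks the JPEG segment chain from each SOI marker, reads the image dimensions from the SOF frame header, and keeps only images of a chosen resolution such as 200 x 200 cache thumbnails. Walking the segments properly also handles two cases the table above depends on: an EXIF-embedded thumbnail is carved as its own file without truncating the parent photo, and a fragmented JPEG whose tail (and EOI) was overwritten is rejected instead of being counted as recovered. The sample "dump" is constructed inline and is structurally valid but not decodable; the function and segment names are this example's own.

```python
"""Carve JPEG images of a chosen resolution out of a raw storage dump.

Follows the real JPEG segment chain (SOI -> APPn/SOFn/SOS -> EOI) rather than
pairing the first FFD8 with the first FFD9, so an EXIF-embedded thumbnail does
not truncate its parent photo and unterminated (fragmented) files are rejected.
"""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# SOF0..SOF15 frame headers carry the image dimensions (DHT/JPG/DAC excluded)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # TEM, SOI, RST0..7: no length field


def parse_jpeg(buf, start):
    """Follow the segment chain from the SOI at `start`.

    Returns (end_offset, width, height) when a matching EOI is reached, or
    None if the chain is broken or runs off the end (a fragmented file).
    """
    n, pos = len(buf), start + 2
    width = height = None
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the file is complete
            return pos + 2, width, height
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        if marker in SOF_MARKERS:     # precision(1) height(2) width(2) follow the length
            if pos + 9 > n:
                return None
            height, width = struct.unpack(">HH", buf[pos + 5:pos + 9])
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded data until the next real marker
            while pos + 1 < n:
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break             # 0xFF00 is byte stuffing, RSTn are restart markers
                pos += 1
    return None


def carve_jpegs(blob, want=None):
    """Return [(offset, data, width, height)] for every complete JPEG in `blob`.

    `want=(w, h)` keeps only that resolution, e.g. (200, 200) for cache
    thumbnails. Scanning resumes 2 bytes past each SOI rather than past the
    carved file, so thumbnails embedded in a photo's EXIF block are found too.
    """
    hits, pos = [], 0
    while True:
        pos = blob.find(SOI, pos)
        if pos == -1:
            return hits
        parsed = parse_jpeg(blob, pos)
        if parsed is not None:
            end, w, h = parsed
            if want is None or (w, h) == want:
                hits.append((pos, bytes(blob[pos:end]), w, h))
        pos += 2


def make_jpeg(width, height, embedded=None):
    """Constructed, structurally valid (not decodable) JPEG for exercising the carver."""
    segs = [SOI]
    if embedded is not None:   # APP1/Exif segment carrying a preview JPEG, as cameras write
        body = b"Exif\x00\x00" + embedded
        segs.append(b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body)
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    segs.append(b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof)
    sos = b"\x01\x01\x00\x00\x3f\x00"
    segs.append(b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos)
    segs.append(b"\x12\x34\xff\x00\x56")   # entropy data containing one stuffed 0xFF00
    segs.append(EOI)
    return b"".join(segs)


def build_sample_dump():
    """Constructed stand-in for a post-reset flash dump: unallocated zeros around a
    200x200 cache thumbnail, a VGA photo with an embedded 160x120 EXIF thumbnail,
    and a full-size photo whose tail (including the EOI) was overwritten."""
    gap = b"\x00" * 37
    thumb = make_jpeg(200, 200)
    photo = make_jpeg(640, 480, embedded=make_jpeg(160, 120))
    fragment = make_jpeg(3264, 2448)[:-2] + b"\x00" * 16
    return gap + thumb + gap + photo + gap + fragment + gap


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, data, w, h in carve_jpegs(dump):
        print(f"offset {off:5d}: {w}x{h}, {len(data)} bytes")
    print("200x200 thumbnails only:", len(carve_jpegs(dump, want=(200, 200))))
```

On a real image, `blob` would be the bytes (or an `mmap`) of a `dd` dump of the data partition; the `want` filter is what turns a general JPEG carver into a thumbnail-only one, and the `None` returned for the overwritten file is the fragmented case that separates the 3/10 from the 9/10 in the VGA row above.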
Effectiveness of remote wiping/factory reset in 3rd-party apps
Effectiveness of remote wiping/factory reset
• Schwamm (2014) tested the default factory reset function.
• 7 apps were tested against the default.
• Compare the recovery rates.
• 2 apps offer "secure" wiping, which should make the files unrecoverable.
• Tested on 3 mobile devices:
• Moto G (< 3 months of usage, newer file system)
• Nexus S (> 3 years of usage, older file system)
• Nexus 4 (~2 years of usage, most common file system; test still ongoing)
Results:
• One app's default wipe method removed almost nothing.
• Of the 2 apps that offer secure wiping, only 1 is more effective than the default.
• Even with secure wiping, data recovery is still possible.
• Almost all apps perform similarly to the default factory reset.
• Very low recovery rate on the Moto G (with or without secure wiping).
Discussion
• The data remnant issue can be solved through full-disk encryption: whatever a wipe leaves behind is ciphertext without the key.
• Introduced in Android 4.0 (Ice Cream Sandwich).
• Enabled by default in Android 5.0 (Lollipop).
• However, about 4 months after the Lollipop release, encryption was made optional again because of its performance impact on then-current hardware.
• Recommendations:
• Enable full-disk encryption if possible.
• Use secure wiping: although not very effective, it is better than nothing.
Future research
• Thumbnail recovery
• More photo gallery apps.
• More devices (i.e. different camera resolutions).
• Effectiveness study
• The secure wiping method each app uses.
• Which factors (usage, file system) affect the recovery rate, and how.
Q & A