Forensic Aspect of Remote Wiping in Android Presented by: Ming Di Leom Supervisor: Dr. Kim-Kwang Raymond Choo

Page 1:

Forensic Aspect of Remote Wiping in Android

Presented by: Ming Di Leom

Supervisor: Dr. Kim-Kwang Raymond Choo

Page 2:

Structure

• Background

• Thumbnail recovery

• Effectiveness of remote wiping apps

• Discussion

• Future research


Page 3:

Background

• In August 2013, Google announced Android Device Manager (ADM).

• Remotely:

  • Locate

  • Ring

  • Erase (factory reset) your Android device

• Available on Android v2.3 (Gingerbread) and above (~99%).

• No setup or installation required.

  • Automatically installed through Google Play Services.

  • Only a Google Account is needed.

Page 4:

Page 5:

Page 6:

• The remote wipe feature is not new in Android.

• It was previously offered to Google Apps customers, or via a third-party app (e.g. anti-virus).

Page 7:

Research motivation

• ADM makes remote wiping an official (built-in) feature of Android.

• This means most Android phones are already equipped with remote wiping capability.

• Previous studies have shown that factory reset is ineffective.

Page 8:

Thumbnail recovery


Page 9:

Preliminary study

• Repeat the experiment of a previous study (Schwamm 2014):

  • Using an older Android device (Nexus S vs. Samsung S3).

  • Attempt to recover camera photos.

  • Using similar forensic software to recover the photos.

• The recovery rate was much lower (~50% vs. 100%).

• Why?

• Let's try to recover them manually.

Schwamm, R 2014, 'Effectiveness of the factory reset on a mobile device', Master's thesis, Naval Postgraduate School, Monterey, California, USA.

Page 10:

Page 11:

[Figure: recovered photo shown beside the original; the recovered copy shows fragmentation]

Page 12:

• However, not all kinds of files are fragmented.

  • e.g. thumbnails:

    • Smaller version of the original picture.

    • Less likely to be fragmented.

Page 13:

Thumbnail recovery

• Structure of the thumbnail cache.

• An existing (free) file recovery tool can be tweaked to target thumbnails only.

  • Reduces false positives.
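As an added illustration (not code from the presentation), a minimal thumbnail-targeted carver in Python: it finds JPEG headers in a raw dump, reads the image dimensions from the SOF segment, and keeps only hits whose size matches a thumbcache resolution, which is how restricting a generic carver to thumbnails cuts false positives and also flags entries whose tail is gone. The dump, the 512 KiB size limit and the helper that builds JPEG skeletons are constructed assumptions.

```python
import struct

SOI = b"\xff\xd8\xff"             # Start Of Image plus the first marker byte
EOI = b"\xff\xd9"                 # End Of Image
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline / extended / progressive frame headers
MAX_IMG = 512 * 1024              # assumption: no thumbnail is larger than 512 KiB


def jpeg_dimensions(buf, start):
    """Walk the segments after the SOI at `start`; return (width, height) from SOF or None."""
    pos = start + 2
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker in (0xD8, 0xD9, 0xDA):  # nested SOI, EOI or SOS before SOF: give up
            return None
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS and pos + 9 <= len(buf):
            height, width = struct.unpack(">HH", buf[pos + 5:pos + 9])  # P(1) H(2) W(2)
            return width, height
        pos += 2 + length                 # length covers itself but not the marker
    return None


def carve_thumbnails(buf, wanted_sizes):
    """Return hits whose SOF dimensions are in `wanted_sizes`; other JPEG headers are dropped."""
    hits = []
    pos = buf.find(SOI)
    while pos != -1:
        dims = jpeg_dimensions(buf, pos)
        if dims in wanted_sizes:
            end = buf.find(EOI, pos, pos + MAX_IMG)
            nxt = buf.find(SOI, pos + 2)  # assumption: a hit has no nested EXIF thumbnail
            fragmented = end == -1 or (nxt != -1 and nxt < end)  # tail missing or overwritten
            hits.append({"offset": pos, "size": dims, "fragmented": fragmented,
                         "data": None if fragmented else buf[pos:end + 2]})
        pos = buf.find(SOI, pos + 1)
    return hits


def make_jpeg(width, height, app1=b"", scan=b"\x12\x34\x56", eoi=True):
    """Constructed, non-decodable JPEG skeleton: SOI, optional APP1, SOF0, SOS, scan, EOI."""
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if app1 else b""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + seg + sof + sos + scan + (EOI if eoi else b"")


# Constructed dump: filler, a 200x200 thumbcache entry, a VGA entry, a full-size photo with
# an embedded 160x120 EXIF thumbnail, and a 200x200 entry whose tail was overwritten.
DUMP = (b"\x00" * 64 + make_jpeg(200, 200) + b"\xff" * 16 + make_jpeg(640, 480)
        + make_jpeg(2048, 1536, app1=b"Exif\x00\x00" + make_jpeg(160, 120))
        + make_jpeg(200, 200, eoi=False))
```

Passing `{(160, 120)}` instead picks out the thumbnail embedded inside the full-size photo, the third row of the result table, without touching the photo itself.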

Page 14:

Result*

Thumbnail type                                 Thumbnails recovered                               Percentage
200 x 200 resolution thumbnail in thumbcache   10/10                                              100%
VGA resolution thumbnail in thumbcache         3/10 (9/10 if fragmented thumbnails are included)  30%
Embedded thumbnail in JPEG file                10/10                                              100%

(* After factory reset)

Page 15:

Effectiveness of remote wiping/factory reset in 3rd-party apps

Page 16:

Effectiveness of remote wiping/factory reset

• Schwamm (2014) tested the default factory reset function.

• 7 apps were tested against the default.

  • Compare the recovery rates.

  • 2 apps offer “secure” wiping, which should make the files unrecoverable.

• Tested on 3 mobile devices:

  • Moto G (< 3 months of usage, using the new file system)

  • Nexus S (> 3 years of usage, older file system)

  • Nexus 4 (~2 years of usage, most common file system; test still ongoing)

Page 17:

Results:

• 1 app's default wipe method removes almost nothing.

• Of the 2 apps which offer secure wiping, only 1 is more effective.

  • Even with secure wiping, data recovery is still possible.

• Almost all apps perform similarly to the default.

• Very low recovery rate on the Moto G (secure wiping or not).

Page 18:

Discussion

• The data remnant issue can be solved through full-disk encryption.

  • Introduced in Android 4.0 (Ice Cream Sandwich).

  • Default in Android 5.0 (Lollipop).

  • However, 4 months after the Android Lollipop release, encryption went back to optional due to performance issues on current hardware.

• Recommendation:

  • Enable full-disk encryption if possible.

  • Secure wiping, although not very effective, is better than nothing.

Page 19:

Future research

• Thumbnail recovery

  • More photo gallery apps

  • More devices (i.e. camera resolutions)

• Effectiveness study

  • Secure wiping method used.

  • Which factors (usage, file system) affect the recovery rate, and how.

Page 20:

Q & A
