REFERENCE ARCHITECTURE FOR ANDROID · PDF fileREFERENCE ARCHITECTURE FOR ANDROID APPLICATIONS...
Embed Size (px)
Transcript of REFERENCE ARCHITECTURE FOR ANDROID · PDF fileREFERENCE ARCHITECTURE FOR ANDROID APPLICATIONS...
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS92
Based on: “Playing Hide-and-Seek: Detecting the Manipulation of Android Timestamps”, by H. Pieterse, M.S. Olivier and R. Van Heerden which appeared in the Proceedings of Information Security South African (ISSA) 2015, Johannesburg, 12 & 13 August 2015. © 2015 IEEE
REFERENCE ARCHITECTURE FOR ANDROID APPLICATIONSTO SUPPORT THE DETECTION OF MANIPULATED EVIDENCE
H. Pieterse,∗† M.S. Olivier† and R.P. van Heerden‡
∗ Defence, Peace, Safety and Security, Council for Scientific and Industrial Research, Pretoria, SouthAfrica E-mail: [email protected]† Department of Computer Science, University of Pretoria, Pretoria, South Africa E-mail:[email protected]‡ Meraka Institute, Council for Scientific and Industrial Research, Pretoria, South Africa E-mail:[email protected]
Abstract: Traces found on Android smartphones form a significant part of digital investigations. Akey component of these traces is the date and time, often formed as timestamps. These timestampsallow the examiner to relate the traces found on Android smartphones to some real event that tookplace. This paper performs exploratory experiments that involve the manipulation of timestamps foundin SQLite databases on Android smartphones. Based on observations, specific heuristics are identifiedthat may allow for the identification of manipulated timestamps. To overcome the limitations of theseheuristics, a new reference architecture for Android applications is also introduced. The referencearchitecture provides examiners with a better understanding of Android applications as well as theassociated digital evidence. The results presented in the paper show that the suggested techniques toestablish the authenticity and accuracy of digital evidence are feasible.
Key words: Digital forensics, mobile forensics, smartphones, Android, timestamps, referencearchitecture.
The past decade saw the rapid improvement of smartphonetechnology, allowing these devices to become very popularacross the globe. Their current prominence is directlyrelated to the provided capabilities and functionality,which nowadays closely resemble a personal computer.Bundled with a complete operating system, improvedconnectivity and communication functions, and the optionof adding additional third-party applications, smartphoneshave become powerful devices. The leading smartphoneoperating system (OS) of 2014 was Android , which hasbeen evolving in a remarkable way and continues to gainwidespread popularity. The current prevalence of Androidled this paper to focus only on this particular smartphoneOS.
The extensive and wide use of Android smartphones allowsthese devices to become a rich source of trace evidence. All events occurring on Android smartphones generatetraces that form an important component of digitalinvestigations, especially when the user of the smartphoneis involved in criminal activities. The valuable information(such as contacts, text messages, call lists, website visitedor instant messages) contained in these traces can provide awell-defined snapshot of a user’s actions at a specific time.Besides providing a description of the event, traces foundon Android smartphones also often store the time anddate component in the form of a timestamp. Timestampsare integral to digital investigations since it provides theexaminer the opportunity to relate the traces found on theAndroid smartphones to some physical event that tookplace.
To conceal fraudulent activities, smartphone users can usecertain techniques to manipulate the timestamps of thetraces and change the associated events. These techniquesare referred to as Anti-forensics and are primarily used “tocompromise the availability or usefulness of evidence” .These techniques are applied by smartphone users in anattempt to either hide or change event logs, which resultsin the alteration of the timestamps associated with thoseevents.
It is thus important for examiners to be able to verifythe authenticity and accuracy of timestamps. Withoutsuch verification, the collected timestamps might beincorrect or inaccurate due to tampering and will leadthe examiner to make unreliable conclusions. Existingresearch shows few papers that attempt to offer a solutionregarding the verification of the authenticity and accuracyof timestamps. Verma et. al.  preserve date and timestamps by capturing the system generated modification,access, change and/or creation date and timestamps (MACDTS) values and storing it in a secure location such asa cloud server outside of the smartphone. The cloudsnapshot of the original MAC DTS values can be used toverify the authenticity of MAC DTS values of questionablefiles on the smartphone . Govindaraj et. al.  designeda solution, called iSecureRing, which allows a jailbrokeniPhone to be secure and forensic ready by preservingthe timestamps. These timestamps are stored outside thedevice on a secure server or the cloud and can be usedduring security incidents . Both solutions, however,require the installation of additional functionality on thesmartphone prior to seizing the device for investigation.There is, thus, no existing solution (to the best of the
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 93
authors’ knowledge) that allows for the verification oftimestamps collected from seized Android smartphones.
This paper performs exploratory experiments that involvethe manipulation of timestamps found in SQLite databaseson Android smartphones. While conducting theexperiments, the changes occurring on the Androidsmartphone are observed. Based on those observations,specific heuristics are identified that may indicate themanipulation of timestamps. The identified heuristics canbe categorised into two distinct groups. The first group ofheuristics are specific changes that occur on the Androidfile system and the second group refer to inconsistenciesin individual SQLite databases. These heuristics are,however, susceptible to external factors that can impacttheir availability. To further establish the accuracy andauthenticity of the timestamps as well as other forms ofdigital evidence, a new reference architecture for Androidapplications is also introduced. The purpose of thereference architecture is to provide the examiners witha better understanding of Android applications and howthe associated digital evidence originated. The immediatechallenges to address are the following: (a) effectivemanipulation of timestamps found in SQLite databaseson Android smartphones, (b) verifying the authenticity ofthese timestamps by using the identified heuristics and(c) introducing a newly designed reference architecturefor Android applications. The current paper providespreliminary evidence that, in terms of the challengesidentified, the suggested approach shows potential.
The remainder of the paper is structured as follows.Section 2 briefly describes the architecture of Androidand the internal structure of SQLite databases. Section3 presents the methodology followed to conduct theexploratory experiments and offers a descriptive summaryof the findings. The reference architecture for Androidapplications is introduced in Section 4. A short discussionand future developments of the research is presented inSection 5. The final conclusions are made in Section 6.
With the continuous growth in functionality of Androidsmartphones, increasing number of people make use ofthese devices during their daily activities. For the tracescollected by Android smartphones to be of use duringdigital investigations, a comprehensive understanding ofthe architecture of Android is required. An evaluation ofSQLite is also required, since most of the traces foundon Android smartphones are stored in SQLite databases.This section, therefore, provides a short introduction of theAndroid architecture and presents the internal structure ofSQLite databases.
2.1 Android’s Architecture
Android is a popular open source software architectureprovided by the Open Handset Alliance  that is currentlytargeting mobile devices, such as smartphones and tabletcomputers. The Android software architecture (see Figure
Figure 1: Architecture of the Android Operating Systems [6, 7]
1) is divided into five layers: Applications, ApplicationFramework, Libraries, Android Runtime and the LinuxKernel . The uppermost layer, Applications, providesaccess to a set of core applications. The ApplicationFramework layer implements a software framework thatreassembles functions used by existing applications. Allavailable libraries are written in C/C++ and called througha Java interface. The Android runtime consists of aset of core libraries and a Dalvik virtual machine. Thebottommost layer is the Linux kernel, which allows forinteraction between the upper layers by means of devicedrivers [9, 10].
Until Android version 2.2 (Froyo), most Androidsmartphones used Yet Another Flash File System 2(YAFFS2) . YAFFS2 was developed in 2004in response for larger sized NAND (Not-AND) flashdevices . With the release of Android version2.3 (Gingerbread), the file system for Android devicesswitched from YAFFS2 to Fourth Extended (EXT4)file system . YAFFS2 was developed with asingle-threaded design, which may cause bottlenecks indevices released with a multi-core chipset. The EXT4file system, which is one of the most used file systemsin Linux, does not have this limitation and can runsmoothly on multi-core devices. The disk space of theEXT4 file system is divided into logical blocks, whichreduce management overhead and improves throughput. The key features of the EXT4 file system promote thedevelopment of advance applications and functionalities.
The architecture of Android regularly improves to supportmore improved applications. It is therefore necessary tocontinuously evaluate Android’s architecture and remainup to date with the current changes.
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS94
Table 1: User Data Stored in SQLite Databases
User Data SQLite Database Location TableCall History /data/data/com.sec.android.provider.logsprovider/databases/log.db logsMessages (SMS/MMS) /data/data/com.android.providers.telephony/databases/mmssms.db smsE-mails (Gmail) /data/data/com.google.android.gm/databases/mailstore.<[email protected]>.db messagesGoogle Hangouts /data/data/com.google.android.talk/databases/babel1.db messagesWhatsApp Messenger /data/data/com.whatsapp/databases/msgstore.db messages
2.2 SQLite Databases
SQLite is an open source software library that implementsa lightweight Structured Query Language (SQL) databaseengine for embedded use [14, 15]. The lightweight designof SQLite does not require a separate server and thusallows for the quick processing of stored data by readingand writing directly to a disk file . The main databasefile, <database name>.db or <database name>.db3,consists out of a complete SQL structure that includestables, indices, triggers, and views . To support theSQL structure, the main database file is divided into one ormore pages and each page share the same size . Thefirst page of the main database file is called the header pageand is composed of the database header and the schematable. The database header stores structural informationand the schema table contain the table information ofthe database. The pages following the header page arestructured as B-trees and store the actual data .
During transactions, SQLite stores additional informationin a second file called either a rollback journal orwrite-ahead log (WAL) file . The rollback journalis the default method of SQLite to implement an atomiccommit and rollback. Beginning with SQLite version3.7.0, the new WAL approach was introduced and allowedfor improved speed and concurrent execution. TheWAL approach preserves the original content in the maindatabase file and appends changes to a separate WAL file(<database name>.db-wal), which contains a header andzero or more WAL frames. Transferring the transactionsfrom the WAL file to the main database file is calleda “checkpoint”. When a checkpoint occurs the updatedor new pages in the WAL file are written to the maindatabase file. The checkpoint operation leaves the WALfile untouched, allowing the WAL file to be reused ratherthan deleted . SQLite does a checkpoint automaticallywhen a file reaches a size of 1000 pages .
SQLite databases are a popular choice for data storage inAndroid applications . An Android application, whichuses SQLite, separately includes the SQLite databasesand this allows for reduced external dependencies andminimized latency . A lot of events taking placeon an Android smartphone generate valuable traces, forexample: call history, SMS/MMS messages, e-mails(Gmail) and instant messages generated by GoogleHangouts (previously Google Talk) as well as WhatsAppMessenger. A summary of the SQLite databases used tostore these traces, as well as the location of these databases
on an Android smartphone are provided in Table 1. Theexamples used throughout the remainder of this paperfocus on the SQLite database of the Messaging application.
3. DETECTION OF MANIPULATED TIMESTAMPS
Timestamps of traces found on Android smartphonesare integral to digital investigations, especially if theowner of the smartphone participates in criminal activities.Collected timestamps allow the examiner to relate thetraces to some physical event and, more importantly,establish a timeline depicting the chronological orderof events. Due to the importance of timestamps indigital investigations, smartphone users, or even maliciousapplications, can alter timestamps to compromise theintegrity of traces as evidence.
In order to detect manipulated timestamps, it is necessaryto understand the processes involved in the creation ofthe timestamps. Understanding these processes providethe required insight to manipulate timestamps found inSQLite databases. The exploratory experiments conductedthroughout this paper can be categorised into two groups.The first group of experiments observe normal operationof SQLite databases while the second group focuseson detecting changes occurring due to the manipulationof timestamps found in the SQLite databases. All ofthe experiments and observations were performed on aSamsung Galaxy S2, running Android version 4.1.2 (JellyBean). The experiments conducted are not limited to theSamsung Galaxy S2 and can be performed on any otherAndroid smartphone.
3.1 Observing SQLite Databases
To understand the underlying structure of SQLitedatabases and comprehend the operations involved in thecreation of timestamps, it is necessary to observe thesedatabases under normal conditions. Applications usingSQLite databases to store user-related data are located inthe /data/data/<application package name>/databases/directories on an Android smartphone . Observingthe SQLite databases located in the /data directory is notpermitted by default and is only accessible by rooting theAndroid smartphone. The term rooting, which is similarto the Jailbreaking of an iPhone, is often perceived asa negative action . Rooting an Android smartphonemerely means to escalate the current rights to root accessrights. Root access rights allow any user access to theroot directory (/) and provide the necessary permissions to
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 95
take root actions . The technical process of rootingan Android smartphone is, however, beyond the scopeof this paper. The Samsung Galaxy S2, which is usedto observe the results of interacting with the SQLitedatabases, is already rooted and therefore provides accessto the required databases.
The purpose of observing SQLite databases is to identifyhow these databases react and function under normaloperations. The observations are made by monitoringthe directory containing the SQLite database whilesimultaneously interacting with the database. Interactionswith the SQLite databases occur by sending messages,such as text and instant messages, and making phonecalls. After conducting a set of 10 experiments usingthe rooted Samsung Galaxy S2 smartphone, the finalconclusion of the observations led to the identificationof several changes occurring as a direct result of theinteraction with the SQLite databases. Firstly, fromthe observations it is possible to infer that all ofthe data received during the interactions are stored inthe <database name>.db-wal file. The data are onlytransferred from the <database name>.db-wal file to the<database name>.db file when reaching the limit of 1000pages. Secondly, the timestamps associated with the dataare added as new entries, with a unique record identifier, atthe end of the database table.
A summary of the findings of observing the SQLitedatabases is the identification of the files that are alteredduring normal operations and the location where thetimestamps are stored in the tables. The insight gainedby observing the SQLite databases will assist with themanipulation of timestamps.
3.2 Manipulation of Individual Timestamps in SQLiteDatabases
Manipulation of timestamps found in SQLite databasesrequires access to the correct files. Observationsfrom the previous exploratory experiments identifiedthe correct files to be the <database name>.db and<database name>.db-wal files. Access to these filesrequires the enabling of the Universal Serial Bus (USB)debugging functionality . Although the default settingfor USB debugging is “disabled”, going to Settings,selecting Developer options and touching the checkboxnext to USB debugging will turn on this feature. OnceUSB debugging is enabled, interaction with the rootdirectory can occur using the Android debug bridge (adb).Android Debug Bridge is a versatile command-line toolthat communicates with a connected Android smartphone. To allow for complete access to the root directory,adb is restarted with the command, adb root, to gain rootpermission. Full access, with the necessary permissions,has been established and it is now possible to manipulatethe timestamps in SQLite databases.
Manipulation of timestamps proceeds through threeindividual phases: retrieve, manipulate, and return.The first phase retrieves the required SQLite database
files from the Android smartphone. Since the sqlite3command utility, which is required to interact withthe SQLite databases, does not come pre-installed onAndroid smartphones , the SQLite databases must betransferred to the local computer. The command, adbpull <remote><local>, copies the specified file fromthe Android smartphone to the local computer . Itis necessary to repeat this command for both the maindatabase file, as well as the associated WAL file, whichcannot be edited directly. Retrieving both the maindatabase file and the associated WAL file ensures that allthe latest records are present. The list of commands toretrieve these files is shown below:
• adb pull /data/data/<application package name>/databases/<database name>.dbC:\<local folder>
• adb pull /data/data/<application package name>/databases<database name>.db-walC:\<local folder>
Manipulating the timestamps found in the copied SQLitedatabase files is performed during the second phase.A script is created to act as a malicious applicationand randomly manipulate timestamps within the SQLitedatabase. During the execution of the script the maindatabase file is opened, allowing for a checkpoint to occur.Once the execution of the script is completed, only themain database file (<database name>.db) remains andmust be returned to the Android smartphone.
The final phase returns the modified SQLite databaseto the Android smartphone. The command, adb push<local><remote>, copies the specified file to theconnected Android smartphone . To prevent thechanges from being over-written by the existing datain the <database name>.db-wal file, the file must beremoved. The first step is to start an interactiveshell using adb shell, followed by su, which providesroot permissions within the shell. The next command,cd /data/data/<application package name>/databases/,change the current working directory to the directorycontaining the main database and associated WAL file.Using the command rm <database name>.db-wal willdelete the WAL file from the directory. For the changes toreflect on the Android smartphone, it is necessary to rebootthe device.
Using the Messaging application as an example, Figure2 provides a snapshot of the messages before and afterthe manipulation of the timestamps. The comparisonshows significant changes to the dates of specific messagesand an adjustment of the order of the messages. Thesechanges occur as a direct result of manipulating thetimestamps. Close observation during the manipulationallow for the identification of the altered database files(<database name>.db and <database name>.db-wal).Examining the main database file shows that the individualrecords are ordered incorrectly. These findings are furtherdiscussed in the following section.
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS96
(a) Original timestamps (b) Manipulated timestamps
Figure 2: Messaging application showing messages with the original (a) and manipulated (b) timestamps
3.3 Discussion of Findings and Identification of Heuris-tics
The findings and observations of the exploratory exper-iments, conducted to identify changes occurring due tothe manipulation of timestamps, can be categorised intotwo groups. The first group contains a collection ofheuristics that identifies the presence of certain changesin the Android file system, which are indicators ofthe manipulation of the SQLite database. The secondgroup subsequently focuses on the individual SQLitedatabases and the identification of inconsistencies in thesedatabases. The presence of specific file system changes aswell as inconsistencies in the associated SQLite databaseindicates that the authenticity of the timestamps might becompromised.
Android File System Changes: Android File System Flags(AFS-Flags) are indicators of the potential tamperingof SQLite databases on Android smartphones. EachAFS-Flag represents a change that occurs in the Androidfile system due to the modification or removal of a SQLitedatabase or any other associated database files. Thepresence of any of these AFS-Flags is not an indicationof the manipulation of timestamps but merely that theSQLite databases have been tampered with. The followingfour individual AFS-Flags offer guidance regarding thetampering of SQLite databases:
• File permissions: associated with the SQLitedatabase files in the directory of a specific applicationare set to give only read/write access to the file ownerand the group members. For each application, thecurrent file owner and group members are only theindividual application. Any modification or removalof a file within this directory will change the existingfile permissions of the modified file from -rw-rw—-to -rw-rw-rw-. The following changes to the filepermissions are therefore an indication of the possible
manipulation of timestamps in the SQLite databases:
– File permission of <database name>.db filechanged from -rw-rw—- to -rw-rw-rw-.
– File permission of <database name>.db-walfile changed from -rw-rw—- to -rw-rw-rw-.
• Ownership: of the SQLite databases is given tothe specific application using the database. The fileowner and group members are thus set to the userID (UID) of the application, which is unique andspecific to the application. The UID remains constantfor the duration of the application on the particularAndroid smartphone. Modifications to any SQLitedatabase files will result in a change of ownershipand subsequently change the UID of both the fileowner and group members. The following change tothe ownership of the main database file is a possibleindication of the manipulation the databases:
– The current ownership for the file owner andgroup members of the <database name>.dbfile changed from the current UID to root.
• File Size: of the main database file is expected to besmaller than the size of the associated WAL file, sinceall new transactions are appended to the WAL file.The size of the main database file is only expectedto grow after a checkpoint, when all the transactionsfrom the WAL file is transferred to the main databasefile. A checkpoint, however, occurs only after theWAL file accumulated 1000 entries (leading to afile size of approximately 4MB), and thus the sizeof the main database remains relatively small. Anautomatic checkpoint occurs when the main databasefile is opened to allow for the manipulation of thetimestamps. The WAL file must be deleted to preventthe changes made in the main database file from beingoverwritten by the existing content located in theWAL file. Once the Android smartphone is rebootedto reflect the changes, a new WAL file is automatically
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 97
(a) Before manipulation of the mmssms.db (b) After manipulation of the mmssms.db
Figure 3: Comparison of changes in the directory containing the SQLite database for the Messaging application
generated. This new WAL file contains limited dataand thus has a file size that is smaller than the sizeof the main database file. A WAL file with a file sizesmaller than the size main database file is thereforean indication of the possible manipulation of thatdatabase.
• System Reboot: is required for the changesmade to the SQLite databases to reflect on theAndroid smartphone. The system reboot must occurafter making the changes to the SQLite database.Therefore the timestamps of the files associated witha system reboot will follow after the timestamp thatshows when the main database file was last modified.Multiple experiments revealed that the following filesare indicators of a system reboot:
– rtc.log file located in the /data/log/ directory.
– powerreset info.txt file located in the /data/log/directory.
– SYSTEM BOOT@[timestamp].txt file generatedin the /data/system/dropbox/ directory.
– event log@[timestamp].txt file generated in the/data/system/dropbox/ directory.
Android log data are written to certain files inthe /data/log/ directory . Two files, rtc.logand powerreset info.txt, are existing files in thisdirectory. These files are updated with a newentry after every system reboot and every entryshows the boot time of the Android smart-phone. The files, SYSTEM BOOT@[timestamp].txtand event log@[timestamp].txt, are located in thedirectory /data/system/dropbox/ [26, 27]. This folderis used by a service known as DropBoxManager(unrelated to the DropBox cloud storage service)and persistently stores chunks of data from varioussources such as application crashes and kernel logrecords . The SYSTEM BOOT@[timestamp].txtfile is generated consistently at boot time, with thetimestamp forming part of the file name showingwhen the Android smartphone was booted. The otherfile, event log@[timestamp].txt, is generated at 30minute intervals and also indicates the time whenthe Android smartphone was rebooted. A systemreboot occurring closely after the modification dateof a SQLite database provides a possible indication ofthe modification of timestamps. A system reboot can,however, occur at any time after pushing the modified
Figure 4: The /data/log/ directory containing the rtc.log andpowerreset info.txt
main database file onto the Android smartphone andis thus necessary to establish a time frame in whichthis particular AFS-Flag will be deemed reliable.
Figure 3 provides a comparison of the changes thatoccurred in the directory containing the SQLite databasethat stores the SMS/MMS messages. Figure 3 (b)indicates the existence of three AFS-Flags. The firstAFS-Flag is the file permissions of both the mmssms.dband the mmssms.db-wal, which changed from -rw-rw—-to -rw-rw-rw-. The second AFS-Flag is the ownershipfor both the file owner and group members of the maindatabase file that changed from radio to root. The finalAFS-Flag is the file size of the mmssms.db-wal, which issmaller than the size of the main database file, indicatingthat the mmssms.db-wal file was possibly deleted.
Figure 4 shows that the rtc.log and powerreset info.txt fileswere last modified at 15:28 on May 6 and Figure 5 presentsthe contents of a SYSTEM [email protected],which indicates that a reboot occurred at 15:29 on 6May. All three files illustrate that a reboot occurredapproximately at 15:28 on May 6, which follows after thelast modified date of the main database file (15:27 on May6). The existence of these files verifies that a system rebootoccurred after pushing the modified main database file ontothe Android smartphone.
The presence of all four AFS-Flags indicates the possiblemanipulation of timestamps within the SQLite databasestoring the SMS/MMS messages. Identification of thesemanipulated timestamps requires the analysis of theSQLite database for potential inconsistencies.
SQLite Database Inconsistencies: SQLite databasesare the prominent choice for data storage in theAndroid OS. The association of one or more AFS-Flags
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS98
Figure 5: The SYSTEM BOOT@[timestamp].txt file is generatedafter a reboot
with a specific SQLite database indicates the potentialmanipulation of the stored timestamps. Detection of themanipulated timestamps requires the further analysis ofthe SQLite database for any potential inconsistencies. Aninconsistency in a SQLite database is described as a recordthat is listed incorrectly when ordered according to thefollowing fields: primary key and a field containing datesor timestamps. The identification of inconsistencies in thetables of SQLite databases requires the evaluation of theabove mentioned fields.
The tool selected to perform the evaluation is SQL.SQL is a powerful query language, allowing for theformulation of queries that can be of forensics use .The evaluation of the tables available in the SQLitedatabases proceeds through three steps and use thefollowing SQL statements: CREATE TABLE, INSERTINTO, and SELECT. To preserve the integrity of the datastored in the original table, a new temporary table iscreated using the CREATE TABLE statement. The purposeof the CREATE TABLE statement is to define the physicalstructure of the new temporary table . The temporarytable contains a primary key, which is an integer valuethat auto-increments, and all the fields that are necessaryto identify the inconsistencies. The query to create thetemporary table is as follows:
CREATE TABLE temp (new id INTEGER PRIMARY KEYAUTOINCREMENT, original id INTEGER, timestampsINTEGER);
Following the creation of the new temporary table is thepopulation of this table with all the records currentlylocated in the original table, which is being investigated.To perform this action, a combination of the INSERTINTO and SELECT statements is used. The SELECTstatement selects all the records from the table currentlyunder investigation while the INSERT INTO statementinserts these selected records into the temporary table.Continuing with the SMS/MMS SQLite database of theMessaging application as an example, the SQL queryrequired to copy the records from the sms table into thetemporary table is as follows:
INSERT INTO temp (original id, timstamps) SELECT id,date FROM sms;
To locate any inconsistencies in the records collected inthe temporary table, it is necessary to compare the valuesin the timestamps field of subsequent records. Since allthe values in the timestamps field are expected to followone another (each new record is appended at the end of
the table), the difference between two subsequent valuesin the timestamps field must be smaller than or equal tozero. A positive difference is an indication of a timestampthat is out of order and the cause of this inconsistency isthe manipulation of the timestamp. The SQL query usedto detect the records that are inconsistent is as follows:
SELECT T1.original id, T1.timestamps, (T1.timestamps- T2.timestamps) AS difference FROM temp T1, temp T2WHERE T2.new id = T1.new id + 1 AND difference>0;
Applying this SQL query to the records in the temporarytable leads to the identification of multiple inconsistenciesin the SMS/MMS SQLite database. The existenceof these inconsistent records in the SMS/MMS SQLitedatabase invalidates the authenticity of the database.The examiner must thus decide whether to exclude themanipulated records from the investigation or only focusthe investigation around the manipulated records.
4. REFERENCE ARCHITECTURE FOR ANDROIDAPPLICATIONS
The exploratory experiments conducted during thisresearch identified two categories of heuristics thatcan be used to establish the authenticity and accuracyof timestamps in SQLite databases. The successfulapplication of these heuristics depends, however, on thefollowing two external factors. Firstly, the skills of thesmartphone user or the sophistication of the maliciousapplication performing the manipulation can influencethe availability of the heuristics. Smartphone users orthe malicious application may be aware of the changesthat occur due to the manipulation of timestamps inSQLite databases. To prevent detection, these changescan be removed or altered in an attempt to thwart theexaminer performing the investigation. Secondly, thetimeframe between the manipulation of the timestampsand the seizing of the smartphone can also influence theavailability of certain AFS-Flags. An extended timeframecan cause specific AFS-Flags (such as File size and Systemreboot) to be deleted or be overwritten by the AndroidOS. The aim of these heuristics is to assist with theidentification of manipulated timestamps and not otherforms of digital evidence.
Due to the limitations of the identified heuristics, itbecomes necessary to explore other techniques that canalso be used to establish the authenticity and accuracyof digital evidence. Identifying such techniques requiresa deeper understanding of Android applications, whichis responsible for creating the evidence. It is possibleto obtain such an understanding by designing referencearchitecture for Android applications. A referencearchitecture captures the common architectural elementsas well as the relationships between these elements fora specific domain . Using a reference architectureto model Android applications allow the examiner tocomprehend how the digital evidence originated andwhether the evidence is authentic and accurate. Whilereference architectures exist for many domains such as
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 99
Figure 6: Structured Analysis and Design Technique notation
web browsers  and web servers , this is thefirst reference architecture, to the best of the authors’knowledge, which allows for the modelling of Androidapplications.
The design of the reference architecture is accomplishedby using the Structured Analysis and Design Technique(SADT). SADT is a graphical language for describingsystems by using a set of diagrams consisting primarilyof boxes, which are interconnected by arrows. The boxesrepresent a specific function or system activity and theinterconnected arrows provide external interfaces to thedefined function or system activity. The external interfacesare the following [33, 34]:
• Input represents data or other consumables requiredfor functioning.
• Output is the results produced by the function orsystem activity.
• Control influences or regulates the execution but arenot consumed.
• Mechanism is a component used to accomplish thefunction or system activity.
The notation of SADT, as defined above is used in thispaper to illustrate the reference architecture for Androidapplications (see Figure 6).
Designing a reference architecture for Android appli-cations requires the examination of a wide variety ofexisting Android applications. This paper closely focusedon the Messaging application, which allowed for theidentification of certain architectural elements as wellas the relationship between these elements. In orderto confirm whether the identified architectural elementsand the relationship between these elements are prevalentamong other applications, additional Android applicationswere also thoroughly examined. The examination of theseAndroid applications led to the discovery two commonarchitectural elements: application activity and SQLitedatabases.
The application activity is responsible for launching thegraphical user interface and initialising the logic ofthe Android application. The graphical user interface,structured according to a specified layout and styledfollowing a certain theme, accepts as input an action, alongwith optional data, from the end user. The graphical userinterface is therefore the space where interactions betweenend users and the Android application occur and acceptsspecific sets of input, which leads to expected results.The application logic contains the work-flow logic of theAndroid application and executes the received input toproduce results accordingly.
The data involved in the requested action is transferred andretained in a SQLite database. This includes the originaldata supplied by the end user during the admission of theaction and a timestamp, indicating when the action wasperformed. The retention of the data proceeds accordingto the policies or set guidelines of the SQLite library ,which describes what data will be stored, how such datais stored and for how long it will be kept. The SQLitelibrary receives the incoming data and transforms the dataaccording to the rules and requirements of both the SQLitelibrary and SQLite database. Once transformed, the datais retained in the <database name>.db-wal file until theWAL file reaches the limit of 1000 pages. Once the limitis reached, the SQLite library transfers the data to the<database name>.db file.
The reference architecture for Android applicationsconsists of two core components: application activityand SQLite database. The final reference architecturefor Android application is shown in Figure 7. Thepurpose and ultimate goal of the reference architecture isto organise conventional Android applications accordingto a standardised model. From this standardisation,an examiner conducting a digital forensics investigationcan establish certain particulars regarding the Androidapplications currently under investigation. Using thenewly designed reference architecture, a collection ofgeneral characteristics regarding Android applications canbe identified:
• The Android application must first receive an actionfrom the end-user
• Only after receiving the action can changes be madeto data retained in the SQLite database.
• Each individual application accepts a limited selec-tion of inputs.
• Each input contains an action and possibly optionaldata.
• Every input, along with the action and optional data,leads to expected results.
• The action to be executed by the Android applicationis provided by the end user, who is either a humanoperator or another application.
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS100
Figure 7: Reference Architecture for Android Applications
Figure 8: Modelling of the Messaging application according to the Reference Architecture
• Data is expected to flow from the application activityto the SQLite database.
• The data is transformed according to the SQLite or
database rules and inserted into the WAL file.
Any findings by the examiner that contradicts the above
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 101
general characteristics are possible indications of theinaccuracy and unreliability of digital evidence producedby the Android application.
Continuing with the Messaging application as an example,the newly designed reference architecture can now be usedto model the application (see Figure 8). The mapping ofthe Messaging application onto the reference architectureallows for the identification of the core components ofthe application as well as the flow of data between thesecomponents. The modelled architecture of the applicationcan now be used to evaluate the authenticity of the storeddata by determining if any of the general characteristicsare violated. Firstly, the data is only available in themain database file (mmssms.db) and not, as expected, inthe WAL file (mmssms.db-wal). The omission of thedata in the WAL file shows that the data flow betweenthe application activity and the SQLite database hasbeen violated. Secondly, reviewing the usage log ofthe Messaging application shows that the input was notprovided by the end-user. These findings thus confirmthe inaccuracy of the digital evidence associated withthe Messaging application. It is therefore possible toconclude that the data stored by the Messaging applicationis possibly changed or altered.
The modelling of Android applications according to thereference architecture thus provides support to examinersinvolved in ongoing investigations. Using the referencearchitecture the examiner is capable of establishing theauthenticity and accuracy of any digital evidence related tothe modelled Android application. The insight offered bythe reference architecture will lead the examiner to cometo the correct conclusions regarding the investigation, sincepotentially incorrect digital evidence, such as manipulatedtimestamps, can be eliminated before concluding the finalreport. The reference architecture is, however, limited toAndroid applications only and can’t be used to model othersoftware applications.
5. DISCUSSION AND FUTURE WORK
The exploratory experiments performed while composingthis paper showed that the timestamps found in SQLitedatabases can be manipulated by following the techniquedescribed in Section 3.2. This technique is currentlythe most plausible technique to manipulate timestampsin SQLite databases. Although other techniques can bedesigned, the inability to directly alter the data in the WALfile and the unavailability of the sqlite3 command utilityon an Android smartphone will limit the capabilities andimpact the efficiency of other techniques.
To establish the authenticity of timestamps found inSQLite databases and detect the potentially manipulatedtimestamps, this paper introduced two categories ofheuristics. The first group of heuristics determine theauthenticity of timestamps by evaluating the file systemfor specific changes and the second group identifiesinconsistencies in the SQLite databases. These heuristicsare independent of an Android smartphone and does not
require any prerequisites to be installed on the Androidsmartphones prior the investigation. The purpose of theheuristics is to give examiners an indication of whetherthe timestamps collected in SQLite databases weretampered with. The results presented by the heuristicsallow the examiner to establish the authenticity of thetimestamps. Based on the authenticity of the timestamps,the examiner can decide to either include or disregardthe evidence, associated with the evaluated timestamps,in the investigation. The heuristics are therefore capableto save crucial time during the investigation and allow theexaminer to arrive at correct and accurate conclusions. Theexperiments provided throughout this paper showed thatall of the identified heuristics are capable of providingthe examiner with the necessary support to establish theauthenticity of timestamps in SQLite databases.
The current collection of heuristics only focuses ondetecting the manipulation of timestamps found in SQLitedatabases. Manipulation of timestamps can, however,occur at multiple locations. The time zone settings ofan Android smartphone, which can be set incorrectlyor be changed (intentionally or unintentionally), caninfluence the accuracy of the timestamps found in SQLitedatabases. Besides the time zone settings, the actualtime of the Android smartphone can also be manuallyadjusted by disabling the automatic time synchronisationfeature. Manual adjustments of the time will impactthe timestamps that are generated for the traces storedin the SQLite databases when certain events occur onthe Android smartphone. It is therefore necessary toincorporate the evaluation of the time zone and timesettings of an Android smartphone.
The availability of the identified heuristics can, however,be influenced by external factors and therefore this paperalso introduced a reference architecture for Androidapplications. The newly introduced reference architectureserves as a template to model a diverse collection ofAndroid applications. To allow for such diversity,the reference architecture captures only the essentialcomponents found in modern implementations of Androidapplications and identifies the relationships between thesecomponents. The simplistic design of the referencearchitecture clearly and concisely describes the role ofeach component, allowing for easy comprehension ofthe modelled Android application. The design of thereference architecture is flexible, providing the abilityto model Android applications at different levels ofcomplexity. Depending on the architecture of Androidapplications, the components of the reference architecturecan be combined or expanded to more closely representthe modelling of a specific Android application. Thereference architecture therefore serves as a valuabletemplate for examiners to gain a better understanding ofAndroid applications. Modelling any Android applicationaccording to this reference architecture allows examinersto easily comprehend the related digital evidence andprovide the necessary insight to determine the evidence’sauthenticity and accuracy.
Vol.107 (2) June 2016SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS102
Future work will therefore continue to expand thisresearch, exploring different avenues to further establishthe authenticity and accuracy of digital evidence. Firstly,the existing collection of heuristics will be extended byidentifying additional heuristics that can establish theauthenticity and accuracy of timestamps. Such heuristicswill include the evaluation of the time zone and timesettings of a seized Android smartphone. Secondly, thecurrent focus is only on determining the authenticity andaccuracy of timestamps. It is thus necessary to broadenthe focus and also include other forms of digital evidence.Lastly, the existing reference architecture will be extendedto include the modelling of other forms of applicationssoftware. The reference architecture will also be validatedusing mathematical notation to ensure the architectureapplies to more complex scenarios.
Evidence found, in the form of traces, on smartphonesform an important asset of digital investigations. Thetimestamps associated with the traces allow the examinerto construct a timeline of events. Such a timeline oftenforms the basis for further investigation and has theability to provide answers to certain questions. Dueto the importance of timestamps, it is necessary forexaminers to be able to verify their authenticity. Collectedtimestamps might be incorrect due to tampering andwithout additional verification; the timestamps will leadthe examiner to make unreliable conclusions. To verifythe authenticity of timestamps found in SQLite databases,this paper introduced a collection of heuristics that canbe categorised into two distinct groups. The first groupof heuristics identifies the presence of certain changesin the Android file system, which is indicator of themanipulation of the SQLite databases. The secondgroup of heuristics subsequently focuses on the individualSQLite databases and the identification of inconsistenciesin these databases. The availability of these heuristicsare, however, susceptible to external factors and thereforea reference architecture for Android applications wasalso introduced to further establish the authenticity andaccuracy of digital evidence. The challenges addressedin the paper were to show that (a) timestamps can bemanipulated in SQLite databases, (b) identifying that theauthenticity of these timestamps has been compromisedand (c) overcoming the limitations of techniques usedto identify the compromised timestamps. Challenge(a) was addressed by showing the process that mustbe followed to successfully manipulate timestamps inSQLite databases, challenge (b) was addressed by usingthe identified heuristics and challenge (c) was addressedby introducing a newly designed reference architecturefor Android applications. The current paper providespreliminary evidence that the suggested approach showspotential and future work will focus on expanding thisresearch.
 L. Goasduff and J. Rivera: “Gartner sayssmartphone sales surpassed one billionunits in 2014,” 2015. [Online]. Available:http://www.gartner.com/newsroom/id/2996817.(Accessed: Apr. 7, 2015).
 S. Radicati: “Mobile statistics report, 2014-2018,”The Radicati Group Inc., Tech. Rep., 2014.
 R. Harris: “Arriving at an anti-forensics consen-sus: examining how to define and control theanti-forensics problem,” Digital Investigation, Vol. 3,pp. 44-49, 2006.
 R. Verma, J. Govindarai and G. Gupta: “Preservingdates and timestamps for incident handling in An-droid smartphones,” Advances in Digital Forensics X,Vol. 433, pp. 209-225, 2014.
 J. Govindaraj, R. Verma, R. Mata and G. Gupta:“Poster: iSecureRing: Forensic ready secure iOSapps for jailbroken iPhones,” Proceedings: 35thIEEE Symposium on Security and Privacy, 2014.
 M. Song, W. Xiang and X. Fu: “Research onarchitecture of multimedia and its design basedon Android,” Proceedings: 2010 InternationalConference on Internet Technology and Applications,pp. 1-4, 2010.
 M. Faheem, N.-A. Le-Khac and T. kechadi:“Smartphones Forensic Analysis: A Case Study forObtaining Root Access of an Android Samsung S3Device and Analyse the Image without an ExpensiveCommercial Tool,” Journal of Information Security,Vol. 5, pp. 83-90, 2014.
 Open handset alliance: “Android,”2015. [Online]. Available:http://www.openhandsetalliance.com/androidoverview.html. (Accessed: Apr. 9, 2015).
 C. Maia, L.M. Nogueira and L.M. Pinho: “Evalu-ating Android OS for embedded real-time systems,”Proceedings: 6th International Workshop on Op-erating Systems Platforms for Embedded Real-TimeApplications, pp. 63-70, 2010.
 B. Speckmann: “The Android mobile platform,”Ph.D. dissertation, Department of Computer Science,Eastern Michigan University, Michigan, 2008.
 C. Zimmermann, M. Spreitzenbarth, S. Schmittand F.C. Freiling: “Forensic analysis of YAFFS2,”Sicherheit, pp. 59-69, 2012.
 J. Lessard and G. Kessler: “Android forensics:simplifying cell phone examinations,” Small ScaleDigital Device Forensics Journal, Vol. 4, No. 1, pp.1-12, 2010.
Vol.107 (2) June 2016 SOUTH AFRICAN INSTITUTE OF ELECTRICAL ENGINEERS 103
 H.J. Kim and J.S Kim: “Tuning the ext4 filesys-tem performance for Android-based smartphones,”Frontiers in Computer Education, Springer BerlinHeidelberg, pp. 745-752, 2012.
 F. Freiling, M. Spreitzenbarth and S. Schmitt:“Forensic analysis of smartphones: The AndroidData Extractor Lite (ADEL),” Proceedings of theConference on Digital Forensics, Security and Law,pp. 151-160, 2011.
 S. Jeon, J. Bang, K. Byun and S. Lee: “A recoverymethod of deleted record for SQLite database,”Personal and Ubiquitous Computing, Vol. 16, No. 6,pp. 707-715, 2012.
 SQLite: “About SQLite,” 2015. [Online]. Available:https://www.sqlite.org/about.html. (Accessed: Apr.14, 2015).
 SQLite: “The SQLite Database FileFormat,” 2015. [Online]. Available:https://www.sqlite.org/fileformat2.html. (Accessed:Sept. 15, 2015).
 P. Patodi: “Database recovery mechanism forAndroid devices,” Ph.D. dissertation, Indian Instituteof Technology, Bombay, 2012.
 A. Caithness: “The forensic implications ofSQLite’s write ahead log,” 2012. [Online]. Available:http://www.cclgroupltd.com/the-forensic-implications-of-sqlites-write-ahead-log/. (Accessed: Sept. 15,2015).
 SQLite: “Write-Ahead Logging,” 2015. [Online].Available: https://www.sqlite.org/wal.html. (Ac-cessed: Sept. 15, 2015).
 A.S. Sharma, M.S. Malhi, M. Singh and R. Singh:“CSLA - An application using Android Capstoneproject,” Proceedings: 2014 IEEE InternationalConference on MOOC, Innovation and Technology inEducation, pp. 382-385, 2014.
 A.D. Schmidt, H.G. Schmidt, L. Batyuk, J.HClausen, S.A. Camtepe, S. Albayrak and C. Yildizli:“Smartphone malware evolution revisited: Androidnext target?,” Proceedings: 4th InternationalConference on Malicious and Unwanted Software(MALWARE), pp. 1-7, 2009.
 Android Developers: “Android DebugBridge,” 2015. [Online]. Available:http://developer.android.com/tools/help/adb.html.(Accessed: Sept. 22, 2015).
 Stackoverflow: “How to use ADB in Android studioto view an SQLite DB,” 2013. [Online]. Available:http://stackoverflow.com/questions/18370219/how-to-use-adb-in-android-studio-to-view-an-sqlite-db.(Accessed: Sept. 22, 2015).
 R. Johnson and A. Stavrou: “Resurrecting theread logs permission on Samsung devices,” Proceed-ings: Black Hat Asia 2015, pp. 1-25, 2015.
 Android Developers: “DropBoxManager,”2015. [Online]. Available:http://developer.android.com/reference/android/os/DropBoxManager.html. (Accessed: Sept. 22, 2015).
 M. Kaart and S. Laraghy: “Android forensics:Interpretation of timestamps,” Digital Investigation,Vol. 11, No. 3, pp. 234-248, 2014.
 H. Pieterse and M. Olivier: “Smartphones asdistributed witnesses for digital forensics,” Advancesin Digital Forensics X, Vol. 433, pp. 237-251, 2014.
 E. Ugboma: Learn Database Programming usingSQL of MS Access 2007, BookSurge Publishing,2009.
 W. Eixelsberger, M. Ogris, H. Gall and B.Bellay: “Software architecture recovery of a programfamily,” Proceedings: 1998 International Conferenceon Software Engineering, pp. 508-511, 1998.
 A. Grosskurth and M.W. Godfrey: “A referencearchitecture for web browsers,” Proceedings: 21stIEEE International Conference on Software Mainte-nance, pp. 661-664, 2005.
 A.E. Hassan and R.C. Holt: “A reference architecturefor web servers,” Proceedings: Seventh WorkingConference on Reverse Engineering, pp. 150-159,2000.
 D.A. Marca and C.L. McGowan: SADT: structuredanalysis and design technique, McGraw-Hill, Inc.,1987.
 M.E. Dickover, C.L. McGowan and D.T. Ross:“Software design using: SADT,” Proceedings: 1977Annual Conference, pp. 125-133, 1977.
 S. Lee: “Creating and Using Databases for AndroidApplications,” International Journal of DatabaseTheory and Application, Vol. 5, No. 2, pp. 99-106,2012.