
Combining technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide.

SAMSUNG GALAXY April 11, 2013

Introduction. The Galaxy camera was released on November 16, 2012. This device has the potential to replace mobile phones, as it has the same functionality of a phone, with the additional perk of a high quality camera. This creates an attractive incentive to buy the camera, which could lead to the possibility of it becoming more popular. As the camera’s popularity rises in the market, and more users purchase the device, the risk of the camera being used in an illicit manner rises as well. As the Samsung Galaxy camera is now a part of an investigator’s scope, understanding where any evidence can be retrieved is crucial. Using several different forensic tools, any data that could be of evidentiary value is detailed in this paper. By providing a guide to finding crucial data from the Samsung Galaxy camera, examiners analyzing this device in the future will be saving valuable time.

Abstract. The purpose of this project was to determine whether or not forensics on the Samsung Galaxy camera was possible. Although the camera runs an Android operating system, there was still a chance that no data could be extracted, as forensics on this device had never been done before. To begin the process of this project, as much data as possible had to be created on the camera by utilizing all of the applications and features that were offered. The next step was to find a forensic tool(s) capable of providing data that would constitute forensic artifacts. The major goal of this project was to find any artifacts and determine their locations on the camera, in case the device is ever a part of an investigation. By exploring the way data is stored on the Samsung Galaxy camera, forensic examiners now have an idea of what tools will work and what information can be extracted.

Table 1. Samsung Galaxy camera specifications
Released: November 16, 2012
OS: Android 4.1 (Jellybean)
Camera:
Network: GSM, HSPA+, (LTE)
Processor: 1.4 GHz Quad Core
Memory: microSD, 4GB on board, 1GB RAM
Connectivity: WiFi 802.11a/b/g/n, WiFi hotspot
GPS: Yes

Goals. The goal for this project was to develop an informational guide for the Samsung Galaxy camera. Due to the novelty of the product, it was crucial for a preliminary source to be created in order to aid forensic examiners in working with this device. In order to develop a forensic guide, the Samsung Galaxy camera had to be used as a normal user would. All user data artifacts had to be found in a forensic manner in order to simulate a case in reality. The findings from this device make up the content of this paper, and are placed in order for investigators to navigate both the guide and the camera with ease. The locations of possible evidence are all available and easily referenced for any professional analyzing the camera in search of data. Additionally, even with its well-known Android operating system, there was a possibility of the camera storing information differently than other devices. A secondary goal was to discover whether the acquisition of the camera was similar or different from the same process on other Android devices.

Samsung Galaxy Camera. As aforementioned, the camera was released on November 16, only two months before it was received for this project. The specifications of the camera are provided in Table 1. A more detailed chart can be found on gsmarena.com. When this project first started, no SIM card or data plan was provided, although the camera does have these options available. The camera is meant to be used as a camera with networking capabilities and is not built to be a phone. Since the camera mostly functions off WiFi, applications can be downloaded to allow the camera to act as a cell phone. continued on next page

44 Montgomery Street, Suite 700 San Francisco, CA 94104 415.524.7320 GALAXY, continued

whether the acquisition of the camera was similar or different from the same process on other Android devices.

Methodology. The Samsung Galaxy camera was received on January 31, 2013 for the means of facilitating this project. In order to get the most accurate results possible, an average user identity needed to be created. Use of the camera had to be simulated as though an everyday person had purchased it and constantly utilized it. The name Sammy Sung was given to the camera and this avatar acted as a normal Galaxy camera user who frequently visited Facebook, Twitter, Gmail, Voice, and various other applications that came with the camera. Once Sammy’s identity was created, six accounts were associated with this name: Facebook, Samsung, Google, Twitter, Dropbox and Chaton. A full timeline of all the data created and deleted can be found in Appendix A.

After the accounts were created and synced with the camera, the next step was to begin using the applications. Twenty applications and features were used and will be discussed more extensively further on in this paper. All applications were used a multitude of times in order to generate enough data. Once enough was created, portions of data were deleted to understand where the Galaxy camera stored information and to determine if data could be recovered.

Having a plentiful amount of data from networks, text messages, pictures, and other applications, the next step was acquiring the camera. Considering that the Samsung Galaxy camera was new and no forensics had been done on it yet, deciding on a starting point for acquisition was a point of difficulty. At first, an attempt was made to image the device using FTK Imager and EnCase 6.19, to decide if it was possible. As expected, the camera was not recognized by either software and was showing in Windows Explorer as a portable media device. The next step was Oxygen Forensic Suite 2012. This software has a good track record of imaging mobile devices and it seemed like the best tool to use for the project as it is available at the Leahy Center for Digital Investigation (LCDI). Unfortunately, Oxygen(1) did not recognize the camera. The Linux forensic platform Santoku was then used in a virtual machine to test whether or not it would detect the camera. Android is an operating system based on Linux, so there was a high possibility Santoku would recognize the camera as something more than just a media device.

1. As research continued, it was found that Oxygen Forensic Suite 2013 could acquire the camera. The findings were the same as those provided by EnCase 7 and are not discussed in this paper. It is just another option for examiners to use if Oxygen is their tool of preference.
2. Commands are executed without quotations. The commands mentioned throughout this paper are in quotations for distinguishability.

Santoku. Santoku worked successfully and once the camera was connected to the guest machine, AFLogical was used. AFLogical is a tool provided by viaForensics (viaForensics) and comes built into Santoku. This tool is open source and is used for mobile phones; it extracts call logs, contacts, SMS, and MMS. Although the camera is not considered a mobile phone, it runs Android, which provided a chance that some data could be pulled.

Before extracting any data, AFLogical needed to be put onto the camera. To install AFLogical, Santoku tutorials were referenced (Kswartz). The command “adb devices”(2) was first used to ensure the camera showed up in Santoku. Next, “adb install AFLogical-OSE_1.5.2.apk” was used to push AFLogical to the camera. This resulted in the creation of an AFLogical application on the camera itself. Upon clicking it via the camera, the “Extract All” option was selected. Within Santoku, a new directory was made for any output that was extracted from the camera. To pull data from the camera, the command “adb pull /sdcard/forensics” was executed (Figure 1).

Figure 1.

Once the extraction was complete, any files that were pulled were found in the aforementioned directory. In this case, only one picture was extracted. This picture was attempted to be sent to a contact via the Messaging application preinstalled on the camera. Since a data plan was not present, the picture was pending and never sent. No other data was pulled from the camera. Different results may occur depending on where data is stored on the camera by the user. Also, any examiner who has

access to AFLogical Law Enforcement software has a possibility of extracting more data. Concluding AFLogical was not the correct tool to use for this project, the next step was to see what other options Santoku offered. Santoku comes preinstalled with Android SDK. Android SDK is a software developer kit that comes with various tools for debugging and developing Android applications (Developer). Within this developer kit is Android Debug Bridge (ADB). This is a command line tool that enables a user to communicate with a connected Android device via computer (Developer). Using ADB allows for data to be pushed or pulled to or from an Android device. With the right ADB commands, information from logged data, system data, and port connections can be output.

For the purpose of this project, the command ‘dumpsys’ was used. “Dumpsys provides information on services, memory, and other system details...” (Hoog 119). Running applications, process IDs and current system activities are just some of the types of data that can be displayed. This command was executed using “adb shell dumpsys > dump.txt”. Dump.txt is where the data from dumpsys was output to for easier viewing. Once the dump was complete, pages worth of information were presented, but two important pieces of data provided by dumpsys were “accounts” and “last known locations”. “Accounts” revealed the number of accounts associated with the device, as well as the usernames they were connected to (Figure 2). Here the 7 accounts on the Samsung Galaxy camera that were originally created are displayed.

Figure 2.

“Last known locations” showed the last time, date, and location the camera connected to a cell tower (Figure 3). This could be extremely useful to know during an investigation, as timestamps are crucial and could determine a suspect’s whereabouts at a given time. In this case, Provider=network time showed the string 1364420491146. By converting that to a human readable time using a Unix timestamp converter, the number turned into March 27, 2013 at 5:41:31 PM.

Figure 3.

Below the Unix timestamp was the latitude (44.4609067) and the longitude (-73.2159816) of the device on March 27 at 5:41 PM. Putting the two numbers into a plotter (Figure 4) showed that the camera was located at the LCDI during the given date and time.

Figure 4.

Although Santoku provided interesting and useful data, much more about the Samsung Galaxy camera needed to be explored. The next option to entertain was using the Cellebrite UFED Physical Pro located at the LCDI.


Cellebrite UFED Physical Pro. Cellebrite’s UFED Physical Pro is a well-known mobile forensics tool. It supports thousands of different cell phones (Cellebrite) running different operating systems and allows for logical and physical extractions, as well as SIM card and password extraction. This was the next tool used in an attempt to get the acquisition process moving forward. The Galaxy camera was plugged into the Cellebrite UFED and a physical extraction was attempted.

Physical Extraction. A physical extraction means all data from a device, even deleted data found in unallocated space, is pulled. During a physical extraction, a physical image is created. This is an exact, full copy of a device and typically provides an abundance of data. It is ideal to do this type of extraction because it outputs all of the zeros and ones contained on a system. The first time the Cellebrite UFED was used, there was no Samsung Galaxy camera option. Out of curiosity, to determine if physical data could be pulled anyway, the Samsung Galaxy Appeal mobile phone option was selected instead. Unfortunately, a physical extraction was not possible after multiple attempts were made.

File System Dump. Thinking that a physical extraction was unsuccessful because the camera was not rooted, a logical acquisition was then attempted. A file system dump is a logical extraction of a device and does not typically grab as much data as a physical extraction would. Again, at this point there was no option for the Galaxy Camera, so the Galaxy Appeal was used once more. This process worked and after about 5 hours, a file system dump of the camera was provided. The results seemed accurate when looked at with Cellebrite’s Physical Analyzer software, but it was impossible to tell just how accurate they really were. There was no way to ensure the Galaxy Appeal option extracted all of the camera’s logical data, or if it bypassed certain parts because the Appeal may not be set up in the same way the camera is. Although they are both Android and Samsung devices, there was no forensically sound way to determine the data extracted was complete. Because of this, the data found from the extraction was only looked at for learning purposes and will not be discussed in this report. The next step was to root the camera, as it was the last option in getting other forensic tools to fully acquire the device. This process can be found in Appendix B. Once the camera was rooted successfully, the Cellebrite UFED was used again just to see if the file system dump was any different from the first one. While scrolling through the list of Samsung mobile phones, the option for the Samsung Galaxy Camera appeared. Cellebrite had updated their software to support the camera after the initial file system dump. A physical extraction was attempted, this time using the Samsung Galaxy camera option, but it did not provide any data at all when it was complete. Knowing the file system dump worked the first time, this option was then exercised. The data provided by this dump will be discussed later in the Results section.

EnCase 7.04. With over 35,000 copies of EnCase Forensic software sold (SC Magazine) to clients all over the world, it is undeniable that EnCase is amongst the most commonly used forensic tools in the industry. Because of its notoriety, it is the go-to tool, and it makes perfect sense that the newest version of EnCase comes equipped with an acquire smartphone feature. Although the camera is not considered a smartphone, it still runs a smartphone operating system; attempting to acquire the camera using EnCase 7 was the last reliable option left.

Acquire Smartphone Feature. With the camera plugged into the workstation, EnCase 7 immediately recognized it as a Google Android device. The “Perform Physical Acquisition” box was checked and an output path was created (Figure 5). This was the first time throughout the project that there was a successful way to physically extract data from the camera.

Figure 5.


Once the imaging process was complete, hashing and verification was done using the Process Evidence function. This was to ensure the data didn’t change during imaging. Since both MD5 hashes matched, it was finally time to start analysis. At the end of analysis, the image was hashed and verified again to determine nothing changed by the end of the project. The hashes matched again, ensuring the data was not contaminated in any way (Figure 6).

Figure 6.

Results. The applications discussed in this section were chosen based on the amount of data created and found. Only the results of applications that were thought to be of most evidentiary value are presented. Please note that in a real investigation, it is advised to look at all evidence provided.

Bluetooth. According to the timeline in Appendix A, the Samsung Galaxy camera was paired with an Android Bionic mobile phone on March 4, 2013 at 6:09 PM. This can be proved by navigating to the directory \data\misc\bluetooth and looking at the incomingconnection.conf file (Figure 7). The timestamp 1362438593661 was given, which converted to March 4, 2013 6:09:53 PM. A picture was sent with the name 20130304_173931.jpg from the camera to the Droid Bionic. There was no indication of what data was sent from the Samsung Galaxy camera. Only artifacts of received Bluetooth media could be found in the path \data\data\com.android.bluetooth\databases\btopp.db.

Figure 7.

Taking a closer look at the database file btopp.db, using the software SQLite Spy(3), the Bluetooth MAC address of the Droid Bionic is 40:98:4E:CC:84:4C. In Figure 8, the Droid Bionic’s MAC address can be found under “destination”. This means the Droid Bionic was sending a word document and a picture to the camera. The document named GSR.docx was sent to the camera on March 4, 2013 at 6:16 PM, which is what the number under ‘timestamp’ (1362438992767) converted to. Although the file GSR.docx was deleted on March 14 from the camera, it still appeared in the database file.

Figure 8.

Bluetooth artifacts are also found in the external.db database, located in \data\data\com.android.providers.media\databases. When the document GSR.docx was deleted from the camera, the date modified of an entry called /storage/sdcard0/Bluetooth (Figure 9) was updated in external.db. The timestamp 1363297819 converts to March 14, 2013 at 5:50 PM. According to Appendix A, that was the time the GSR.docx document was deleted. There is no indication, though, in external.db that this timestamp is associated with GSR.docx, so it could be anything. To better determine what was being modified, the database’s hex needed to be examined.

Figure 9.

Before beginning a search, the timestamp of ‘date modified’ had to be converted into hexadecimal. 1363297819 converted to hex 5142461B. That string of hex was then searched for within external.db. It is highlighted in red (Figure 10). Above that entry is GSR.docx (highlighted in yellow). In blue, the hex 51352b51 is found.

3. SQLite Spy is a SQLite database browser. It takes the contents of a .db file and presents it in organized tables. This tool was used to preview all SQLite databases mentioned in this report.


Figure 10.

That string converted to March 4, 2013 at 6:16:33 PM, which is the time and date the document GSR.docx was sent to the camera. While that is a longer method of figuring out timestamps, it works and proves to be another option if for some reason the database btopp.db is inaccessible.

Clipboard. An interesting feature of the newer Android devices is Clipboard. The option to copy pictures and paste them later in another application is quite useful. Ordinarily, clipboard data is considered volatile, which means it is lost once a system is powered down. For the camera, though, clipboard data is stored directly onto the device. Every time pictures or text were copied, they were written to the \data\clipboard directory. Even all screenshots were found in this directory, although the camera stores those in a separate location as well. It was ensured the screenshots found in the Clipboard directory were the same as those in the Screenshot directory (\data\media\Pictures\Screenshots) by comparing the hashes (Figures 11 and 12). All of the hashes matched and it was noted that the last written times for the screenshots found in the Screenshot directory were a tenth of a second sooner than the last written times in the clipboard directory. Because of this, it has been concluded that when a screenshot is taken, it is first stored to the Screenshot directory and then held in the camera’s clipboard less than a second later, most likely for easy sharing purposes.

Figure 11: Screenshots from Clipboard directory

Figure 12: Screenshots from Screenshots directory

The picture 20130228_192931.JPG (Figure 13) was copied to the clipboard and then the original picture was deleted. This picture was not pasted anywhere and then the camera was shut off. The picture was still found in the clipboard directory fully intact.

Figure 13.
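The screenshot comparison in this section (matching files between the Screenshots and clipboard directories by hash, then comparing their last-written times) can be scripted. The Python below is an added example, not part of the report; the two directories, their file names and their timestamps are constructed in a temporary folder and only imitate the situation the authors describe.

```python
"""Added example (not from the report): pair files in two directories by content
hash and compare their modification times. The directories are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_by_hash(directory):
    """Map content hash -> [(path, mtime_ns), ...] for every file under directory."""
    index = {}
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file():
            index.setdefault(sha256_of(p), []).append((p, p.stat().st_mtime_ns))
    return index


def match_directories(dir_a, dir_b):
    """(path_a, path_b, seconds) for every pair with identical content, where
    seconds = mtime(b) - mtime(a); positive means the copy in dir_b was written
    later. The file system sets the resolution (FAT rounds to 2 s), so a
    tenth-of-a-second gap is only visible on file systems that keep it."""
    idx_a, idx_b = index_by_hash(dir_a), index_by_hash(dir_b)
    pairs = []
    for digest, entries_a in idx_a.items():
        for path_a, ns_a in entries_a:
            for path_b, ns_b in idx_b.get(digest, []):
                pairs.append((path_a, path_b, (ns_b - ns_a) / 1e9))
    return pairs


def build_sample(root):
    """Constructed stand-in for the Screenshots and clipboard directories."""
    shots, clip = Path(root) / "Screenshots", Path(root) / "clipboard"
    shots.mkdir()
    clip.mkdir()
    base_ns = 1362000000 * 10**9                  # an arbitrary instant in 2013
    for name, content in (("Screenshot_1.png", b"\x89PNG shot one"),
                          ("Screenshot_2.png", b"\x89PNG shot two")):
        (shots / name).write_bytes(content)
        os.utime(shots / name, ns=(base_ns, base_ns))
    # the clipboard copy of shot one carries a last-written time 0.1 s later
    (clip / "clip_0001").write_bytes(b"\x89PNG shot one")
    os.utime(clip / "clip_0001", ns=(base_ns + 10**8, base_ns + 10**8))
    (clip / "clip_0002").write_bytes(b"copied text with no screenshot twin")
    return shots, clip


def demo():
    """Run the comparison on the constructed directories: [(name_a, name_b, delta)]."""
    with tempfile.TemporaryDirectory() as root:
        shots, clip = build_sample(root)
        return [(a.name, b.name, round(delta, 3))
                for a, b, delta in match_directories(shots, clip)]


if __name__ == "__main__":
    for name_a, name_b, delta in demo():
        print(f"{name_a} == {name_b}; clipboard copy written {delta:+.3f} s later")
```

Matching on content rather than on file name is what lets the clipboard entries, which carry no screenshot name, be tied back to the Screenshots folder; the sign of the delta then gives the order in which the two copies were written.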


Chrome. Along with social media and applications, probably one of the largest used mobile features is the web browser. The Samsung Galaxy camera comes equipped with both Chrome and its own default internet browser. To get the full effect of what a user can do with Chrome, numerous Google searches were conducted, bookmarks were made, and incognito windows were used. At 10:08 AM, a new incognito tab was opened in Chrome and a search was made for “best hiding places”. The URL www.wikihow.com/Find-Good-Hiding-Spots was clicked on. Five minutes later, a search was made for “parks in Burlington”. Upon doing a keyword search in EnCase for “hiding places” and “parks in Burlington”, nothing significant was found. The only data associated with these two searches was found in xT9CdbData.dat, which is located in data\data\com.sec.android.inputmethod\app_xT9DB. Within the .dat file was a list of words typed by the user (Figure 14) in various applications. Some words correspond to Tweets, Facebook statuses, emails, Google Searches and calendar events. Although the words “hiding places” and “parks in Burlington” were found in this location, there is no evidence linking these words to a Google Chrome incognito page. No other data pertaining to incognito windows was found on the camera.

Figure 14.

As for data created in a normal Chrome window, Google searches and bookmarks were found in the path data/data/com.android.chrome/app_chrome/Default/-journal. Although the history had been cleared on the camera, Google searches for “champlain.edu”, “dogs”, “how many people are in the world”, “jobs in Burlington”, “long island rail road”, and “heady topper” were all found. Even the deleted entry for “jobs in Burlington” was present in the file (Figure 15). Unfortunately, this journal file can only be viewed within EnCase and is not very pretty to look at.

Figure 15.

Contacts. Although the Samsung Galaxy camera is not meant to be a phone, there is still a built-in option for contacts. This feature is mostly for storing Facebook, Twitter and email contacts. Contacts from other applications like Talkatone or Google Voice can also be stored here. A full list of all contacts on the camera was found in contacts2.db located under data\data\com.android.providers.contacts\databases. When this file was opened in a database viewer, the list of contacts was found under View Raw Contacts. Two contacts, Sarah and Chloe, were deleted from the camera but their names still showed up in the database (Figure 16).

Figure 16.


The 1 in the deleted column also indicates that these contacts have been deleted.

Default Browser. Since the Samsung Galaxy camera comes with two different web browsers, it was pertinent to analyze both, as different users will have different preferences. Like the artifacts found with Google Chrome, the default browser stores a lot of data in its own database file called browser2.db. This file was found at data\data\com.android.browser\databases. While looking through the database file, bookmarks from both Google Chrome and the default browser were found along with their created timestamps. Although the database showed bookmarks from Google Chrome, it only showed deleted bookmarks coming from the default browser (Figure 17 highlighted) and not the deleted ones coming from Chrome.
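Three findings in this part of the report share one cause: Chrome's cleared history survived in a -journal file, browser2.db looked incomplete in a database browser while browser2.db-wal held every search (Figure 18 below), and contacts2.db kept the deleted contacts with a 1 in the deleted column. The Python below is an added example, not part of the report or of any tool it names. It reproduces both mechanisms on a throwaway database: rows cleared from a table are still present in the write-ahead log until a checkpoint, and an application-level "delete" that only sets a flag leaves the row in place. The table layouts are simplified stand-ins for browser2.db and contacts2.db, not their real schemas.

```python
"""Added example (not from the report): a throwaway SQLite database showing why
cleared history survives in a -wal file, and how a soft-delete flag keeps rows
that the application treats as deleted. Schemas are simplified stand-ins."""
import sqlite3
import tempfile
from pathlib import Path


def wal_residue():
    """Insert one history row, clear the table, then look at the files on disk.
    Returns which views of the data still contain the search term."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "browser2.db"
        con = sqlite3.connect(db, isolation_level=None)        # autocommit
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT, created INTEGER)")
        con.execute("INSERT INTO history (url, created) VALUES (?, ?)",
                    ("https://www.google.com/search?q=dinner+recipes", 1363294001))
        con.execute("DELETE FROM history")                     # 'clear history'
        rows_visible = con.execute("SELECT count(*) FROM history").fetchone()[0]
        # Read the raw files while the connection is still open: in WAL mode the
        # committed pages live in browser2.db-wal until a checkpoint copies them
        # into the main file. Closing the last connection checkpoints and removes
        # the -wal, which is why the -wal and -shm files must be imaged together
        # with the database before any viewer is pointed at it.
        main_bytes = db.read_bytes()
        wal_bytes = (Path(tmp) / "browser2.db-wal").read_bytes()
        con.close()
        return {
            "rows_visible": rows_visible,
            "in_main_file": b"dinner+recipes" in main_bytes,
            "in_wal_file": b"dinner+recipes" in wal_bytes,
        }


def soft_delete():
    """contacts2.db-style deletion: the row is flagged deleted=1, not removed,
    so a 'raw contacts' view still lists the name."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE raw_contacts (id INTEGER PRIMARY KEY, "
                "display_name TEXT, deleted INTEGER NOT NULL DEFAULT 0)")
    con.executemany("INSERT INTO raw_contacts (display_name) VALUES (?)",
                    [("Sarah",), ("Chloe",), ("Sam",)])
    con.execute("UPDATE raw_contacts SET deleted = 1 WHERE display_name IN ('Sarah', 'Chloe')")
    live = [r[0] for r in con.execute(
        "SELECT display_name FROM raw_contacts WHERE deleted = 0 ORDER BY display_name")]
    flagged = [r[0] for r in con.execute(
        "SELECT display_name FROM raw_contacts WHERE deleted = 1 ORDER BY display_name")]
    con.close()
    return live, flagged


if __name__ == "__main__":
    print(wal_residue())      # rows_visible 0, search term still in the -wal file
    print(soft_delete())      # (['Sam'], ['Chloe', 'Sarah'])
```

A database browser that opens the copied .db without its -wal and -journal neighbours shows only what has been checkpointed into the main file, which is the "showed up empty" behaviour the report describes; viewing the raw bytes in EnCase, or keeping the sidecar files beside the database, is what exposes the cleared entries.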

Figure 17. Figure 18.

Referring again to Appendix A, there were Google searches made for “dinner recipes”, “tattoo Burlington”, “how big is the earth”, “New York Islanders”, “what movies are playing”, “android phones”, “teddy bear” and “Barack Obama”. The URL “baseball.com” was also typed into the default browser. After those words were searched for and results were clicked for them, the default browser’s history and cache was cleared. Much like the database file found for Chrome, browser2.db did not show the complete web history in a database browser. Instead, taking a look at browser2.db-wal provided all internet searches (Figure 18).

Incognito pages were used in this browser as well. The only incognito Google search that was found was “fish tank”. This piece of data was found in the directory data\data\com.google.android.googlequicksearchbox\cache\http. The file name for this search is c0f4d2b80c1a2e84bfc574014997b7d9.0 (Figure 19). While the file does not directly state it’s from an incognito page, the URL “google.com/proxy” may suggest that it is. The Google search for “how long do fish live” was not found anywhere relating to Google. It was only found in the previously mentioned xT9CdbData.dat file.

Figure 19.

Downloads. Data downloaded to the downloads application was found in the sisodownloads.db file located at \data\data\com.sec.android.providers.downloads\databases.


Appendix A states that five pictures were downloaded from the internet on March 14, 2013. They were of a white android phone, an android phone chart, two bears together, a bear with a heart, and the bear from Ted. In Figure 20, the names of three downloads can be found.

Figure 20.

To determine what these pictures actually are, a search in EnCase was conducted (Figure 21). Only three downloads were found because the other two were deleted. The picture of Ted (Figure 22) was eventually found in \data\media\Android\data\com.sec.android.gallery3d\cache\nearby_cache, but the picture of the white android phone was nowhere in EnCase.

Figure 21.

Figure 22.

Since the deleted Ted picture was found, it was likely that the picture of the white android phone was somewhere on the device. Because EnCase did not seem to find it, the file system dump done with the Cellebrite UFED Pro was analyzed to understand where the deleted file was stored. While scrolling through the pictures Cellebrite found, the white phone was present. Its file name is .thumbdata3--1967290299_embedded_105.jpg. The full path to the deleted picture is shown in Figure 23.

Figure 23.

The path was followed within EnCase and the file name was found. The only problem was the picture itself did not show up in EnCase’s picture viewer because it was embedded. That means the file has more than one image stored in it. The file was copied out of EnCase and then edited with the software Hex Workshop in order to restore the picture back to its original structure. This was done by finding the hex header, FF D8, and hex trailer, FF D9. All JPEG images have these same hex headers and trailers. By copying the contents within these hex values and saving them as their own file, the image can be recreated. This was done successfully and the image of the deleted white android phone was officially found.

While analyzing the contents of the file system dump from Cellebrite, the directory “tdata” (Figure 24) was spotted. This directory did not show up in EnCase and in it were hundreds of embedded pictures separated into three folders: imgcache.0.EMBEDDED, imgcacheMicro.0.EMBEDDED, and imgcacheMini.0.EMBEDDED. Both the picture of Ted and the picture of the white android phone were found in the folder imgcacheMicro.0.EMBEDDED (Figure 25).

Figure 24.


Figure 25.
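The embedded .thumbdata3 file above was recovered by hand in Hex Workshop by cutting from the FF D8 header to the FF D9 trailer, and the imgcache*.0.EMBEDDED folders described in the Gallery section below hold the same kind of multi-image file. The Python below is an added example, not part of the report or of any tool named in it. It automates that carving and handles the case the manual method trips over: a JPEG that carries an EXIF thumbnail contains a second FF D8 / FF D9 pair inside its APP1 segment, so the first FF D9 after a header is not always the end of the image. The parser follows the segment lengths instead. The byte string it runs on is constructed here and only has the structure of a JPEG; it is not the camera's cache file.

```python
"""Added example (not from the report): carve the JPEGs held in a file that
embeds many images, such as .thumbdata3 and imgcache*.0, by walking the JPEG
segment structure from each FF D8 to its matching FF D9. SAMPLE is constructed."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end(blob, start):
    """Offset just past the FF D9 of the JPEG that begins at start, or None if
    the segments do not parse. Segment lengths are followed so that a thumbnail
    nested inside an APP1 (EXIF) segment is skipped rather than mistaken for
    the end of the outer image."""
    i, n = start + 2, len(blob)
    while i + 1 < n:
        if blob[i] != 0xFF:
            return None
        marker = blob[i + 1]
        if marker == 0xFF:                          # fill byte, keep scanning
            i += 1
            continue
        if marker == 0xD9:                          # EOI: done
            return i + 2
        if marker == 0x00:                          # stuffed byte outside a scan
            return None
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                                  # standalone markers, no length
            continue
        if i + 3 >= n:
            return None
        i += 2 + struct.unpack_from(">H", blob, i + 2)[0]   # skip the segment
        if marker == 0xDA:                          # SOS: entropy-coded data follows
            while i + 1 < n and not (blob[i] == 0xFF and blob[i + 1] != 0x00
                                     and not 0xD0 <= blob[i + 1] <= 0xD7):
                i += 1                              # stop at the next real marker
    return None


def carve_jpegs(blob):
    """(start, end) ranges of structurally valid JPEGs in blob, outermost only.
    A header whose image does not parse (truncated, or not really an image) is
    skipped, so a thumbnail inside a damaged outer image is still recovered."""
    ranges, i = [], blob.find(SOI)
    while i != -1:
        end = jpeg_end(blob, i)
        if end is None:
            i = blob.find(SOI, i + 1)
        else:
            ranges.append((i, end))
            i = blob.find(SOI, end)
    return ranges


def naive_end(blob, start):
    """The shortcut of taking the first FF D9 after FF D8: wrong for any image
    that carries an EXIF thumbnail, because the thumbnail's FF D9 comes first."""
    j = blob.find(EOI, start + 2)
    return None if j == -1 else j + 2


def make_jpeg(app_payload=b"", scan=b"\x12\x34\x56"):
    """Constructed JPEG with a valid segment layout (it is not decodable)."""
    app1 = b""
    if app_payload:
        app1 = b"\xff\xe1" + struct.pack(">H", len(app_payload) + 2) + app_payload
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"   # one-component SOS header
    return SOI + app1 + sos + scan + EOI


THUMB = make_jpeg()                                     # 17 bytes
OUTER = make_jpeg(b"Exif\x00\x00" + THUMB)              # 44 bytes, thumbnail in APP1
SAMPLE = (b"\x00" * 5 + OUTER + b"junk" + make_jpeg(scan=b"\xab\xcd")
          + SOI + b"trailing-garbage")                  # a header with no image

if __name__ == "__main__":
    for k, (start, end) in enumerate(carve_jpegs(SAMPLE)):
        print(f"image {k}: offset {start}..{end} ({end - start} bytes)")
    print("first-FF-D9 shortcut would end image 0 at", naive_end(SAMPLE, 5))
```

On the constructed input the parser returns two images, at offsets 5..49 and 53..69, while the first-FF-D9 shortcut would have cut the first image at 34, inside its own thumbnail; the stray FF D8 in front of "trailing-garbage" is rejected because nothing parseable follows it.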

Dropbox. From the moment the camera was received, a Dropbox account was created and was set to sync every time a picture was taken. Dropbox artifacts are found in the directory data\data\com.dropbox.android, and a database file called db.db has a list of all uploaded pictures and documents. Nothing was really done with the Dropbox application. No data associated with Dropbox was deleted, so there was not much to find.

Email. On February 21, a Hotmail account was made using the camera’s Email application. An email was created from the camera with the subject “Hi” and the body “look at this!”. Attached to the email was the picture 20130201_130354_resized.jpg. The email failed to send and the email account was then removed from the camera. Although the Hotmail account created was removed, the data from the failed email was found in several locations. A notification of the failed email is found in the file SendingFailNotification, located in the path data\data\com.android.email\shared_prefs (Figure 26).

Figure 26.

Unfortunately, the notification does not detail who the email was being sent to or what the body of the email consisted of. Green plating the parent directory, com.android.email, in EnCase allows all the files within that directory to be previewed. By doing this the file 20130201_130354_resized.jpg was found (Figure 27). The last piece of evidence that connects the picture and failed email notification to a Hotmail account is found in the emailprovider.db file, which is in data\data\com.android.email\databases. When this database was exported, it showed up empty in the database browser. Viewing it in EnCase provided more information. The receiver’s email address, the email’s timestamp, the email’s body and subject text were all found there (Figure 28). The timestamp found, 1361460813811, converted to February 21, 2013 at 10:33 AM, which was when the email attempted to send. While the picture in Figure 27 is found in this document, it is not directly linked to any email account. Since it is in the email database, it can be assumed that this picture was sent or received as an attachment, but there is no way to definitively know.

Figure 27.

Figure 28.

Facebook. Facebook is the number one social networking site in the world (AlexaRank). With over one billion users, it is at the top of the list for retrieving data. Artifacts from Facebook are stored in data\data\com.facebook.katana. Over 1,000 files were found in this directory. Of these files, the database users_db2 is where to find all Facebook friends, even the deleted ones (Figure 29).

Figure 29.

The names highlighted in yellow are the users that were deleted. In the threads_db2 database, Facebook chats and messages were found. While deleted chats were


not found, there are entries with zeros in them that may indicate messages were deleted.

Figure 30.

Within data\data\com.facebook.katana\files, two images starting with the file name temp-compose-photo were found. These two images were the only images sent via Facebook Messenger. While there is nothing associating these pictures with a Facebook user or with any timestamps, they are still found in a Facebook directory. It is odd that the only two pictures sent through Facebook chat are the only two pictures found in that directory (Figure 31). That indicated that files stored in the com.facebook.katana\files directory came from Facebook chats, as all other pictures uploaded to Facebook by the camera were not found there. As for deleted statuses, there were no artifacts found within EnCase or Cellebrite.

Figure 31.

Gallery. Since the Samsung Galaxy camera is firstly a camera, it is crucial to examine any and all picture data provided. The camera comes with impressive WiFi sharing features, so determining where a picture came from is key to an investigation. When pictures are taken on the camera they are stored under numerous folders within the Gallery. These folders are created according to use. If an Instagram account is created, photos uploaded to Instagram are found in the Instagram folder in the Gallery. For this project, the folders on the camera are Camera, Download, Bluetooth, Instagram, Paper Pictures, Photo Wizard, Screenshots, Share via WiFi, Facebook Mobile Uploads and Facebook Profile Pictures. EnCase successfully found all of the pictures that were currently present on the camera, but did not find any pictures that were deleted. False positives were found, as the camera was synced with Dropbox from the beginning


of the project. Photos were automatically uploaded to Dropbox once they were taken and were stored there. When pictures were deleted from the Gallery, they were still found by EnCase in the Camera Uploads folder for Dropbox. Manually navigating through the photos on the camera with EnCase, three pictures were found in \data\media\DCIM\.thumbnails. The pictures were taken on January 1, 2012 before the camera was received for this project. It was later found out that these pictures came from a user who had the camera first and then reset it for this project. Aside from those three pictures, no other deleted pictures taken by the camera were found in the thumbnails folder. Delving back into the file system dump provided by Cellebrite, the previously mentioned directory “tdata” (Figure 32) was looked into more thoroughly. That was the location of the deleted downloaded picture of the bear Ted, so it was the next logical place to look.

Figure 32.

The file within this directory that was most prominent in finding deleted pictures was imgcacheMicro.0. It was here that all pictures ever taken with the camera were found. This included deleted pictures, S Memo notes, screenshots, downloaded pictures and pictures shared over WiFi. The imgcacheMicro.0 folder was embedded, so numerous pictures were found in one file. To have a better viewing of all the pictures in this location, the imgcacheMicro.0 folder was exported from Cellebrite’s Physical Analyzer and was saved to an external drive. The folder imgcacheMicro.0.EMBEDDED was created and the pictures were easily accessible. By looking through the contents of the imgcacheMicro.0.EMBEDDED folder, the deleted pictures mentioned in Appendix A were available for viewing (Figure 33).

Figure 33.

Gmail. Like most Android devices, the camera comes with two email applications: Email and Gmail. It is crucial to investigate artifacts from both applications, as it is typical for people to have more than one email address. Navigating to the path data\data\com.google.android.gm\databases resulted in finding the database [email protected]. By exporting and viewing this file in SQLite Spy, only one deleted email was found (Figure 34). Looking at the database’s contents within EnCase provided the rest of the deleted emails. The only problem with that was there was no indication of who was

continued on next page GALAXY, continued

sending what, when emails were sent or received, or The searches for “turtles” and “North Babylon High what emails were deleted (Figure 35). School” were found through the path data\data\com. google.android.googlequicksearchbox\shared_prefs\ SearchSettings.xml (Figure 36).

Figure 34.

Figure 36.

That information was not too useful at all, as no timestamps were provided for the individual searches and the rest of the searches made were not found in the XML file. In fact, the other searches weren’t found anywhere in the com.google.android.googlequicksearchbox directory at all. The search for “Toyota Prius” was found in Chrome’s Favicons-journal file, which was also where Chrome’s internet history was located (Figure 37). The search for “turtles” was found there too, but as aforementioned, there was no indication that these came from Google searches and no timestamps were associated with them. In short, the data found here is useless from an investigators point of view.

Figure 35.

Google Search Bar using Voice. The Google search bar installed on the camera automatically uses the Chrome browser and there is Figure 37. no option to use the default browser. The voice feature was looked into to see if any artifacts left from the voice Google Voice. commands could be found. It was clear from the analysis Since this camera in particular did not come with a of Chrome that Google searches in general could be SIM card or data plan, the only way to make calls or retrieved, but evidence coming from voice searches was send text messages was to use WiFi. Because of that, the an unknown. Referring back to Appendix A, a Google applications enabling call and text options needed to be search using the search bar and voice feature was made closely looked at. Google Voice is a great application on March 14 at 5:28 PM for “turtles”. Other searches that provides a user with their own phone number and were made that day for “windex”, “North Babylon High the ability to make calls, send text messages, and receive School”, and “Toyota Prius”. The search for “windex” was voicemails. In this case, the camera’s phone number was not found anywhere on the camera. This was the only 802-448-0816. Multiple text messages were sent and voice search that a link wasn’t clicked on afterward. Even received using Google Voice. While no conversations so, the Google search itself should have been present. were deleted from the application, there were no

continued on next page GALAXY, continued

artifacts found. Data for Google Voice gets stored in \ Figure 40 shows the response “Do it” coming from the data\data\com.google.android.apps.googlevoice. camera. Unfortunately, the Last Written times for the .map In this directory, a number of different databases are files are not accurate (only the dates are) and there was found. The SMS outbox database is empty, along with no other way of telling when these text messages were conversationsDatabase and model.db. It is unknown as to sent. Furthermore, the deleted conversation from the user why data wasn’t present in the com.google.android.apps. “Alyse” was not found. googlevoice directory. A keyword search in EnCase was done for known sent text message content, but the search resulted in nothing.

Talkatone. Talkatone is an application with the same functionality as Google Voice, except it does not provide the user with a phone number. Unlike Google Voice, artifacts from conversations created on the camera were found. The conversations are stored as .map files, which get recognized by EnCase as picture files. These files were Figure 39. found in data/data/com.talkatone.android\files\- messages. The .map files are categorized by phone number (Figure 38). By looking at the files in EnCase’s Transcript viewer, the contents of the conversations currently on the camera were found in plaintext (Figure 39).

Figure 40.

In the History folder in the directory data/data/com. talkatone.android\files, all phone calls with accurate timestamps were present. None of the calls were deleted from the logs, but since no deleted text messages were found it was likely that deleted call logs would not have been found either.

Maps/Navigation. Multiple searches were made using and the built in navigation application. Nothing from these applications was deleted, but search queries, along with accurate timestamps, were found in two database files located in data\data\com.google.android\apps\maps: Figure 38. search_history.db (Figure 41) and da_destination_history. db (Figure 42). Search_history provides data coming from Google Map searches, while da_destination_history Highlighted in blue is number of the person who sent contains data about any directions given by the built in the text message “I’m gonna catfish you” to the camera. navigation system.


Figure 41.

Figure 42.

Remote View Finder. Probably the most noteworthy feature of the Samsung Galaxy camera is Remote View Finder (RVF). It is used when the camera is in camera mode and the Share button is pressed. One of the options provided is Remote View Finder. This allows another device running RVF to connect with the camera via WiFi. The camera can then be taken outside, down the hall, or elsewhere in a building using the same WiFi network. The device running RVF (in this case the Droid Bionic) can see what the camera sees and can control the camera’s functionality (Figures 43 and 44). Once a picture is taken by the camera via another device, the picture gets stored on both devices. Pictures taken using this feature were not deleted.

Figure 43: View from Samsung Galaxy camera. Figure 44: View from Droid Bionic.

The primary concern surrounding this feature was finding anything that connects the camera to the other device taking the pictures. This information was discovered in the directory data\misc\dhcp. The file dnsmasq.leases (Figure 45) provides a timestamp of the last time RVF was connected to WiFi (highlighted in blue), the MAC address of the device it connects to (highlighted in yellow), and the IP address of the network being used.

Figure 45.

The timestamp converted to March 16, 2013 at 3:12 PM which, according to Appendix A, is when numerous pictures were taken using Remote View Finder. Doing a temporal analysis on any pictures at that time resulted in finding all of the pictures taken with Remote View Finder on March 16 at 3:12 PM (Figure 46* and 47).

Figure 46.
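The lease-to-picture correlation this section performs by hand can be scripted. The following is an added example, not code from the paper or from Kivu: it parses dnsmasq.leases lines and matches photo filenames in the camera’s YYYYMMDD_HHMMSS.jpg naming scheme against the lease time. The lease lines (MAC, IP, hostname) and the filenames are constructed; the Eastern time zone and the one-hour window are assumptions.

```python
r"""Correlate a dnsmasq.leases entry with photo filenames.

Added example, not code from the paper. The lease lines, MAC addresses,
IPs, hostnames and photo names below are constructed; they only follow the
formats the paper describes (data\misc\dhcp\dnsmasq.leases and pictures
named YYYYMMDD_HHMMSS.jpg).
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the report's clock times are US Eastern, which in March 2013 is EDT (UTC-4).
EASTERN = timezone(timedelta(hours=-4))

# Constructed leases file. dnsmasq writes one lease per line:
#   <expiry epoch seconds> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1363464000 02:00:00:aa:bb:cc 192.168.43.5 android-bionic 01:02:00:00:aa:bb:cc
1363377600 02:00:00:dd:ee:ff 192.168.43.7 * *
"""

# Constructed filenames in the camera's naming scheme.
SAMPLE_PHOTOS = [
    "20130316_151235.jpg",  # the file the paper's footnote says should be highlighted
    "20130316_151302.jpg",
    "20130305_141409.jpg",
    "dnsmasq.leases",       # not a photo; must be ignored
]

FNAME_RE = re.compile(r"^(\d{8})_(\d{6})\.jpe?g$", re.IGNORECASE)


def parse_leases(text):
    """Return one dict per lease line with a tz-aware expiry datetime.

    dnsmasq stores the lease *expiry* time in the first field, so the client
    associated at some earlier point inside the lease period, not at this
    exact instant.
    """
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        leases.append({
            "expiry": datetime.fromtimestamp(int(parts[0]), tz=EASTERN),
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": parts[3] if len(parts) > 3 else "*",
        })
    return leases


def photo_time(filename):
    """Turn 20130316_151235.jpg into a tz-aware datetime; None for other names."""
    m = FNAME_RE.match(filename)
    if not m:
        return None
    naive = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=EASTERN)


def photos_near_lease(lease, filenames, window=timedelta(hours=1)):
    """Filenames whose embedded time falls in [expiry - window, expiry].

    The one-hour window is an assumption standing in for the lease length,
    which the leases file itself does not record.
    """
    lo, hi = lease["expiry"] - window, lease["expiry"]
    hits = []
    for name in filenames:
        t = photo_time(name)
        if t is not None and lo <= t <= hi:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for lease in parse_leases(SAMPLE_LEASES):
        print(lease["expiry"].strftime("%Y-%m-%d %I:%M:%S %p"),
              lease["mac"], lease["ip"], lease["hostname"])
        print("  photos in window:", photos_near_lease(lease, SAMPLE_PHOTOS))
```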


Figure 47.

*Please note: The content highlighted in green in Figure 46 is incorrect. The filename 20130316_151235.jpg should be highlighted and not dnsmasq.leases.

S Voice. The application S Voice is similar to the iPhone feature, Siri. S Voice allows a user to communicate with their device with the press of a button. S Voice will look up directions, conduct internet searches, browse contacts, or even post a social network update. Various artifacts coming from S Voice are found in the directories data\data\com.android.chrome\app_chrome\Default\Favicons and \Default\History 2013-03 (Figure 49). Unfortunately, these searches are only found because S Voice accessed Google in order to conduct them. There is no evidence to indicate that these found searches did in fact come directly from S Voice. The searches do show the title Google Custom Search, which is what S Voice uses, but that still does not allow for a positive conclusion to be made.

S Planner. The calendar application for Samsung devices is known as S Planner. Events stored in the calendar can sometimes provide crucial information during an investigation. A person’s future or even past whereabouts can be found in the S Planner application and could possibly validate or dispute someone’s alibi. Data stored for S Planner was found in the database file calendar.db, located in \data\data\com.android.providers.calendar\databases. The contents of the file were viewed with SQLiteSpy and three deleted events were found (highlighted). Accurate timestamps for each of the created events were also present (Figure 48). The 1 in the “deleted” column indicates the event is actually deleted.

Figure 48.
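As an added example (not the paper’s or Kivu’s code), the following rebuilds the relevant part of calendar.db in memory and runs the query that surfaces rows with deleted = 1, converting the millisecond timestamps the provider stores. The event rows are constructed from Appendix A, the column names follow Android’s calendar provider, and the Eastern time zone is an assumption.

```python
"""Surface soft-deleted S Planner events from calendar.db with sqlite3.

Added example, not code from the paper. Android's calendar provider keeps
events in an `events` table with `title`, `dtstart`/`dtend` (milliseconds
since the Unix epoch) and a `deleted` flag. The schema below is a reduced
copy of that table and the rows are constructed from the paper's Appendix A;
the database is built in memory instead of being read from the camera's
\\data\\data\\com.android.providers.calendar\\databases\\calendar.db.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: the report's clock times are US Eastern (EDT in spring 2013).
EASTERN = timezone(timedelta(hours=-4))

SCHEMA = """
CREATE TABLE events (
    _id     INTEGER PRIMARY KEY,
    title   TEXT,
    dtstart INTEGER,            -- ms since epoch, as the provider stores it
    dtend   INTEGER,
    deleted INTEGER NOT NULL DEFAULT 0
);
"""


def ms(dt):
    """datetime -> milliseconds since the epoch."""
    return int(dt.timestamp() * 1000)


# Constructed rows: the two events that survived and the three that Appendix A
# says were created at 5:01 PM and deleted at 5:02 PM on March 14, 2013.
# The event start times themselves are invented.
SAMPLE_EVENTS = [
    ("Valentine's Day",   datetime(2013, 2, 14, 0, 0, tzinfo=EASTERN), 0),
    ("California",        datetime(2013, 3, 1, 0, 0, tzinfo=EASTERN), 0),
    ("Kip Moore",         datetime(2013, 4, 5, 20, 0, tzinfo=EASTERN), 1),
    ("Graduation",        datetime(2013, 5, 18, 10, 0, tzinfo=EASTERN), 1),
    ("Last day of class", datetime(2013, 5, 3, 0, 0, tzinfo=EASTERN), 1),
]


def build_sample_db():
    """Create the in-memory stand-in for calendar.db and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO events (title, dtstart, dtend, deleted) VALUES (?, ?, ?, ?)",
        [(t, ms(start), ms(start + timedelta(hours=1)), d) for t, start, d in SAMPLE_EVENTS],
    )
    conn.commit()
    return conn


def deleted_events(conn):
    """Rows flagged deleted = 1, as (title, start datetime), oldest first.

    The provider marks a removed event with deleted = 1 and leaves the row in
    place for the sync adapter to purge, which is why the paper could still
    read the three events in SQLiteSpy.
    """
    rows = conn.execute(
        "SELECT title, dtstart FROM events WHERE deleted = 1 ORDER BY dtstart"
    ).fetchall()
    return [(title, datetime.fromtimestamp(start / 1000, tz=EASTERN)) for title, start in rows]


if __name__ == "__main__":
    conn = build_sample_db()
    for title, start in deleted_events(conn):
        print(f"{start:%Y-%m-%d %I:%M %p}  {title}")
```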


Figure 49.

Twitter. The second largest social media site, next to Facebook, is Twitter (AlexaRank). A ton of unnecessary and unrelated data was found in Twitter’s database. All of “Sammy Sung’s” followers, along with their followers and updates, were provided. Even popular searches conducted by users unassociated with Sammy Sung were present in the database file. This very large chunk of data was found in the database 1138036112.db, located in the directory data\data\com.twitter.android\databases. The number title (1138036112) for the database file may change according to dates and devices, but that has not been tested. The number was converted, as it seemed like a timestamp, but it converted to January 23, 2006 at 12:08 PM, which had nothing to do with this project. Aside from a lot of unimportant data within the database file, the deleted direct message from the Twitter account Cat_Stamm to sammysung131 was found with Cellebrite (Figure 50). What’s interesting is that other direct messages were sent between the two users, but they were not found anywhere within EnCase or Cellebrite.

Figure 51.

This database also contained deleted Tweets coming from the Samsung Galaxy camera (Figure 51), but the data was not presented as concisely as the direct messages.

WiFi Direct. The other appealing feature built into the camera is WiFi Direct. This allows two Android devices equipped with WiFi Direct to connect over the same WiFi network and share pictures, applications, music, and other media. Unfortunately, this feature was only tested once, as only one other person at the LCDI had an Android phone that was equipped with WiFi Direct. The device used for testing was a Samsung Galaxy Note III and four files were sent to the camera: mylife.mp3, thriftshop.mp3, vavavoom.mp3 and 2013130_154630.jpg. The file mylife.mp3 was then deleted from the camera. The other two music files and the image were located in the external.db database, found in the directory \data\data\com.android.providers.media\databases (Figure 52). Highlighted in yellow is a potential artifact of the deleted file, mylife.mp3. The timestamp under date modified converts to March 14, 2013 at 5:15 PM. According to Appendix A, that was the time mylife.mp3 was deleted. While it makes sense that this entry would update its modified timestamp once the file was deleted, there is no real evidence that determines the entry is associated with the file mylife.mp3.

Figure 52.
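The Make/Model comparison the next paragraph applies to the picture received over WiFi Direct can be done without a forensic suite. This added example (not the paper’s or Kivu’s code) constructs a minimal JPEG with an Exif segment in memory, reads the Make and Model tags out of IFD0 and compares the model with the EK-GC100 model number the paper gives; the make and model strings placed in the sample are constructed.

```python
"""Read the EXIF Make and Model out of a JPEG and compare against the camera's model.

Added example, not code from the paper. A minimal JPEG carrying an Exif APP1
segment is constructed in memory so the parser can run offline; the make and
model strings placed in it are constructed. EK-GC100 is the Galaxy camera
model number the paper gives.
"""
import struct

GALAXY_CAMERA_MODEL = "EK-GC100"
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
ASCII = 2  # TIFF field type: NUL-terminated 8-bit string


def _ifd_entry(tag, payload, data_offset):
    """One 12-byte little-endian IFD entry. Values of 4 bytes or fewer are stored
    inline in the value field; longer ones live at data_offset."""
    if len(payload) <= 4:
        return struct.pack("<HHI", tag, ASCII, len(payload)) + payload.ljust(4, b"\0"), b""
    return struct.pack("<HHII", tag, ASCII, len(payload), data_offset), payload


def build_exif_jpeg(make, model):
    """Construct SOI + APP1(Exif, little-endian TIFF, IFD0 with Make/Model) + EOI."""
    make_b, model_b = make.encode("ascii") + b"\0", model.encode("ascii") + b"\0"
    data_start = 8 + 2 + 2 * 12 + 4  # TIFF header, entry count, two entries, next-IFD pointer
    e1, d1 = _ifd_entry(TAG_MAKE, make_b, data_start)
    e2, d2 = _ifd_entry(TAG_MODEL, model_b, data_start + len(d1))
    tiff = b"II*\0" + struct.pack("<I", 8) + struct.pack("<H", 2) + e1 + e2 + b"\0\0\0\0" + d1 + d2
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif(jpeg):
    """Walk the marker segments after SOI and return the TIFF payload of the
    Exif APP1 segment, or None when none appears before image data starts."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + length
    return None


def read_make_model(jpeg):
    """Return {'Make': ..., 'Model': ...} from IFD0, honouring the TIFF byte order."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, ftype, n, value = struct.unpack(endian + "HHII", tiff[off:off + 12])
        if tag in (TAG_MAKE, TAG_MODEL) and ftype == ASCII:
            # Short values are the raw bytes of the value field; re-pack to recover them.
            raw = tiff[value:value + n] if n > 4 else struct.pack(endian + "I", value)[:n]
            found["Make" if tag == TAG_MAKE else "Model"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return found


def taken_by_galaxy_camera(jpeg):
    """True only when the embedded Model matches the camera under examination."""
    return read_make_model(jpeg).get("Model") == GALAXY_CAMERA_MODEL


if __name__ == "__main__":
    sample = build_exif_jpeg("SAMSUNG", "EXAMPLE-PHONE")  # constructed: some other Samsung device
    print(read_make_model(sample), "| taken by Galaxy camera:", taken_by_galaxy_camera(sample))
```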

Figure 50.

Since media can so easily be transferred to surrounding devices using WiFi Direct, it was decided that analysis of the picture being sent to the camera was needed. The picture 2013130_154630.jpg was sent to the camera on February 2, 2013 at 9:43 AM and was found in the folder Share via Wifi (data\media\). By looking at this picture in the Transcript viewer, data known as EXIF data can be seen (Figure 53). EXIF data is essentially metadata, or data about data. EXIF data is stored in most digital pictures and provides information about the camera which took the picture. For example, the camera’s make and model, what time the picture was taken, exposure time, and even possibly a GPS location can all be found within EXIF data. Highlighted in green is the make of the device sending the picture and in yellow is the model number. Knowing that the model number of the Samsung Galaxy camera is EK-GC100, it can be concluded that the picture 20130130_154630.jpg was not originally taken with the Galaxy camera.

Figure 53.

Conclusion. By the end of this project, it has been undoubtedly concluded that the Samsung Galaxy camera can be forensically acquired. Even with minimal support available for this new device from some of the industry’s leading forensic tools, data extraction is still 100% possible. Following the successful acquisition of the Samsung Galaxy camera, this paper was able to outline a forensics guide for future investigators and be considered a preliminary source when forensics on this device is necessary during a case. Due to simulation of an average user throughout the project, the forensics breakdown of the data is realistic and is able to be compared and utilized in field work. All information about the data found is organized so investigators may find their work on the Galaxy camera easier and more productive. Based on the results of this project, it did not seem that the camera stored data any differently than other Android devices. Due to this, some of the same Android forensic techniques can be used to analyze the camera. This discovery will help investigators decide on a starting place and will hopefully ease their process, as Android forensics is solidly researched. In conclusion, forensically examining the Samsung Galaxy camera proved to be successful and will be useful, as well as applicable, to future forensic investigations for this device.

Appendix A. Timeline

January 31, 2013
4:25 PM Create Gmail and Samsung accounts ([email protected])
4:30 PM Create Facebook (used sammysung131@gmail.com)
4:50 PM post “hello everyone!” on Facebook
4:54 PM Email sent from [email protected] to Sammy Sung with attachment of a boy on cell phone (sammysung.jpg). Picture was downloaded
4:57 PM Change profile picture to Sammy Sung
5:05 PM Create Twitter (@sammysung131)
5:06 PM Twitter – post “please follow me i am lonely”
5:15 PM Download Talkatone
5:18 PM Talkatone – Sammy calls 631-291-XXXX for 3 seconds
5:24 PM Talkatone – Sammy calls 631-291-XXXX for 8 seconds
5:20 PM Created Google Voice account (802-448-XXXX)
5:22 PM Received voicemail from Google Voice
5:26 PM Google Voice – received text message from the application Talkatone
5:42 PM Facebook – tagged by cat stamm
6:30 PM Google Voice – received text from Caitlin “it’s Caitlin stamm”
6:32 PM Google Voice – Sammy responds to Caitlin “thanks for helping me out!”
6:35 PM Google Voice – Caitlin replies “if you need any help let me know!”
6:36 PM Facebook – post “I’m getting so many friends”
6:42 PM Facebook – Pagina posts “wanna be in a relationship”
6:56 PM Facebook – post picture of Alyse and Laura sitting on the couch with the caption “Alyse doesn’t look happy”
7:02 PM Facebook – post from Christine “did you get the camera today”
7:02 PM Facebook – Message Alex “be my friend”


7:18 PM Google Voice – Received text from Chloe “Sammy my boy”
7:23 PM Google Voice – Sammy replies to Chloe “haha hey whats up”
7:33 PM Google Voice – Chloe responds “can you get texts off a phone after theyre deleted?”
7:35 PM Google Voice – Sammy texts Chloe “yup usually”
8:08 PM Google Voice – Receive voicemail from Dad “this is mr spam (stamm) from Babylon, give me a call please”
8:21 PM Google Voice – Received text from Sarah “whats up it’s your favorite ginger”
8:38 PM Facebook – post from Alyse “any chance you’re Japanese”
8:43 PM Facebook – post from Alex a picture of a rabbit
9:22 PM Facebook – post from Alyse “look at this girl she might be crazy” picture of Cat making a phone call with the camera
9:56 PM Twitter – post “@catstamm hello~”

February 1, 2013
8:59 AM Google Voice – text from Alyse “hope you and your blazer get on tv today”
9:00 AM Google Voice – respond to Alyse “thank you!”
9:03 AM Facebook – post status “cat stamm just got 48 GB on dropbox for free”
10:24 AM Twitter – post picture of Kyle cleaning his iPhone
1:03 PM Camera – picture of the Irish flag was taken
1:04 PM Camera – picture of Chobi yogurt was taken
8:15 PM Facebook – post from Trevin “<3 sammysung!!!!”

February 2, 2013
7:52 PM Camera – Picture of Julie sitting on the couch with a pink blanket is taken
8:03 PM Twitter – post “girl you trippin”
8:21 PM Facebook – “hahahah I can’t be imaged!!”

February 5, 2013
1:43 PM Facebook – post from Cat Stamm “whattup brah”

February 6, 2013
9:41 AM Facebook – post from Kyle “article on Samsung galaxy camera”

February 7, 2013
9:40 AM Twitter – retweet Joe Stamm “ 182 pandora is on point”
9:49 AM Twitter – post “me so Sammy Sammy”
9:54 AM Twitter – post “my uncle came to visit today!” with picture of Galaxy Camera box
10:05 PM Google Voice – Text Alyse “have fun at the gym”
10:06 AM Google Voice – Text Mommy sung “Sammy sung here.. I see you”
10:07 AM Google Voice – Text from Mommy Sung “do you really see me?”
10:16 AM Facebook – post status “don’t hate me cause I’m beautiful”
10:18 AM Facebook – post picture of text message with Mommy Sung
10:26 AM Maps – search for Japanese restaurant, select koto steak house and get directions
10:31 AM Google Voice – Receive text from Alyse “thanks Sammy”

February 10, 2013
4:53 PM Facebook – post from Alyse “happy birthday old man”
4:58 PM Facebook – post from Laura “happy birthday! See you tonight to celebrate?”
5:00 PM Facebook – post from Julie “ahh Sammy sung happy birthday old man!!”
10:37 PM Facebook – post from Pagina “you’ll get your birthday present on valentines day”

February 11, 2013
9:42 AM Facebook – post status “thanks for all the birthday wishes!”
9:48 AM Camera – Take picture of TrueCrypt icon
10:39 AM S Planner – Created event “Valentine’s Day”
10:40 AM S Planner – Created event “California”

February 14, 2013
10:58 AM Facebook – Change profile picture to Samsung Galaxy Camera

February 21, 2013
9:52 AM Default Browser – Search for dinner recipes, click 2nd Google page, click 30 minute dinner recipes – recipes and cooking, foodnetwork.com – upon clicking you get a screen for chrome or internet – CHOSE INTERNET
9:58 AM Default Browser – Type in URL bar “tattoo Burlington” – click Vermont custom tattoo and piercing – click website – bookmark – options to save in [email protected], Samsung account, or my device – chose my device
10:01 AM Default Browser – Type in URL bar “how big is the earth” – click first link (space.com) – add bookmark – choose sammysung131
10:04 AM Default Browser – Search “New York Islanders” – click first link islanders.nhl.com – bookmark – choose Samsung account
10:12 AM Default Browser – Search “what movies are playing” – click moviefone.com – bookmark to my device – long hold – delete bookmark

March 4, 2013


6:09 PM Bluetooth – Galaxy camera and Droid Bionic are paired
6:10 PM Bluetooth – Sent picture of Alex waving to Bionic (20130304_173931.jpg)
6:16 PM Bluetooth – Sent GSR.docx paper from Bionic to Samsung camera
6:18 PM Clipboard – Took a picture of the San Fran hotel and copied it to the clipboard. Didn’t put it anywhere, deleted the picture from the gallery, and shut off the camera

March 5, 2013
2:14 PM Camera – take picture of a pepsi cup
2:16 PM Camera – take picture of a laptop with a peace sign on it

March 6, 2013
2:37 PM Twitter – post “Logs are awesome!!”

March 13, 2013
8:33 PM Facebook – tagged by cat stamm “Sammy sung will always remember his facebook friends!”

March 14, 2013
1:01 PM Gallery – Delete pictures of truecrypt icon, pepsi cup, Julie on the couch, the irish flag, and Chobi yogurt
1:03 PM Facebook – Post status “It’s almost time to go back in the box :(”
1:04 PM Facebook – Delete mobile upload picture of Alyse and Laura on the couch
1:04 PM Facebook – Delete status “thanks for all the birthday wishes!”
1:05 PM Facebook – Delete message to Alex “be my friend”
1:06 PM Facebook – Message Cat Stamm “Hey!”
1:06 PM Facebook – Receive message from Cat Stamm “hey Sammy what’s up”
1:06 PM Facebook – Respond to Cat “nothing really just working”
1:07 PM Facebook – Cat sends “well that’s cool. Hows your project going”
1:07 PM Facebook – Sammy replies “it’s fine! I’m really close to finishing”
1:10 PM Facebook – Cat Stamm replies “well good luck!”
1:11 PM Facebook – Delete 3 Facebook friends: Sara, Kody and Toni
1:13 PM Facebook – Sammy messages Cat Stamm a picture of Leonardo’s pizza box and then deletes it
1:13 PM Facebook – Cat Stamm responds “that looks good”
1:13 PM Facebook – Sammy replies back “It was!”
1:15 PM Facebook – Message Alex a picture of lay’s chips
1:18 PM Facebook – Alex responds “why?”
1:19 PM Delete voicemail from Google Voice
1:20 PM Delete Google Voice conversation with Alex
1:30 PM Delete email from Groupon “76% off earbuds”
1:30 PM Delete email from Facebook “christine wants to be your friend”
1:31 PM Delete email from talkatone “welcome”
1:31 PM Delete email to jjs2 “Hi Dad”
1:40 PM Delete Talkatone conversation with Alyse
1:41 PM Delete contacts Sarah and Chloe
1:45 PM Maps – Search for North Babylon and click directions, use the navigator
3:50 PM Default Browser – Google search android phones, click images, and download pictures of a white android phone and an android phone comparison chart
3:51 PM Default Browser – Google search teddy bear, click images, download 2 bears together, download 1 bear that says I love you with a heart, and download a picture of Ted
4:20 PM Twitter – post a picture of Alex’s laptop
5:01 PM S Planner – Created event “Kip Moore”
5:01 PM S Planner – Created event “Graduation”
5:01 PM S Planner – Created event “Last day of class”
5:02 PM S Planner – Deleted events “Kip Moore”, “Graduation” and “Last day of class”
5:15 PM Music – delete mylife.mp3
5:17 PM Twitter – post “@cat_stamm what am I doing?”
5:20 PM Twitter – Direct message from sammysung131 to cat_stamm “im hungry” sent
5:28 PM Google Search Bar with Voice – search for turtles, click on Wikipedia page
5:29 PM Google Search Bar with Voice – search for windex, click on no links
5:30 PM Google Search Bar with Voice – search north Babylon high school, click link
5:30 PM Google Search Bar with Voice – search Toyota prius and click Toyota.com
5:40 PM Default Browser – Google search Barack Obama – click barackobama.com – click menu, save for offline reading and click back arrow
5:41 PM Default Browser – Click Wikipedia page on Barack Obama, save it for offline reading
5:43 PM Default Browser – Type in URL “baseball.com” and click back arrow
5:43 PM Default Browser – Start a new Incognito page, type in “fish tank” and click petsmart.com
5:45 PM Default Browser – In incognito page: search for “how long do fish live”, click on no links
Clear all history and cache for Default Browser

March 16, 2013


3:12 PM Remote View Finder – take picture of Alex’s research paper, take a picture of the LCDI board and of the black expo pen

March 20, 2013
3:14 PM Twitter – Direct message from cat_stamm to sammysung131 “hey buddy!” was sent
3:16 PM Twitter – Direct message from sammysung131 to Cat_stamm “hello” was sent
3:17 PM Twitter – Direct message from cat_stamm to sammysung131 “hows it going” sent
3:18 PM Twitter – Delete direct message “hey buddy!”

Appendix B. Root

As previously mentioned, the Samsung Galaxy camera was rooted. When trying to figure out how to root the camera, an article was found by XDA developer Adam Outler (McGee). He recently came up with a method to root the camera using Odin3 and CF-Auto-Root. Rooting Android devices allows a user to obtain full access to the operating system. This is typically necessary for forensic examiners, as most mobile forensic tools require root access in order to function. To root the camera, Odin3 and CF-Auto-Root must be downloaded. Once the necessary packages were downloaded, the Volume Down, Camera, and Power buttons were pressed simultaneously (Figure 1). The camera then went into download mode (Figure 2) and the process continued. The next step to gaining full access to the camera was to plug the device into a computer and open Odin3. The ID:COM section needed to turn yellow before beginning root, as it indicated the software had recognized the camera. Once that section was yellow, the PDA section (Figure 3) had to be filled with the path to CF-Auto-Root. The rooting process began once start was pressed and then in a matter of minutes the camera rebooted and started as normal. To validate that the camera was rooted, an application called SuperSU was found on the camera itself.

Figure 1.

Figure 2.

Figure 3.


Works Cited.

“Android ADB.” Developer. Android Developer, n.d. Web. 10 Apr. 2013.

“Android Forensics Tool: AFLogical.” ViaForensics. ViaForensics, n.d. Web. 8 Apr. 2013.

“Android SDK.” Developer. Android Developer, n.d. Web. 10 Apr. 2013.

“Best Computer Forensics Tool.” SC Magazine. SC Magazine, 15 Feb. 2011. Web. 8 Apr. 2013.

“Samsung Galaxy Camera GC100 Specs.” Full Phone Specifications. GSM, n.d. Web. 9 Apr. 2013.

“Top Sites.” Alexa Top 500 Global Sites. Alexa Rank, n.d. Web. 10 Apr. 2013.

“UFED Touch Ultimate.” Cellebrite: Mobile Forensics. Cellebrite, n.d. Web. 10 Apr. 2013.

Kswartz. “.” HOW TO: Forensically Examine an Android Device with AFLogical OSE on Santoku Linux. Santoku-Linux, n.d. Web. 3 Feb. 2013.

Kivu Consulting combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Kivu’s digital forensics professionals are experts in collecting, analyzing and processing computer data. Organizations are storing information on ever-increasing numbers of devices, operating systems and shared platforms. These range from mobile devices to distributed “cloud networks.” The result has been an explosion in vulnerability to data theft and the potential cost of e-discovery. Kivu is unique in understanding the legal implications and advising on the technical and practical challenges of digital forensics in the modern workplace. Our in-house team has testified as experts and worked

About the Author

Catherine Stamm is a Digital Forensic Analyst at Kivu Consulting. Catherine has worked on cases involving theft of trade secrets, Internet harassment, and workplace investigations. Catherine has extensive experience in the forensic analysis of PC and Mac OS systems, mobile forensics, forensics and RAM analysis. Previously, she was a forensics researcher at the Senator Patrick Leahy Center for Digital Investigation (LCDI). Catherine has also served as a certified Crisis Worker in Vermont. Catherine can be reached by email at [email protected].

kivuconsulting.com | [email protected] | 415.524.7320