
Android Forensics

Written by Maegan Katz

Researched by Maegan Katz, David Leberfinger, Olivia Hatalsky

The Senator Patrick Leahy Center for Digital Investigation Champlain College

April 3, 2013

Patrick Leahy Center for Digital Investigation (LCDI)

Disclaimer:

This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, neither LCDI nor any of its employees makes any representation, warranty or guarantee in connection with this report, and LCDI hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo, and any references from this report must be properly annotated.

Page 1 of 23 Patrick Leahy Center for Digital Investigation (LCDI)

Contents

Contents ...... 2
1 Introduction ...... 4
1.1 Background ...... 4
1.1.1 Android Distributions ...... 4
1.2 Terminology ...... 5
1.3 Research Questions ...... 5
2 Methodology and Methods ...... 5
2.1.1 Factory Reset Option ...... 6
2.2 Android ...... 7
2.2.1 Malware Detection on Android Devices ...... 8
2.3 Android ...... 8
2.4 Data Collection ...... 8
2.4.1 Equipment Used ...... 9
2.5 Analysis ...... 10
3 Results ...... 10
3.1 Cellebrite ...... 10
3.1.1 Types of Data Extracted ...... 10
3.1.2 GoSMS Data ...... 11
3.1.3 Candy Crush Data ...... 11
3.1.4 Deleted Data ...... 11
3.1.5 Deleted Picture Found in Cache ...... 11
3.1.6 Extracted Lock Pin ...... 12
3.1.7 Zombie Smashers ...... 12
3.1.8 Deleted Data ...... 12
3.1.9 Deleted Picture Found as Thumbnail ...... 12
3.1.10 Extracted Lock Pin ...... 12
3.1.11 Email – Deleted or Intact and Read or Unread ...... 12
3.1.12 Deleted Data ...... 13
3.1.13 Deleted Picture Found as Thumbnail ...... 13
3.1.14 Extracted Lock Pattern ...... 13
3.1.15 Email – Deleted or Intact and Read or Unread ...... 13
3.2 XRY ...... 14
4 Conclusion ...... 14
5 Further Work ...... 14
6 Appendix A ...... 15
6.1.1 Generated Data: Test Phone 1 – Avail ...... 15
6.1.2 Generated Data: Test Phone 2 – Fusion 2 ...... 17
6.1.3 Generated Data: Test Phone 3 – Galaxy Appeal ...... 19
7 References ...... 22


1 Introduction

Smartphones have become extremely popular in recent years due to their capabilities. These phones can be used to perform any number of different tasks, such as sending texts and emails, browsing the internet, taking pictures and videos, and downloading applications. At the time this report was written, Android was the number one platform, with a 61 percent market share (Whitney). With Android making up such a large percentage of the market, it is important to understand how to perform forensic examinations on devices that run the Android operating system.

The main purpose of this project is to learn as much as possible about Android forensics, allowing for more successful analyses of these mobile devices. Android OS is widely used, and it is important to understand how to work with it forensically. This means understanding the structure of the phones being used, as well as understanding the Android Operating System and the file system.

1.1 Background

The phones that we are working with during this project are the AT&T Avail, the AT&T Fusion 2, and the AT&T Galaxy Appeal. The Avail has Android version 2.3.4, and the Fusion 2 and Galaxy have Android version 2.3.6. All of these fall under Gingerbread, the distribution that makes up over fifty percent of Android devices (Figure 1.1.1).

1.1.1 Android Distributions

(“Android (Operating System)”)

Prior work has been done with Android version 1.5, also known as Cupcake, as seen in the report Android Forensics: Simplifying Cell Phone Examinations by Jeff Lessard and Gary Kessler. Lessard and Kessler note that the use of smartphones is continually growing and that the capabilities of these devices are only increasing. They acknowledge that, at the time their report was written, there was a general lack of hardware, , and interface standardization in the industry. After going into some detail about the Android OS, Lessard and Kessler walk through how they examined a Sprint HTC Hero. They mention that although the phone’s system data is likely not stored on the memory card, it is still valuable to image.

They used FTK Imager v2.5.1 to image the memory card once the phone was connected to a write blocker and the examination machine. To save the image, they used FTK’s “export disk image” option, and received output as a raw dd image file. To do this, the devices had to be rooted, as this was the only way to get a raw dd image. Additionally, at the point which this article was written, Cellebrite supported the logical extraction of some Android phones, but not physical extraction.

Even though Lessard and Kessler’s report is only from a few years ago, smartphones have changed greatly and so has the technology used to acquire them. Technology has made it so that it is not always necessary to root a phone to acquire it, and there are now many tools that have simple, easy to use interfaces.

1.2 Terminology

Application Programming Interface (API) Level: API levels, when referring to Android, are integers that denote the amount of functionality in a particular release of the OS. For example, Android 1.0 (the base version) had an API level of 1, while 2.3.4 has an API level of 10 because new functionality and features have been added. The most recent version, Android 4.2, has an API level of 17. API levels hold the most significance for working with the Android platform. They let programmers know what functions they have available to them, as well as which versions of the platform their software may or may not be viable on. If a program was made with an API level of 10, then it would work on any platform with an equal or greater API level, while it might not work on a platform with a lesser value (“What is API Level?”).

Cellebrite (UFED Physical Pro): The Cellebrite is a forensics tool that allows for logical, physical, file system, and password extraction of data from mobile devices.

NAND: NAND is a type of non-volatile storage technology that does not require power to retain data (Rouse).

USB Debugging: This is a function available on the Android platform. USB debugging allows for a user to copy data between a computer and the device, install applications on the device with notifications, and also read log data (“USB Debugging Mode”).

1.3 Research Questions

· Can data be physically and logically extracted from the phones?
· What data can be extracted from the phones?
· Will Cellebrite extract deleted data?

2 Methodology and Methods

The following steps were used to answer the research questions:

Step 1 – Research: The first step was to research the file systems and operating systems of the test phones. The purpose of this was to get a better idea of the capabilities of the three phones, as understanding the file system allows for a better understanding of how the phone stores data.

By going to the settings of the phones, we determined that the OS versions we were dealing with were versions 2.3.4 and 2.3.6. Android phones that run Android version 2.3 have a file system which is either YAFFS or EXT4. EXT4 is found primarily on newer Android phones, while YAFFS is mainly used on older Android phones. EXT4 was introduced when the developers came out with Android version 2.3. With that information, we did research on Android versions 2.3.4 and 2.3.6 and on the YAFFS and EXT4 file systems (see sections 2.2 and 2.3).

Step 2 – Factory Reset: We reset the phones to their factory settings and ran a physical, logical, and file system extraction using the Cellebrite. This emulates the usage of a new phone and allows for a basic understanding of how the file system is structured.

2.1.1 Factory Reset Option

Step 3 – Generate Data: Data was added to the phones, including pictures, text messages, videos, notes, apps, browsing history, contacts, and calendar events. Some of this data was then deleted in order to see if it could be recovered by the Cellebrite. See Appendix A for a chart of the generated data broken down by device.

Step 4 – Cellebrite: The next step was to run the Cellebrite on the phones again, getting logs from the physical extraction, logical extraction, and file system extraction. The results were then reviewed to see what data was extracted from the phones. Mainly, the data we were looking for was non-user-generated data, deleted data, and user-generated data, to confirm that the Cellebrite performed as it was intended to (see section 2.4). For the Fusion 2 and the Galaxy Appeal, the Cellebrite was unable to extract any data using the physical extraction.

Step 5 – XRY: The final step in extracting data was to use the XRY. The idea was to validate the results from the Cellebrite with a similar mobile forensic tool. We were interested in seeing if there were any differences between the data extracted by the Cellebrite and the data extracted by the XRY. There were no logs to review from the XRY because the three test phones were not supported by the XRY.

2.2 Android Operating System

OS Version 2.3.4: Android version 2.3.4 is a maintenance release on Gingerbread, API level 10. It specifically addresses bugs with the Nexus and (“Android 2.3.4 ”). In addition to bug fixes, the update to 2.3.4 included the ability to use Talk, with video and voice chat on phones with front facing cameras, as well as a security update from Google ("Official Android 2.3.4 Update List”). On May 18, 2011, Google acknowledged that there were worries over Android data leaks using 2.3.3, and had fixed the problem for calendar and contacts in the software of 2.3.4. The flaws this update addressed would have potentially allowed third party access to data available in the phone’s calendar and contacts. The fix was implemented on Google’s servers and required no action by the users to apply (Merrett). Potentially, data could have been changed in the calendar or contacts by third party applications without the user even knowing it.

2.3.4 also brought support for Open Accessory API to mobile devices. The Open Accessory API allows external USB hardware to interact with Android powered devices. An example of this implementation on an Android phone would be plugging an Android device into an accessory, like an exercise bike, and having it automatically detect an app that would be able to interact with it (Myers). Because 2.3.4 is a simple maintenance release, the main characteristics of the OS are the same as those found in 2.3.3.

OS Version 2.3.6: Android version 2.3.6 is a further extension of 2.3.3 and is still Gingerbread, API level 10. The new features that 2.3.6 brought with it varied from device to device, but the most noticeable difference was battery life. User reviews claim that they have found they have more free RAM, and that their phones began responding better and faster. Others have claimed that screen issues, such as having the home screen go blank for 5-10 seconds after exiting heavy apps, were resolved.

One of the downsides to 2.3.6, as addressed by Kaspersky Lab in an article from November 2, 2012, is that 2.3.6 is a very appealing target for cybercriminals due to its widespread use. Android 2.3.6 was responsible for 28% of malware detections on Android devices (Figure 2.2.1) (“Malware Targeting Android Has a Taste for Gingerbread and Ice Cream Sandwich”).

2.2.1 Malware Detection on Android Devices

Another downside of the 2.3.6 update is that it caused problems with WiFi and USB tethering on a number of devices (Molen).

2.3 Android File System

The file system of the phone can be determined with the Cellebrite through a physical extraction. After we used a physical extraction, we were able to determine that the file system for the Avail is YAFFS. We were not able to determine the file systems of the other two test phones.

YAFFS (Yet Another Flash File System): YAFFS is the file system that is used on many versions of Android. YAFFS1 was the first version that was released, dealing with NAND chips that had 512 byte pages. The release of newer NAND chips brought larger pages, 2048 bytes, and stricter write requirements. YAFFS2 was created to handle the new NAND chips. YAFFS2 was created from the original YAFFS source code with a few changes, specifically that the new file system does not assume a page size of 512 bytes. This also allows for better scalability in the future when page sizes larger than 2048 bytes are used (“Yaffs Overview”).

EXT4 (Fourth Extended File System): Android now uses EXT4 as its file system. This upgrade replaced the former file system, YAFFS. The former file system was made to be used with flash storage; however, it is a single-threaded file system, meaning that users would see little improvement in performance between a single-core and multi-core system. EXT4 utilizes multi-threading and was already in use by Google in their own systems.

Google switched its entire storage infrastructure from to EXT4 on January 15, 2010. Google announced on December 14, 2010 that they would also be using EXT4 on Android 2.3. The new file system allows for much larger file sizes and supported volume sizes. Volumes can be up to 1 exbibyte (2^60 bytes) and files can be up to 16 tebibytes (2^40 bytes) (Smith).

2.4 Data Collection

See Appendix A for a detailed list of data generated on the test phones.

2.4.1 Equipment Used

Item                  Identifier  Size / Specifications
Test Android Phone 1  002         ATT Avail. Model: ZTE-Z990. Android Version: 2.3.4. Kernel Version: 2.6.35.7. Internal Memory: 512 MB ROM, 512 MB RAM. File System: YAFFS2
Test Android Phone 2  003         ATT Fusion 2. Model: Huawei-U8665. Android Version: 2.3.6. Kernel Version: 2.6.38.6. Internal Memory: 4 GB, 512 MB RAM
Test Android Phone 3  004         Samsung Galaxy Appeal. Model: SAMSUNG-SGH-I827. Android Version: 2.3.6. Kernel Version: 2.6.38.6. Internal Memory: 4 GB, 512 GB RAM, 1.8 GB ROM
Cellebrite            UFED-01     UFED Physical Pro. Software Version: 3.6.0.31
XRY                   XRY-01      XRY Complete. Software Version: 6.4.1

2.5 Analysis

In order to review the Cellebrite data, we took each Cellebrite .ufd file from the phones with generated data and looked to see if undeleted data for a particular section was extracted. If it was, we then examined it further to see if deleted data was extracted as well. Additionally, we compared each of the different types of logs to ensure that the data extracted was consistent throughout. The logical extraction logs were mostly used as a control group. Generally, a basic logical extraction, called “Extract Phone Data” on the Cellebrite, is not very detailed and is not expected to extract as much data as a physical extraction or file system extraction. This is because a logical extraction only extracts logical storage objects, such as directories and files, while the file system extraction looks at the file system as a whole. A physical extraction extracts a copy of the whole physical memory. The main goal of the logical extraction was to see if it could extract undeleted user-generated data such as images, contacts, calls, videos, audio, and calendar events. The file system extraction seemed to give us the best results for each of the phones, but a physical extraction, if it had been possible, most likely would have yielded the best results. The logs showed information such as certain deleted files, screen lock pins and patterns, and a substantial amount of picture data.
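The reconciliation that Steps 3 to 5 and this analysis describe can be written down as a small script; the following is an added example, not code from the LCDI report or from Cellebrite or XRY. A list of generated artifacts with a deleted flag stands in for Appendix A, constructed per-extraction recovery sets stand in for the E, FS and P logs, and the functions measure intact versus deleted recovery per category, use the logical extraction as the control group, and flag items nobody generated (the kind of leftover application data noted in the results). All artifact names, the package name and the recovery sets are constructed for illustration and do not reproduce the report's logs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """One item generated on a test phone before extraction (cf. Appendix A)."""
    category: str   # text, picture, video, call, bookmark, cookie, contact
    name: str       # constructed label; not a real file name from the report
    deleted: bool   # True if the item was deleted on the phone before extraction


# Constructed ground truth in the spirit of the Appendix A entries.
GROUND_TRUTH = [
    Artifact("text", "sms-hi", False),
    Artifact("text", "sms-deleted-1/15", True),
    Artifact("picture", "pen.jpg", True),
    Artifact("picture", "phonebox.jpg", False),
    Artifact("video", "bus.mp4", True),
    Artifact("video", "keyboard.mp4", False),
    Artifact("call", "call-4:27pm", True),
    Artifact("bookmark", "turtle", True),
    Artifact("cookie", "google", True),
    Artifact("contact", "David Leberfinger", False),
]

# Constructed recovery sets keyed by extraction type, using the report's
# abbreviations: E = Extract Phone Data (logical), FS = file system, P = physical.
# Each entry is (category, name) as the examiner would record it from the log.
RECOVERED = {
    "E": {("text", "sms-hi"), ("picture", "phonebox.jpg"),
          ("video", "keyboard.mp4"), ("contact", "David Leberfinger")},
    "FS": {("text", "sms-hi"), ("text", "sms-deleted-1/15"),
           ("picture", "phonebox.jpg"), ("video", "keyboard.mp4"),
           ("call", "call-4:27pm"), ("bookmark", "turtle"), ("cookie", "google"),
           ("contact", "David Leberfinger"), ("app", "com.example.leftover")},
    "P": {("text", "sms-hi"), ("picture", "phonebox.jpg"),
          ("video", "keyboard.mp4"), ("cookie", "google")},
}


def recovery_report(truth, recovered):
    """Per (extraction, category): how many intact and deleted items were recovered.

    Returns {(ext, category): {"intact": (hits, total), "deleted": (hits, total)}}.
    """
    report = {}
    for ext, items in recovered.items():
        counts = defaultdict(lambda: {"intact": [0, 0], "deleted": [0, 0]})
        for art in truth:
            bucket = counts[art.category]["deleted" if art.deleted else "intact"]
            bucket[1] += 1                      # total generated in this bucket
            if (art.category, art.name) in items:
                bucket[0] += 1                  # recovered by this extraction
        for category, c in counts.items():
            report[(ext, category)] = {k: tuple(v) for k, v in c.items()}
    return report


def control_inconsistencies(truth, recovered, control="E"):
    """Treat the logical extraction as the control group: every intact item it
    recovered should also appear in the richer extractions. Returns a sorted
    list of (ext, category, name) for each item that is missing there."""
    intact = {(a.category, a.name) for a in truth if not a.deleted}
    baseline = recovered[control] & intact
    return sorted(
        (ext, category, name)
        for ext, items in recovered.items() if ext != control
        for (category, name) in baseline if (category, name) not in items
    )


def unexpected_items(truth, recovered):
    """Items an extraction reported that were never generated on the phone:
    candidates for non-user-generated data such as leftover application data."""
    known = {(a.category, a.name) for a in truth}
    return {ext: sorted(items - known) for ext, items in recovered.items()}


def deleted_categories_recovered(truth, recovered):
    """Which categories of deleted data each extraction recovered at least once."""
    return {ext: sorted({a.category for a in truth
                         if a.deleted and (a.category, a.name) in items})
            for ext, items in recovered.items()}


if __name__ == "__main__":
    for (ext, category), c in sorted(recovery_report(GROUND_TRUTH, RECOVERED).items()):
        print(f"{ext:>2} {category:<9} intact {c['intact'][0]}/{c['intact'][1]}"
              f"  deleted {c['deleted'][0]}/{c['deleted'][1]}")
    print("control inconsistencies:", control_inconsistencies(GROUND_TRUTH, RECOVERED))
    print("unexpected items:", unexpected_items(GROUND_TRUTH, RECOVERED))
    print("deleted data recovered:", deleted_categories_recovered(GROUND_TRUTH, RECOVERED))
```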

3 Results

3.1 Cellebrite

3.1.1 Types of Data Extracted

Data Type                     Test Phone 1 – Avail   Test Phone 2 – Fusion 2   Test Phone 3 – Galaxy Appeal
Extract Phone Data (E)        Yes                    Yes                       Yes
Physical Extraction (P)       Yes                    No                        No
File System Extraction (FS)   Yes                    Yes                       Yes
Screen Lock                   Yes w/ FS              Yes w/ FS                 Yes w/ FS
Deleted Data                  Some w/ P, FS          Some w/ FS                Some w/ FS
Pictures/Images               Yes w/ E, P, FS        Yes w/ E, FS              Yes w/ E, FS
Videos                        Yes w/ E, P, FS        Yes w/ E, FS              Yes w/ E, FS
Audio                         Yes w/ E, P, FS        Yes w/ FS                 Yes w/ FS
(row label missing)           N/A                    Yes w/ E                  Yes w/ E
Calendar Events               Yes w/ E, FS           Yes w/ E, FS              N/A
Bookmarks/History             Yes w/ FS              Yes w/ FS                 Yes w/ FS
Cookies                       Yes w/ FS              Yes w/ FS                 Yes w/ FS
Wireless Networks             Yes w/ FS              Yes w/ FS                 Yes w/ FS
Applications                  Yes w/ P               No                        No
Notes/Tasks                   No                     No                        No
GPS Location                  Yes w/ FS              No                        No
Documents                     N/A                    N/A                       No
Text Messages                 Yes w/ E, FS           Yes w/ E, FS              Yes w/ E, FS
Calls                         Yes w/ E, FS           N/A                       N/A
Contacts                      Yes w/ E, FS           Yes w/ E, FS              Yes w/ E, FS
Email                         Yes w/ FS              Yes w/ FS                 Yes w/ FS
Accounts                      Yes w/ FS              Yes w/ FS                 Yes w/ FS

Test Phone 1 – Overall Results for Avail:

- Data from the GO SMS application still on the phone even after being uninstalled (Figure 3.1.2)
- Minimal data from Candy Crush even though it was never installed (Figure 3.1.3)
- Able to extract deleted calls, texts, cookies, and bookmarks with a file system extraction (Figure 3.1.4)
- Unable to extract deleted photos and videos, but the photos and a screenshot of the video show up in the cache (Figure 3.1.5)
- Able to extract the screen lock pin with a file system extraction (Figure 3.1.6)
- Physical extraction shows the file system as being YAFFS2

3.1.2 GoSMS Data

3.1.3 Candy Crush Data

3.1.4 Deleted Data

3.1.5 Deleted Picture Found in Cache


3.1.6 Extracted Lock Pin

Test Phone 2 – Overall Results for Fusion 2:

- Minimal data (looks to be ads) from Zombie Smashers even though it was never installed (Figure 3.1.7)
- Able to extract deleted cookies and bookmarks with a file system extraction (Figure 3.1.8)
- Unable to extract deleted photos and videos, but the photos and a screenshot of the video show up in the cache or as thumbnails (Figure 3.1.9)
- Able to extract the screen lock pin with a file system extraction (Figure 3.1.10)
- Shows emails as being read or unread (Figure 3.1.11)
- Physical extraction was unable to extract any data
- No trace of the deleted Bubble Pop app

3.1.7 Zombie Smashers

3.1.8 Deleted Data

3.1.9 Deleted Picture Found as Thumbnail

3.1.10 Extracted Lock Pin

3.1.11 Email – Deleted or Intact and Read or Unread


Test Phone 3 – Overall Results for Galaxy Appeal:

- Able to extract deleted cookies and bookmarks with a file system extraction (Figure 3.1.12)
- Unable to extract deleted photos and videos, but the photos and a screenshot of the video show up in the cache or as thumbnails (Figure 3.1.13)
- Able to extract the screen lock pattern with a file system extraction (Figure 3.1.14)
- Shows emails as being read/unread or deleted/intact, but it does not seem reliable (emails that are unread showing up as read, not all emails extracted, etc.) (Figure 3.1.15)
- No trace of the deleted app
- Physical extraction was unable to extract any data

3.1.12 Deleted Data

3.1.13 Deleted Picture Found as Thumbnail

3.1.14 Extracted Lock Pattern

3.1.15 Email – Deleted or Intact and Read or Unread


3.2 XRY

XRY supports over 5,000 mobile devices, but did not recognize any of the three test devices, and none of the test devices were listed on the supported device list provided by XRY upon inquiry. The Cellebrite’s supported device list, however, does show that all three phones are supported with the UFED Logical (hardware), and that the Avail and Galaxy Appeal are supported with the UFED Ultimate (hardware). See the links below for the full supported devices lists.

Cellebrite supported devices list: http://www.cellebrite.com/mobile-forensic-support/ufed-supported-phones.html

XRY supported devices list available via request: http://www.msab.com/support/faq

4 Conclusion

The results for each of the test phones had certain consistencies, but there were several differences between the data extraction methods. Data could be logically extracted from all of the phones, but could only be extracted physically from Test Phone 1 (AT&T Avail). Based on our research done so far, we have concluded that it is not possible to extract all types of deleted data, such as original videos or pictures, but data such as deleted cookies, bookmarks, and emails certainly could be recovered using a physical or file system extraction with the Cellebrite.

There were multiple types of data that we were able to extract via the Cellebrite, including pictures, text messages, calls, calendar events, videos, bookmarks, screen lock, cookies from the default browser, emails, GPS locations, and wireless networks. The logical extraction consistently extracted pictures, videos, text messages, and contacts from all three of the test phones. Upon looking at the data, we believe this means that Cellebrite has the capability to extract similar data from three different Android phones running Gingerbread, and based on this evidence, we can conclude that the Cellebrite will most likely be able to extract the same information from similar Android phones.

The Cellebrite is undeniably important for mobile forensic examinations. Just like any tool, it is not perfect and was not able to extract all of the data on every phone. Ideally, the perfect tool would be able to extract data logically and physically from all types of Android phones. Cellebrite would be most beneficial if used with another tool, such as the XRY or Oxygen. This would add validity to the results from the Cellebrite and potentially get information that the Cellebrite may have missed.

5 Further Work

There is still more work that can be done with Android forensics. One possible research project would be to take this work a step further and root the phones. Rooting a phone gives the user root access (administrator privileges) to the phone, which in turn gives the user access to more data on the phone. Rooting the phones could allow us to make an image of the data, which could be used with a number of forensics tools. It would also allow for the use of EnCase 7, which requires phones to be rooted in order to physically extract them.

Another possible project would be to go through the same steps we outlined with newer Android phones that run Ice Cream Sandwich or Jelly Bean (Android versions 4.0 and later). Some newer phones that are on the XRY supported list include the Samsung Galaxy S II, Sony Xperia Tipo, and LG Optimus L5.

6 Appendix A

6.1.1 Generated Data: Test Phone 1 – Avail

Date / Time  Description  (Related Figure)

1/14/2013
  4:16pm  Connected to "champlainlab" wireless network.
  4:18pm  Text Message to (xxx) xxx 3464 (My cell phone) - "Hi"
  4:19pm  Call to (570) 317 3464 - Failed to connect, service is unavailable.
  4:21pm  Added Contact - David Leberfinger, (xxx) xxx 3464
  4:23pm  Created Google Account - Name: LCDI Avail Email: [email protected] Password: androidforensics (Didn’t work on phone, did it on Google.com)
  4:27pm  Call to (xxx) xxx 9486 - Failed to connect, service is unavailable.
  5:00pm  Connected Google Account to Gmail (which allowed for Google Play use)
  5:56pm  Downloaded and Installed
  6:00pm  Created Facebook Account - Name: LCDI Avail Email: [email protected] Password: androidforensics
  6:01pm  Accessed Gmail Account to get Facebook Registration Code

1/15/2013
  5:36pm  Downloaded and Installed Ruzzle (a word game)
  5:38pm  Create Ruzzle Account - Username: lcdiavail Email: [email protected] Password: androidforensics
  5:41pm  Challenged a Random Opponent on Ruzzle (Opponent found at 5:54pm)
  5:44pm  Posted Facebook Status
  5:47pm  Downloaded and Installed GO SMS Pro (For texting over WiFi)
  5:50pm  Text Message to (xxx) xxx 9486 using GO SMS Pro - Text Message "Failed"
  5:53pm  Uninstalled GO SMS Pro (Text messages sent using this app still show up in phone's messaging app)  (Figure 3.1.2)
  6:45pm  Took Picture of Pen
  6:46pm  Deleted Picture of Pen  (Figure 3.1.5)
  6:47pm  Took Picture of Phone Box
  6:49pm  Took 10 Sec Video of Bus
  6:51pm  Took 21 Sec Video of Keyboard
  6:52pm  Deleted Video of Bus
  6:53pm  Text Message to (xxx) xxx-9486
  6:54pm  Deleted Text Message to (xxx) xxx 9486 from 6:53pm, 1/15/13
  6:56pm  Added Event to Calendar - Wed, Jan 30, Dentist
  6:58pm  Browsed Internet - Googled: Turtle Eating Strawberry
  6:59pm  Downloaded Image of Turtle Eating Strawberry - Saved in Downloads
  7:04pm  Added Note to Notepad about Shopping
  7:07pm  Deleted Call to (xxx) xxx 9486 from 4:27pm, 1/14/13
  7:10pm  Searched for Champlain College on Application
  7:11pm  Used Google Maps Application to get Directions from my Location to Champlain College
  7:13pm  Watched Family Guy Clip on YouTube Application

1/16/2013
  11:15am  Changed the photo box on the desktop 4.
  11:16am  Took a photo of computer screen. IMG_20130116_111631
  11:17am  Watched video of keyboard.
  11:18am  Downloaded StumbleUpon App.
  11:19am  Moved StumbleUpon App to desktop 4.
  11:20am  Signed up for StumbleUpon with Google account. Set birthday to 14 Jan 1994. Too young to put in date associated with the Google account.
  11:22am  Set interests. Animals, Arts, Bizarre/Oddities, Cars, Design, Dogs, Electronic Devices, Fitness, Futurism, Gadgets, Humor, Internet, Nature, Outdoors, Photography, Technology.
  11:24am  Started "stumbling".
  11:25am  Downloaded Moon.jpg.
  11:29am  Opened browser, searched for Ferrari 275 GTB.
  11:30am  Went to Ferrari 275 page.
  11:31am  Checked email via notification.
  11:32am  Opened "Welcome to StumbleUpon" email and deleted it.
  11:33am  Opened Ruzzle. Played round 2 against YELP.
  11:37am  Searched for and downloaded Spotify app.
  11:38am  Downloaded Google Voice.
  11:38am  Opened Spotify.
  11:39am  Logged in with Facebook.
  11:41am  Listened to "Wings".
  11:42am  Listened to "Thrift Shop".
  11:42am  Opened Google Voice.
  11:42am  Signed in with Google account.
  11:43am  Set voicemail pin to 2013.
  11:44am  Failed to set up Google Voice. Couldn't verify phone number - Probably because of no service.
  11:45am  Sent email To "[email protected]" Subject "Test" Body "This is a test."
  11:47am  Listened to "Money Talks".
  11:49am  Listened to "The Gambler".
  11:50am  Opened Facebook.
  11:54am  Opened Task Manager. Closed some applications.
  11:56am  Uninstalled Google Voice via Application Manager in the Settings menu.
  11:58am  Set up lock screen pin number to 2013.  (Figure 3.1.6)
  11:59am  Replaced Email app on desktop 3 with Gmail app.
  12:03pm  Plugged phone into computer to charge.
  12:15pm  Created note in Notepad - Stuff.
  12:17pm  Created note in Notepad - All kinds of stuff.
  12:18pm  Deleted note in Notepad - All kinds of stuff.
  12:19pm  Searched for Hulu on the Market.
  12:22pm  Read reply from "[email protected]" body "This isn't a test." Deleted the email.
  12:23pm  Opened NFS Shift. Asked to download, allowed it to download the app.
  12:29pm  App finished downloading, opened app. Played 1 race, closed app.
  12:32pm  Opened .
  12:33pm  Created Twitter account Name Lcdi Avail Username Lcdiavail Password androidforensics
  12:35pm  Tweeted "This is a twit about tweeter".
  12:36pm  Read email "Confirm your Twitter account, lcdiavail!".
  12:37pm  Clicked link in email to confirm account.

1/18/2012
  1:11pm  Opened up Play Store - Did 11 Automatic Updates and 5 Manual Updates
  1:35pm  Only some of the updates were successful due to limited space
  1:38pm  Moved Word Doc from computer to downloads folder
  1:55pm  Shared picture of limes via
  1:56pm  Set wallpaper as lime picture

6.1.2 Generated Data: Test Phone 2 – Fusion 2

Date / Time  Description  (Related Figure)

2/1/13
  1:13pm  Connected to “champlainlab” network
  1:16pm  Created Google Account – Name: LCDI Fusion Email: [email protected] Password: androidforensics Bday: Feb 14, 1992
  1:21pm  Added LCDI Galaxy as contact under gmail account option in phonebook
  1:26pm  Added LCDI Avail as contact in phonebook
  1:45pm  Created Facebook Account - Name: John Smith Email: [email protected] Password: androidforensics Alternate Name: LCDI

2/1/13
  3:25pm  Opened browser and went to Google
  3:26pm  Searched Kitten playing with yarn
  3:28pm  Downloaded picture of Kitten playing with yarn
  3:29pm  Watched video of Kitten playing with yarn on YouTube
  3:31pm  Opened the Play Store and agreed to the terms and services
  3:32pm  Downloaded Shoot Bubble Deluxe
  3:33pm  Opened and played Shoot Bubble Deluxe
  3:41pm  Sent a text message to (xxx) xxx 1379 (Olivia’s phone)
  3:43pm  Took a picture of my phone, and the computer mouse
  3:44pm  Took a 30 second video of a YouTube video that was on the computer
  3:46pm  Created calendar event “Free Movie Night” for Feb 7th at 8:45pm
  3:49pm  Text message still says sending, deleted text
  3:51pm  Created contact for “Olivia” phone number (xxx) xxx 1379
  3:53pm  Created a shortcut on desktop 2 for Shoot Bubble Deluxe
  3:53pm  Opened task manager
  3:54pm  Ended all running tasks
  3:54pm  Created a shortcut on desktop 3 for bejeweled 2
  3:55pm  Opened Bejeweled 2
  4:02pm  Ended demo of Bejeweled, app auto closed
  4:04pm  Deleted the picture of my phone and the mouse
  4:05pm  Opened the Play Music app
  4:05pm  Linked the fusion’s email with Music
  4:05pm  Visited the Play Store to browse for free tracks
  4:08pm  Exited Play Music and Google Play
  4:09pm  Opened YouTube app
  4:10pm  Searched for and watched True Love by Motion City Soundtrack
  4:19pm  Closed YouTube app
  4:22pm  Took a picture of the computer screen
  4:23pm  Attempted to send another text to my (Olivia) phone, service was unavailable
  4:23pm  Deleted text
  4:24pm  Googled “weather for Burlington VT”
  4:25pm  Opened the Play Store app and searched for “weather channel”
  4:26pm  Downloaded the free Weather Channel app
  4:27pm  Downloaded Temple Run 2
  4:28pm  Added The Weather Channel app to desktop 1
  4:28pm  Turned GPS on
  4:30pm  Added Temple Run 2 to desktop 2
  4:30pm  Opened Temple Run 2
  4:36pm  Quit Temple Run 2
  4:36pm  Entered Task Manager and closed all running applications
  4:38pm  Opened Maps, used My Location to get directions to 246 South Willard St, Burlington VT
  4:40pm  Deleted Kitten playing with yarn  (Figure 3.1.9)
  4:42pm  for: purple wallpaper for android
  4:44pm  Web browser crashed when I tried to set an image as my wallpaper
  4:44pm  Repeated my search with the same criteria
  4:45pm  Saved image 2448-1-com.custom.lep.purpleflo.jpg
  4:46pm  Set 2448-1-com.custom.lep.purpleflo.jpg as the wallpaper
  4:47pm  Deleted the Bejeweled 2 shortcut from desktop 3
  4:51pm  Uninstalled Shoot Bubble Deluxe
  4:53pm  Opened Temple Run 2
  5:00pm  Exited Temple Run 2

2/4/13
  3:40pm  Created note: “This is a new note”
  3:41pm  Created note: “delete me” – deleted note
  3:42pm  Created note in rich pad: “Shopping List”
  3:44pm  Created note in rich pad: “don’t forget to pick up milk” – deleted note
  3:47pm  Received picture via Bluetooth
  3:49pm  Posted FB Status
  3:51pm  Sent text to (xxx) xxx 9486 “Hey there”
  3:57pm  Set pin to 2013  (Figure 3.1.10)

6.1.3 Generated Data: Test Phone 3 – Galaxy Appeal Date Time Description Related Figure 1/30/13 1:32pm Connected to “champlainlab” network 1:33pm Set time zone to EST Deleted 3 contacts that were on SIM and weren’t removed during 2:20pm system restore 2/1/13 12:58pm Created Google Account – Name: LCDI Galaxy Email:


                   [email protected]; Password: androidforensics; Bday: Feb 14, 1992
          1:20pm   Added LCDI Fusion as contact under Gmail account option in phonebook
          1:24pm   Added LCDI Avail as contact in phonebook
          2:00pm   Created Facebook Account - Name: Jane Smith; Email: [email protected]; Password: androidforensics - Unable to verify account on computer so it will not log in on phone
2/4/13    6:12pm   Created Facebook page (regular Facebook account doesn't work) - Name: LCDI Galaxy; Email: [email protected]; Password: androidforensics
          6:15pm   Logged into Facebook page
2/5/13    3:29pm   Took a picture of a keyboard
          3:30pm   Changed sound settings so that Media, System and Notification sounds are silent and the phone is in
          3:32pm   Opened the Play Store
          3:33pm   Connection to Google Play timed out, retried connection
          3:34pm   Searched Apps on Google Play for Pandora - connection timed out
          3:35pm   Disconnected Wi-Fi from champlainlab
          3:36pm   Reconnected to champlainlab
          3:40pm   Opened web browser but have no Wi-Fi signal to connect with
          3:41pm   Attempted to access google.com, still no connection
          3:43pm   Disconnected from champlainlab and connected to student
          3:44pm   Opened Google Play Store and searched "Pandora"
          3:45pm   Began download of Pandora Internet Radio app - connection timed out
          3:49pm   Connected to champstudent
          3:49pm   Resumed download of Pandora
          3:53pm   Stopped Pandora download because there was no internet connection
          3:54pm   Tried to refresh Google webpage
2/8/13    1:00pm   Attempted to download Pandora - Wi-Fi kept cutting out
          1:02pm   Sent text to (xxx) xxx 9486 - "Hello" and "What's up" - deleted "Hello" text
          1:02pm   Searched for "Monkeys" in browser
          1:03pm   Viewed Wikipedia link from the results
          1:07pm   Bookmarked picture of monkey
2/11/13   1:56pm   Pandora installed successfully
          2:01pm   Moved Play Store app to desktop 1


          2:02pm   Visited Google.com
          2:04pm   Set www.google.com as the browser homepage
          2:05pm   Made "Olivia" a phone number contact
          2:08pm   Changed camera settings to shoot in negative
          2:09pm   Took two pictures, one of a table, the other of a paper note pad
          2:10pm   Set notepad picture as lock screen wallpaper
          2:12pm   Searched Google for "india painted elephants"
          2:13pm   Saved painted elephants picture from National Geographic
          2:14pm   Cropped pictures of elephants
          2:15pm   Deleted uncropped elephants picture
          2:16pm   Switched to a Google image search for pictures
          2:17pm   Saved a picture of a young painted elephant
          2:19pm   Set picture of the young elephant as home screen wallpaper
          2:20pm   Accessed Play Store
          2:22pm   Began download of Temple Run
          2:24pm   Opened Temple Run
          2:27pm   Closed Temple Run
          2:29pm   Took a 15 second video of the lobby
          2:29pm   Watched video of the lobby
          2:30pm   Deleted video of lobby
          3:53pm   Created memo - "Don't forget..."
          3:53pm   Created memo - "Lock box combo..." - deleted memo
          3:55pm   Took video of window
          3:56pm   Deleted picture of foosball table                                       3.1.13
          3:58pm   Created folder "Test" on SD card
          3:59pm   Saved "Test.docx" to SD card - deleted from SD card and resaved in "Test" folder
          4:01pm   Set screen lock pattern to a "Z"                                         3.1.14
          4:04pm   Received picture of flat tire via Bluetooth
          4:06pm   Sent message to contact LCDI Avail - "Hello"
          4:08pm   Created tasks - "Sort pictures" and "Make bed" - deleted task "Make bed"
          4:10pm   Retrieved email on Gmail app
          4:11pm   Added StumbleUpon app
          4:12pm   Deleted Temple Run app
          4:13pm   Signed into StumbleUpon with Google account - picked interests - Stumbled
          4:15pm   Created 15 sec voice recording
          4:18pm   Created Facebook status update via the Facebook mobile site

