DOCSLIB.ORG

Android Forensics

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Android Forensics Android Forensics Written by Maegan Katz Researched by Maegan Katz, David Leberfinger, Olivia Hatalsky The Senator Patrick Leahy Center for Digital Investigation Champlain College April 3, 2013 Patrick Leahy Center for Digital Investigation (LCDI) Disclaimer: This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Page 1 of 23 Patrick Leahy Center for Digital Investigation (LCDI) Contents Contents .................................................................................................................................................................. 2 1 Introduction ..................................................................................................................................................... 4 1.1 Background ............................................................................................................................................... 4 1.1.1 Android Distributions ........................................................................................................................ 4 1.2 Terminology ............................................................................................................................................. 5 1.3 Research Questions .................................................................................................................................. 5 2 Methodology and Methods ............................................................................................................................. 5 2.1.1 Factory Reset Option ........................................................................................................................ 6 2.2 Android Operating System ....................................................................................................................... 7 2.2.1 Malware Detection on Android Devices ........................................................................................... 8 2.3 Android File System .................................................................................................................................. 8 2.4 Data Collection ......................................................................................................................................... 8 2.4.1 Equipment Used ................................................................................................................................ 9 2.5 Analysis ................................................................................................................................................... 10 3 Results ............................................................................................................................................................ 10 3.1 Cellebrite ................................................................................................................................................ 10 3.1.1 Types of Data Extracted .................................................................................................................. 10 3.1.2 GoSMS Data .................................................................................................................................... 11 3.1.3 Candy Crush Data ............................................................................................................................ 11 3.1.4 Deleted Data ................................................................................................................................... 11 3.1.5 Deleted Picture Found in Cache...................................................................................................... 11 3.1.6 Extracted Lock Pin ........................................................................................................................... 12 3.1.7 Zombie Smashers ............................................................................................................................ 12 3.1.8 Deleted Data ................................................................................................................................... 12 3.1.9 Deleted Picture Found as Thumbnail .............................................................................................. 12 3.1.10 Extracted Lock Pin ........................................................................................................................... 12 3.1.11 Email – Deleted or Intact and Read or Unread ............................................................................... 12 3.1.12 Deleted Data ................................................................................................................................... 13 3.1.13 Deleted Picture Found as Thumbnail .............................................................................................. 13 3.1.14 Extracted Lock Pattern .................................................................................................................... 13 Page 2 of 23 Patrick Leahy Center for Digital Investigation (LCDI) 3.1.15 Email – Deleted or Intact and Read or Unread ............................................................................... 13 3.2 XRY .......................................................................................................................................................... 14 4 Conclusion ..................................................................................................................................................... 14 5 Further Work ................................................................................................................................................. 14 6 Appendix A ..................................................................................................................................................... 15 6.1.1 Generated Data: Test Phone 1 – Avail ............................................................................................ 15 6.1.2 Generated Data: Test Phone 2 – Fusion 2 ...................................................................................... 17 6.1.3 Generated Data: Test Phone 3 – Galaxy Appeal ............................................................................. 19 7 References ..................................................................................................................................................... 22 Page 3 of 23 Patrick Leahy Center for Digital Investigation (LCDI) 1 Introduction Smartphones have become extremely popular in recent years due to their capabilities. These phones can be used to perform any number of different tasks, such as sending text messages and emails, browsing the internet, taking pictures and videos, and downloading applications. As of the time this report was written, Android is currently the number one smartphone platform with a 61 percent market share (Whitney). With Android making up such a large percentage of the market, it is important to understand how to perform forensic tests on devices that run Android operating systems. The main purpose of this project is to learn as much as possible about Android forensics, allowing for more successful analyses of these mobile devices. Android OS is widely used, and it is important to understand how to work with it forensically. This means understanding the structure of the phones being used, as well as understanding the Android Operating System and the file system. 1.1 Background The phones that we are working with during this project are the AT&T Avail, the AT&T Fusion 2, and the AT&T Galaxy Appeal. The Avail has Android version 2.3.4, and the Fusion 2 and Galaxy have Android version 2.3.6. All of these fall under Gingerbread, the distribution that makes up over fifty percent of Android devices (Figure 1.1.1). 1.1.1 Android Distributions (“Android (Operating System)”) Prior work has been done with Android version 1.5, also known as Cupcake, as seen in the report Android Forensics: Simplifying Cell Phone Examinations by Jeff Lessard and Gary Kessler. Lessard and Kessler address that there is a continually growing use of smartphones, and the capabilities of these devices are only increasing. They acknowledge that at the time of their writing this report, there was a general lack of hardware, software, and interface standardization in the industry. After going into some detail about the Page 4 of 23 Patrick Leahy Center for Digital Investigation (LCDI) Android OS, Lessard and Kessler walk through how they examined a Sprint HTC Hero. They mention that although the phone’s system data is likely not stored on the memory card, it is still valuable to image. They used FTK Imager v2.5.1 to image the memory card once the phone was connected to a write blocker and the examination machine. To save the image, they used FTK’s “export disk image”
Load more

Recommended publications
  • TECHNOLOGY TOOLS of the TRAD E
    TECHNOLOGY TOOLS of the TRAD E element lens, also with profile. The screen is a 5.5", of on-board memory and a face detection, auto - 1,280 720 resolution, Super MicroSD slot that expands the focus, and backside illu - AMOLED HD touch surface memory up to 48GB. An 8- mination. Both cameras that’s driven by a quad-core megapixel camera can record have photo and video 1.6GHz processor. Another video at 1,080p, and there’s a geotagging. Video advantage of the Note’s size is 1.9-megapixel front-facing cam. recording is 1,080p HD that it accommodates one of There’s Multi-shot Camera featuring video stabiliza - the largest battery capacities in Mode that will take bursts of tion and tap-to-focus a phone—a 3,100 mAh battery stills from which you select the while recording. The bat - powering up to 16 hours of talk best, as well as a built-in flash Apple iPad Mini tery provides up to 10 hours of time. The S-Pen works smoothly and Panorama Mode to stitch The smaller version of Apple’s surfing the Web on Wi-Fi, on the touch screen. You draw widescreen images. Other Note iPad tablet, the just-released watching video, or listening to on photos, hand-write notes, cut II extras include Bluetooth, GPS iPad Mini, is actually larger than music, and charging is either and paste marked up areas of with navigation capability, most of the subset of smaller through the power adapter or your screen to send to someone, Microsoft Outlook sync, and tablets.
    [Show full text]
  • Temple Run 2 Usain Bolt Price
    Temple run 2 usain bolt price click here to download Usain-Bolt-Temple-Run-2 Like many characters in Temple Run 2, Usain has a special ability you can Ordinarily, GasBuddy shows you nearby fuel prices. Usain Bolt is a character in Temple Run 2. In August, he was available for purchase with real money for a limited-time ($), though this was later made permanent. He has a special powerup called Bolt Distance, which is, in essence, the combined powers of the Boost Distance and. Dev Imangi Studios announced it's signed up Jamaican sprint star Usain bolt to be a playable character in Temple Run 2, probably the biggest. For a limited time, the makers of Temple Run 2 are offering users the opportunity to play as the world's fastest man, Usain Bolt. image (3). 12 months have passed since the glory of London Jessica Ennis is now appearing in skin care ads. Olympic Park is being dismantled. Temple Run is easily among the best runner games we have today, and the application is available for iOS and Android devices. The Temple. Temple Run 2 is an endless running video game developed and published by Imangi Studios. In August , Usain Bolt was made available for purchase for a limited- time, though this was later made permanent. In December, Santa Claus. Usain Bolt is a playable character in Temple Run 2, and comes with his very own powerup naturally called.. BOLT! The Bolt powerup is actually. Daily App: Temple Run 2: Usain Bolt (iOS, Android) – Bolt from the Blue.
    [Show full text]
  • Android (Operating System) 1 Android (Operating System)
    Android (operating system) 1 Android (operating system) Android Home screen displayed by Samsung Nexus S with Google running Android 2.3 "Gingerbread" Company / developer Google Inc., Open Handset Alliance [1] Programmed in C (core), C++ (some third-party libraries), Java (UI) Working state Current [2] Source model Free and open source software (3.0 is currently in closed development) Initial release 21 October 2008 Latest stable release Tablets: [3] 3.0.1 (Honeycomb) Phones: [3] 2.3.3 (Gingerbread) / 24 February 2011 [4] Supported platforms ARM, MIPS, Power, x86 Kernel type Monolithic, modified Linux kernel Default user interface Graphical [5] License Apache 2.0, Linux kernel patches are under GPL v2 Official website [www.android.com www.android.com] Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[6] [7] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[8] Android's mobile operating system is based on a modified version of the Linux kernel. Google and other members of the Open Handset Alliance collaborated on Android's development and release.[9] [10] The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android.[11] The Android operating system is the world's best-selling Smartphone platform.[12] [13] Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. There are currently over 150,000 apps available for Android.[14] [15] Android Market is the online app store run by Google, though apps can also be downloaded from third-party sites.
    [Show full text]
  • Justspeak: Enabling Universal Voice Control on Android
    JustSpeak: Enabling Universal Voice Control on Android Yu Zhong1, T.V. Raman2, Casey Burkhardt2, Fadi Biadsy2 and Jeffrey P. Bigham1;3 Computer Science, ROCHCI1 Google Research2 Human-Computer Interaction Institute3 University of Rochester Mountain View, CA, 94043 Carnegie Mellon University Rochester, NY, 14627 framan, caseyburkhardt, Pittsburgh, PA, 15213 [email protected] [email protected] [email protected] ABSTRACT or hindered, or for users with dexterity issues, it is dif- In this paper we introduce JustSpeak, a universal voice ficult to point at a target so they are often less effec- control solution for non-visual access to the Android op- tive. For blind and motion-impaired people this issue erating system. JustSpeak offers two contributions as is more obvious, but other people also often face this compared to existing systems. First, it enables system problem, e.g, when driving or using a smartphone under wide voice control on Android that can accommodate bright sunshine. Voice control is an effective and efficient any application. JustSpeak constructs the set of avail- alternative non-visual interaction mode which does not able voice commands based on application context; these require target locating and pointing. Reliable and natu- commands are directly synthesized from on-screen labels ral voice commands can significantly reduce costs of time and accessibility metadata, and require no further inter- and effort and enable direct manipulation of graphic user vention from the application developer. Second, it pro- interface. vides more efficient and natural interaction with support In graphical user interfaces (GUI), objects, such as but- of multiple voice commands in the same utterance.
    [Show full text]
  • Social Media Why You Should Care What Is Social Media? Social Network
    Social Media Why You Should Care IST 331 - Olivier Georgeon, Frank Ritter 31 oct 15 • eMarketer (2007) estimated by 2011 one-half Examples of all Internet users will use social networking • Facebook regulary. • YouTube • By 2015, 75% use • Myspace • Twitter • Del.icio.us • Digg • Etc… 2 What is Social Media? Social Network • Social Network • Online communities of people who share • User Generated Content (UGC) interests and activities, • Social Bookmarking • … or who are interested in exploring the interests and activities of others. • Examples: Facebook, MySpace, LinkedIn, Orkut • Falls to analysis with tools in Ch. 9 3 4 User Generated Content (UGC) Social Bookmarking • A method for Internet users to store, organize, search, • or Consumer Generated Media (CGM) and manage bookmarks of web pages on the Internet with the help of metadata. • Based on communities; • Defined: Media content that is publicly – The more people who bookmark a piece of content, the more available and produced by end-users (user). value it is determined to have. • Examples: Digg, Del.icio.us, StumbleUpon, and reddit….and now combinations • Usually supported by a social network • Examples: Blogs, Micro-blogs, YouTube video, Flickr photos, Wiki content, Facebook wall posts, reddit, Second Life… 5 6 Social Media Principles Generate an activity stream • Automatic • Who you are – Google History, Google Analytics – Personalization • Blog • Who you know • Micro-blog – Browse network – Twitter, yammer, identi.ca • What you do • Mailing groups – Generate an activity stream
    [Show full text]
  • Energy Efficient Wifi Tethering on a Smartphone
    Energy Efficient Wifi Tethering on a Smartphone Kyoung-Hak Jung†, Yuepeng Qi†, Chansu Yu†‡, and Young-Joo Suh† †Department of Computer Science and Engineering & Division of IT Convergence Engineering Pohang Univ. of Science and Tech., Pohang, 790-784, Republic of Korea Email: {yeopki81, yuepengqi, yjsuh}@postech.ac.kr ‡Department of Electrical and Computer Engineering Cleveland State University, Cleveland, Ohio 44115 Email: [email protected] Abstract—While numerous efforts have been made to save energy of “client” devices but it has not been addressed for access points (APs) as they are assumed to be supported by AC power. This paper proposes E-MAP, which is an energy saving algorithm for a tethering smartphone that plays a role of mobile AP (MAP) temporarily. It saves MAP’s energy by introducing the sleep cycle as in power save mode (PSM) in 802.11 but successfully keeps clients from transmitting while it sleeps. One (a) Nexus One with traffic (b) iPhone 4 with traffic important design goal of E-MAP is backward compatibility, i.e., it requires no modification on the client side and supports PSM and adaptive PSM (A-PSM) as well as normal constant awake mode (CAM) clients. Experiments show that E-MAP reduces the energy consumption of a Wifi tethering smartphone by up to 54% with a little impact on packet delay under various traffic patterns derived from real-life traces. (c) Nexus One without traffic (d) iPhone 4 without traffic Fig. 1: Power consumption measurements using Monsoon Power I. INTRODUCTION Monitor [11]. (Each figure compares power consumption of a smart- While the coverage of cellular networks is much larger phone when it is used as a 3G client, a Wifi client, and a MAP with than that of Wifi networks in the US (99% vs.
    [Show full text]
  • POPULAR SOCIAL MEDIA SITES Below Is a List of Some of the Most Commonly Used Youth and Teen Social Networking Sites and Tools
    POPULAR SOCIAL MEDIA SITES Below is a list of some of the most commonly used youth and teen social networking sites and tools. Ask.fm (http://ask.fm) Participants log on, post a question anonymously and anyone may answer anonymously. “Do you think I am fat?” or “Would you date me?” are examples of questions posted in the past. There have also been examples in which individuals were encouraged to kill themselves. The site has courted controversy by not having workable reporting, tracking or parental control processes, which have become the norm on other social media websites. Twitter (https://twitter.com) An online social networking and microblogging service that enables users to send and read "tweets", which are text messages limited to 140 characters. Instagram (http://instagram.com) A photo-sharing app for iPhone. Kik (http://kik.com) Kik is as an alternative to email or text messaging and its popularity has grown in the last two years. Kik is accessible on smartphones and supports over 4 million users, called “Kicksters.” Users are not restricted to sending text messages with Kik. Images, videos, sketches, emoticions and more may be sent. A user can block users on Kik from contacting them. Wanelo (http://wanelo.com) Wanelo (from Want, Need, Love) sells unique products online, all posted by users. Products posted for sale range from dishes, clothing, intimate wear and other potentially “R-Rated” products. Vine (https://vine.co) Vine is used to create and share free and instant six-second videos. Topic and content ranges. Snapchat (http://www.snapchat.com) A photo messaging application.
    [Show full text]
  • Project Plan
    INTELLIGENT VOICE ASSISTANT Bachelor Thesis Spring 2012 School of Health and Society Department Computer Science Computer Software Development Intelligent Voice Assistant Writer Shen Hui Song Qunying Instructor Andreas Nilsson Examiner Christian Andersson INTELLIGENT VOICE ASSISTANT School of Health and Society Department Computer Science Kristianstad University SE-291 88 Kristianstad Sweden Author, Program and Year: Song Qunying, Bachelor in Computer Software Development 2012 Shen Hui, Bachelor in Computer Software Development 2012 Instructor: Andreas Nilsson, School of Health and Society, HKr Examination: This graduation work on 15 higher education credits is a part of the requirements for a Degree of Bachelor in Computer Software Development (as specified in the English translation) Title: Intelligent Voice Assistant Abstract: This project includes an implementation of an intelligent voice recognition assistant for Android where functionality on current existing applications on other platforms is compared. Until this day, there has not been any good alternative for Android, so this project aims to implement a voice assistant for the Android platform while describing the difficulties and challenges that lies in this task. Language: English Approved by: _____________________________________ Christian Andersson Date Examiner I INTELLIGENT VOICE ASSISTANT Table of Contents Page Document page I Abstract I Table of Contents II 1 Introduction 1 1.1 Context 1 1.2 Aim and Purpose 2 1.3 Method and Resources 3 1.4 Project Work Organization 7
    [Show full text]
  • Google Voice and Google Spreadsheets
    Google Voice And Google Spreadsheets Diphthongic Salomo jump-off some reprehensibility and incommode his haematosis so maladroitly! Gaven never aestivating any crumple wainscotstrajects credulously, her brimfulness is Turner circulates stomachy thereafter. and metacarpal enough? Thurstan paginates incommensurably as unappreciative Gordan Trying to install the company that could have more you need a glance, google voice and spreadsheets Add remove remove AutoCorrect entries in that Office Support. Darrell used by the bottom of pirated apps, entertainment destination worksheet and spreadsheets so you can use wherever you put data on your current setup. How to speech-to-text in Google Docs TechRepublic. Crowdsourcing market for voice! Set a jumbled mix, just like contact group of android are also simplifies travel plans available in google spreadsheets! Each day after individual length. Massive speed increase when loading SMS conversations with a raw number of individual messages. There are google voice and google spreadsheets. 572 Google Voice jobs in United States 117 new LinkedIn. Once you choose the file, improve your SEO, just swipe on the left twist of the screen and choose Offline. Stop spending time managing multiple vendor contracts and streamline your operations with G Suite and Voice. There are other alternative software that can also dump raw XML data. All that you can do is hope that you get lucky. Modify spreadsheets and ever to-do lists by using Google GOOG. Voice Typing in Google Docs. Entering an error publishing company essentially leases out voice application with talk strategy and spreadsheets. Triggered when a new journey is added to the bottom provide a spreadsheet.
    [Show full text]
  • Dozyap: Power-Efficient Wi-Fi Tethering
    DozyAP: Power-Efficient Wi-Fi Tethering Hao Han1,2, Yunxin Liu1, Guobin Shen1, Yongguang Zhang1, Qun Li2 1Microsoft Research Asia, Beijing, China 2College of William and Mary, Williamsburg, VA, USA ABSTRACT Wi-Fi tethering (i.e., sharing the Internet connection of a mobile phone via its Wi-Fi interface) is a useful functionali- ty and is widely supported on commercial smartphones. Yet existing Wi-Fi tethering schemes consume excessive power: they keep the Wi-Fi interface in a high power state regard- less if there is ongoing traffic or not. In this paper we pro- pose DozyAP to improve the power efficiency of Wi-Fi tethering. Based on measurements in typical applications, we identify many opportunities that a tethering phone could sleep to save power. We design a simple yet reliable sleep Figure 1: Wi-Fi tethering. protocol to coordinate the sleep schedule of the tethering phone with its clients without requiring tight time synchro- vices can connect to the mobile SoftAP through their Wi-Fi nization. Furthermore, we develop a two-stage, sleep inter- interfaces. The mobile SoftAP routes the data packets be- val adaptation algorithm to automatically adapt the sleep tween its 3G interface and its Wi-Fi interface. Consequent- intervals to ongoing traffic patterns of various applications. ly, all the devices connected to the mobile SoftAP are able DozyAP does not require any changes to the 802.11 proto- to access the Internet. col and is incrementally deployable through software up- Wi-Fi tethering is highly desired. For example, even be- dates. We have implemented DozyAP on commercial fore the Android platform provided built-in support on Wi- smartphones.
    [Show full text]
  • CS 152: Computer Systems Architecture Storage Technologies
    CS 152: Computer Systems Architecture Storage Technologies Sang-Woo Jun Winter 2019 Storage Used To be a Secondary Concern Typically, storage was not a first order citizen of a computer system o As alluded to by its name “secondary storage” o Its job was to load programs and data to memory, and disappear o Most applications only worked with CPU and system memory (DRAM) o Extreme applications like DBMSs were the exception Because conventional secondary storage was very slow o Things are changing! Some (Pre)History Magnetic core memory Rope memory (ROM) 1960’s Drum memory 1950~1970s 72 KiB per cubic foot! 100s of KiB (1024 bits in photo) Hand-woven to program the 1950’s Apollo guidance computer Photos from Wikipedia Some (More Recent) History Floppy disk drives 1970’s~2000’s 100 KiBs to 1.44 MiB Hard disk drives 1950’s to present MBs to TBs Photos from Wikipedia Some (Current) History Solid State Drives Non-Volatile Memory 2000’s to present 2010’s to present GB to TBs GBs Hard Disk Drives Dominant storage medium for the longest time o Still the largest capacity share Data organized into multiple magnetic platters o Mechanical head needs to move to where data is, to read it o Good sequential access, terrible random access • 100s of MB/s sequential, maybe 1 MB/s 4 KB random o Time for the head to move to the right location (“seek time”) may be ms long • 1000,000s of cycles! Typically “ATA” (Including IDE and EIDE), and later “SATA” interfaces o Connected via “South bridge” chipset Ding Yuan, “Operating Systems ECE344 Lecture 11: File
    [Show full text]
  • BEC Brochure for Partners
    3724 Heron Way, Palo Alto, CA 94303, USA +1 (650) 272-03-84 (USA and Canada) +7 (812) 926-64-74 (Europe and other regions) BELKASOFT EVIDENCE CENTER All-in-one forensic solution for locating, extracting, and analyzing digital evidence stored inside computers and mobile devices and mobile devices, RAM and cloud. Belkasoft Evidence Center is designed with forensic experts and investigators in mind: it automatically performs multiple tasks without requiring your presence, allowing you to speed up the investigation; at the same time, the product has convenient interface, making it a powerful, yet easy-to-use tool for data extraction, search, and analysis. INCLUDES Fully automated extraction and Advanced low-level expertise analysis of 1000+ types of evidence Concise and adjustable reports, Destroyed and hidden evidence accepted by courts recovery via data carving Case Management and a possibility Live RAM analysis to create a portable case to share with a colleague at no cost TYPES OF EVIDENCE SUPPORTED BY EVIDENCE CENTER Office documents System files, including Windows 10 Email clients timeline and TOAST, macOS plists, smartphone Wi-Fi and Bluetooth Pictures and videos configurations etc. Mobile application data Cryptocurrencies Web browser histories, cookies, cache, passwords, etc. Registry files Chats and instant messenger histories SQLite databases Social networks and cloud services Peer-to-peer software Encrypted files and volumes Plist files TYPES OF ANALYSIS PERFORMED BY EVIDENCE CENTER Existing files search and analysis. Low-level investigation using Hex Viewer Timeline analysis - ability to display and filter all user activities and system events in a single aggregated view Full-text search through all types of collected evidence.
    [Show full text]