Evaluation and Identification of Authentic Smartphone Data
Evaluation and Identification of Authentic Smartphone Data by Heloïse Pieterse

Submitted in fulfilment of the requirements for the degree Philosophiae Doctor (Computer Science) in the Faculty of Engineering, Built Environment and Information Technology, University of Pretoria, Pretoria, July 2019

Publication data: Heloïse Pieterse. Evaluation and Identification of Authentic Smartphone Data. Doctoral thesis, University of Pretoria, Department of Computer Science, Pretoria, South Africa, July 2019. Electronic, hyperlinked versions of this thesis are available online, as Adobe PDF files, at: http://repository.up.ac.za

Abstract

Mobile technology continues to evolve in the 21st century, providing end-users with mobile devices that support improved capabilities and advanced functionality. This ever-improving technology allows smartphone platforms, such as Google Android and Apple iOS, to become prominent and popular among end-users. The reliance on and ubiquitous use of smartphones render these devices rich sources of digital data. This data becomes increasingly important when smartphones form part of regulatory matters, security incidents, or criminal or civil cases. Digital data is, however, susceptible to change and can be altered intentionally or accidentally by end-users or by installed applications. It is therefore essential to evaluate the authenticity of data residing on smartphones before submitting that data as potential digital evidence. This thesis focuses on digital data found on smartphones that has been created by smartphone applications, and on the techniques that can be used to evaluate and identify authentic data. Identification of authentic smartphone data necessitates a better understanding of the smartphone, the related smartphone applications and the environment in which the smartphone operates.
Derived from the conducted research and the gathered knowledge are the requirements for authentic smartphone data. These requirements are captured in the smartphone data evaluation model to assist digital forensic professionals with the assessment of smartphone data. The smartphone data evaluation model, however, only stipulates how to evaluate the smartphone data and not what the outcome of the evaluation is. Therefore, a classification model is constructed using the identified requirements and the smartphone data evaluation model. The classification model presents a formal classification of the evaluated smartphone data as an ordered pair of values: the first value represents the grade of authenticity of the data and the second value describes the completeness of the evaluation. Collectively, these models form the basis for the developed Smartphone Application Data Authenticity Classifier (SADAC) tool, a proof-of-concept digital forensic tool that assists with the evaluation and classification of smartphone data.

To conclude, the evaluation and classification models are assessed to determine the effectiveness and efficiency of the models in evaluating and identifying authentic smartphone data. The assessment involved two attack scenarios that manipulate smartphone data, followed by an evaluation of the effects of these attack scenarios using the SADAC tool. The results produced by evaluating the smartphone data associated with each attack scenario confirmed that classifying the authenticity of smartphone data is feasible. Digital forensic professionals can use the provided models and the developed SADAC tool to evaluate and identify authentic smartphone data. The outcome of this thesis provides a scientific and strategic approach for evaluating and identifying authentic smartphone data, offering needed assistance to digital forensic professionals.
This research also adds to the field of digital forensics by providing insights into smartphone forensics, the architectural components of smartphone applications and the nature of authentic smartphone data.

Keywords: Digital forensics, Mobile forensics, Smartphones, Smartphone applications, Smartphone data, Authenticity, Evidence, Reference architecture, Android, iOS.

Supervisor: Prof. M. S. Olivier
Co-Supervisor: Dr. R. P. van Heerden
Department: Department of Computer Science
Degree: Philosophiae Doctor

To My Mother
For continuously being a guiding light in my life.

"The grey rain curtain of this world rolls back, and all turns to silver glass... and then you see it. White shores. And beyond... a far green country under a swift sunrise."
Gandalf the White - The Lord of the Rings: The Return of the King (2003)

Acknowledgements

My sincere gratitude to God, the Almighty, for providing me with the skills, opportunity and determination to complete this work. You carried me during times of great difficulty and I am forever grateful to You.

I would also like to express my appreciation and gratitude to Professor Martin Olivier for his professional insight, guidance and support. Thank you for all your assistance and for helping me to complete this journey. I hope to continue collaborating in the near future.

My thanks to Dr. Renier van Heerden for his continuous guidance and inspiring suggestions. All your contributions have been extremely valuable and improved the quality of the thesis.

Words cannot express my gratitude to my parents, Marius and Ria Pieterse, for their continued love and unwavering belief in my success. Thank you for all the words of encouragement and support when I needed it most.

Thanks to all my friends and family for their love and support during many years of hard work. A special word of thanks to Tielman Meyer and Mari Pieterse.
I would also like to take this opportunity to say a big thank you to all my colleagues at the Cyber Warfare Research Group, Defence and Security, CSIR, for their advice and ideas. A special word of thanks to Dr Jabu Mtsweni, for providing me with valuable time to complete my thesis, and to Ivan Burke, for his mathematical support.

I am grateful for the financial support that I received from the Council for Scientific and Industrial Research and the University of Pretoria.

To everyone else that has played a part in the success of this research, thank you very much.

Contents

List of Figures ... vi
List of Tables ... viii

1 Introduction ... 1
1.1 Motivation ... 2
1.2 Problem Statement ... 4
1.3 Scope of the Research ... 5
1.4 Objectives ... 6
1.5 Research Methodology ... 7
1.6 Terminology ... 8
1.7 Thesis Layout ... 10
1.8 Summary ... 12

2 Mobile Device Forensics ... 13
2.1 Mobile Device Classification ... 14
2.2 Mobile Operating Systems ... 17
2.2.1 Active Mobile Operating Systems ... 17
2.2.2 Discontinued Mobile Operating Systems ... 19
2.3 Need for Mobile Device Forensics ... 20
2.4 Purpose of Mobile Device Forensics ... 22
2.5 Forensic Examination of Mobile Devices ... 22
2.5.1 Sources of Mobile Device Data ... 23
2.5.2 Classification of Acquisition Tools ... 24
2.5.3 Mobile Forensic Toolkits ... 28
2.5.4 Forensic Investigation Process Models for Mobile Devices ... 30
2.6 Mobile Device Forensic Challenges ... 33
2.6.1 Diversity of Mobile Devices ... 33
2.6.2 Mobile Device Design ... 34
2.6.3 Improving Mobile Device Technology ... 34
2.7 Summary ... 35

3 Smartphone Forensics ... 36
3.1 Smartphone Operating Systems ... 37
3.1.1 Google Android ... 37
3.1.2 Apple iOS ... 41
3.2 Forensic Examination of Smartphones ... 43
3.2.1 Android Forensics ... 44
3.2.2 iOS Forensics ... 51
3.3 Challenges for Smartphone Forensics ... 57
3.3.1 Acquisition Challenges ... 57
3.3.2 Malicious Applications ... 58
3.3.3 Anti-Forensics ... 59
3.4 Summary ... 61

4 Smartphone Data ... 62
4.1 What is Smartphone Data? ... 63
4.2 Sources of Smartphone Data ... 63
4.2.1 SIM Card Data ... 64
4.2.2 Device-specific Data ... 64
4.2.3 User-created Data ... 65
4.2.4 Sensor Data ... 66
4.2.5 Application-related Data ... 66
4.3 Storage Structures for Smartphone Data ... 67
4.3.1 Plain Text Files ... 67
4.3.2 Extensible Markup Language (XML) ... 68
4.3.3 Property Lists ... 68
4.3.4 SQLite Databases ... 70
4.4 Value of Analysed Smartphone Data ... 72
4.5 Measures to Ascertain the Authenticity of Smartphone Data ... 74
4.6 Limitations of Authenticity Measures ... 76
4.7 Summary ... 77

5 Reference Architecture for Smartphone Applications ... 78
5.1 Existing Reference Architectures ... 79
5.2 Reference Architecture Derivation Process ... 81
5.2.1 Conceptual Architecture of Android Applications ... 82
5.2.2 Conceptual Architecture of