Android Anti-Forensics: Modifying Cyanogenmod

Android Anti-Forensics: Modifying Cyanogenmod

2014 47th Hawaii International Conference on System Science Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson William Bradley Glisson University of Glasgow University of South Alabama [email protected] [email protected] Abstract component analysis, an analyst would start by Mobile devices implementing Android operating disassembling the phone and removing the surface systems inherently create opportunities to present mounted memory chips, which is a delicate and environments that are conducive to anti-forensic highly risky procedure. The memory chips can be activities. Previous mobile forensics research focused read by standardized readers, but the interpretation of on applications and data hiding anti-forensics the data depends on the software running on the solutions. In this work, a set of modifications were phone. A much easier method is to let the phone run, developed and implemented on a CyanogenMod and access the data through the normal interfaces community distribution of the Android operating provided by the software. However, this presents a system. The execution of these solutions successfully high risk of data being modified, both as a normal prevented data extractions, blocked the installation of function of the phone and/or by specialized anti- forensic tools, created extraction delays and forensic applications. The savings in time and effort presented false data to industry accepted forensic gained by the utilization of normal interfaces are analysis tools without impacting normal use of the substantial enough that this technique is endorsed by device. The research contribution is an initial the Association of Chief Police Officers (ACPO) [32] empirical analysis of the viability of operating system and the American National Institute of Standards and modifications in an anti-forensics context along with Technology [24]. providing the foundation for future research. Due to this acceptance, forensic analysts rely heavily on the correct functioning of the phone's software when performing analyses. Hence, altering functionality is a way of thwarting an analysis. 1. Introduction Smartphones running operating systems such as Android and iOS are designed to allow the The increasing integration of mobile smartphones, installation of third-party applications. This has in today’s digitally dependant, highly networked, allowed for the development of applications with communication based societies creates an anti-forensic functionality [7, 12, 27]. However, these environment that is conducive to encouraging anti- applications have to work under the restrictions forensics activities. According to the International imposed by the operating system, such as application Telecommunications Union [23], at the end of 2011 isolation and responsiveness demands. If anti- there were almost six billion mobile phone forensic modifications were to be made on a lower subscriptions for a world population of seven billion. level, these restrictions would not apply in the same In the fourth quarter of 2012, 207.7 million way, possibly making more advanced methods smartphones were sold with Android capturing over available. This idea promoted research into the 50% of the operating system market [13]. hypothesis that it is possible to modify the Android Smartphones can be described as general-purpose operating system to present false information to the computers with an attached phone. As such, many forensics tools. Several subsidiary research questions people use smartphones for their daily consumption, were identified in order to explore the hypothesis: storage and communications tasks. This makes 1. Which components of the Android operating smartphones a great source of forensic evidence system do the forensics tools trust? while, simultaneously, presenting interesting analysis 2. Is it possible to modify these components to challenges. present false information? Mobile smartphones are highly integrated devices 3. Can the presence of a forensic analysis tool be that are built from non-standard components, running detected? software which is often proprietary, undocumented 4. Is it possible to make the presentation of false and frequently changed. To perform a component-by- information reversible, such that the phone will 978-1-4799-2504-9/14 $31.00 © 2014 IEEE 4828 DOI 10.1109/HICSS.2014.593 revert to presenting the real information after the Data hiding on mobile devices will implement forensic analysis? substantially similar approaches to that of personal The research contribution is an initial empirical computers like steganography, deleted files, and analysis of the viability of operating system storing data in the cloud or in other users' storage modifications in an anti-forensics context along with space. The caveat with this approach on mobile providing the foundation for future research in this devices is that recovery of deleted files depends on area. The paper is structured as follows: Section 2 the file system. Many mobile devices use a version of discusses relevant approaches to smartphone anti- Yet Another Flash File System (YAFFS) [1], which forensics. Section 3 presents the methodology, and may be unsupported in commercial forensics tools. the experimental design. Section 4 discusses the Specific for Android is the separation between implementation and results. Section 5 draws different applications enforced by the operating conclusions from the research conducted and Section system. Every application is run as its own Linux 6 presents future work. user. Standard Linux file system permissions are used to ensure that no other application can read its files. 2. Relevant Work This also applies to the applications uploaded to the phone by forensic analysis tools. This protection can only be bypassed if the phone is first rooted. If that is Recent research investigates the risk that mobile done, software can use the elevated privilege to read phones present to individual members of society [16] the entire file system. and to the business world [14]. It has also examined On a non-rooted phone, then, information can be some of the challenges these devices present to hidden by having an application store it somewhere forensic investigations [9, 17, 18, 25]. Hence, it is secluded and restore it at a later time (such as when only a matter of time before individuals, the user enters a password). This approach was tested organizations and businesses implement solutions to by Distefano et al. [12]. Their program takes data mitigate these risks through anti-forensics activities. from a number of standard databases on the phone Anti-forensics in this case is broadly defined as (e.g. contact list, call logs, and SMS messages) and “any attempts to compromise the availability or user-specified files, copies this data to files in the usefulness of evidence to the forensics process. program’s directory and deletes the originals. This Compromising evidence availability includes any approach also allows for quick mass deletion, since attempts to prevent evidence from existing, hiding the Android package manager deletes all files private existing evidence or otherwise manipulating evidence to an application if it is uninstalled. to ensure that it is no longer within reach of the They attempted to use the forensics tool Paraben investigator” [19]. While several data extraction Device Seizure [30], but found that this was options exist for mobile devices, research has incompatible with the phone they were using. highlighted the fact that not all extraction solutions Instead, they used backup programs, which require are equal nor do they necessarily provide the ability the phone to be rooted and perform a logical to validate results [15]. This can be attributed to an acquisition of the phone memory. As expected, these array of factors that include numerous mobile phone programs were able to read the private directory hardware configurations and vast numbers of devices where the data had been stored. Had the phone not in the market. Hence, the extractions that are most been rooted, the backup programs would not have likely to be implemented with higher degrees of worked [20]. success are logical and manual extractions. Distefano, et al. [12] say nothing about how their Android is a young operating system, with the data hiding program is triggered, nor when data is put first commercial device, the HTC Dream, also known back. They do, however, include test results for how as the T-Mobile G1, launched in September 2008 long it takes for the hiding process to run. This was [31]. Hence, it is expected that the Android forensics on the order of 10 seconds, depending on the amount and anti-forensics literature will not be as established of data to be hidden. This suggests that the hiding as the ones for Windows PCs. Harris [19] classifies process is action sensitive, which would be the case if anti-forensics into four groups: hiding, destruction, it was triggered by the connection or starting of a source elimination and counterfeiting. Kessler [26] forensics tool. Presumably, the data would then be also categorizes anti-forensics into similar groups manually restored by the user after regaining control which consist of data hiding, artifact wiping, trail over the phone. obfuscation, and attacks against processes and tools. 2.2 Artifact wiping 2.1 Data hiding 4829 Artifact wiping is the act of overwriting data so to make the phone act as if a user is present, thereby that it is impossible to restore, even with un-deletion

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us