DMF Unit 5 Notes

Dmf regulation 2021

Uploaded by umamaheswari0131


DMF UNIT 5 - Notes

Digital and Mobile Forensics (Anna University)


5. Android forensics

• Android forensics is essential. Forensics for Android includes approaches, techniques, and tools. Many tools are covered in this chapter, along with extensive use of the Android Debugging Bridge (ADB).
• The focus is on free or low-cost tools. In this chapter, some material from chapter five is repeated, because some readers will only be interested in iOS forensics, or only in Android forensics, and some of the information overlaps.
• One reason why mobile devices provide so much evidence is their ubiquity. Many people would not think of going anywhere without their smartphone; others carry a tablet with them everywhere. More and more of our lives are conducted on our devices, from ordering food to communicating with friends. Because of the pervasive nature of mobile devices, mobile forensics is important in all types of investigations. Items you should attempt to recover from a mobile device include the following:
• Call history
• Emails, texts, and/or other messages
• Photos and videos
• Phone information
• Global positioning system (GPS) information
• Network information

• Smartphones also allow text messages and email. There is also a wide range of chat apps such as Snapchat, Viber, WhatsApp, WeChat, Signal, etc. Many phone forensics tools will retrieve information from some apps. However, given that there are hundreds of apps, no tool could possibly retrieve data from all of them; in fact, most tools only get data from a few dozen.
• Information about the phone should be one of the first things you document in your investigation. This will include the model number, IMEI number, serial number of the SIM card, operating system, and other similar information. The more detailed, descriptive information you can document, the better. It is important to fully document the details of the phone. Global positioning system information has become increasingly important in a variety of cases. GPS information, even if it is not exact, can determine whether a suspect was in a particular area at the time of the crime.
• The use of Wi-Fi along with GPS will improve the accuracy of GPS. The reason for this is that various organizations, including Google, track the Basic Service Set Identifier (BSSID) used by wireless routers and correlate it with physical addresses.


Forensic Procedures

• There are various standards that provide guidelines for forensic examinations, and mobile forensics is no exception. One standard procedure that you should absolutely follow is to put the phone in airplane mode while working with it: you do not want anyone to be able to remotely access the device. It is also important that you make as few changes as possible to any device you are examining, and airplane mode will assist you with that. One group that is at the forefront of digital forensics procedures is the Scientific Working Group on Digital Evidence (https://www.swgde.org/). SWGDE provides guidance on many digital forensics topics. Related to mobile device forensics, SWGDE provides a general overview of the types of phone forensic investigations, the Mobile Forensics Pyramid. The level of extraction and analysis required depends on the request and the specifics of the investigation. Higher levels require a more comprehensive examination and additional skills, and may not be applicable or possible for every phone or situation. Each level of the Mobile Forensics Pyramid has its own corresponding skill set. The levels are:

• 1. Manual – A process that involves the manual operation of the keypad and handset display to document data present in the phone’s internal memory.
• 2. Logical – A process that extracts a portion of the file system.
• 3. File System – A process that provides access to the file system.
• 4. Physical (Non-Invasive) – A process that provides physical acquisition of a phone’s data without requiring opening the case of the phone.
• 5. Physical (Invasive) – A process that provides physical acquisition of a phone’s data requiring disassembly of the phone to provide access to the circuit board (e.g., JTAG).
• 6. Chip-Off – A process that involves the removal and reading of a memory chip to conduct analysis.
• 7. MicroRead – A process that involves the use of a high-power microscope to provide a physical view of memory cells.

• It is also important to have the appropriate tools for the examination. The United States
National Institute of Standards (NIST) provides guidance on this issue. The NIST-
sponsored CFTT – Computer Forensics Tool Testing Program (http://www.cftt.nist.gov/)
provides a measure of assurance that the tools used in the investigations of computer-
related crimes produce valid results. Testing includes a set of core requirements as well
as optional requirements. It is a good idea to refer to these standards when selecting a
tool.


• NIST also provides general guidelines on how to write a mobile device forensic report. The items to include are:
• Descriptive list of items submitted for examination, including serial number, make, and model.
• Identity and signature of the examiner.
• The equipment and setup used in the examination.
• Brief description of steps taken during the examination, such as string searches, graphics image searches, and recovering erased files.
• Supporting materials, such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation.
• Details of findings:
  • Specific files related to the request.
  • Other files, including deleted files, that support the findings.
  • String searches, keyword searches, and text string searches.
  • Internet-related evidence, such as website traffic analysis, chat logs, cache files, email, and newsgroup activity.
  • Graphic image analysis.
  • Indicators of ownership, which could include program registration data.
  • Data analysis.
• Description of relevant programs on the examined items.
• Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies.
• Report conclusions.

ADB (Android Debugging Bridge)

• The Android Debugging Bridge was used specifically to conduct forensic examinations of Android devices. If you require a refresher on ADB, please revisit chapter 4. When you start an adb client, the client first checks whether there is an adb server process already running.
• If there isn’t, it starts the server process. When the server starts, it binds to local TCP port 5037 and listens for commands sent from adb clients; all adb clients use port 5037 to communicate with the adb server.
• When a device is connected to a computer that has ADB, the first step is to list all connected devices. One of the first tasks you should do is to make a backup of the device. The general format of the command is: adb backup -all -f backup. A specific example would be: adb backup -all -f c:\phonebackup\.
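The file that adb backup writes (and that tools such as the Android Tools advanced tab work with) is a short text header followed by a zlib-compressed tar archive. The following Python, added here as an example and not code from the notes, parses a constructed sample backup and lists the app databases inside it; the in-archive layout apps/<package>/db/<name> and the package name com.example.chat are assumptions.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab(data: bytes) -> dict:
    """Split an adb backup blob into its header fields and the raw tar bytes.

    Layout: four newline-terminated text lines (magic, format version,
    compression flag, encryption algorithm) followed by a tar archive that is
    zlib-compressed when the flag is 1. Password-encrypted backups are
    rejected here; the key derivation is outside this example's scope.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an adb backup: magic line missing")
    version, compressed, encryption, payload = data[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError(f"encrypted backup ({encryption.decode()}): password needed")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    return {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode(), "tar": payload}


def list_files(tar_bytes: bytes) -> list:
    """Return (path, size) for every regular file in the backup's tar archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [(m.name, m.size) for m in tf.getmembers() if m.isfile()]


def app_databases(tar_bytes: bytes) -> list:
    """Paths inside an app's db/ directory (assumed layout apps/<package>/db/<name>)."""
    return [p for p, _ in list_files(tar_bytes) if p.startswith("apps/") and "/db/" in p]


def build_sample_backup() -> bytes:
    """Constructed sample: a version-5, compressed, unencrypted backup holding
    one database for the hypothetical package com.example.chat."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        body = b"SQLite format 3\x00" + b"\x00" * 16       # fake 32-byte SQLite header
        info = tarfile.TarInfo("apps/com.example.chat/db/messages.db")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())
```

To examine a real backup, read its bytes into parse_ab and write the returned tar bytes to a .tar file for any archive tool.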

• There are specific directories you will want to look for evidence in. These are described in the following subsections.
• /DATA – This partition contains the user’s data, such as contacts, SMS, settings, and all Android applications the user has installed. Should you perform a factory reset on the device, this partition will be wiped. This directory is likely to have much of the evidence you are seeking. Some of it will be in SQLite databases, which we will explore in chapter
• The subdirectory /data/app contains apps installed by the user rather than by the vendor. /data/data/<package>/databases holds the databases for specific apps. This is where you will find the SQLite databases we will examine in chapter
• /CACHE – This is the partition where Android stores frequently accessed data and app components. Wiping the cache doesn’t affect your personal data but simply gets rid of the existing data there, which is automatically rebuilt as you continue using the device. This can sometimes reveal interesting evidence in a case.
• /MISC – This partition contains miscellaneous system settings in the form of on/off switches. These settings may include the CID (Carrier or Region ID), USB configuration, certain hardware settings, etc.
• /MNT – If there is an SD card, internal or external, you will find it mounted here. This is a very important place to check, as it could potentially hold quite a bit of evidence. While there can be variations between models, in general the subdirectories you will find are listed here:
  /mnt/asec (encrypted apps)
  /mnt/emmc (internal SD card)
  /mnt/sdcard (external/internal SD card)
  /mnt/sdcard/external_sd (external SD card)
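Much of the evidence under /data/data/<package>/databases/ is SQLite, and simply opening such a file can alter it (journal or WAL replay). As an added example that is not from the notes, the following Python builds a constructed stand-in for a messaging database, opens it read-only and immutable so the examination does not change the evidence copy, enumerates its tables, and converts Android’s millisecond timestamps to UTC. The sms table layout and the meaning of its type column are assumptions modelled on the stock messaging database.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for /data/data/<package>/databases/mmssms.db (assumed layout).
SAMPLE_ROWS = [
    (1, "+15550100", 1704067200000, 1, "meet at 9"),   # type 1 = received (assumed)
    (2, "+15550100", 1704070800000, 2, "ok"),          # type 2 = sent (assumed)
]


def build_sample_db() -> str:
    """Write the constructed database to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return path


def open_evidence(path: str) -> sqlite3.Connection:
    """Open read-only and immutable: no journal/WAL files are created or
    replayed, so examining the copy leaves its bytes (and hash) unchanged."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def android_ms_to_utc(ms: int) -> str:
    """Android stores most timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def table_row_counts(path: str) -> dict:
    """Triage step: enumerate user tables and how many rows each holds."""
    con = open_evidence(path)
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    con.close()
    return counts


def messages(path: str) -> list:
    """Pull the sms table in time order with readable timestamps and direction."""
    con = open_evidence(path)
    rows = con.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    con.close()
    return [(addr, android_ms_to_utc(ts), "received" if t == 1 else "sent", body)
            for addr, ts, t, body in rows]
```

Run table_row_counts first on an unknown database to see which tables are worth dumping; the immutable open also means a database with a pending -wal file shows only committed pages, so copy the -wal and -journal files alongside it.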

ANDROID TOOLS

• This is far more versatile than All-In-One and is a free download from https://Sourceforge.net/projects/android-tools/. The main screen is shown in Figure
• To anyone familiar with ADB this should look quite familiar. You can run various ADB commands at the touch of a button. You can also launch a shell console to run your own Linux commands if you need to, so you have all the benefits of a GUI and can still use the Linux shell. There is a tab for fastboot commands that can allow you to attempt to unlock or root the phone; just as when you perform this manually, there is no guarantee it will work. The fastboot tab is shown in Figure 6.12. The advanced tab is very interesting: among other things, it allows you to work with various ADB backup files, which can be quite useful. This tab is shown in Figure 6.13. We are not describing every feature of this tool, for two reasons. The first is that it is automating ADB, and from chapter 4 and the first part of this chapter you should be comfortable with ADB. Secondly, the interface is so intuitive that minimal instruction is needed.

Autopsy

• Perhaps the most well-known open-source forensics software is Autopsy. This tool is designed for PC forensics but can analyze mobile phone images. You can download Autopsy for free from https://www.autopsy.com/.
• Autopsy won’t extract from your phone, but if you have an image from an Android phone you can examine it with Autopsy. The first step is to add an image. This is shown in Figure 6.14. You can see in Figure 6.15 that Autopsy can extract quite a bit of information. Results are shown in Figure 6.16.
• As you can see, the call logs, contacts, messages, GPS track points and more are retrieved.
BITPIM

• This is an open-source tool you can freely download from https://sourceforge.net/projects/bitpim/. However, it is limited in the phones it can recognize. The basic landing screen is shown in Figure 6.17. This tool does come with a very useful help file that is easy to navigate, shown in Figure 6.18.

OSAF

• Open-Source Android Forensics (OSAF) is a virtual machine you can download for free from https://sourceforge.net/projects/osaftoolkit/. It is Ubuntu Linux with a great many pre-loaded Android forensics tools. The default password is forensics. The desktop is shown in Figure 6.19.

ANDROID DECOMPILING

• Forensics frequently involves understanding the apps on the phone. For one thing, the apps could be malware. In other instances, someone might claim that malware on their phone is responsible for illegal content, and it is necessary to be able to view the app to determine whether this is true. Fortunately, it is quite easy to decompile Android apps.
• One such online decompiler can be found at http://www.javadecompilers.com/apk. You simply browse to the APK in question and upload it to the website. Bear in mind that uploading an APK sends it to a third party, which matters when the app itself is evidence. You can see this in Figure


• When the tool is done you will be able to download the source code for that APK. This is shown in Figure 6.30. It is also possible to use Android Studio to decompile and debug apps; it is one of the options on the main screen, shown in Figure 6.31. This starts a user-friendly wizard that guides you to select the APK you wish to decompile. You can see this in Figure 6.32. There are other decompilers you can try online:
• http://www.decompileandroid.com/
• https://www.apkdecompilers.com/
• The specific decompiler you use is less important than analyzing the code. Most Android apps are written in either the Java or Kotlin programming language. One need not be an expert programmer to follow along with the code; however, at least basic programming skills are required. It is beyond the scope of this book to teach programming.
• It may be that you will require a consultant who is a programmer to interpret the decompiled code.
