Every Step You Take: Application and Network Usage in Android

Jessica Hyde
Director of Forensics – Magnet Forensics
Adjunct Professor – George Mason University

June 8, 2018
Jessica Hyde
Director of Forensics, Magnet Forensics
Adjunct Professor, George Mason University

Previous:
• Basis Technology
• Ernst and Young
• American Systems
• United States Marine Corps

SANS DFIR Summit - 2018


Traditional Mobile Analysis

Focus on app analysis, artifacts first:
● Web browsers
● Chat apps
● Email

Traditional Mobile Analysis
Digging for Application Data
● Taught in courses, e.g. FOR585
● Methodology for unsupported app data:
○ Discover
○ Test
○ Find
○ Parse
○ Script

Why Android Application Usage Analysis?

● We do this for computer investigations!
○ OS artifacts
● Why don't we apply this concept to our Android applications?
● Why would it be useful?

Using Application Analysis

● Pattern of Life Analysis
● Showing a lack of a particular usage
● Supporting artifacts for sync'd data

com.android.vending (Google Play Store)

● Tracks purchases BUT
● It LIES!
○ Multi-user: another user profile on the device may be the one that acquired the app
○ Second device: the library is tied to the Google account, so an app acquired on another device signed into the same account shows up here too
● \data\com.android.vending\databases\library.db
● A row in library.db shows that the account acquired the app, not that it was installed or run on this device; corroborate with usagestats, recent_tasks and netstats

Android Usagestats

● Tells you which app (package) was in the foreground, background, etc.
● \data\system\usagestats\0\ (the 0 is the Android user ID)
● ..\daily, \weekly, \monthly, \yearly
● .xml file named as the epoch timestamp (milliseconds) at which the interval begins
● Caveat: the time attributes inside the file are offsets from that filename timestamp, not absolute times; add the two to get the event time
● Caveat: from Android 10 the same directories hold protobuf files instead of XML

Android Usage History

● https://developer.android.com/reference/android/app/usage/UsageEvents.Event
○ User Interaction
○ Move to Foreground
○ Move to Background
○ Configuration Change

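The two slides above describe the usagestats layout and the UsageEvents.Event types but not how to turn an interval file into a timeline. The script below is an added example (not code from the talk or from Android): it assumes the pre-Android-10 V1 XML layout in which the file name is the interval's begin time in epoch milliseconds and every "time" attribute in <event-log> is a millisecond offset from that begin time. The sample file, package name and class name are constructed for the example.

```python
"""Parse an Android usagestats V1 XML interval file into absolute, typed events.

Added example, not code from the talk or from Android. Assumes the
pre-Android-10 XML layout: the file name is the interval begin time in epoch
milliseconds and every "time" attribute in <event-log> is an offset (ms) from
that begin time. The sample file below is constructed, not a real extraction.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Type codes from android.app.usage.UsageEvents.Event
EVENT_TYPES = {
    1: "MOVE_TO_FOREGROUND",
    2: "MOVE_TO_BACKGROUND",
    5: "CONFIGURATION_CHANGE",
    7: "USER_INTERACTION",
}

# Constructed sample: \data\system\usagestats\0\daily\1525996800000
# (1525996800000 ms = 2018-05-11 00:00:00 UTC, the start of that day's interval)
SAMPLE_FILENAME = "1525996800000"
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<usagestats version="1" endTime="48800000">
  <packages>
    <package lastTimeActive="48800000" package="com.twitter.android" timeActive="564516" lastEvent="2" />
  </packages>
  <event-log>
    <event time="48235484" package="com.twitter.android" class="com.twitter.android.StartActivity" type="1" />
    <event time="48240000" package="com.twitter.android" class="com.twitter.android.StartActivity" type="7" />
    <event time="48800000" package="com.twitter.android" class="com.twitter.android.StartActivity" type="2" />
  </event-log>
</usagestats>
"""


def ms_to_utc(ms):
    """Epoch milliseconds -> ISO 8601 UTC string, keeping the millisecond part exact."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat()


def parse_usagestats(filename, xml_text):
    """Return the event-log as a time-sorted list of dicts with absolute timestamps."""
    begin_ms = int(filename)          # the filename IS the interval begin time
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("event"):
        abs_ms = begin_ms + int(ev.get("time"))   # relative offset -> absolute
        code = int(ev.get("type"))
        events.append({
            "ts_ms": abs_ms,
            "utc": ms_to_utc(abs_ms),
            "package": ev.get("package"),
            "class": ev.get("class"),
            "type": EVENT_TYPES.get(code, "TYPE_%d" % code),
        })
    return sorted(events, key=lambda e: e["ts_ms"])


def foreground_sessions(events):
    """Pair each MOVE_TO_FOREGROUND with the next MOVE_TO_BACKGROUND of the same package.

    Returns (package, start_ms, end_ms); end_ms is None when the interval file
    ended (or the device died) before the app was backgrounded.
    """
    open_at, sessions = {}, []
    for e in events:
        if e["type"] == "MOVE_TO_FOREGROUND":
            open_at[e["package"]] = e["ts_ms"]
        elif e["type"] == "MOVE_TO_BACKGROUND" and e["package"] in open_at:
            sessions.append((e["package"], open_at.pop(e["package"]), e["ts_ms"]))
    sessions.extend((pkg, start, None) for pkg, start in open_at.items())
    return sessions


if __name__ == "__main__":
    evs = parse_usagestats(SAMPLE_FILENAME, SAMPLE_XML)
    for e in evs:
        print(e["utc"], e["package"], e["type"])
    for pkg, start, end in foreground_sessions(evs):
        print("%s in foreground %s -> %s" % (pkg, ms_to_utc(start), ms_to_utc(end) if end else "open"))
```

Run it against each file under daily\, weekly\ and the other interval directories and de-duplicate on (ts_ms, package, type), because the same event is written into every interval that covers it. A session that never closes inside one daily file usually closes in the next day's file, so merge before drawing conclusions about how long an app was on screen.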


Battery Status

● Monitors battery usage
● system\batterystats-daily.xml
● \data\data\com.google.android.gms\shared_prefs\Batterystats.xml
● Think of this as SRUM for Android

BatterystatsDumpsysTask

● \data\data\com.google.android.gms\files\BatterystatsDumpsysTask.gz
● gzip-compressed; decompress it before parsing (the file name indicates a captured dumpsys batterystats report stored by Google Play services)

Recent Images

● \system_ce\0\recent_images

Recent Tasks

● \system_ce\0\recent_tasks
● One XML file per task; example values from one task file:
○ task_id = 244
○ effective_uid = 10103
○ first_active_time = 1526045035484 → May 11, 2018 1:23:55.484 PM UTC
○ last_active_time = 1526045600000 → May 11, 2018 1:33:20 PM UTC
○ last_time_moved = 1526045563392 → May 11, 2018 1:32:43.392 PM UTC
● Timestamps are epoch milliseconds; the effective_uid maps to a package name through \data\system\packages.list

Snapshots

● \system_ce\0\snapshots
● Per task ID: <task_id>.jpg (screenshot of the task), <task_id>_reduced.jpg (scaled-down copy) and <task_id>.proto (snapshot metadata)
● The .jpg is what was on screen when the task was last sent to the background, which is why it lines up with the recent_tasks timestamps for the same task_id

3rd Party

● com.cleanmaster.security (Cheetah Mobile)
○ On lots of devices
○ Logs battery usage
○ Logs application usage


Cheetah Mobile Apps

● media\0\Android\data\com.cleanmaster.security\files\logs\
○ AppLockLog
○ PerfMetricsReport

Google Cloud Activity

● Takeout
○ Download "My Activity" from https://takeout.google.com/u/1/settings/takeout with the account credentials

Putting it all together

Artifact             Task ID  Effective UID  App                  Event                              UNIX Timestamp  Date / Time (UTC)
com.android.vending  -        -              com.twitter.android  Purchase                           1524064586032   4/18/18 3:16 PM
uid stats            -        10103          com.twitter.android  UID stats, Twitter, cell           1526040000      5/11/18 12:00 PM
recent tasks         244      10103          com.twitter.android  first active time                  1526045035484   5/11/18 1:23 PM
snapshots            244      -              Twitter              .jpg of @CollinRusty Twitter page  -               5/11/18 1:25 PM
snapshots            244      -              Twitter              reduced .jpg of @CollinRusty       -               5/11/18 1:25 PM
recent tasks         244      10103          com.twitter.android  last time moved                    1526045563392   5/11/18 1:32 PM
snapshots            244      -              Twitter              .proto file                        -               5/11/18 1:32 PM
recent tasks         244      10103          com.twitter.android  last active time                   1526045600000   5/11/18 1:33 PM
uid netstats         -        10103          com.twitter.android  UID stats, Twitter, cell           1526040000      5/11/18 2:00 PM

Mind the units: the netstats values are epoch seconds, while recent_tasks and the Play Store library are epoch milliseconds. The 12:00 PM and 2:00 PM netstats rows carry the same bucket timestamp; they are most likely the start and end of one two-hour UID bucket, so the cellular traffic can only be placed somewhere inside that window, not at a point in time.

SANS DFIR Summit - 2018
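Building the table above by hand is where unit and UID mistakes creep in. The script below is an added example (not the talk's code): it parses a recent_tasks XML file, resolves the effective_uid through packages.list, normalises epoch seconds and milliseconds to one scale and emits a sorted timeline. It assumes the recent_tasks attribute names used on Android 7 to 9 (task_id, effective_uid, first_active_time, last_active_time, last_time_moved) and the whitespace-separated layout of \data\system\packages.list. The netstats rows are constructed as if already decoded from the binary netstats files; all other sample data is constructed as well.

```python
"""Build a per-app timeline from recent_tasks XML, packages.list and netstats rows.

Added example; not part of the talk. Assumes the recent_tasks attribute names
used on Android 7-9 and the "<package> <uid> <debug> <dataDir> <seinfo> <gids>"
layout of \\data\\system\\packages.list. All sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed \data\system\packages.list excerpt
PACKAGES_LIST = """\
com.android.vending 10044 0 /data/user/0/com.android.vending platform:privapp 3003,3002
com.twitter.android 10103 0 /data/user/0/com.twitter.android default:targetSdkVersion=26 3003
"""

# Constructed \data\system_ce\0\recent_tasks\244_task.xml
RECENT_TASK_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<task task_id="244" real_activity="com.twitter.android/.StartActivity" affinity="com.twitter.android" user_id="0" effective_uid="10103" first_active_time="1526045035484" last_active_time="1526045600000" last_time_moved="1526045563392" calling_uid="10039" calling_package="com.google.android.apps.nexuslauncher">
  <intent action="android.intent.action.MAIN" component="com.twitter.android/.StartActivity" flags="10200000">
    <categories category="android.intent.category.LAUNCHER" />
  </intent>
</task>
"""

# Constructed netstats UID bucket: bucket_start is epoch SECONDS, unlike the XML above.
NETSTATS_ROWS = [
    {"uid": 10103, "iface": "rmnet0", "bucket_start": 1526040000, "rx_bytes": 183211, "tx_bytes": 20115},
]


def uid_map(packages_list_text):
    """uid -> [package, ...]; packages sharing a UID all map to the same number."""
    m = {}
    for line in packages_list_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        m.setdefault(int(parts[1]), []).append(parts[0])
    return m


def to_ms(ts):
    """Normalise epoch seconds vs milliseconds: below 1e11 it must be seconds (1e11 ms is 1973)."""
    ts = int(ts)
    return ts * 1000 if ts < 10**11 else ts


def fmt(ms):
    """Epoch ms -> 'YYYY-MM-DD HH:MM:SS.mmm UTC' without float rounding of the ms part."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + " UTC"


def task_events(xml_text, uids):
    """Yield (ts_ms, source, task_id, package, event) for each timestamp in one task file."""
    task = ET.fromstring(xml_text)
    uid = int(task.get("effective_uid"))
    pkg = ",".join(uids.get(uid, [task.get("affinity") or "uid:%d" % uid]))
    tid = task.get("task_id")
    out = []
    for attr in ("first_active_time", "last_time_moved", "last_active_time"):
        if task.get(attr) is not None:
            out.append((to_ms(task.get(attr)), "recent_tasks", tid, pkg, attr))
    return out


def netstats_events(rows, uids):
    return [(to_ms(r["bucket_start"]), "netstats", None,
             ",".join(uids.get(r["uid"], ["uid:%d" % r["uid"]])),
             "%s rx=%d tx=%d (bucket start)" % (r["iface"], r["rx_bytes"], r["tx_bytes"]))
            for r in rows]


def timeline(uids, task_xml, netstats_rows):
    """Merge every source onto one millisecond scale and sort."""
    events = task_events(task_xml, uids) + netstats_events(netstats_rows, uids)
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, src, tid, pkg, what in timeline(uid_map(PACKAGES_LIST), RECENT_TASK_XML, NETSTATS_ROWS):
        print(fmt(ts), src, tid or "-", pkg, what)
```

The UID lookup returns a list on purpose: apps that declare a sharedUserId share one UID, so a netstats or recent_tasks row for that UID cannot be attributed to a single package without further evidence. The seconds-versus-milliseconds threshold is the kind of normalisation that is easy to get wrong by hand and silently shifts an event by decades.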


Fitbit

• Founded in 2007
• Headquartered in San Francisco, California, USA
• On December 7, 2016, Fitbit officially announced that it had acquired assets from Pebble
• January 2017: Fitbit acquired Romania-based smartwatch startup Vector Watch SRL
• June 2011: Fitbit criticized for its website's default activity-sharing settings, which made users' manually-entered physical activities available for public viewing
• Some users were including details about their sex lives in their daily exercise logs, and this information was, by default, publicly available



• Fitbit as evidence in investigations:

• "Woman's fitness watch disproved rape report"
• http://abc27.com/2015/06/19/police-womans-fitness-watch-disproved-rape-report/
• http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/

• "When Fitbit Is the Expert Witness" (personal trainer – civil case)
• https://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/
• http://theconversation.com/how-your-fitbit-data-can-and-will-be-used-against-you-in-a-court-of-law-34580

• "Big Brother was definitely watching as George Burch killed Nicole VanderHeyden"
• https://www.greenbaypressgazette.com/story/news/2018/03/04/big-brother-phone-george-burch-nicole-vanderheyden-murder-trial-gps-fitbit-snapshot-google/390236002/

Profiles
How this could help
• Name associated to user ID
• Personal info / profile pic
• Stride length could come in handy depending on your case
Caveats
• Stride length is calculated from the user's gender and height (user entered)
• Can be adjusted by the user
• https://help.fitbit.com/articles/en_US/Help_article/1135


Steps
How this could help
• Great evidence to show a person's level of activity, time of activity, and amount at a particular time
• Ties back to the false rape case
• Presence/lack of movement during a crime

Floors Climbed
How this could help
• Indicates overall activity for the day
• Can show a trend of activity over a number of days

Heart Rate
How this could help
• Great indicator of the user's physical exertion at points in time (5-minute segments)
• Can especially help if graphed over time
• Why was there a spike at a specific time? (e.g. the time the crime was committed)

Sleep
How this could help
• Another very helpful indicator
• Remember the false rape case mentioned earlier
• Place someone at specific times
• Some questions around time awake/time asleep numbers

Questions?

Jessica Hyde
Twitter: @B1N2H3X
Email: [email protected]