E-Book, Englisch, 322 Seiten
Tamma Learning Android Forensics
1. Auflage 2024
ISBN: 978-1-78217-444-8
Verlag: De Gruyter
Format: PDF
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
A hands-on guide to Android forensics, from setting up the forensic workstation to analyzing key forensic artifacts
E-Book, Englisch, 322 Seiten
ISBN: 978-1-78217-444-8
Verlag: De Gruyter
Format: PDF
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.
Autoren/Hrsg.
Fachgebiete
- Mathematik | Informatik EDV | Informatik Technische Informatik Computersicherheit
- Mathematik | Informatik EDV | Informatik Digital Lifestyle Mobiltelefone
- Mathematik | Informatik EDV | Informatik Programmierung | Softwareentwicklung Handheld Programmierung
- Mathematik | Informatik EDV | Informatik Digital Lifestyle Handheld, Smartphone, Tablet
Weitere Infos & Material
Table of Contents - Introducing Android forensics
- Setting Up Android Forensic Environment
- Setting up your Android forensic environmentÿ
- Extracting data logically from Androiddevices
- Extracting data physically from Androiddevices
- Recovering deleted data from Android devices
- Forensic Analysis of Android apps
- Android Forensic Tools Overview
The mobile forensics approach
Once the data is extracted from a device, different methods of analysis are used based on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all cases. However, the overall process can be broken into five phases as shown in the following diagram:
Phases in mobile forensics
The following section discusses each phase in detail:
Investigation Preparation
This phase begins when a request for examination is received. It involves preparing all of the paperwork and forms required to document the chain of custody, ownership information, the device model, its purpose, the information that the requestor is seeking, and so on. The chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. From the details submitted by the requestor, it's important to have a clear understanding of the objective for each examination.
Seizure and Isolation
Handling the device during seizure is one of the important steps while performing forensic analysis. The evidence is usually transported using anti-static bags which are designed to protect electronic components against damages produced by static electricity. As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device. At the same time, any opportunity that can aid the investigation should also not be missed.
Following are some of the points that need to be considered while handling an Android device during this phase:
- With increasing user awareness on security and privacy, most of the devices now have screen lock enabled. During the time of seizure, if there is a chance to do so, disable the passcode. Some devices do not ask the user to re-enter the passcode while disabling the lock screen option.
- If the device is unlocked, try to change the settings of the device to allow greater access to the device. Some of the settings that can be considered to achieve this are as follows:
- Enable USB debugging: Enabling this option gives greater access to the device through Android debug bridge (adb) connection. We are going to cover adb connection in detail in Chapter 2, . This will greatly aid the forensic investigator during the data extraction process. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot. In later Android versions starting from 4.2, the developer options are hidden by default. To enable them, navigate to Settings | About Phone and tap on Build number 7 times.
- Enable stay awake setting: Enabling this option and charging the device will make the device stay awake which means that, it doesn't get locked. In Android devices, this option is usually found under Settings | Developer options, as shown in the following screenshot:
Stay awake and USB debugging options
- Increase Screen timeout: This is the time for which the device will be active once it is unlocked. Depending on the device model, this time can be set up to 30 minutes. In most devices, it can be accessed under Settings | Display | Screen timeout, as shown in the following screenshot:
Note
Please note that the location to access this item changes across different versions and models of Android phones.
Screen timeout option on an Android device
In mobile forensics, it is of critical importance to protect the seized device so that our interaction with the evidence (or for that matter, an attacker's attempt to remotely interact with the device) does not change the evidence. In computer forensics, we have software and hardware write blockers that can perform this function. But in mobile forensics, since we need to interact with the device to pull the data, these write blockers are not of any use. Another important aspect is that we also need to prevent the device from interacting with wireless radio networks. As mentioned earlier, there is a high probability that an attacker can issue remote wipe commands to delete all data, including e-mails, applications, photos, contacts, and other files on the device.
The Android Device Manager (ADM) and several other third-party apps allow the phone to be remotely wiped or locked. This can be done by signing into the Google account that is configured on the mobile device. Using this software, an attacker can also locate the device, which could pose a security risk. For all these reasons, isolating the device from all communication sources is very important.
Tip
Have you thought about remote wipe options that do not require internet access? Mobile Device Management (MDM) software provides a remote wipe feature just by sending an SMS. Isolating the device from all communication options is crucial.
To isolate the device from a network, we can put the device in Airplane mode if there is access to the device. Airplane mode disables a device's wireless transmission functions, such as cellular radio, Wi-Fi, and Bluetooth. However, this may not always be possible because most of the devices are screen-locked. Also, as Wi-Fi is now available in airplanes, some devices now allow Wi-Fi access in Airplane mode. Hence, an alternate solution would be to use a Faraday bag or RF isolation box, as both effectively block signals to and from the mobile phone. But, one concern with these isolation methods however, is that once they're employed, it is difficult to work with the phone because you cannot see through them to use the touch screen or keypad. For this reason, Faraday tents and rooms exist, as shown in the following screenshot (taken from http://www.technicalprotection.co.uk/), but are very expensive.
Pyramid-shaped Faraday tent
Even after taking all these precautions, certain automatic functions, such as alarms can trigger. If such a situation is encountered, it must be properly documented.
Acquisition
The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straight forward. Depending on the operating system, make, and model of the device, the extraction method is decided. The following types of acquisition methods can be used to extract data from a device:
- Manual acquisition: This is the simplest of all acquisition methods. The examiner uses the user interface of the phone to browse and investigate. No special tools or techniques are required here, but the limitation is that only those files and data that are visible through a normal user interface can be extracted. Data extracted through other methods can also be verified using this.
- Logical acquisition: This is also called logical extraction. This generally refers to extracting the files that are present on a logical store such as a filesystem partition. This involves obtaining data types, such as text messages, call history, pictures and so on, from a phone. The logical extraction technique works by using the original equipment manufacturer's APIs for synchronizing the phone's contents with a computer. This technique usually involves extracting the following evidence:
- Call Logs
- SMS
- MMS
- Browser history
- People
- Contact methods
- Contacts extensions
- Contacts groups
- Contacts phones
- Contacts setting
- External image media (metadata)
- External image thumbnail media (metadata)
- External media, audio, and misc. (metadata)
- External videos (meta data)
- MMSParts (includes full images sent via MMS)
- Location details (GPS data)
- Internet activity
- Organizations
- List of all applications installed, along with their version
- Social networking apps data such as WhatsApp, Skype, Facebook, and so on.
- Filesystem acquisition: This is a logical procedure and generally refers to the extraction of a full file system from a mobile device. File system acquisition can sometimes help in recovering deleted contents (stored in SQLite files) that are deleted from the device.
- Physical acquisition: This involves making a bit-by-bit copy of the entire flash memory. The data extracted using this method is usually in the form of raw data (as a hexadecimal dump), which can then be further parsed to obtain file...
