KEMBAR78
Android forensics (Manish Chasta) | PDF
ClubHack, profile picture
Uploaded byClubHack
2,908 views

Android forensics (Manish Chasta)

This document provides an overview of Android forensics. It discusses rooting Android devices to gain access for forensic imaging. The forensic process involves seizing the device and accessories, creating a bit-by-bit image of the memory card and device to preserve all data, recovering useful data from the image, analyzing the image by examining key locations like the SQLite database and searching for evidence, and maintaining a proper chain of custody. Indian laws like the IT Act 2000 cover digital crimes using computers as targets or weapons.

Technology
In this document
Powered by AI

Presented by Manish Chasta, the agenda covers Android basics, rooting, seizing devices, forensic steps, chain of custody, and cyber laws.

Android is the most used mobile OS, developed by Google. It had a 36% market share in Q1 of 2011.

Explains Android architecture including Linux kernel and SQLite Database used for applications.

Explores how Android can be involved in cyber crimes such as software theft, terrorism, financial crimes, etc.

Outlines the forensic steps: seizing devices, creating images, and analyzing data while maintaining the chain of custody.Steps for creating a 1:1 image of memory cards and devices, highlighting importance of data preservation.

Stepwise guide to rooting Android devices, detailing software needed and setup procedures.

Explains how to create a low-level image of an Android device using the 'dd' command and viaExtract tool.

Describes methods for recovering and analyzing data from Android images using tools like WinHex.

Focus on analyzing SQLite databases which store critical data, with tools for examination.

Defines chain of custody in forensic investigations, highlighting the need for meticulous evidence handling.

Discusses Indian cyber laws related to digital crimes, including the IT Act and its amendments.

Manish Chasta's contact details for further inquiries regarding the presentation.

Downloaded 324 times
PRESENTED BY Manish Chasta, Principal Consultant, Indusface Android Forensics Manish Chasta, CISSP | CHFI
Agenda Introduction to Android Rooting Android Seizing Android Device Forensic Steps Chain of Custody Indian Cyber Laws
Introduction to Android • Most widely used mobile OS • Developed by Google • OS + Middleware + Applications • Android Open Source Project (AOSP) is responsible for maintenance and further development
Presence in the Market • According to Gartner report, Android captured 36% market share in Q1 of 2011. • Listed as the best selling Smartphone worldwide by Canalys. 4
Android Architecture 5
Android Architecture: Linux Kernel • Linux kernel with system services: – Security – Memory and process management – Network stack • Provide driver to access hardware: – Camera – Display and audio – Wifi – … 6
Android Architecture: Android RunTime • Core Libraries: – Written in Java – Provides the functionality of Java programming language – Interpreted by Dalvik VM • Dalvik VM: – Java based VM, a lightweight substitute to JVM – Unlike JVM, DVM is a register based Virtual Machine – DVM is optimized to run on limited main memory and less CPU usage – Java code (.class files) converted into .dex format to be able to run on Android platform 7
SQLite Database • SQLite Database: – SQLite is a widely used, lightweight database – Used by most mobile OS i.e. iPhone, Android, Symbian, webOS – SQLite is a free to use and open source database – Zero-configuration - no setup or administration needed. – A complete database is stored in a single cross- platform disk file. 8
How Android can be used in Cyber Crime? • Software Theft • Terrorism Activity • Pornography / Child Pornography • Financial Crime • Sexual harassment Cases • Murder or other Criminal activities 9
Forensic Process: An Open Source Approach • Seizing the device • Creating 1:1 image • Recovering the useful data • Analyzing the image to discover evidences • Maintain Chain of Custody 10
Seizing Android Device • If device is Off – Do not turn ‘ON’ • If device is On – Let it ON and keep device charging • Take photos and display of the device • Seize all other accessories available i.e. Memory card, cables etc. • Label all evidences and document everything 11
Creating 1:1 Image • Creating Image of Memory Card • Creating Image of Device 12
Creating Image of Memory Card • Fat 32 file system • Easy to create image • In most cases, applications wont store any sensitive data in memory card • Number of commercials and open source tools are available 13
Creating Image of Memory Card • Using Winhex 14
Creating Image of the Device • Android’s file systems • Importance of rooting • Rooting Samsung Galaxy device 15
Rooting Android Device Step 1: Download CF Rooted Karnal files and Odin3 Software 16
Rooting Android Device • Step 2: Keep handset on debugging mode 17
Rooting Android Device • Step 3: Run Odin3 18
Rooting Android Device • Step 4: Reboot the phone in download mode • Step 5: Connect to the PC 19
Rooting Android Device • Step 6: Select required file i.e: PDA, Phone, CSC files • Step 7: Click on Auto Reboot and F. Reset Time and hit Start button 20
Rooting Android Device • If your phone is Rooted... You will see PASS!! In Odin3 21
Creating Image of the Device • Taking backup with DD – low-level copying and conversion of raw data – Create bit by bit image of disk – Output Can be readable by any forensic tool – Typical Syntax : dd if=/dev/SDA of=/sdcard/SDA.dd – Interesting Locations • datadata • datasystem 22
Creating Image of the Device 23
Creating Image of the Device • Taking image with viaExtract tool 24
Recovering Data • Using WinHex 25
Analysing Image • Reading the Image • Looking for KEY data • Searching techniques (DT Search) 26
Analysing Image • Winhex • Manual Intelligence • viaExtract 27
Analyzing SQLite • SQLite stores most critical information • Interesting place for Investigators • Tools – Epilog – sqlite database browser – sqlite_analyzer 28
Analyzing SQLite • Epilog 29
Maintaining ‘Chain of Custody’ • What is Chain of Custody? • CoC can have following information:  What is the evidence?  How did you get it?  When was it collected?  Who has handled it?  Why did that person handle it?  Where has it travelled, and where was it ultimately stored? 30
Indian Laws covering Digital Crimes • We can categorize Cyber crimes in two ways: – The Computer as a Target – The computer as a weapon • Indian Laws: – IT Act 2000 – IT(Amendment) Act, 2008 – Rules under section 6A, 43A and 79 • MIT site: http://mit.gov.in/content/cyber-laws 31
Manish Chasta manish.chasta@owasp.org chasta.manish@gmail.com

More Related Content

PPTX
Forensic Investigation of Android Operating System
bynishant24894
 
PPTX
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
PPTX
Mobile Forensics
byprimeteacher32
 
PDF
Digital forensic principles and procedure
bynewbie2019
 
PPTX
Browser forensics
byPrince Boonlia
 
PDF
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
ODT
Operating System Forensics
byArunJS5
 
PPTX
Mobile Forensics
byabdullah roomi
 
Forensic Investigation of Android Operating System
bynishant24894
 
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
Mobile Forensics
byprimeteacher32
 
Digital forensic principles and procedure
bynewbie2019
 
Browser forensics
byPrince Boonlia
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
Operating System Forensics
byArunJS5
 
Mobile Forensics
byabdullah roomi
 

What's hot

PDF
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
Computer forensics powerpoint presentation
bySomya Johri
 
PPSX
Security policies
byNishant Pahad
 
PPT
Security policy
byDhani Ahmad
 
PPTX
Processing Crimes and Incident Scenes
byprimeteacher32
 
PDF
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
PPTX
Viruses, worms, and trojan horses
byEILLEN IVY PORTUGUEZ
 
PPT
Digital Forensic
byCleverence Kombe
 
PDF
Network Security Fundamentals
byRahmat Suhatman
 
PDF
CNIT 121: 8 Forensic Duplication
bySam Bowne
 
PPTX
Network forensics and investigating logs
byanilinvns
 
PDF
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
PPT
Data protection
byLewis Silkin
 
PPTX
Network security - Defense in Depth
byDilum Bandara
 
PPTX
Email investigation
byAnimesh Shaw
 
PDF
Social engineering attacks
byRamiro Cid
 
PPTX
Router forensics
byTaruna Chauhan
 
PDF
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
PDF
Android Forensics: Exploring Android Internals and Android Apps
byMoe Tanabian
 
PDF
LTEC 2013 - EnCase v7.08.01 presentation
byDamir Delija
 
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
Computer forensics powerpoint presentation
bySomya Johri
 
Security policies
byNishant Pahad
 
Security policy
byDhani Ahmad
 
Processing Crimes and Incident Scenes
byprimeteacher32
 
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
Viruses, worms, and trojan horses
byEILLEN IVY PORTUGUEZ
 
Digital Forensic
byCleverence Kombe
 
Network Security Fundamentals
byRahmat Suhatman
 
CNIT 121: 8 Forensic Duplication
bySam Bowne
 
Network forensics and investigating logs
byanilinvns
 
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
Data protection
byLewis Silkin
 
Network security - Defense in Depth
byDilum Bandara
 
Email investigation
byAnimesh Shaw
 
Social engineering attacks
byRamiro Cid
 
Router forensics
byTaruna Chauhan
 
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
Android Forensics: Exploring Android Internals and Android Apps
byMoe Tanabian
 
LTEC 2013 - EnCase v7.08.01 presentation
byDamir Delija
 

Similar to Android forensics (Manish Chasta)

PPT
Manish Chasta - Android forensics
byPositive Hack Days
 
PDF
Android forensics
byInfosys
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PPTX
Android– forensics and security testing
bySanthosh Kumar
 
PPT
Android basics – Key Codes – ADB – Rooting Android – Boot Process – File Syst...
byManiMaran230751
 
PPT
1668170.ppt
by230405
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
PDF
Mobile operating systems
byNicolas Demetriou
 
PPTX
Module 1- MOBILE DEVICE DATA ACQUISITION.pptx
byAnandkumar105685
 
PDF
A Survey on Mobile Forensic for Android Smartphones
byIOSR Journals
 
PDF
A Survey on Mobile Forensic for Android Smartphones
byIOSR Journals
 
PDF
C017211519
byIOSR Journals
 
PDF
Android
byLeo Liang
 
PPTX
Why cant all_data_be_the_same
bySkyler Lewis
 
PPTX
128-ch4.pptx
bySankalpKabra
 
PPT
My androidpresentation
byniteshnarayanlal
 
PPTX
Android System Architecture And  Pen-testing of Android applications
byyavuzwb
 
PDF
CNIT 128 Ch 4: Android
bySam Bowne
 
PDF
Forensic Tool for Android Mobile Device
byIRJET Journal
 
PDF
Accessing Forensic Images
byCTIN
 
Manish Chasta - Android forensics
byPositive Hack Days
 
Android forensics
byInfosys
 
Android village @nullcon 2012
byhakersinfo
 
Android– forensics and security testing
bySanthosh Kumar
 
Android basics – Key Codes – ADB – Rooting Android – Boot Process – File Syst...
byManiMaran230751
 
1668170.ppt
by230405
 
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
Mobile operating systems
byNicolas Demetriou
 
Module 1- MOBILE DEVICE DATA ACQUISITION.pptx
byAnandkumar105685
 
A Survey on Mobile Forensic for Android Smartphones
byIOSR Journals
 
A Survey on Mobile Forensic for Android Smartphones
byIOSR Journals
 
C017211519
byIOSR Journals
 
Android
byLeo Liang
 
Why cant all_data_be_the_same
bySkyler Lewis
 
128-ch4.pptx
bySankalpKabra
 
My androidpresentation
byniteshnarayanlal
 
Android System Architecture And  Pen-testing of Android applications
byyavuzwb
 
CNIT 128 Ch 4: Android
bySam Bowne
 
Forensic Tool for Android Mobile Device
byIRJET Journal
 
Accessing Forensic Images
byCTIN
 

More from ClubHack

PDF
India legal 31 october 2014
byClubHack
 
PPTX
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
PPT
Cyber Insurance
byClubHack
 
PPTX
Summarising Snowden and Snowden as internal threat
byClubHack
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
PDF
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
PPTX
Smart Grid Security by Falgun Rathod
byClubHack
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
PPT
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
PDF
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
PPTX
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
PDF
XSS Shell by Vandan Joshi
byClubHack
 
PDF
Clubhack Magazine Issue February 2012
byClubHack
 
PDF
ClubHack Magazine issue 26 March 2012
byClubHack
 
PDF
ClubHack Magazine issue April 2012
byClubHack
 
PDF
ClubHack Magazine Issue May 2012
byClubHack
 
PDF
ClubHack Magazine – December 2011
byClubHack
 
India legal 31 october 2014
byClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
Cyber Insurance
byClubHack
 
Summarising Snowden and Snowden as internal threat
byClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
Smart Grid Security by Falgun Rathod
byClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
XSS Shell by Vandan Joshi
byClubHack
 
Clubhack Magazine Issue February 2012
byClubHack
 
ClubHack Magazine issue 26 March 2012
byClubHack
 
ClubHack Magazine issue April 2012
byClubHack
 
ClubHack Magazine Issue May 2012
byClubHack
 
ClubHack Magazine – December 2011
byClubHack
 

Recently uploaded

PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
2025 October Patch Tuesday
byIvanti
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Data Structure - 12 Graph
byAndiNurkholis1
 

Android forensics (Manish Chasta)

  • 1.
    PRESENTED BY Manish Chasta, Principal Consultant, Indusface Android Forensics Manish Chasta, CISSP | CHFI
  • 2.
    Agenda Introduction to Android Rooting Android Seizing Android Device Forensic Steps Chain of Custody Indian Cyber Laws
  • 3.
    Introduction to Android • Most widely used mobile OS • Developed by Google • OS + Middleware + Applications • Android Open Source Project (AOSP) is responsible for maintenance and further development
  • 4.
    Presence in theMarket • According to Gartner report, Android captured 36% market share in Q1 of 2011. • Listed as the best selling Smartphone worldwide by Canalys. 4
  • 5.
  • 6.
    Android Architecture: LinuxKernel • Linux kernel with system services: – Security – Memory and process management – Network stack • Provide driver to access hardware: – Camera – Display and audio – Wifi – … 6
  • 7.
    Android Architecture: AndroidRunTime • Core Libraries: – Written in Java – Provides the functionality of Java programming language – Interpreted by Dalvik VM • Dalvik VM: – Java based VM, a lightweight substitute to JVM – Unlike JVM, DVM is a register based Virtual Machine – DVM is optimized to run on limited main memory and less CPU usage – Java code (.class files) converted into .dex format to be able to run on Android platform 7
  • 8.
    SQLite Database • SQLiteDatabase: – SQLite is a widely used, lightweight database – Used by most mobile OS i.e. iPhone, Android, Symbian, webOS – SQLite is a free to use and open source database – Zero-configuration - no setup or administration needed. – A complete database is stored in a single cross- platform disk file. 8
  • 9.
    How Android canbe used in Cyber Crime? • Software Theft • Terrorism Activity • Pornography / Child Pornography • Financial Crime • Sexual harassment Cases • Murder or other Criminal activities 9
  • 10.
    Forensic Process: AnOpen Source Approach • Seizing the device • Creating 1:1 image • Recovering the useful data • Analyzing the image to discover evidences • Maintain Chain of Custody 10
  • 11.
    Seizing Android Device •If device is Off – Do not turn ‘ON’ • If device is On – Let it ON and keep device charging • Take photos and display of the device • Seize all other accessories available i.e. Memory card, cables etc. • Label all evidences and document everything 11
  • 12.
    Creating 1:1 Image •Creating Image of Memory Card • Creating Image of Device 12
  • 13.
    Creating Image ofMemory Card • Fat 32 file system • Easy to create image • In most cases, applications wont store any sensitive data in memory card • Number of commercials and open source tools are available 13
  • 14.
    Creating Image ofMemory Card • Using Winhex 14
  • 15.
    Creating Image ofthe Device • Android’s file systems • Importance of rooting • Rooting Samsung Galaxy device 15
  • 16.
    Rooting Android Device Step1: Download CF Rooted Karnal files and Odin3 Software 16
  • 17.
    Rooting Android Device •Step 2: Keep handset on debugging mode 17
  • 18.
    Rooting Android Device •Step 3: Run Odin3 18
  • 19.
    Rooting Android Device •Step 4: Reboot the phone in download mode • Step 5: Connect to the PC 19
  • 20.
    Rooting Android Device •Step 6: Select required file i.e: PDA, Phone, CSC files • Step 7: Click on Auto Reboot and F. Reset Time and hit Start button 20
  • 21.
    Rooting Android Device •If your phone is Rooted... You will see PASS!! In Odin3 21
  • 22.
    Creating Image ofthe Device • Taking backup with DD – low-level copying and conversion of raw data – Create bit by bit image of disk – Output Can be readable by any forensic tool – Typical Syntax : dd if=/dev/SDA of=/sdcard/SDA.dd – Interesting Locations • datadata • datasystem 22
  • 23.
    Creating Image ofthe Device 23
  • 24.
    Creating Image ofthe Device • Taking image with viaExtract tool 24
  • 25.
  • 26.
    Analysing Image • Readingthe Image • Looking for KEY data • Searching techniques (DT Search) 26
  • 27.
    Analysing Image • Winhex •Manual Intelligence • viaExtract 27
  • 28.
    Analyzing SQLite • SQLitestores most critical information • Interesting place for Investigators • Tools – Epilog – sqlite database browser – sqlite_analyzer 28
  • 29.
  • 30.
    Maintaining ‘Chain ofCustody’ • What is Chain of Custody? • CoC can have following information:  What is the evidence?  How did you get it?  When was it collected?  Who has handled it?  Why did that person handle it?  Where has it travelled, and where was it ultimately stored? 30
  • 31.
    Indian Laws coveringDigital Crimes • We can categorize Cyber crimes in two ways: – The Computer as a Target – The computer as a weapon • Indian Laws: – IT Act 2000 – IT(Amendment) Act, 2008 – Rules under section 6A, 43A and 79 • MIT site: http://mit.gov.in/content/cyber-laws 31
  • 32.
    Manish Chasta manish.chasta@owasp.org chasta.manish@gmail.com