Mobile Forensics and Investigation Android Forensics | PPTX
Mobile and Wireless Device Forensics
Unit 3
Understanding Mobile Device Forensics
• People store a wealth of information on cell phones
• People don’t think about securing their cell phones
• Items stored on cell phones:
• Incoming, outgoing, and missed calls
• Text and Short Message Service (SMS) messages
• E-mail
• Instant-messaging (IM) logs
• Web pages
• Pictures
Understanding Mobile Device Forensics (continued)
• Items stored on cell phones: (continued)
• Personal calendars
• Address books
• Music files
• Voice recordings
• Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
Inside Mobile Devices
• Mobile devices can range from simple phones to small computers
• Also called smart phones
• Hardware components
• Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
• Most basic phones have a proprietary OS
• Although smart phones use stripped-down versions of PC operating systems
Inside Mobile Devices (continued)
• Phones store system data in electronically erasable programmable read-only memory (EEPROM)
• Enables service providers to reprogram phones without having to physically access memory chips
• OS is stored in ROM
• Nonvolatile memory
SIM Card
(from Wikipedia)
Inside Mobile Devices (continued)
• Subscriber identity module (SIM) cards
• Found most commonly in GSM devices
• Microprocessor and from 16 KB to 4 MB EEPROM
• Sometimes even more, up to 1 GB EEPROM
• GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
• The SIM card and the mobile equipment (ME)
• SIM cards come in two sizes
• Portability of information makes SIM cards versatile
Inside Mobile Devices (continued)
• Subscriber identity module (SIM) cards (continued)
• Additional SIM card purposes:
• Identifies the subscriber to the network
• Stores personal information
• Stores address books and messages
• Stores service-related information
Inside PDAs
• Personal digital assistants (PDAs)
• Can be separate devices from mobile phones
• Most users carry them instead of a laptop
• PDAs house a microprocessor, flash ROM, RAM, and various hardware components
• The amount of information on a PDA varies depending on the model
• Usually, you can retrieve a user’s calendar, address book, Web access, and other items
Inside PDAs (continued)
• Peripheral memory cards are used with PDAs
• Compact Flash (CF)
• MultiMedia Card (MMC)
• Secure Digital (SD)
• Most PDAs synchronize with a computer
• Built-in slots for that purpose
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
• The main concerns with mobile devices are loss of power and synchronization with PCs
• All mobile devices have volatile memory
• Making sure they don’t lose power before you can retrieve RAM data is critical
• Mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately
• Depending on the warrant or subpoena, the time of seizure might be relevant
Understanding Acquisition Procedures for Cell Phones and Mobile Devices (continued)
• Messages might be received on the mobile device after seizure
• Isolate the device from incoming signals with one of the following options:
• Place the device in a paint can
• Use the Paraben Wireless StrongHold Bag
• Use eight layers of antistatic bags to block the signal
• The drawback to using these isolating options is that the mobile device is put into roaming mode
• Which accelerates battery drainage
Understanding Acquisition Procedures for Cell Phones and Mobile Devices (continued)
• Check these areas in the forensics lab:
• Internal memory
• SIM card
• Removable or external memory cards
• System server
• Checking system servers requires a search warrant or subpoena
• SIM card file system is a hierarchical structure
• MF: root of the system
• DF: directory files
• EF: elementary data
Understanding Acquisition Procedures for Cell Phones and Mobile Devices (continued)
• Information that can be retrieved:
• Service-related data, such as identifiers for the SIM card and the subscriber
• Call data, such as numbers dialed
• Message information
• Location information
• If power has been lost, PINs or other access codes might be required to view files
Mobile Forensics Equipment
• Mobile forensics is a new science
• Biggest challenge is dealing with constantly changing models of cell phones
• When you’re acquiring evidence, generally you’re performing two tasks:
• Acting as though you’re a PC synchronizing with the device (to download data)
• Reading the SIM card
• First step is to identify the mobile device
Mobile Forensics Equipment (continued)
• Make sure you have installed the mobile device software on your forensic workstation
• Attach the phone to its power supply and connect the correct cables
• After you’ve connected the device
• Start the forensics program and begin downloading the available information
Mobile Forensics Equipment (continued)
• SIM card readers
• A combination hardware/software device used to access the SIM card
• You need to be in a forensics lab equipped with appropriate antistatic devices
• General procedure is as follows:
• Remove the back panel of the device
• Remove the battery
• Under the battery, remove the SIM card from holder
• Insert the SIM card into the card reader
Mobile Forensics Equipment (continued)
• SIM card readers (continued)
• A variety of SIM card readers are on the market
• Some are forensically sound and some are not
• Documenting messages that haven’t been read yet is critical
• Use a tool that takes pictures of each screen
• Blackberries may require special hardware
iPhone Forensics
• MacLockPick II
• Uses backup files
• It can’t recover deleted files
• MDBackUp Extract
• Analyzes the iTunes mobile sync backup directory
iPhone Spy
• Link Ch 13d
Mobile Forensics Tools
• Paraben Software Device Seizure Toolbox
• Contains cables, SIM card readers, and more
• Data Pilot
• Similar to Paraben
• BitPim
• Can view data on many phones, but it's not intended for forensics
• MOBILedit!
• Has a write-blocker
Mobile Forensics Tools
• SIMCon
• Reads files on SIM cards
• Recovers deleted text messages
• Archives files with MD5 and SHA-1 hashes
• Software tools differ in the items they display and the level of detail
Mobile Forensics Equipment (continued)
External Memory Dump
• Refers to the process of acquiring data from the external memory storage of a mobile device
• Includes the device's microSD card or any other external storage media where user-generated data such as photos, videos, documents, and application data may be stored
Process of External Memory Dump
• Acquisition
• Data Extraction
• Analysis
• Can provide insights into a user's behavior, communication patterns, application usage, and even location information
Physical Data Acquisition of Mobile Phones
• NAND Flash Memory
• Composed of memory cells, organized in a grid-like structure known as a memory array
• Cells are made up of floating-gate transistors and are arranged in blocks, which are further grouped into pages
• Floating-gate transistors can trap electrical charge, representing the 0s and 1s of digital data
• When data is written to a NAND flash memory cell, an electrical charge is applied to the floating gate, altering its state to represent the desired data
• Data is erased from NAND flash memory through a process called block erase, which resets all the memory cells in a block to a predetermined state
• Fast Access Times
• High Density and Scalability
• Endurance and Longevity
• Power Efficiency
Process of Physical Data Acquisition
• Device Preparation
• Data Extraction
• Storage of Acquired Data
• Analysis and Interpretation
Importance of Physical Data Acquisition
• Enables the thorough examination of a mobile device's internal storage
• Complete and unaltered dataset that is essential for establishing the chronology of events
• Reconstructing the user's interactions and behaviors on the device
• Facilitates the retrieval of system logs, application data, and cached information
Logical Acquisition
• Bit-by-bit copies of logical storage objects from their allocated space
• The slack spaces cannot be acquired
• Not possible to overcome the challenge of obtaining deleted data
• Works best on unrooted mobile phones
• USB debugging mode needs to be enabled
Manual Acquisition
• Without any cables or platforms
• Using the phone’s touchscreen
• Does not preserve the integrity of the evidence
• Does not extract all the data on the phone
• Not possible if the device is off or protected
File system extraction
• Android- Ext4 file system
• Identify the file system
• Access the file system structures
• Data extraction and analysis
• Metadata
• Deleted data
• User Activities
• Application data
• Data authenticity
Android
Forensics
Shawn Valle
shawnvalle at gmail dot com
September 2012
Android Overview & History
Android Overview & History
• Google Mobile SVP Andy Rubin reported that over 2,000,000 Android devices were being activated each day as of February 2022
• 1,000,000 increase per day over just one year ago
Android Forensics
Android Overview & History
Date Event
July 1, 2005 Google acquires Android, Inc.
November 12, 2007 Android launched
September 23, 2008 Android 1.0 platform released
February 13, 2009 Android Market: USA takes paid apps
April 15, 2009 Android 1.5 (Cupcake) platform released
September 16, 2009 Android 1.6 (Donut) platform released
October 5, 2009 Android 2.0/2.1 (Eclair) platform released
May 20, 2010 Android 2.2 (Froyo) platform released
December 6, 2010 Android 2.3 (Gingerbread) platform released
February 2, 2011 Android 3.0 (Honeycomb) preview released
November 14, 2011 Android 4.0 (Ice Cream Sandwich), 3.0 source released
July 9, 2012 Android 4.1 (Jelly Bean) platform released
Android Overview & History
• Android Feature Introduction
• More details come later
• 1st Primary feature, always connected: GSM, CDMA, LTE, WiMax, WiFi
• 2nd Market / Play: rich source for forensic analysts
• 3rd Data Storage: Big part of the course
• Flash (or NAND) memory
• External SD card
• Internal SD card
Android Overview & History
• Apps
• As of January 2024, over 3.5 MILLION Android apps have been developed. Doubled
since January 2018.
• Apple maintains tight control over their App Store, requiring developers to submit
to a sometimes lengthy review process and providing Apple with the final approval
for an app. Apps can be denied based on a number of criteria, most notably if they
contain any content Apple feels is objectionable.
• Google, on the other hand, requires very little review to publish an app in the
Android Market. While Google has the ability to ban a developer, remove an app
from the Android Market, and even remotely uninstall apps from Android devices,
in general their approach to app management is hands off.
Android Open Source Project
• The Android Open Source Project (AOSP) is led by Google, and is tasked with
the maintenance and development of Android.
• It is good experience to download and install AOSP from source.
• Not critical for all forensics analysts to get this deep into Android. May be helpful for deep analysis.
Android and Forensics
Android & Forensics
• Relatively new, emerged in ~2009
• Best known expert in the field is Andrew Hoog
• Other leaders in the Android Security field include Jon Oberheide and Zach Lanier
• Community is rapidly growing
• In-house investigations on pilot / prototype apps
• Penetration tests
• Vulnerability assessments
• Funded research
Android Architecture
Got Android?
http://developer.android.com/guide/basics/what-is-android.html
Much ado about hardware
Hardware - core
• CPU
• Radio
• Memory (RAM & NAND Flash)
• GPS
• WiFi
• Bluetooth
• SD Card
• Screen
• Camera(s)
• Keyboard
• Battery
• USB
• Accelerometer / Gyroscope
• Speaker
• Microphone
• SIM
More Memory
• Memory (RAM & NAND Flash)
• Manufactured together into multichip package (MCP)
http://www.hynix.com/products/mobile/mcp.jsp?menuNo=1&m=4&s=4
Hardware - devices
• Smartphones
• Tablets
• Google TV
• Vehicle Stereos
• Standalone GPS
• Kindle Fire
• B&N Nook
• 700+ Android devices
ROM & Boot Loaders
• ROM varies by manufacturer
• Contains boot process
• Seven key steps to the Android boot process:
1. Power on and on-chip boot ROM code execution
2. The boot loader
3. The Linux kernel
4. The init process
5. Zygote and Dalvik
6. The system server
7. Boot complete
Source: “The Android boot process from power on” by Mattias Björnheden of the Android Competence Center at Enea
Android Update Mechanism
Connecting a Device for Forensics
Connecting Device to VM
• Mac OS X with VMWare Fusion
• VirtualBox
Approved for Public Release 56
Setting up USB Interfaces
• Each device has different USB setting options when connected to a PC
• Some options are:
• Charge only
• Sync
• Disk drive
• Mobile Broadband Connect
USB Connection Test
• To ensure the device is connected and passing through the “host” OS to the Ubuntu VM
• Open a terminal window and type dmesg (display message or driver message)
USB Forensics Precaution
• Important to disable auto-mount to prevent automatic detection and mounting
of USB mass storage
• Critical to limit any modifications to the device when acquiring forensic data (more later)
• A hardware USB write blocker is an option
• To check for mounted SD cards, use df command.
SD Card Info
SD Card
• Most developers store large data files on SD cards.
• Core application data is located in /sdcard/data/data
Android Debug Bridge
Android Debug Bridge
• One of the most important pieces of Android forensics.
• Best time to pay attention is now.
• Android Debug Bridge (ADB)
• Developers use this, forensic analysts and security analysts rely on this.
USB Debugging
• Enable USB debugging on device
• Applications > Development > USB Debugging
• This will run adb daemon (adbd) on device.
• adbd runs as a user account, not an admin account. No root access. Unless your
device is rooted, then adbd will run as root.
• If the device is locked with a pass code, enabling USB debugging is difficult.
USB Debugging
Source: http://theheatweb.com
ADB Components
• Three components
• adbd on device
• adbd on workstation
• adb on workstation
• adb is free, open-source, and our primary tool for
Android forensics
ADB Devices
• To identify devices connected, use command adb devices
Bad ADB
• Sometimes adb doesn’t respond properly.
• To kill adb, use command adb kill-server
ADB Shell
• To open an adb shell on an Android device, use command adb shell
• Gives full shell access directly on device.
• Once we learn more about file system and directories, adb shell will get you much of the data needed for forensic analysis
• Full list of adb commands at http://developer.android.com/guide/developing/tools/adb.html
ADB Shell – example
REVIEW
• Learned proper technique for connecting Android device to a forensic
workstation
• Became familiar with USB Debugging’s importance to forensics
• Explored ADB and its relevance to successful investigations
EXERCISE
• Locate data directory on an Android device
• Connect an Android device to your VM workstation (or startup an AVD)
• Verify USB Debugging is enabled on the device
• Start adb on your forensic workstation
• Using adb shell, locate directories in /data/data
• Jot down the name of some interesting directories for further exploration later
File System & Data
Forensics Data Gathered and Analyzed
• SMS History
• Deleted SMS
• Contacts (stored in phone memory and on SIM card)
• Call History
• Received Calls
• Dialed Numbers
• Missed Calls
• Call Dates & Durations
• Datebook
• Scheduler
• Calendar
• To-Do List
• File System (physical memory)
• System Files
• Multimedia Files
• Java Files / Executables
• Deleted Data
• Notepad
• More...
• GPS Waypoints, Tracks, Routes, etc.
• RAM/ROM
• Databases
• E-mail
File System & Data Overview
• File Systems
• Data Storage
• What Data?
• Important Directories
• Five Data Storage Methods
• Shared Preferences
• Internal Storage
• External Storage
• SQLite
• Network
• Where else? Linux Kernel & Android Stack
• dmesg
• logcat
• Forensically Thinking
File Systems
• More than a dozen file systems in use on Android
• Forensics analysts should understand the most important
• EXT
• FAT32
• YAFFS2
• Most user data live in those
• Want to find the file systems on your device?
• adb shell cat /proc/filesystems
Data Storage
• Explore file systems and virtual machines
• Learning the Android file systems, directory structures, and specific files will be crucial to successful Android forensics analysis
What Data?
• Apps shipped with Android (with the OS) – e.g. Browser
• Apps installed by manufacturer – e.g. Moto Blur
• Apps installed by wireless carrier – e.g. CarrierIQ
• Additional Google/Android apps – e.g. Google Play Music, Gmail
• Apps installed by the user, from Play Store or elsewhere
Important Directories
• /data/data - Apps data generally installed in a subdirectory
• Example: Android browser is named com.android.browser, data files are stored at /data/data/com.android.browser
Common Subdirectories
• /data/data/<app package name>/
• shared_prefs: XML of shared preferences
• lib: Custom library files required by app
• files: Developer saved files
• cache: Files cached by the app
• databases: SQLite databases and journal files
Five Data Storage Methods
• We will be exploring these methods
• Shared preferences
• Internal storage
• External storage
• SQLite
• Network
Source: Hoog
Shared preferences
• Key-value XML data
• use cat command to view files
• Can be source of data
Shared preferences – example
• Android device security application
• Exploring shared_prefs, and SDPrefs_V2.xml, my user name and password are stored in the clear
Shared preferences – example
• MDM product
• Stores entire connection string, including user name, domain, and password in clear text
Internal storage
• Common file systems used: ext3, ext4, yaffs2.
• By default, files stored in /data/data are encrypted, accessed only by the application. Commonly root access is needed to access these files.
Internal storage
• Notice user “app_84” is the owner. That user was created when Google Maps was installed
• There’s a lot of potential rich forensic maps data in these directories
External storage
• External storage (SD Card) has fewer permission restrictions.
• FAT32 does not have the fine-grained permissions of other file systems.
SQLite
• Lightweight open-source relational database
• Entire database contained in a single file
• Generally stored on internal storage at /data/data/<packageName>/databases
• Browser subdirectories contain valuable data
SQLite – commands
• sqlite3 <database name> Runs SQLite
• .tables Lists available tables
• .headers ON Displays header row
• select * from <table name>; Displays table contents
• CTRL+Z Exits SQLite
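The same session from Python, as an added example that is not part of the slides: it mirrors .tables, .headers ON and select * from <table>, but opens the pulled database read-only so the examiner's queries cannot write the evidence file or create a journal beside it, and records MD5/SHA-1 before and after to show that. The browser-style schema and rows are constructed, not the real Android browser schema.

```python
"""Examine a pulled Android SQLite database without modifying it.

Added example, not from the slides. Mirrors the sqlite3 session above
(.tables, .headers ON, select * from <table>) from Python, opens the file
read-only, and records MD5/SHA-1 before and after. Schema and rows are a
constructed browser-style sample, not the real Android browser schema.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path):
    """Create the constructed sample database at path (examiner-side fixture)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE bookmarks(_id INTEGER PRIMARY KEY, title TEXT, url TEXT,
                               visits INTEGER, date INTEGER, bookmark INTEGER);
        CREATE TABLE searches(_id INTEGER PRIMARY KEY, search TEXT, date INTEGER);
        INSERT INTO bookmarks VALUES(1, 'Example', 'http://example.test/', 3, 1347000000000, 0);
        INSERT INTO bookmarks VALUES(2, 'Login', 'http://example.test/login', 1, 1347000600000, 0);
        INSERT INTO searches VALUES(1, 'android forensics', 1347001200000);
    """)
    conn.commit()
    conn.close()


def hash_file(path):
    """(md5, sha1) of the file, the way the SIMCon slide describes archiving evidence."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def open_read_only(path):
    """Like 'sqlite3 <database name>', but read-only: queries cannot write the
    file or create a journal beside it."""
    return sqlite3.connect(f"file:{Path(path).as_posix()}?mode=ro", uri=True)


def list_tables(conn):
    """Equivalent of .tables"""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def dump_table(conn, table):
    """Equivalent of .headers ON followed by select * from <table>; returns (header, rows)."""
    if table not in list_tables(conn):          # whitelist before interpolating the name
        raise ValueError(f"no such table: {table}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def examine(path):
    """Dump every table read-only; return (dumps, True if the file hash is unchanged)."""
    before = hash_file(path)
    conn = open_read_only(path)
    try:
        dumps = {t: dump_table(conn, t) for t in list_tables(conn)}
    finally:
        conn.close()
    return dumps, hash_file(path) == before


def demo():
    """Build the sample in a temp directory and examine it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "browser.db"
        build_sample_db(db)
        return examine(db)


if __name__ == "__main__":
    dumps, unchanged = demo()
    for table, (header, rows) in dumps.items():
        print(table, header)
        for row in rows:
            print("  ", row)
    print("evidence unchanged:", unchanged)
```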
SQLite – example
• These directories all contain one or more databases of interesting data for analysis.
• Contents include (app_geolocation) GPS positions for tracking where the device has traveled, (databases, app_databases and app_cache) stored data from visited web sites/apps.
Network
• Network storage via Java and Android network classes
• Network data is not stored locally on the device, though configuration files and related databases generally are locally stored
Where else?
• Linux Kernel & Android Stack
• Android is Linux at the kernel…we know that.
• With Linux, there is a kernel log, which may have some interesting data.
• To access the kernel log, command dmesg or “display message”, prints the kernel messages to the console (avd or adb shell)
dmesg
• Notice [KEY] above. Possibly something logging keystrokes. May be worth further investigation
• Root access is not needed for dmesg, just USB debugging
…more dmesg commands
• dmesg | wc displays word count of log (wc -l for line count)
• dmesg > dmesg.log saves dmesg to a log file
dmesg.log
logcat
• Displays a live stream of messages, system and app debug messages
• Used in the CarrierIQ demonstration video on YouTube
logcat
• Message Indicators
Message Indicator Description
V Verbose
D Debug
I Information
W Warning
E Error
F Fatal
S Silent
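As an added example, not from the slides, a small Python parser that turns logcat lines into records using the priority letters above, filters them like logcat's *:W, and flags messages carrying a credential in clear text (the kind of item the Forensically Thinking slide later asks for). The log lines are constructed; the brief and threadtime output formats are assumed.

```python
"""Parse adb logcat output and rank entries by the priority letters from the
slide's Message Indicator table. Added example, not from the slides; the log
lines below are constructed to resemble logcat output."""
import re

# Priority names from the slide table; S (silent) is a filter level that shows nothing.
PRIORITIES = {"V": "Verbose", "D": "Debug", "I": "Information",
              "W": "Warning", "E": "Error", "F": "Fatal", "S": "Silent"}
PRIORITY_RANK = {p: i for i, p in enumerate("VDIWEFS")}

# Default "brief" format:  I/Tag(  pid): message
BRIEF_RE = re.compile(r"^([VDIWEFS])/(.*?)\(\s*(\d+)\): (.*)$")
# "threadtime" format (adb logcat -v threadtime):  date time pid tid P Tag: message
THREADTIME_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEFS])\s+(.*?)\s*:\s(.*)$")

# Credentials echoed into debug output (heuristic; extend as needed).
SENSITIVE_RE = re.compile(r"(password|passwd|pin|token)\s*[=:]\s*\S+", re.I)

# Constructed sample: six brief-format lines, one threadtime line, one separator.
SAMPLE_LOGCAT = """\
I/ActivityManager(  585): Start proc com.android.browser for activity com.android.browser/.BrowserActivity: pid=1122 uid=10084
D/dalvikvm( 1122): GC_CONCURRENT freed 212K, 7% free 6210K/6663K, paused 2ms+3ms
W/KeyCharacterMap( 1122): No keyboard for id 0
E/SQLiteDatabase( 1122): Error inserting url=http://example.test/login
I/LoginActivity( 1122): user=jdoe password=hunter2 login ok
F/libc    ( 1340): Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1)
09-12 14:03:11.123  1234  1250 W PackageManager: Unknown permission android.permission.FOO in package com.example.mdm
--------- beginning of /dev/log/main
"""


def parse_line(line):
    """Return a record for one logcat line, or None if it is not a log entry."""
    m = BRIEF_RE.match(line)
    if m:
        pri, tag, pid, msg = m.groups()
        return {"time": None, "pid": int(pid), "tid": None, "priority": pri,
                "tag": tag.strip(), "message": msg}
    m = THREADTIME_RE.match(line)
    if m:
        ts, pid, tid, pri, tag, msg = m.groups()
        return {"time": ts, "pid": int(pid), "tid": int(tid), "priority": pri,
                "tag": tag, "message": msg}
    return None


def parse_logcat(text):
    """All parseable entries of a captured logcat, in order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def at_least(entries, min_priority):
    """Entries at min_priority or higher, like logcat's *:W style filter."""
    floor = PRIORITY_RANK[min_priority]
    return [e for e in entries if PRIORITY_RANK[e["priority"]] >= floor]


def sensitive_entries(entries):
    """Entries whose message appears to carry a credential in clear text."""
    return [e for e in entries if SENSITIVE_RE.search(e["message"])]


def summarize(entries):
    """Count entries per priority name, e.g. {'Warning': 2, ...}."""
    counts = {}
    for e in entries:
        name = PRIORITIES[e["priority"]]
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    print(summarize(entries))
    for e in at_least(entries, "W"):
        print(e["priority"], e["tag"], e["message"])
    for e in sensitive_entries(entries):
        print("credential in log:", e["tag"], e["message"])
```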
Forensically Thinking
• Now that we have some idea of how to locate data
• Time to start thinking about identifying potential interesting data, forensically thinking
• What you might look for:
• Time stamps – when was something modified, when did an event occur
• User Information – locate user names and/or passwords in insecure prefs/logs. Locate user authentication times in log files.
• Image files – identify .JPEG or other picture files, for later assessment of the picture.
• SD Card Files – look for files saved to SD Card
• Call logs – Who has the user been calling / receiving calls from
REVIEW
• Explored Android file system, internal and external
• Located common directories for rich forensic information
• Identified five key areas of stored persistent data
• Explored application preference files to locate important forensic data
• Explored databases in search of data for forensics analysis
• Identified sensitive data stored insecurely
EXERCISE
• Apply current Android forensics knowledge to locate data of interest
• Using adb shell (or /.android if using an AVD), explore an application’s shared_prefs within /data/data
• Use the cat command to open an xml file and review the contents
• Note anything of interest to share with the class
• Using sqlite3, explore an application’s databases within /data/data
• Use .tables and select commands to gather data of interest, which could identify something specific about the user.
• Note anything of interest to share with the class
Learning Objectives
By the end of this course, you will be able to:
1. Extract and analyze data from an Android device
2. Manipulate Android file systems and directory structures
3. Understand techniques to bypass passcodes NEW!
4. Utilize logical and physical data extraction techniques
5. Reverse engineer Android applications
6. Analyze acquired data
Device Handling & Modification
Device Handling & Modification
• Forensics rule: Avoid modification of the target, at all costs
• Not so easy for mobile. Drives, RAM, CPU, etc are all in non-accessible locations
• Just the act of taking the device out of sleep mode records a log (remember logcat)
• The realization: You cannot get a pristine mobile device, but take much precaution to minimize modification to the device
Device Acquisition
• Extend screen timeout to max, immediately (if not already locked)
• Enable Stay Awake while charging and USB debugging
• Disable network communication
• Do nothing further until in a secure location with minimal cellular / network connectivity
“What if it’s already off?”
• Boot into recovery mode
• Test for connectivity and root access
• Cross your fingers that USB debugging is already enabled and/or device is already rooted
Circumventing Passcodes
Circumventing Passcodes
• Critical capability in forensics and security testing
• Techniques vary from platform-to-platform
• There is no panacea for circumventing passcodes on Android
• …but we will learn a few potential techniques
Passcode Types
• Pattern lock
• PIN
• Alphanumeric
New Passcode Type
Facial recognition
“How Do We Crack Them?”
• Smudge Attack
• Pattern Lock Vulnerability
• ADB and USB Debugging, with psneuter
• Continues to evolve…
Smudge Attack
• Screens are reflective; smudge (aka pattern lock) is diffuse.
• Directional lighting and a camera capturing photos overexposed by two to three f-stops (4 to 8 times “correct” exposure)
• Creates an image displaying pattern lock
• Not 100% accurate, since other swipes of the screen may have damaged the pattern lock smudge
Pattern Lock Crack
http://bcove.me/7ozhp9u4
Source: http://www.youtube.com/user/SecurityCompass
• Pattern Lock creates a file gesture.key
• Hash of the pattern stored
• If custom recovery ROM is installed (i.e. ClockWork Recovery)
• Remove & recreate key to bypass pattern
Gaining Root
Gaining Root
• Needed for many forensic techniques, including physical
acquisition
• Not enabled on any device by default
• Not possible on all devices
• Gaining root isn’t always the best choice in forensics
• It will change data on the device, possibly altering evidence
• It will be time consuming to gain root, as it’s implemented differently across most
devices
• Root makes the device vulnerable to many exploits
Three Common Types of Root
• Temp root – roots the device only until it is rebooted, which then disables root
• Perm root – root persists after reboots. Commonly enabled with custom ROMs
• Recovery mode root – flashing (installing) a custom recovery partition, allowing root to run only in recovery mode
Temp Root
• For forensics, temp root is what we want to enable, if needed
• Suggest testing these procedures many times, but not on your primary / target device
Temp Root
• Is USB debugging enabled?
• Is it already rooted?
• adb shell su
• permission denied – no root
• # - root
MyTouch 4G – custom ROM
Droid X – stock OS
• If not rooted, start searching xda-developers.com
Property Service Neuter
• Psneuter is a form of a malicious app, but for our good
• Uses a vulnerability in Android to gain superuser access, and ultimately root
• To gain root shell (or temp root) with psneuter:
• adb devices
• adb push psneuter /data/local/tmp
• adb shell
• $ cd /data/local/tmp
• $ chmod 777 psneuter
• $ ./psneuter
Permanent Root
• Not as common for forensics
• We want to limit the footprint
• Perm root leaves a HUGE footprint
Busy Box
• “The Swiss Army Knife of Embedded Linux”
• # mount -o remount,rw -t rfs /dev/block/st19 /system
• # exit
• adb push busybox /system/bin
• adb push su /system/bin
• adb install Superuser.apk
• adb shell
• # chmod 4755 /system/bin/busybox
• # chmod 4755 /system/bin/su
SuperOneClick
• A simple tool for "rooting" your Android phone
SuperOneClick
• Root for perm, Shell Root for temp
A couple roots
• Acer A500: http://www.tabletroms.com/forums/showwiki.php?title=AcerIconiaFaq:How-to-root-the-Acer-Iconia-Tab-A500
• Lenovo: http://rootzwiki.com/topic/8722-lenovo-ideapad-k1-rooting-guide-messy/page__st__120
Agenda
DAY 1
• Forensic Introduction
• Course Setup – Linux, OS X, and Windows
• Android Overview
• SDK and AVD
• Android Security Model
• ADB and shell Introduction
• File System and Data Structures
• Device Handling
• Circumvent passcode
• Gain Root Access
Agenda
DAY 2
• Recovery Mode
• Boot Loaders
• Logical Forensic Techniques
• Open Source Tools
• Commercial Tools
• Physical Forensic Techniques & Tools
• Forensic Analysis
• Application Penetration Testing Setup
• Reverse Apps
• …more Reversing
• Document Findings
Got sqlite3?
• $ adb push sqlite3 /sdcard/
• $ adb shell
• $ su
• # mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
• # dd if=/sdcard/sqlite3 of=/system/bin/sqlite3
• # chmod 4755 /system/bin/sqlite3
• # mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
• sqlite3 binary is in SuperOneClick directory.
Recovery Mode
Recovery Mode
• Designed as an avenue for manufacturers to deliver and apply system updates
• Recovery partitions offer shell access and root permissions
• When booting into recovery mode, pass codes are circumvented
Recovery Not User Accessible
Recovery User Accessible
• Check adb devices on forensic workstation
• If no adb access, search for root while in recovery mode
Recovery Mode Techniques
Device: Key Combination
• Motorola Droid X: Power off. Hold Home and press power button. Release power. When (!) displays release Home. Press Search button. (needs more research)
• HTC Incredible: Hold volume down and press power button. Use volume down to select recovery and press power button.
Approved for Public Release 134
Android
Forensi
cs
Passcode Circumvention Recap
• If device is on and passcode protected, connect to USB and attempt ADB access.
• If pattern lock is present (and you have access to lighting and camera), attempt smudge attack.
• If those fail, attempt to reboot into recovery mode.
• If device is off, attempt boot into recovery mode.
REVIEW
• Identified the importance of proper device handling
• Explored techniques for circumventing passcodes
• Applied rooting techniques and tools
• Located recovery partitions and the benefit of recovery mode
EXERCISE
• Attempt to circumvent passcode and obtain root access
• Document your findings to share with the class
Learning Objectives
By the end of this course, you will be able to:
✓ Extract and analyze data from an Android device
✓ Manipulate Android file systems and directory structures
✓ Understand techniques to bypass passcodes NEW!
3. Utilize logical and physical data extraction techniques
4. Reverse engineer Android applications
5. Analyze acquired data
Android Forensics Techniques
• Forensic data acquisition
• Acquiring SD card data
• Open-source and commercial forensic tools
• qtADB
• viaExtract
• CelleBrite
• Paraben
Logical vs. Physical Acquisition
• Logical vs. Physical
• Logical
• ADB Pull
• Other tools
• Physical
• Hardware vs. software
• Software technique in detail
Logical vs. Physical Acquisition
Logical:
• Accesses the file system.
• Data that is readily available to a user.
Physical:
• Targets the physical memory, not relying on the file systems.
• Gains much more data than logical, potentially circumvents passcodes.
Logical Acquisition
Logical SD Card Acquisition
• User app data lives in /data/data, where each sub-directory is read/write protected to its app's own user
• SD cards are used for large storage (audio, video, maps)
• SD uses cross-platform FAT file systems
• .apk files residing on SD cards are increasingly encrypted
• Removing SD card challenges
• Unencrypted .apk’s are mounted in /mnt/asec
• This is an important directory to pull and analyze, if 3rd party apps are part of the investigation
ADB Pull – logical
• Command used for copying data from an emulator or device
• Primary logical acquisition tool
• adb pull on non-rooted Droid X:
ADB Pull – rooted & locked
• adb pull on rooted and password locked HTC Glacier (aka T-Mobile MyTouch 4G):
• ~700 MB
• ~27 minutes
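The verification step a practitioner wants alongside an adb pull, as an added example (not part of the course material): a POSIX shell wrapper that pulls a device path into a case directory and records a SHA-256 manifest so the acquired files can be re-verified later. It assumes adb is on PATH and the device shows in `adb devices`; the case-directory layout and helper names are my own.

```shell
#!/bin/sh
# Added example (not from the course slides): wrap `adb pull` in a case
# directory and keep a SHA-256 manifest of everything that was acquired.
# Assumes adb is on PATH and the device is listed by `adb devices`.
set -eu

# Pull a device path (e.g. /data/data on a rooted device, or /sdcard) into
# $case_dir/pull, keeping adb's own output as the acquisition log, then hash
# the result so later analysis can prove the copy was not modified.
acquire_logical() {
  device_path="$1"
  case_dir="$2"
  mkdir -p "$case_dir"
  printf '%s start pull of %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$device_path" \
    >> "$case_dir/acquisition.log"
  adb pull "$device_path" "$case_dir/pull" >> "$case_dir/acquisition.log" 2>&1
  printf '%s pull finished\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$case_dir/acquisition.log"
  make_manifest "$case_dir/pull" "$case_dir/manifest.sha256"
}

# Hash every regular file under a directory into a manifest in sha256sum
# format. Paths are relative to the directory and sorted, so two manifests
# of the same acquisition diff cleanly.
make_manifest() {
  dir="$1"
  out="$2"
  (cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done) > "$out"
}

# Verify a pulled tree against its manifest (manifest path must be absolute).
# Exit status 0 means every file still matches; non-zero means a file was
# changed, truncated or removed since the manifest was written.
verify_manifest() {
  dir="$1"
  manifest="$2"
  (cd "$dir" && sha256sum -c "$manifest" > /dev/null)
}
```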
Tools and Time Savers
QtADB
• http://qtadb.wordpress.com/
• Graphical app based on adb
• Open-source, currently well-supported
QtADB – features
• File manager
• copying files and dirs between phone and computer
• removing files and dirs
• creating new dir
• and other
• App manager
• installing apps
• removing apps
• creating backup of apps with data
• restoring backups of apps with data
• Sms manager
• receiving sms (balloon in tray)
• reading sms
• sending sms
• Shell
• opens android shell
• Screenshot
• take screenshot of your device
• save screenshot to png file
• Fastboot
• flash bootloader, radio and recovery
• boot recovery
• Recovery
• nandroid backup/restore
• wipe data
• flash rom
• wipe battery stats
• fix uid mismatches
• Reboot
• to bootloader
• to recovery
• normal reboot
• Settings
• set font used by app
• set starting paths (or remember paths on exit)
• and other
• Logcat
• Automatically detects phone (device, fastboot and recovery mode)
QtADB – in action
Screenshots: Recovery partition; Logcat
QtADB – setup
• Windows:
• Must have Android SDK installed
• ZIP contains all libraries
• Extract to a permanent directory
• Open QtADB application
• Choose path to directory with adb and aapt binaries (example: C:\Users\<USERNAME>\AppData\Local\Android\android-sdk\platform-tools)
REVIEW
• Identified the difference between logical and physical forensics
• Explored open and free tools and techniques for logically acquiring data
• Located directories and file details for SD card logical acquisition
EXERCISE
• Using either ADB or QtADB, pull a logical acquisition from your device or AVD.
• Verify the pull completed successfully, and document the size of data acquired.
AFLogical
• Android forensics logical extraction tool
• Free for law enforcement and government agencies
• Leverages Content Providers (e.g., CallLog Calls)
Cellebrite UFED
Cellebrite Physical Analyzer
Paraben Device Seizure
Device Seizure – Acquisition
• DS acquisition temporarily installs Seizure Service on the device; it is removed automatically on completion of the acquisition
Device Seizure – Acquisition
• Device Seizure hung while acquiring data after more than 11 hours
• Keep in mind, I'm acquiring from a rooted CyanogenMod ROM, and checked options to acquire all data, including the entire contents of a 32GB Class 10 microSD card
Device Seizure – Acquisition
• This screen displays for a considerable amount of time when completing / canceling an acquisition
Device Seizure – Results
• Contacts and Calendar were empty
Device Seizure – Sorting
• After acquisition, "Do you want to fill the sorter?"
• This will take about an hour
Device Seizure – Sort Results
• Sorting all the findings
Device Seizure – Reports
• Creating a PDF report of the entire case
Device Seizure – Report
Physical Acquisition
Software Physical Acquisition
• Let’s get a full NAND acquisition of the user accessible data partition
• For time’s sake, and now that we know of open-source and commercial tools, let’s take advantage of them for the physical acquisition
Forensic Analysis
• Analyzing acquired data
• File System Analysis
• SQLite Analysis
• Directory Structure
• FAT Analysis
• SD Card Analysis
• YAFFS2 Analysis
Forensic Analysis - photos
• Common location for storage of photos in JPG format
Important Directories Recap
• /cache/
• Previewed Gmail attachments
• Downloads (Market and messages)
• /data/
• dalvik-cache: applications (.dex) that have been run
• app: .apk files
• data: subdirectories per app with SQLite databases and XML shared preferences
• misc: protocol info
• system:
• installed applications (or packages.xml)
• accounts database
• device and app login details, .key files
• /proc & /sys – list of device filesystems, web history, device info
• /mnt/sdcard/DCIM/Camera - images
• /sdcard/android or sdcard/data/data – FAT32, limited permission
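A first-pass triage of an acquisition that has been pulled to the workstation, as an added example (not part of the course material): it walks the directories listed in the recap and classifies each file by its magic bytes (SQLite database, dex, apk/zip, XML shared preference, JPEG), which is a faster way to find the databases and preference files worth opening than reading file names. The root directory and helper names are assumptions of mine; the magic values are the formats' documented headers.

```shell
#!/bin/sh
# Added example (not from the course slides): triage a pulled Android
# acquisition by file signature, using the directory layout from the recap.
# Assumes the acquisition root holds the device paths as pulled (data/, cache/, ...).
set -eu

# Classify one file by its leading bytes and echo one of:
#   sqlite, dex, apk/zip, xml, jpeg, other
classify_file() {
  f="$1"
  # Read the first 16 bytes as a hex string so the comparison is plain POSIX sh.
  magic=$(head -c 16 "$f" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    53514c69746520666f726d6174203300) echo sqlite ;;   # "SQLite format 3\0"
    6465780a*)                        echo dex ;;      # "dex\n" + version
    504b0304*)                        echo apk/zip ;;  # PK zip local file header
    ffd8ff*)                          echo jpeg ;;     # JPEG SOI marker
    3c3f786d6c*)                      echo xml ;;      # "<?xml" (shared_prefs)
    *)                                echo other ;;
  esac
}

# Walk the recap's directories under an acquisition root and print
# "type<TAB>relative path", sorted so two runs diff cleanly.
triage_acquisition() {
  root="$1"
  for sub in data/data data/app data/dalvik-cache data/system cache mnt/sdcard/DCIM/Camera; do
    [ -d "$root/$sub" ] || continue
    find "$root/$sub" -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(classify_file "$f")" "${f#"$root/"}"
    done
  done
}

# Count entries of one type in a triage listing read from stdin.
count_type() {
  awk -F'\t' -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}
```

Piping `triage_acquisition "$root" | grep '^sqlite'` yields the list of databases to open with sqlite3.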
REVIEW
• Explored several commercial Android forensics products
• Identified the benefits and acquisition steps of physical forensics
• Located the most important directories for analysis
EXERCISE
• Determine what the user does for work and fun
• (in groups) Now that you have acquired data many different ways, analyze the data using one of the forensics tools (adb, adb shell, Device Seizure, QtADB, etc) to get a fresh data acquisition from your device
• Look at earlier exercises for commands, as a refresher
• Explore data in directories like /data/ and /cache/
• As a forensic analyst, document findings that would help you determine the user's profession and hobbies
• Be prepared to share your findings with the class
Learning Objectives
By the end of this course, you will be able to:
✓ Extract and analyze data from an Android device
✓ Manipulate Android file systems and directory structures
✓ Understand techniques to bypass passcodes
✓ Utilize logical and physical data extraction techniques
4. Reverse engineer Android applications
5. Analyze acquired data
Application Testing
Reverse Engineering Apps
Analyzing APKs
• Byte code is reverted to source
• First extracting each of the classes.dex files
• Using dex2jar.bat, a jar file is created
• Batch file used to convert dex files to jar files
Diagram: .java → .class (java) → .dex (dx)
More Analyzing APKs
• Java Decompiler used to create a zip file containing all of the Java source code
• Used to view class files and convert them to java
• The remaining content of each of the APK files is extracted
• Yes, it’s a painful process!
• How can we make it easier?
APK Reversing
• Rename Android app (.apk) to .zip.
• Extract .zip.
• Run Dex2Jar desktop script (.bat or .sh) on extracted .dex file
• Dex2Jar decompiles .dex to .jar (Java Archive)
• Open .jar in Java Decompiler desktop app to review source
Diagram: .java → .class (java) → .dex (dx)
APKTool
• Powerful tool for forensic analysts
• Tool for reverse engineering Android binaries
• Available at code.google.com
androguard
• Reverse engineering, Malware and goodware analysis of Android applications ... and more!
• Check for permissions and usage
• Available at code.google.com
APKinspector
• Powerful tool for forensic analysts
• Graphically reverse engineer and analyze apps
• Available at code.google.com
REVIEW
• Explored reversing tools for Android
• Reverse engineered app back to source code
• Explored code and data for an APK
EXERCISE
• Reverse engineer an app and locate critical data
• Use APKInspector
• Reverse engineer the Facebook or F-Droid (mobile app market) application
• Both apps are located in the Documents directory on the workstation
• Locate the database where user IDs are stored
Learning Objectives
By the end of this course, you will be able to:
✓ Extract and analyze data from an Android device
✓ Manipulate Android file systems and directory structures
✓ Understand techniques to bypass passcodes NEW!
✓ Utilize logical and physical data extraction techniques
✓ Reverse engineer Android applications
✓ Analyze acquired data

Mobile Forensics and Investigation Android Forensics

  • 1.
    Mobile and WirelessDevice Forensics Unit 3
  • 2.
    Understanding Mobile DeviceForensics • People store a wealth of information on cell phones • People don’t think about securing their cell phones • Items stored on cell phones: • Incoming, outgoing, and missed calls • Text and Short Message Service (SMS) messages • E-mail • Instant-messaging (IM) logs • Web pages • Pictures
  • 3.
    Understanding Mobile DeviceForensics (continued) • Items stored on cell phones: (continued) • Personal calendars • Address books • Music files • Voice recordings • Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
  • 4.
    Inside Mobile Devices •Mobile devices can range from simple phones to small computers • Also called smart phones • Hardware components • Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display • Most basic phones have a proprietary OS • Although smart phones use stripped-down versions of PC operating systems
  • 5.
    Inside Mobile Devices(continued) • Phones store system data in electronically erasable programmable read-only memory (EEPROM) • Enables service providers to reprogram phones without having to physically access memory chips • OS is stored in ROM • Nonvolatile memory
  • 6.
  • 7.
    Inside Mobile Devices(continued) • Subscriber identity module (SIM) cards • Found most commonly in GSM devices • Microprocessor and from 16 KB to 4 MB EEPROM • Sometimes even more, up go 1 GB EEPROM • GSM refers to mobile phones as “mobile stations” and divides a station into two parts: • The SIM card and the mobile equipment (ME) • SIM cards come in two sizes • Portability of information makes SIM cards versatile
  • 8.
    Inside Mobile Devices(continued) • Subscriber identity module (SIM) cards (continued) • Additional SIM card purposes: • Identifies the subscriber to the network • Stores personal information • Stores address books and messages • Stores service-related information
  • 9.
    Inside PDAs • Personaldigital assistants (PDAs) • Can be separate devices from mobile phones • Most users carry them instead of a laptop • PDAs house a microprocessor, flash ROM, RAM, and various hardware components • The amount of information on a PDA varies depending on the model • Usually, you can retrieve a user’s calendar, address book, Web access, and other items
  • 10.
    Inside PDAs (continued) •Peripheral memory cards are used with PDAs • Compact Flash (CF) • MultiMedia Card (MMC) • Secure Digital (SD) • Most PDAs synchronize with a computer • Built-in slots for that purpose
  • 11.
    Understanding Acquisition Procedures forCell Phones and Mobile Devices
  • 12.
    Understanding Acquisition Procedures forCell Phones and Mobile Devices • The main concerns with mobile devices are loss of power and synchronization with PCs • All mobile devices have volatile memory • Making sure they don’t lose power before you can retrieve RAM data is critical • Mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately • Depending on the warrant or subpoena, the time of seizure might be relevant
  • 13.
    Understanding Acquisition Proceduresfor Cell Phones and Mobile Devices (continued) • Messages might be received on the mobile device after seizure • Isolate the device from incoming signals with one of the following options: • Place the device in a paint can • Use the Paraben Wireless StrongHold Bag • Use eight layers of antistatic bags to block the signal • The drawback to using these isolating options is that the mobile device is put into roaming mode • Which accelerates battery drainage
  • 14.
    Understanding Acquisition Proceduresfor Cell Phones and Mobile Devices (continued) • Check these areas in the forensics lab : • Internal memory • SIM card • Removable or external memory cards • System server • Checking system servers requires a search warrant or subpoena • SIM card file system is a hierarchical structure
  • 15.
    • MF: rootof the system • DF: directory files • EF: elementary data
  • 16.
    Understanding Acquisition Proceduresfor Cell Phones and Mobile Devices (continued) • Information that can be retrieved: • Service-related data, such as identifiers for the SIM card and the subscriber • Call data, such as numbers dialed • Message information • Location information • If power has been lost, PINs or other access codes might be required to view files
  • 17.
    Mobile Forensics Equipment •Mobile forensics is a new science • Biggest challenge is dealing with constantly changing models of cell phones • When you’re acquiring evidence, generally you’re performing two tasks: • Acting as though you’re a PC synchronizing with the device (to download data) • Reading the SIM card • First step is to identify the mobile device
  • 18.
    Mobile Forensics Equipment (continued) •Make sure you have installed the mobile device software on your forensic workstation • Attach the phone to its power supply and connect the correct cables • After you’ve connected the device • Start the forensics program and begin downloading the available information
  • 19.
    Mobile Forensics Equipment (continued) •SIM card readers • A combination hardware/software device used to access the SIM card • You need to be in a forensics lab equipped with appropriate antistatic devices • General procedure is as follows: • Remove the back panel of the device • Remove the battery • Under the battery, remove the SIM card from holder • Insert the SIM card into the card reader
  • 20.
    Mobile Forensics Equipment (continued) •SIM card readers (continued) • A variety of SIM card readers are on the market • Some are forensically sound and some are not • Documenting messages that haven’t been read yet is critical • Use a tool that takes pictures of each screen • Blackberries may require special hardware
  • 21.
    iPhone Forensics • MacLockPickII • Uses backup files • It can’t recover deleted files • MDBackUp Extract • Analyzes the iTunes mobile sync backup directory
  • 22.
  • 23.
    Mobile Forensics Tools •Paraben Software Device Seizure Toolbox • Contains cables, SIM card readers, and more • Data Pilot • Similar to Paraben • BitPim • Can view data on many phones, but it's not intended for forensics • MOBILedit! • Has a write-blocker
  • 24.
    Mobile Forensics Tools •SIMCon • Reads files on SIM cards • Recoveres deleted text messages • Archives files with MD5 and SHA-1 hashes • Software tools differ in the items they display and the level of detail
  • 27.
  • 28.
    External Memory Dump •refers to the process of acquiring data from the external memory storage of a mobile device • includes the device's microSD card or any other external storage media where user-generated data such as photos, videos, documents, and application data may be stored.
  • 29.
    Process of ExternalMemory Dump • Acquisition • Data Extraction • Analysis • can provide insights into a user's behavior, communication patterns, application usage, and even location information
  • 30.
    Physical Data Acquisitionof Mobile Phones • NAND Flash Memory • composed of memory cells, organized in a grid-like structure known as a memory array • cells are made up of floating-gate transistors and are arranged in blocks, which are further grouped into pages • floating-gate transistors can trap electrical charge, representing the 0s and 1s of digital data.
  • 31.
    • When datais written to a NAND flash memory cell, an electrical charge is applied to the floating gate, altering its state to represent the desired data • Data is erased from NAND flash memory through a process called block erase, which resets all the memory cells in a block to a predetermined state • Fast Access Times 1. High Density and Scalability • Endurance and Longevity • Power Efficiency
  • 32.
    Process of PhysicalData Acquisition Device Preparation Data Extraction Storage of Acquired Data Analysis and Interpretation
  • 33.
    Importance of PhysicalData Acquisition • enables the thorough examination of a mobile device's internal storage • complete and unaltered dataset that is essential for establishing the chronology of events • reconstructing the user's interactions and behaviors on the device. • facilitates the retrieval of system logs, application data, facilitates the retrieval of system logs, application data, cached information
  • 34.
    Logical Acquisition bit-by-bit copiesof logical storage objects from their allocated space the slack spaces cannot be acquired not possible to overcome the challenge of obtaining deleted data works best on unrooted mobile phones USB debugging mode needs to be enabled.
  • 35.
    Manual Acquisition • Withoutany cables or platforms • Using the phones touchscreen • Does not preserve the integrity of the evidence • Does not extract all the data on the phone • If off or protected then not possible.
  • 36.
    File system extraction •Android- Ext4 file system • Identify the file system • Access the file system structures • Data extraction and analysis • Metadata • Deleted data • User Activities • Application data • Data authenticity
  • 37.
    Android Forensics Shawn Valle shawnvalle atgmail dot com September 2012
  • 38.
  • 39.
    Android Overview &History • Google Mobile SVP Andy Rubin reported that over 2,000,000 Android devices were being activated each day as of February 2022 • 1,000,000 increase per day over just one year ago 39 Android Forensi cs
  • 40.
    Android Overview &History Date Event July 1, 2005 Google acquires Android, Inc. November 12, 2007 Android launched September 23, 2008 Android 1.0 platform released February 13, 2009 Android Market: USA takes paid apps April 15, 2009 Android 1.5 (Cupcake) platform released September 16, 2009 Android 1.6 (Donut) platform released October 5, 2009 Android 2.0/2.1 (Eclair) platform released May 20, 2010 Android 2.2 (Froyo) platform released December 6, 2010 Android 2.3 (Gingerbread) platform released February 2, 2011 Android 3.0 (Honeycomb) preview released November 14, 2011 Android 4.0 (Ice Cream Sandwich), 3.0 source released July 9, 2012 Android 4.1 (Jelly Bean) platform released 40
  • 41.
    Android Overview &History • Android Feature Introduction • More details come later • 1st Primary feature, always connected: GSM, CDMA, LTE, WiMax, WiFi • 2nd Market / Play: rich source for forensic analysts • 3rd Data Storage: Big part of the course • Flash (or NAND) memory • External SD card • Internal SD card 41
  • 42.
    Android Overview &History • Apps • As of January 2024, over 3.5 MILLION Android apps have been developed. Doubled since January 2018. • Apple maintains tight control over their App Store, requiring developers to submit to a sometimes lengthy review process and providing Apple with the final approval for an app. Apps can be denied based on a number of criteria, most notably if they contain any content Apple feels is objectionable. • Google, on the other hand, requires very little review to publish an app in the Android Market. While Google has the ability to ban a developer, remove an app from the Android Market, and even remotely uninstall apps from Android devices, in general their approach to app management is hands off. 42
  • 43.
    Android Open SourceProject • The Android Open Source Project (AOSP) is led by Google, and is tasked with the maintenance and development of Android. • It is good experience to download and install AOSP from source. • Not critical for all forensics analysts to get this deep into Android. May be helpful for deep analysis. 43
  • 44.
  • 45.
    Android & Forensics •Relatively new, emerged in ~2009 • Best known expert in the field is Andrew Hoog • Other leaders in the Android Security field include Jon Oberheide and Zach Lanier • Community is rapidly growing • In-house investigations on pilot / prototype apps • Penetration tests • Vulnerability assessments • Funded research 45
  • 46.
  • 47.
  • 48.
    Much ado abouthardware 48
  • 49.
    Hardware - core •CPU • Radio • Memory (RAM & NAND Flash) • GPS • WiFi • Bluetooth • SD Card • Screen • Camera(s) • Keyboard • Battery • USB • Accelerometer / Gyroscope • Speaker • Microphone • SIM 49 Android Forensi cs
  • 50.
    More Memory • Memory(RAM & NAND Flash) • Manufactured together into multichip package (MCP) http://www.hynix.com/products/mobile/mcp.jsp?menuNo=1&m=4&s=4 50 Android Forensi cs
  • 51.
    Hardware - devices •Smartphones • Tablets • Google TV • Vehicle Stereos • Standalone GPS • Kindle Fire • B&N Nook • 700+ Android devices 51 Android Forensi cs
  • 52.
    ROM & BootLoaders • ROM varies by manufacturer • Contains boot process • seven key steps to the Android boot process: 1. Power on and on-chip boot ROM code execution 2. The boot loader 3. The Linux kernel 4. The init process 5. Zygote and Dalvik 6. The system server 7. Boot complete Source: “The Android boot process from power on” by Mattias Björnheden of the Android Competence Center at Enea 52 Android Forensi cs
  • 53.
    ROM & BootLoaders Source: “The Android boot process from power on” by Mattias Björnheden of the Android Competence Center at Enea 53 Android Forensi cs
  • 54.
  • 55.
  • 56.
    Connecting Device toVM • Mac OS X with VMWare Fusion • VirtualBox Approved for Public Release 56 Android Forensi cs
  • 57.
    Setting up USBInterfaces • Each device has different USB setting options when connected to a PC • Some options are: • Charge only • Sync • Disk drive • Mobile Broadband Connect 57 Android Forensi cs
  • 58.
    USB Connection Test •To ensure the device is connected and passing through the “host” OS to the Ubuntu VM • Open a terminal window and type dmesg (display message or driver message) 58 Android Forensi cs
  • 59.
    USB Forensics Precaution •Important to disable auto-mount to prevent automatic detection and mounting of USB mass storage • Critical to limit and modifications to device when acquiring forensic data (more later) • A hardware USB write blocker is an option • To check for mounted SD cards, use df command. 59 Android Forensi cs
  • 60.
  • 61.
    SD Card 61 • Mostdevelopers store large data files on SD cards. • Core application data is located in /sdcard/data/data Android Forensi cs
  • 62.
    Android Debug Bridge Approvedfor Public Release 62
  • 63.
    Android Debug Bridge •One of the most important pieces of Android forensics. • Best time to pay attention is now. • Android Debug Bridge (ADB) • Developers use this, forensic analysts and security analysts rely on this. 63 Android Forensi cs
  • 64.
    USB Debugging • EnableUSB debugging on device • Applications > Development > USB Debugging • This will run adb daemon (adbd) on device. • adbd runs as a user account, not an admin account. No root access. Unless your device is rooted, then adbd will run as root. • If the device is locked with a pass code, enabling USB debugging is difficult. 64 Android Forensi cs
  • 65.
  • 66.
    USB Debugging • EnableUSB debugging on device • Applications > Development > USB Debugging • This will run adb daemon (adbd) on device. • adbd runs as a user account, not an admin account. No root access. Unless your device is rooted, then adbd will run as root. • If the device is locked with a pass code, enabling USB debugging is difficult. Approved for Public Release 66 Android Forensi cs
  • 67.
    ADB Components • Threecomponents • adbd on device • adbd on workstation • adb on workstation • adb is free, open-source, and our primary tool for Android forensics Approved for Public Release 67 Android Forensi cs
  • 68.
    ADB Devices • Toidentify devices connected, use command adb devices Approved for Public Release 68 Android Forensi cs
  • 69.
    Bad ADB • Sometimesadb doesn’t respond properly. • To kill adb, use command adb kill-server Approved for Public Release 69 Android Forensi cs
  • 70.
    ADB Shell • Toopen an adb shell on an Android device, use command adb shell • Gives full shell access directly on device. • Once we learn more about file system and directories, adb shell will get you much of the data needed for forensic analysis Approved for Public Release 70 Android Forensi cs
  • 71.
    • Full listof adb commands at http://developer.android.com/guide/developing/tools/adb.html ADB Shell – example Approved for Public Release 71 Android Forensi cs
  • 72.
    REVIEW • Learned propertechnique for connecting Android device to a forensic workstation • Became familiar with USB Debugging’s importance to forensics • Explored ADB and its relevance to successful investigations Approved for Public Release 72 Android Forensi cs
  • 73.
    EXERCISE • Locate datadirectory on an Android device • Connect an Android device to your VM workstation (or startup an AVD) • Verify USB Debugging is enabled on the device • Start adb on your forensic workstation • Using adb shell, locate directories in /data/data • Jot down the name of some interesting directories for further exploration later Approved for Public Release 73 Android Forensi cs
  • 74.
    File System & Data Approvedfor Public Release 74
  • 75.
    • SMS History •Deleted SMS • Contacts (stored in phone memory and on SIM card) • Call History • Received Calls • Dialed Numbers • Missed Calls • Call Dates & Durations • Datebook • Scheduler • Calendar • To-Do List • File System (physical memory) • System Files • Multimedia Files • Java Files / Executables • Deleted Data • Notepad • More... • GPS Waypoints, Tracks, Routes, etc. • RAM/ROM • Databases • E-mail Page 75 Forensics Data Gathered and Analyzed Android Forensi cs
  • 76.
    File System &Data Overview • File Systems • Data Storage • What Data? • Important Directories • Five Data Storage Methods • Shared Preferences • Internal Storage • External Storage • SQLite • Network • Where else? Linux Kernel & Android Stack • dmesg • logcat • Forensically Thinking Approved for Public Release 76 Android Forensi cs
  • 77.
    File Systems • Morethan a dozen file systems in Android • More than a dozen file systems in use on Android • Forensics analysts should understand the most important • EXT • FAT32 • YAFFS2 • Most user data live in those • Want to find the file systems on your device? • adb shell cat /proc/filesystems Approved for Public Release 77 Android Forensi cs
  • 78.
    Data Storage • Explorefile systems and virtual machines • Learning the Android file systems, directory structures, and specific files will be crucial to successful Android forensics analysis Approved for Public Release 78 Android Forensi cs
  • 79.
    What Data? • Appsshipped with Android (with the OS) – eg. Browser • Apps installed by manufacturer – eg. Moto Blur • Apps installed by wireless carrier – eg. CarrierIQ • Additional Google/Android apps – eg. Google Play Music, Gmail • Apps installed by the user, from Play Store or elsewhere Approved for Public Release 79 Android Forensi cs
  • 80.
    Important Directories • /data/data- Apps data generally installed in a subdirectory • Example: Android browser is named com.android.browser, data files are stored at /data/data/com.android.browser Approved for Public Release 80 Android Forensi cs
  • 81.
    Common Subdirectories • /data/data/<apppackage name>/ Approved for Public Release 81 shared_prefs XML of shared preferences lib Custom library files required by app files Developer saved files cache Files cached by the app databases SQLite databases and journal files Android Forensi cs
  • 82.
    Five Data StorageMethods • We will be exploring these methods • Shared preferences • Internal storage • External storage • SQLite • Network Source: Hoog 82 Android Forensi cs
  • 83.
    Shared preferences • Key-valueXML data • use cat command to view files Approved for Public Release 83 Android Forensi cs
  • 84.
    • Can besource of data Approved for Public Release 84 Android Forensi cs
  • 85.
    Shared preferences –example • Android device security application • Exploring shared_prefs, and SDPrefs_V2.xml, my user name and password are stored in the clear Approved for Public Release 85 Android Forensi cs
  • 86.
    Shared preferences –example • MDM product • Stores entire connection string, including user name, domain, and password in clear text Approved for Public Release 86 Android Forensi cs
• 87. Internal storage
  • Common file systems used: ext3, ext4, yaffs2
  • By default, files stored in /data/data are encrypted and accessible only by the application. Root access is commonly needed to access these files.
• 88. Internal storage
  • Notice that user "app_84" is the owner. That user was created when Google Maps was installed
  • There is a lot of potentially rich forensic maps data in these directories
• 89. External storage
  • External storage (SD card) has fewer permission restrictions
  • FAT32 does not have the fine-grained permissions of other file systems
• 90. SQLite
  • Lightweight open-source relational database
  • Entire database contained in a single file
  • Generally stored on internal storage at /data/data/<packageName>/databases
  • Browser subdirectories contain valuable data
• 91. SQLite – commands
    sqlite3 <database name>        Runs SQLite
    .tables                        Lists available tables
    .headers ON                    Displays header row
    select * from <table name>;    Displays table contents
    CTRL+Z                         Exits SQLite
• 92. SQLite – example
  • These directories all contain one or more databases of interesting data for analysis
  • Contents include (app_geolocation) GPS positions for tracking where the device has traveled, and (databases, app_databases and app_cache) stored data from visited web sites/apps
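The same inspection the sqlite3 shell commands above perform, done from Python so it can be repeated over many pulled databases. This is an added example, not code from the course slides; the browser-style database it builds is constructed, and the millisecond-epoch conversion is the usual Android convention rather than something the slides state.

```python
"""Inspect a SQLite database pulled from /data/data/<pkg>/databases.

Added example (not from the course slides): Python equivalents of the
sqlite3 shell commands .tables, .headers ON and SELECT *, plus conversion
of the millisecond epoch timestamps Android apps usually store. The
database content is constructed to resemble a browser history table.
"""
import datetime as dt
import os
import sqlite3
import tempfile


def build_sample_db(path=None):
    """Create a constructed browser-style database; returns its path."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "browser.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE history (_id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                              date INTEGER, visits INTEGER);
        CREATE TABLE bookmarks (_id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        INSERT INTO history VALUES (1, 'http://example.invalid/login', 'Login',
                                    1330000000000, 3);
        INSERT INTO history VALUES (2, 'http://maps.example.invalid/', 'Maps',
                                    1330003600000, 1);
        INSERT INTO bookmarks VALUES (1, 'http://example.invalid/', 'Home');
    """)
    con.commit()
    con.close()
    return path


def list_tables(path):
    """Equivalent of the .tables shell command."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    con.close()
    return [r[0] for r in rows]


def dump_table(path, table):
    """Equivalent of .headers ON followed by SELECT * FROM <table>;

    Returns (header_row, rows). The table name is checked against the
    database's own table list before it is placed in the query.
    """
    if table not in list_tables(path):
        raise ValueError(f"no such table: {table}")
    con = sqlite3.connect(path)
    cur = con.execute(f'SELECT * FROM "{table}"')
    header = [d[0] for d in cur.description]
    rows = cur.fetchall()
    con.close()
    return header, rows


def android_ms_to_utc(ms):
    """Android stores most timestamps as milliseconds since the Unix epoch."""
    return dt.datetime.fromtimestamp(ms / 1000, tz=dt.timezone.utc)


def history_timeline(path):
    """Return [(utc_iso, url)] ordered by time, for the analyst's timeline."""
    header, rows = dump_table(path, "history")
    date_idx, url_idx = header.index("date"), header.index("url")
    return sorted((android_ms_to_utc(r[date_idx]).isoformat(), r[url_idx]) for r in rows)


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for when, url in history_timeline(db):
        print(when, url)
```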
• 93. Network
  • Network storage via Java and Android network classes
  • Network data is not stored locally on the device, though configuration files and related databases generally are stored locally
• 94. Where else?
  • Linux Kernel & Android Stack
  • Android is Linux at the kernel... we know that
  • With Linux there is a kernel log, which may have some interesting data
  • To access the kernel log, the dmesg ("display message") command prints the kernel messages to the console (AVD or adb shell)
• 95. dmesg
  • Notice [KEY] above. Possibly something logging keystrokes; may be worth further investigation
  • Root access is not needed for dmesg, just USB debugging
• 96. ...more dmesg commands
  • dmesg | wc displays the word count of the log; use -l for a line count
  • dmesg > dmesg.log saves the dmesg output to a log file
• 97. dmesg.log
• 98. logcat
  • Displays a live stream of messages: system and app debug messages
  • Used in the CarrierIQ demonstration video on YouTube
• 99. logcat – Message Indicators
    Message Indicator   Description
    V                   Verbose
    D                   Debug
    I                   Information
    W                   Warning
    E                   Error
    F                   Fatal
    S                   Silent
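As an added example (not code from the course slides), the parser below reads logcat's brief output line format, indicator/tag(pid): message, maps the indicator letters from the table above to their names, and filters by minimum level or by process. The log lines are constructed.

```python
"""Parse and filter logcat 'brief' output by message indicator.

Added example (not from the course slides). Lines follow the brief format
logcat prints by default: <indicator>/<tag>(<pid>): <message>.
The sample lines below are constructed.
"""
import re

INDICATORS = {"V": "Verbose", "D": "Debug", "I": "Information",
              "W": "Warning", "E": "Error", "F": "Fatal", "S": "Silent"}
# Severity order, lowest to highest, as in the indicator table.
SEVERITY = "VDIWEFS"

BRIEF_LINE = re.compile(r"^([VDIWEFS])/([^(]+?)\s*\(\s*(\d+)\):\s?(.*)$")

SAMPLE_LOGCAT = """\
I/ActivityManager(  614): Start proc com.android.browser for activity com.android.browser/.BrowserActivity: pid=2077 uid=10020
D/dalvikvm( 2077): GC_CONCURRENT freed 312K, 45% free 3117K/5575K
W/PowerManagerService(  614): Timer 0x7->0x3|0x3
E/AndroidRuntime( 2077): FATAL EXCEPTION: main
E/AndroidRuntime( 2077): java.lang.NullPointerException
V/WindowManager(  614): Window bringing to front
this line is not logcat output
"""


def parse_line(line):
    """Return a dict for one brief-format line, or None if it does not match."""
    m = BRIEF_LINE.match(line)
    if not m:
        return None
    ind, tag, pid, msg = m.groups()
    return {"indicator": ind, "level": INDICATORS[ind], "tag": tag,
            "pid": int(pid), "message": msg}


def parse_logcat(text):
    """Parse every matching line; non-matching lines are skipped, not guessed at."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def filter_min_level(entries, min_indicator):
    """Keep entries at or above a level, like logcat's '*:W' filter spec."""
    floor = SEVERITY.index(min_indicator)
    return [e for e in entries if SEVERITY.index(e["indicator"]) >= floor]


def entries_for_pid(entries, pid):
    """Everything one process logged, e.g. the app whose data is under review."""
    return [e for e in entries if e["pid"] == pid]


if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    for e in filter_min_level(entries, "W"):
        print(f"{e['level']:<11} {e['tag']}({e['pid']}): {e['message']}")
```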
• 100. Forensically Thinking
  • Now that we have some idea of how to locate data
  • Time to start thinking about identifying potentially interesting data: forensically thinking
  • What you might look for:
    • Time stamps: when was something modified, when did an event occur
    • User information: locate user names and/or passwords in insecure prefs/logs; locate user authentication times in log files
    • Image files: identify .JPEG or other picture files for later assessment of the picture
    • SD card files: look for files saved to the SD card
    • Call logs: who has the user been calling / receiving calls from
• 101. REVIEW
  • Explored the Android file system, internal and external
  • Located common directories for rich forensic information
  • Identified five key areas of stored persistent data
  • Explored application preference files to locate important forensic data
  • Explored databases in search of data for forensic analysis
  • Identified sensitive data stored insecurely
• 102. EXERCISE
  • Apply current Android forensics knowledge to locate data of interest
  • Using adb shell (or /.android if using an AVD), explore an application's shared_prefs within /data/data
    • Use the cat command to open an XML file and review the contents
    • Note anything of interest to share with the class
  • Using sqlite3, explore an application's databases within /data/data
    • Use .tables and select commands to gather data of interest, which could identify something specific about the user
    • Note anything of interest to share with the class
• 103. Learning Objectives
  By the end of this course, you will be able to:
  ✓ Extract and analyze data from an Android device
  ✓ Manipulate Android file systems and directory structures
  3. Understand techniques to bypass passcodes NEW!
  4. Utilize logical and physical data extraction techniques
  5. Reverse engineer Android applications
  6. Analyze acquired data
• 105. Device Handling & Modification
  • Forensics rule: avoid modification of the target, at all costs
  • Not so easy for mobile: drives, RAM, CPU, etc. are all in non-accessible locations
  • Just the act of taking the device out of sleep mode records a log (remember logcat)
  • The realization: you cannot get a pristine mobile device, but take great precaution to minimize modification to the device
• 106. Device Acquisition
  • Extend the screen timeout to max, immediately (if not already locked)
  • Enable Stay Awake while charging and USB debugging
  • Disable network communication
  • Do nothing further until in a secure location with minimal cellular / network connectivity
• 107. "What if it's already off?"
  • Boot into recovery mode
  • Test for connectivity and root access
  • Cross your fingers that USB debugging is already enabled and/or the device is already rooted
• 109. Circumventing Passcodes
  • Critical capability in forensics and security testing
  • Techniques vary from platform to platform
  • There is no panacea for circumventing passcodes on Android
  • ...but we will learn a few potential techniques
• 110. Passcode Types
  • Pattern lock
  • PIN
  • Alphanumeric
• 111. New Passcode Type
  • Facial recognition
• 112. "How Do We Crack Them?"
  • Smudge attack
  • Pattern lock vulnerability
  • ADB and USB debugging, with psneuter
  • Continues to evolve...
• 113. Smudge Attack
  • Screens are reflective; the smudge (aka pattern lock) is diffuse
  • Directional lighting and a camera capturing photos overexposed by two to three f-stops (4 to 8 times "correct" exposure)
  • Creates an image displaying the pattern lock
  • Not 100% accurate, since other swipes of the screen may have damaged the pattern lock smudge
• 114. Smudge Attack
  http://bcove.me/7ozhp9u4
• 115. Pattern Lock Crack
  Source: http://www.youtube.com/user/SecurityCompass
  • Pattern lock creates a file gesture.key
  • A hash of the pattern is stored
  • If a custom recovery ROM is installed (i.e. ClockWork Recovery)
  • Remove & recreate the key to bypass the pattern
• 116. Gaining Root
• 117. Gaining Root
  • Needed for many forensic techniques, including physical acquisition
  • Not enabled on any device by default
  • Not possible on all devices
  • Gaining root isn't always the best choice in forensics
    • It will change data on the device, possibly altering evidence
    • It will be time consuming to gain root, as it's implemented differently across most devices
    • Root makes the device vulnerable to many exploits
• 118. Three Common Types of Root
  • Temp root: roots the device only until it is rebooted, which then disables root
  • Perm root: root persists after reboots; commonly enabled with custom ROMs
  • Recovery mode root: flashing (installing) a custom recovery partition, allowing root to run only in recovery mode
• 119. Temp Root
  • For forensics, temp root is what we want to enable, if needed
  • Suggest testing these procedures many times, but not on your primary / target device
• 120. Temp Root
  • Is USB debugging enabled?
  • Is it already rooted?
    adb shell su
    • permission denied: no root
    • #: root
  • MyTouch 4G: custom ROM; Droid X: stock OS
  • If not rooted, start searching xda-developers.com
• 121. Property Service Neuter
  • psneuter is a form of malicious app, but used for our good
  • Uses a vulnerability in Android to gain superuser access, and ultimately root
  • To gain a root shell (or temp root) with psneuter:
    adb devices
    adb push psneuter /data/local/tmp
    adb shell
    $ cd /data/local/tmp
    $ chmod 777 psneuter
    $ ./psneuter
• 122. Permanent Root
  • Not as common for forensics
  • We want to limit the footprint
  • Perm root leaves a HUGE footprint
• 123. Busy Box
  • "The Swiss Army Knife of Embedded Linux"
    # mount -o remount,rw -t rfs /dev/block/st19 /system
    # exit
    adb push busybox /system/bin
    adb push su /system/bin
    adb install Superuser.apk
    adb shell
    # chmod 4755 /system/bin/busybox
    # chmod 4755 /system/bin/su
• 124. SuperOneClick
  • A simple tool for "rooting" your Android phone
• 125. SuperOneClick
  • Root for perm, Shell Root for temp
• 126. A couple of roots
  • Acer A500: http://www.tabletroms.com/forums/showwiki.php?title=AcerIconiaFaq:How-to-root-the-Acer-Iconia-Tab-A500
  • Lenovo: http://rootzwiki.com/topic/8722-lenovo-ideapad-k1-rooting-guide-messy/page__st__120
• 127. Agenda DAY 1
  • Forensic Introduction
  • Course Setup – Linux, OS X, and Windows
  • Android Overview
  • SDK and AVD
  • Android Security Model
  • ADB and shell Introduction
  • File System and Data Structures
  • Device Handling
  • Circumvent passcode
  • Gain Root Access
• 128. Agenda DAY 2
  • Recovery Mode
  • Boot Loaders
  • Logical Forensic Techniques
  • Open Source Tools
  • Commercial Tools
  • Physical Forensic Techniques & Tools
  • Forensic Analysis
  • Application Penetration Testing Setup
  • Reverse Apps
  • ...more Reversing
  • Document Findings
• 129. Got sqlite3?
    $ adb push sqlite3 /sdcard/
    $ adb shell
    $ su
    # mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
    # dd if=/sdcard/sqlite3 of=/system/bin/sqlite3
    # chmod 4755 /system/bin/sqlite3
    # mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
  • The sqlite3 binary is in the SuperOneClick directory
• 130. Recovery Mode
• 131. Recovery Mode
  • Designed as an avenue for manufacturers to deliver and apply system updates
  • Recovery partitions offer shell access and root permissions
  • When booting into recovery mode, passcodes are circumvented
• 132. Recovery Not User Accessible
• 133. Recovery User Accessible
  • Check adb devices on the forensic workstation
  • If no adb access, search for root while in recovery mode
• 134. Recovery Mode Techniques
    Device            Key Combination
    Motorola Droid X  Power off. Hold Home and press the power button. Release power. When (!) displays, release Home. Press the Search button. (needs more research)
    HTC Incredible    Hold volume down and press the power button. Use volume down to select recovery and press the power button.
• 135. Passcode Circumvention Recap
  • If the device is on and passcode protected, connect to USB and attempt ADB access
  • If a pattern lock is present (and you have access to lighting and a camera), attempt a smudge attack
  • If those fail, attempt to reboot into recovery mode
  • If the device is off, attempt to boot into recovery mode
• 136. REVIEW
  • Identified the importance of proper device handling
  • Explored techniques for circumventing passcodes
  • Applied rooting techniques and tools
  • Located recovery partitions and the benefit of recovery mode
• 137. EXERCISE
  • Attempt to circumvent the passcode and obtain root access
  • Document your findings to share with the class
• 138. Learning Objectives
  By the end of this course, you will be able to:
  ✓ Extract and analyze data from an Android device
  ✓ Manipulate Android file systems and directory structures
  ✓ Understand techniques to bypass passcodes NEW!
  3. Utilize logical and physical data extraction techniques
  4. Reverse engineer Android applications
  5. Analyze acquired data
• 140. Android Forensics Techniques
  • Forensic data acquisition
  • Acquiring SD card data
  • Open-source and commercial forensic tools
    • qtADB
    • viaExtract
    • CelleBrite
    • Paraben
• 142. Logical vs. Physical Acquisition
  • Logical vs. Physical
  • Logical
    • ADB Pull
    • Other tools
  • Physical
    • Hardware vs. software
    • Software technique in detail
• 143. Logical vs. Physical Acquisition
  • Logical
    • Accesses the file system
    • Data that is readily available to a user
  • Physical
    • Targets the physical memory, not relying on the file systems
    • Gains much more data than logical; potentially circumvents passcodes
• 145. Logical SD Card Acquisition
  • User app data lives in /data/data directories, in which each sub-directory is read/write protected to the app's user
  • SD cards are used for large storage (audio, video, maps)
  • SD uses cross-platform FAT file systems
  • .apk files residing on SD cards are increasingly encrypted
    • Removing SD card challenges
    • Unencrypted .apk's are mounted in /mnt/asec
  • This is an important directory to pull and analyze, if 3rd party apps are part of the investigation
• 146. ADB Pull – logical
  • Command used for copying data from an emulator or device
  • Primary logical acquisition tool
  • adb pull on a non-rooted Droid X:
• 147. ADB Pull – rooted & locked
  • adb pull on a rooted and password-locked HTC Glacier (aka T-Mobile MyTouch 4G):
• 148. ADB Pull – rooted & locked
  • ~700 MB
  • ~27 minutes
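Once a pull like the ~700 MB one above has finished, the analyst needs to record what was acquired and be able to prove later that it has not changed. As an added example (not code from the course slides), the script below builds a size and SHA-256 manifest of a pulled directory tree and re-verifies it; the tree it creates is a constructed stand-in for a pulled /data/data.

```python
"""Hash and size a directory tree produced by 'adb pull' (logical acquisition).

Added example (not from the course slides). The sample tree is constructed
in a temp directory to stand in for a pulled /data/data.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large pulls do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return sorted [(relative_path, size_bytes, sha256)] for every regular file."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record real files only; symlinks are noted separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, os.path.getsize(full), sha256_file(full)))
    return sorted(entries)


def total_size(manifest):
    """Total bytes acquired, for the acquisition notes."""
    return sum(size for _, size, _ in manifest)


def verify_manifest(root, manifest):
    """Re-hash the tree; return paths that changed, vanished or appeared."""
    current = {rel: (size, digest) for rel, size, digest in build_manifest(root)}
    expected = {rel: (size, digest) for rel, size, digest in manifest}
    missing_or_new = set(current) ^ set(expected)
    changed = {r for r in current if r in expected and current[r] != expected[r]}
    return sorted(missing_or_new | changed)


def make_sample_pull():
    """Constructed stand-in for a pulled /data/data tree; returns its root."""
    root = tempfile.mkdtemp(prefix="pull_")
    layout = {
        "com.android.browser/databases/browser.db": b"SQLite format 3\x00" + b"\x00" * 100,
        "com.android.browser/shared_prefs/prefs.xml": b"<map></map>\n",
        "com.example.mdm/shared_prefs/SDPrefs_V2.xml": b'<map><string name="u">x</string></map>\n',
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = make_sample_pull()
    manifest = build_manifest(root)
    for rel, size, digest in manifest:
        print(f"{digest}  {size:>8}  {rel}")
    print("total bytes:", total_size(manifest))
    print("verification differences:", verify_manifest(root, manifest))
```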
• 149. Tools and Time Savers
• 150. QtADB
  • http://qtadb.wordpress.com/
  • Graphical app based on adb
  • Open-source, currently well-supported
• 151. QtADB – features
  • File manager
    • copying files and dirs between phone and computer
    • removing files and dirs
    • creating new dir
    • and other
  • App manager
    • installing apps
    • removing apps
    • creating backup of apps with data
    • restoring backups of apps with data
  • SMS manager
    • receiving SMS (balloon in tray)
    • reading SMS
    • sending SMS
  • Shell
    • opens Android shell
  • Screenshot
    • take screenshot of your device
    • save screenshot to PNG file
  • Fastboot
    • flash bootloader, radio and recovery
    • boot recovery
  • Recovery
    • nandroid backup/restore
    • wipe data
    • flash ROM
    • wipe battery stats
    • fix uid mismatches
  • Reboot
    • to bootloader
    • to recovery
    • normal reboot
  • Settings
    • set font used by app
    • set starting paths (or remember paths on exit)
    • and other
  • Logcat
  • Automatically detects phone (device, fastboot and recovery mode)
• 152. QtADB – in action
  • Recovery partition
  • Logcat
• 153. QtADB – setup
  • Windows:
    • Must have the Android SDK installed
    • ZIP contains all libraries
    • Extract to a permanent directory
    • Open the QtADB application
    • Choose the path to the directory with the adb and aapt binaries (example: C:\Users\<USERNAME>\AppData\Local\Android\android-sdk\platform-tools)
• 154. REVIEW
  • Identified the difference between logical and physical forensics
  • Explored open and free tools and techniques for logically acquiring data
  • Located directories and file details for SD card logical acquisition
• 155. EXERCISE
  • Using either ADB or QtADB, pull a logical acquisition from your device or AVD
  • Verify the pull completed successfully, and document the size of the data acquired
• 156. AFLogical
  • Android forensics logical extraction tool
  • Free for law enforcement and government agencies
  • Leverages Content Providers
    • CallLog Calls
• 158. Cellebrite Physical Analyzer
• 160. Device Seizure – Acquisition
  • DS acquisition temporarily installs the Seizure Service on the device; it is removed automatically at completion of the acquisition
• 161. Device Seizure – Acquisition
  • Device Seizure hung while acquiring data after more than 11 hours
  • Keep in mind, I'm acquiring from a rooted CyanogenMod ROM, and checked options to acquire all data, including the entire contents of a 32GB Class 10 microSD card
• 162. Device Seizure – Acquisition
  • This screen displays for a considerable amount of time when completing / canceling an acquisition
• 163. Device Seizure – Results
  • Contacts and Calendar were empty
• 164. Device Seizure – Sorting
  • After acquisition: "Do you want to fill the sorter?"
  • This will take about an hour
• 165. Device Seizure – Sort Results
  • Sorting all the findings
• 166. Device Seizure – Reports
  • Creating a PDF report of the entire case
• 167. Device Seizure – Report
• 168. Device Seizure – Report
• 169. Device Seizure – Report
• 171. Software Physical Acquisition
  • Let's get a full NAND acquisition of the user-accessible data partition
  • For time's sake, and now that we know of open-source and commercial tools, let's take advantage of them for the physical acquisition
• 173. Forensic Analysis
  • Analyzing acquired data
    • File System Analysis
    • SQLite Analysis
    • Directory Structure
    • FAT Analysis
    • SD Card Analysis
    • YAFFS2 Analysis
• 174. Forensic Analysis – photos
  • Common location for storage of photos in JPG format
• 175. Important Directories Recap
  • /cache/
    • Previewed Gmail attachments
    • Downloads (Market and messages)
  • /data/
    • dalvik-cache: applications (.dex) that have been run
    • app: .apk files
    • data: subdirectories per app with SQLite databases and XML shared preferences
    • misc: protocol info
    • system:
      • installed applications (or packages.xml)
      • accounts database
      • device and app login details, .key files
  • /proc & /sys: list of device filesystems, web history, device info
  • /mnt/sdcard/DCIM/Camera: images
  • /sdcard/android or /sdcard/data/data: FAT32, limited permissions
• 176. REVIEW
  • Explored several commercial Android forensics products
  • Identified the benefits and acquisition steps of physical forensics
  • Located the most important directories for analysis
• 177. EXERCISE
  • Determine what the user does for work and fun
  • (in groups) Now that you have acquired data many different ways, analyze the data using one of the forensics tools (adb, adb shell, Device Seizure, QtADB, etc.) to get a fresh data acquisition from your device
  • Look at earlier exercises for commands, as a refresher
  • Explore data in directories like /data/ and /cache/
  • As a forensic analyst, document findings that would help you determine the user's profession and hobbies
  • Be prepared to share your findings with the class
• 178. Learning Objectives
  By the end of this course, you will be able to:
  ✓ Extract and analyze data from an Android device
  ✓ Manipulate Android file systems and directory structures
  ✓ Understand techniques to bypass passcodes
  ✓ Utilize logical and physical data extraction techniques
  4. Reverse engineer Android applications
  5. Analyze acquired data
• 179. Application Testing – Reverse Engineering Apps
• 180. Analyzing APKs
  • Bytecode is reverted to source
  • First, extract each of the classes.dex files
  • Using dex2jar.bat, a jar file is created
    • Batch file used to convert dex files to jar files
  Diagram: .java -(java)-> .class -(dx)-> .dex
• 181. More Analyzing APKs
  • Java Decompiler used to create a zip file containing all of the Java source code
  • Used to view class files and convert them to Java
  • The remaining content of each of the APK files is extracted
  • Yes, it's a painful process!
  • How can we make it easier?
• 182. APK Reversing
  • Rename the Android app (.apk) to .zip
  • Extract the .zip
  • Run the Dex2Jar desktop script (.bat or .sh) on the extracted .dex file
  • Dex2Jar decompiles .dex to .jar (Java Archive)
  • Open the .jar in the Java Decompiler desktop app to review source
  http://en.wikipedia.org/wiki/Step_by_Step_(TV_series)
  Diagram: .java -(java)-> .class -(dx)-> .dex
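The first steps of the procedure above (treat the .apk as a .zip, extract, and pick out the classes.dex files for dex2jar) as an added example in Python, not code from the course slides. The APK it builds is constructed: a ZIP holding entries with a DEX-style magic header, not a real app, and the output hashes are recorded so the files can be tied back to the case notes before any tool rewrites them.

```python
"""Treat an .apk as the ZIP it is and pull out its classes*.dex files.

Added example (not from the course slides): the extraction step of the
reversing procedure, with a header check so only real DEX entries are
handed on to dex2jar. The APK used here is constructed, not a real app.
"""
import hashlib
import os
import tempfile
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # real header is "dex\n035\0"; the version digits vary


def make_sample_apk():
    """Constructed stand-in for an APK; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    fake_dex = b"dex\n035\x00" + b"\x00" * 0x64   # header-sized padding only
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML, truncated
        z.writestr("classes.dex", fake_dex)
        z.writestr("classes2.dex", fake_dex)
        z.writestr("classes3.dex", b"junk, not a dex")   # deliberately wrong magic
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("META-INF/CERT.RSA", b"not a real signature")
    return path


def list_apk(path):
    """Equivalent of 'rename to .zip and look inside': entry names and sizes."""
    with zipfile.ZipFile(path) as z:
        return [(i.filename, i.file_size) for i in z.infolist()]


def extract_dex(apk_path, out_dir=None):
    """Write every classes*.dex whose header looks like DEX to out_dir.

    Returns [(entry_name, output_path, sha256)] so the hashes can go in the
    case notes before dex2jar touches the files. Entries named like a DEX
    but lacking the magic are skipped rather than passed on.
    """
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="dex_")
    results = []
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            base = os.path.basename(name)
            if not (base.startswith("classes") and base.endswith(".dex")):
                continue
            data = z.read(name)
            if not data.startswith(DEX_MAGIC_PREFIX):
                continue
            out = os.path.join(out_dir, base)
            with open(out, "wb") as fh:
                fh.write(data)
            results.append((name, out, hashlib.sha256(data).hexdigest()))
    return results


if __name__ == "__main__":
    apk = make_sample_apk()
    for name, size in list_apk(apk):
        print(f"{size:>6}  {name}")
    for name, out, digest in extract_dex(apk):
        print(f"{name} -> {out} sha256={digest}")
```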
• 183. APKTool
  • Powerful tool for forensic analysts
  • Tool for reverse engineering Android binaries
  • Available at code.google.com
• 184. androguard
  • Reverse engineering, malware and goodware analysis of Android applications... and more!
  • Check for permissions and usage
  • Available at code.google.com
• 185. APKinspector
  • Powerful tool for forensic analysts
  • Graphically reverse engineer and analyze apps
  • Available at code.google.com
• 186. REVIEW
  • Explored reversing tools for Android
  • Reverse engineered an app back to source code
  • Explored code and data for an APK
• 187. EXERCISE
  • Reverse engineer an app and locate critical data
  • Use APKInspector
  • Reverse engineer the Facebook or F-Droid (mobile app market) application
  • Both apps are located in the Documents directory on the workstation
  • Locate the database where user IDs are stored
• 188. Learning Objectives
  By the end of this course, you will be able to:
  ✓ Extract and analyze data from an Android device
  ✓ Manipulate Android file systems and directory structures
  ✓ Understand techniques to bypass passcodes NEW!
  ✓ Utilize logical and physical data extraction techniques
  ✓ Reverse engineer Android applications
  ✓ Analyze acquired data