Android Forensics: Investigation, Analysis, and Mobile Security for Google Android
Andrew Hoog
John McCash, Technical Editor
Syngress (an imprint of Elsevier)
Contents

Acknowledgements xiii
Introduction xv
About the Author xix

CHAPTER 1 Android and Mobile Forensics 1
  Introduction 1
  Android Platform 1
    History of Android 3
    Google's Strategy 7
  Linux, Open Source Software, and Forensics 10
    Brief History of Linux 11
  Android Open Source Project 25
    AOSP Licenses 26
    Development Process 27
    Value of Open Source in Forensics 27
    Downloading and Compiling AOSP 29
  Internationalization 31
    Unicode 31
    Keyboards 31
    Custom Branches 32
  Android Market 33
    Installing an App 34
    Application Statistics 37
  Android Forensics 37
    Challenges 38
  Summary 38
  References 39

CHAPTER 2 Android Hardware Platforms 41
  Introduction 41
  Overview of Core Components 41
    Central Processing Unit 41
    Baseband Modem/Radio 42
    Memory (Random-Access Memory and NAND Flash) 42
    Global Positioning System 43
    Wireless (Wi-Fi and Bluetooth) 43
    Secure Digital Card 44
    Screen 44
    Camera 44
    Keyboard 45
    Battery 45
    Universal Serial Bus 46
    Accelerometer/Gyroscope 46
    Speaker/Microphone 46
  Overview of Different Device Types 47
    Smartphone 47
    Tablet 47
    Netbook 48
    Google TV 48
    Vehicles (In-board) 48
    Global Positioning System 49
    Other Devices 49
  ROM and Boot Loaders 49
    Power On and On-chip Boot ROM Code Execution 50
    Boot Loader (Initial Program Load/Second Program Loader) 50
    Linux Kernel 51
    The Init Process 51
    Zygote and Dalvik 54
    System Server 54
  Manufacturers 56
    Android Updates 57
    Custom User Interfaces 58
    Aftermarket Android Devices 58
  Specific Devices 59
    T-Mobile G1 59
    Motorola Droid 59
    HTC Incredible 60
    Google Nexus One 60
  Summary 62
  References 62

CHAPTER 3 Android Software Development Kit and Android Debug Bridge 65
  Introduction 65
  Android Platforms 65
    Android Platform Highlights Through 2.3.3 (Gingerbread) 67
  Software Development Kit (SDK) 71
    SDK Release History 71
    SDK Install 72
    Android Virtual Devices (Emulator) 81
  Android OS Architecture 86
    Dalvik VM 87
    Native Code Development 88
    Android Security Model 88
  Forensics and the SDK 90
    Connecting an Android Device to a Workstation 90
    USB Interfaces 94
    Introduction to Android Debug Bridge 100
  Summary 102
  References 103

CHAPTER 4 Android File Systems and Data Structures 105
  Introduction 105
  Data in the Shell 105
    What Data are Stored 106
    App Data Storage Directory Structure 106
    How Data are Stored 107
  Type of Memory 125
    RAM 125
  File Systems 132
    rootfs, devpts, sysfs, and cgroup File Systems 133
    proc 136
    tmpfs 137
    Extended File System (EXT) 140
    FAT32/VFAT 140
    YAFFS2 141
  Mounted File Systems 153
  Summary 157
  References 157

CHAPTER 5 Android Device, Data, and App Security 159
  Introduction 159
  Data Theft Targets and Attack Vectors 160
    Android Devices as a Target 160
    Android Devices as an Attack Vector 168
    Data Storage 168
    Recording Devices 169
  Security Considerations 170
    Security Philosophy 170
    US Federal Computer Crime Laws and Regulations 172
    Open Source Versus Closed Source 173
    Encrypted NAND Flash 175
  Individual Security Strategies 176
  Corporate Security Strategies 178
    Policies 178
    Password/Pattern/PIN Lock 178
    Remote Wipe of Device 179
    Upgrade to Latest Software 180
    Remote Device Management Features 181
    Application and Device Audit 183
  App Development Security Strategies 184
    Mobile App Security Testing 184
    App Security Strategies 186
  Summary 192
  References 193

CHAPTER 6 Android Forensic Techniques 195
  Introduction 195
  Types of Investigations 195
  Difference Between Logical and Physical Techniques 196
  Modification of the Target Device 197
  Procedures for Handling an Android Device 198
    Securing the Device 199
    Network Isolation 200
    How to Circumvent the Pass Code 203
  Imaging Android USB Mass Storage Devices 211
    SD Card Versus eMMC 211
    How to Forensically Image the SD Card/eMMC 212
  Logical Techniques 218
    ADB Pull 218
    Backup Analysis 219
    AFLogical 220
    Commercial Providers 228
  Physical Techniques 266
    Hardware-Based Physical Techniques 268
      JTAG 268
      Chip-off 270
    Software-Based Physical Techniques and Privileges 270
    AFPhysical Technique 278
  Summary 284
  References 284

CHAPTER 7 Android Application and Forensic Analysis 285
  Introduction 285
  Analysis Techniques 285
    Timeline Analysis 285
    File System Analysis 288
    File Carving 291
    Strings 293
    Hex: A Forensic Analyst's Good Friend 296
  Android Directory Structures 301
  FAT Forensic Analysis 308
    FAT Timeline Analysis 309
    FAT Additional Analysis 316
    FAT Analyst Notes 317
  YAFFS2 Forensic Analysis 321
    YAFFS2 Timeline Analysis 324
    YAFFS2 File System Analysis 330
    YAFFS2 File Carving 332
    YAFFS2 Strings Analysis 334
    YAFFS2 Analyst Notes 335
  Android App Analysis and Reference 340
    Messaging (SMS and MMS) 340
    MMS Helper Application 341
    Browser 342
    Contacts 347
    Media Scanner 349
    YouTube 350
    Cooliris Media Gallery 353
    Google Maps 354
    Gmail 358
    Facebook 360
    Adobe Reader 363
  Summary 363
  References 364

Index 365