Android Forensics. Presented By: Mohamed Khaled. Thanks to: Ibrahim Mosaad Mohamed Shawky


Agenda
- Mobile Forensic Process
- Different Mobile Forensic Scenarios
- Acquisition Guide
- Challenges of Android Forensics
- How to Circumvent the Pass Code
- Types of Analyses (Logical analysis)
- Types of Analyses (Physical analysis)
- Android Partition Layout
- Custom Recovery Modifications
- How Data are Stored in Android
- Example of Useful Data extracted from an Android Image

Mobile Forensic Process
- Intake: receive the device as evidence; receive the request for examination.
- Identification: identify the device's specifications and capabilities; identify the goals of the examination.
- Preparation: prepare the methods and tools to be used; prepare media and the forensic workstation; update tools to the most recent version.
- Isolation: protect the evidence; prevent remote data destruction; isolate the device from the cellular network, Bluetooth and Wi-Fi.
- Processing: conduct the forensic acquisition; perform the forensic analysis; scan for malware.
- Verification: validate your acquisition; validate your forensic findings.
- Documenting: keep notes about your findings and process; draft and finalize your forensic reports.
- Presentation: prepare exhibits; present your findings.
- Archiving: keep a gold copy of the data in a safe place; keep data in common formats for the future.

Data Acquisition Types: manual, logical, physical.

Different Mobile Forensic Scenarios. The device may be found turned off after seizure; it may have internal or removable memory; it may be locked or unlocked; and it may or may not be accessible over USB debugging mode. Each combination changes which acquisition path is available.

Acquisition Guide A (Unlocked)
- A1 - Isolate the device from the network: airplane mode; SIM ID cloning; remove the SIM card; place the device in a shielded bag, box, tent or room.
- A2 - Take the necessary steps to ensure physical device access is possible: remove the passcode; enable USB debugging; enable the Stay Awake option; disable timed screen lock features.
- A3 - Physical acquisitions: acquire supporting media (SIM card(s), media cards); check associated media (connected PC or network) for device backups.

Acquisition Guide B (Locked)
1. Physical acquisition over USB requires USB debugging mode to be enabled; where it is not, forensic tools use custom bootloaders to bypass the passcode on devices that allow it.
2. Acquire supporting media: SIM card(s), media card(s).
3. Check associated computers and media cards for device backups.

Challenges of Android Forensics. Access to the system partitions is restricted by the Android OS: a normal user or app cannot read /data or the raw block devices. Techniques for obtaining root privilege differ depending on Android version, device manufacturer and model. The OS has authentication mechanisms that use passwords, PINs, tactile patterns or biometric information.

How to Circumvent the Pass Code
- The smudge attack (reading the pattern from the finger residue left on the screen)
- Flash a new recovery partition (our solution)
- Know the Gmail user name and password for the device (the account-based "forgot pattern" fallback of older Android versions)
- JTAG and chip-off

Types of Analyses (Logical analysis). It is possible to back up most of the application data present on a phone without rooting it, using the Android Debug Bridge adb backup command. The device must be unlocked and the backup confirmed on screen, and applications that set android:allowBackup="false" are skipped, so the result is not a complete image:

    $ adb backup -apk -shared -system -all -f %1.backup

(%1 is the Windows batch parameter holding the chosen file name.) This creates a backup file which is then converted to a .tar archive with Android Backup Extractor:

    $ java -jar abe.jar unpack %1.backup %1.tar
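The same conversion for an unencrypted backup, written out in Python so that the .ab container itself is visible. This is an added example, not part of the slides and not abe.jar's code; it assumes the documented .ab layout (a four-line text header followed by a zlib-deflated tar stream) and builds its own constructed sample backup instead of reading a real device:

```python
"""Convert an unencrypted `adb backup` archive (.ab) to a plain tar stream.

Added example; not part of the original slides and not abe.jar's code.
Assumed .ab layout (the format written by Android's BackupManagerService):
four newline-terminated header lines
    ANDROID BACKUP
    <format version, e.g. 1..5>
    <1 if the payload is zlib-compressed, 0 if not>
    <"none" or "AES-256">
followed by the (optionally deflated) tar stream.
"""
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes):
    """Return (version, compressed, encryption, payload_offset)."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file (missing 'ANDROID BACKUP' header)")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    payload_offset = len(data) - len(parts[4])   # everything after the 4th newline
    return version, compressed, encryption, payload_offset


def ab_to_tar(data: bytes) -> bytes:
    """Strip the header and inflate the payload; refuse encrypted backups."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # An AES-256 backup needs the user's backup password to derive the key;
        # this example does not implement that path.
        raise ValueError("backup is encrypted (%s); password required" % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def list_members(data: bytes):
    """Member names inside the backup, e.g. apps/<package>/db/<name>.db."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab(files: dict) -> bytes:
    """Build a constructed .ab file for offline testing; not a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # usage: python ab2tar.py backup.ab backup.tar
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    with open(sys.argv[2], "wb") as out:
        out.write(ab_to_tar(raw))
    print("\n".join(list_members(raw)))
```

The member names follow the backup's own layout (apps/<package>/db, apps/<package>/sp for shared preferences, shared/0 for the emulated SD card), which is why the tar can be fed straight to file system and SQLite tools.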

Physical Analysis (Low-level analysis). Low-level analysis is based on an exact, bit-for-bit copy of the userdata partition. After the copy, the partition is stored as a single file which is later used as input for other analysis tools (file system parsers, carvers). Only the root user can make such a copy, so the phone must be rooted first, or the copy must be made from a custom recovery as described below.

What is rooting? The process of overcoming the limitations imposed by manufacturers on smartphone or tablet owners. It gives an owner the ability to replace and/or alter system applications and settings, and to run applications requiring administrator-level privileges. This includes listing the active mounted partitions and cloning them.

Physical analysis (recovery mode). Another way to do physical analysis is to boot a custom recovery ROM, but first we are going to describe the Android partition layout.

Android Partition Layout. The typical partitions are: bootloader, splash, boot, recovery, system, userdata (data), cache and radio.
- bootloader: stores the phone's bootloader program, which takes care of initializing the hardware when the phone boots, booting the Android kernel, and implementing alternative boot modes such as download mode.
- boot: stores the Android boot image, which consists of the Linux kernel (zImage) and the root file system RAM disk (initrd).
- splash: stores the first splash screen image seen right after powering on the device.
- recovery: stores the recovery image, the minimal alternative boot environment described below.
- userdata (data): the device's internal storage for application data and user files such as pictures, videos, audio and downloads. It is mounted as /data on a booted system.
- system: stores the Android system image that is mounted as /system on a device. It contains the Android framework, libraries, system binaries and pre-installed applications.
- cache: used to store various utility files such as recovery logs and update packages downloaded over-the-air. On devices with applications installed on an SD card it may also contain the dalvik-cache folder, which stores the Dalvik Virtual Machine (VM) cache.
- radio: stores the baseband (modem) firmware.

Physical analysis (recovery mode). Recovery is a separate, minimal operating environment designed to apply updates, format (wipe) the device and perform other maintenance on it. The stock recovery on most devices is very basic: it only provides a limited number of functions and does not provide a root shell.

Physical analysis (recovery mode). Extreme caution is required when installing a custom recovery partition: the flashing process often bundles kernel and radio updates and could render the device unusable (bricked). On many devices flashing requires an unlocked bootloader, and unlocking it wipes the userdata partition, which destroys the very data being sought; on devices with full-disk or file-based encryption a recovery cannot read /data without the user's credential either. Extensive testing must be performed on a lab device first to ensure no issues occur, and examiners should understand what is being modified on the device during the installation of a custom recovery firmware.

Custom Recovery ROM Examples: CyanogenMod Recovery (ClockworkMod, CWM); TeamWin Recovery Project (TWRP).

Custom Recovery Modifications. We are going to modify the CyanogenMod (ClockworkMod) recovery source code, which is written in the C programming language.

Custom Recovery Modifications: Remove Security Pattern. The pattern lock is stored in /data/system/gesture.key; the other lock types (PIN and password, which face and voice unlock fall back to) are stored in /data/system/password.key. We use the predefined C library function system(), which lets the recovery run Linux commands such as ls and rm:

    system("rm /data/system/gesture.key");   // remove the pattern lock
    system("rm /data/system/password.key");  // remove any other lock: face, voice, PIN or password

/data must be mounted in the recovery before these calls run. Deleting the files alters the evidence, so copy them to external storage first: the original lock state can then be restored, and the pattern itself can be recovered from the copy.
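Rather than deleting gesture.key, an examiner can copy it off and recover the pattern offline, because on Android 2.x-4.x the file is simply the unsalted SHA-1 of the drawn cell sequence. The script below is an added example, not from the slides and not from the CyanogenMod recovery source, that brute-forces all valid patterns; the SHA-1 format is an assumption that holds for those versions only, and the Gatekeeper-backed gatekeeper.pattern.key of Android 6.0 and later cannot be cracked this way. The patterns used in the checks are constructed:

```python
"""Recover an Android lock pattern from /data/system/gesture.key instead of deleting it.

Added example; not part of the slides or of the CyanogenMod recovery source.
Assumption: on Android 2.x-4.x (before the TEE-backed gatekeeper.pattern.key
introduced with Android 6.0) gesture.key holds the unsalted 20-byte SHA-1 of
the pattern's cell indices in the order they were drawn, numbered

    0 1 2
    3 4 5
    6 7 8
"""
import hashlib
import sys
from itertools import permutations


def pattern_hash(cells) -> bytes:
    """SHA-1 over one byte per cell index, the form the lock screen stored."""
    return hashlib.sha1(bytes(cells)).digest()


def is_valid_pattern(cells) -> bool:
    """Patterns are 4-9 distinct cells, and a stroke may only pass over a cell
    that was already visited: the lock screen auto-selects an unvisited cell
    lying in between, so such a jump never appears in a stored pattern."""
    if not 4 <= len(cells) <= 9 or len(set(cells)) != len(cells):
        return False
    seen = {cells[0]}
    for a, b in zip(cells, cells[1:]):
        ra, ca = divmod(a, 3)
        rb, cb = divmod(b, 3)
        if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:   # a grid cell lies exactly between a and b
            mid = ((ra + rb) // 2) * 3 + (ca + cb) // 2
            if mid not in seen:
                return False
        seen.add(b)
    return True


def crack_gesture_key(digest: bytes):
    """Brute-force every valid pattern, shortest first (under 1M SHA-1s in total)."""
    for length in range(4, 10):
        for cells in permutations(range(9), length):
            if is_valid_pattern(cells) and pattern_hash(cells) == digest:
                return list(cells)
    return None


def read_gesture_key(path: str) -> bytes:
    """Load the 20-byte digest copied out of /data/system/gesture.key."""
    with open(path, "rb") as f:
        digest = f.read()
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1; newer Android uses gatekeeper.pattern.key")
    return digest


if __name__ == "__main__":
    # usage: python gesture_crack.py gesture.key   (file copied out of /data/system first)
    print(crack_gesture_key(read_gesture_key(sys.argv[1])))
```

The validity filter matters for more than speed: it reproduces what the lock screen could actually have stored, so a hit is the pattern the user drew rather than a byte sequence that merely hashes the same.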

Custom Recovery Modification: Physical imaging. Physical imaging is done with the dd command, for example:

    dd if=/dev/sda1 of=/media/pc/file.dd

where if= is the source (the media we want to image) and of= is the destination. The names above are a Linux PC example; on an Android device the partitions are block devices under /dev/block/. So we have to know: the device node of the source partition (the one mounted as /data or /system), and the device node of the destination (a USB flash drive, for example).

How to know the device node of the source partition: use the file /etc/recovery.fstab. Search /etc/recovery.fstab until you find the device node listed for the partition you want to image.

How to know the device node of the destination (USB flash, for example): vold, the volume manager daemon, automatically mounts the SD card and USB flash memory (if connected) when the device starts up or when the media is connected. Search vold's configuration and mount table until you find the USB or SD card entry. An alternative that needs no writable destination on the device is to stream the dd output over adb to the workstation (for example with adb exec-out) and hash it there.
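An added example, not from the slides, that reads both recovery.fstab layouts, flags a userdata entry whose fs_mgr flags announce encryption, and prints the dd and sha256sum lines to run in the recovery's adb shell. The two fstab texts are constructed samples, the /usb-otg destination is an assumption (it is where TWRP mounts USB OTG storage; use whatever vold mounted on your device), and the sha256sum step is the acquisition-validation check from the process slide:

```python
"""Find the block device behind a partition in recovery.fstab and build the
imaging commands for it.  Added example; not part of the slides.  Both sample
fstab texts are constructed to show the two layouts, not copied from a device.
"""

# Older (ClockworkMod-era) layout:   <mount point> <fs type> <device>
SAMPLE_OLD_FSTAB = """\
# mount point  fstype  device
/boot     emmc  /dev/block/platform/omap/omap_hsmmc.0/by-name/boot
/cache    ext4  /dev/block/platform/omap/omap_hsmmc.0/by-name/cache
/data     ext4  /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata
/system   ext4  /dev/block/platform/omap/omap_hsmmc.0/by-name/system
/sdcard   vfat  /dev/block/mmcblk1p1
"""

# Newer (fs_mgr) layout:   <device> <mount point> <fs type> <mount options> <fs_mgr flags>
SAMPLE_NEW_FSTAB = """\
/dev/block/platform/msm_sdcc.1/by-name/system    /system  ext4  ro,barrier=1          wait
/dev/block/platform/msm_sdcc.1/by-name/userdata  /data    ext4  noatime,nosuid,nodev  wait,check,encryptable=footer
/dev/block/platform/msm_sdcc.1/by-name/boot      /boot    emmc  defaults              defaults
"""


def parse_recovery_fstab(text: str) -> dict:
    """Map mount point -> {'device', 'fstype', 'flags'} for either layout."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[0].startswith("/dev/"):                     # newer layout
            device, mount, fstype = fields[0], fields[1], fields[2]
            flags = fields[4] if len(fields) > 4 else ""
        else:                                                  # older layout
            mount, fstype, device = fields[0], fields[1], fields[2]
            flags = ""
        table[mount] = {"device": device, "fstype": fstype, "flags": flags}
    return table


def userdata_is_encrypted(entry: dict) -> bool:
    """encryptable=/forceencrypt=/fileencryption= flags mean a raw dd of the
    partition yields ciphertext unless the device is booted and unlocked;
    check this before spending hours on an image."""
    return any(f.startswith(("encryptable=", "forceencrypt=", "fileencryption="))
               for f in entry["flags"].split(","))


def imaging_commands(table: dict, mount_point: str, dest: str):
    """Shell lines for the recovery's adb shell: image the partition to dest
    (e.g. the USB/SD volume mounted by vold), then hash source and copy so the
    image can be validated.  sha256sum exists in both toybox and BusyBox."""
    dev = table[mount_point]["device"]
    return [
        "dd if=%s of=%s bs=4096" % (dev, dest),
        "sha256sum %s %s" % (dev, dest),
    ]


if __name__ == "__main__":
    for text in (SAMPLE_OLD_FSTAB, SAMPLE_NEW_FSTAB):
        table = parse_recovery_fstab(text)
        for mount, entry in table.items():
            tag = "  [encrypted]" if userdata_is_encrypted(entry) else ""
            print("%-8s -> %s%s" % (mount, entry["device"], tag))
        print("\n".join(imaging_commands(table, "/data", "/usb-otg/userdata.img")))
```

The two hashes must match before the image is used, and the device-side hash also documents the state of the partition at acquisition time.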

How Data are Stored in Android. Android provides developers with five methods for storing data on a device:
1. Shared preferences
2. Internal storage
3. External storage
4. SQLite
5. Network

How Data are Stored in Android (Shared preferences). Shared preferences allow a developer to store key-value pairs of primitive data types in a lightweight XML format, under /data/data/<package name>/shared_prefs (for example com.android.contacts). They are used to hold the program's configuration.

How Data are Stored in Android (Internal storage). Internal storage holds more complicated data structures. The files are stored in the application's /data/data/<package name> subdirectory and, by default, can only be read by the application's own user ID, which is why a root shell or a physical image is needed to reach them. They often hold data of interest to a forensic analyst.

How Data are Stored in Android (External storage). Files stored on the device's internal storage have strict security and location parameters; files on the various external storage devices (the emulated SD card and an actual SD card) have far fewer constraints. Examples: pictures, videos, etc.

How Data are Stored in Android (SQLite). Databases are used for structured data storage. SQLite is a popular database format that appears in many mobile systems and traditional operating systems. An application's databases live in /data/data/<package name>/databases. SQLite databases are a rich source of forensic data.

How Data are Stored in Android (Network). Very few applications take advantage of the network as a storage option, and the Android Developer web site provides few details for those interested in it. An application can use the network (when it is available) to store and retrieve data on its own web-based services or on cloud storage such as Dropbox, Google Drive or OneDrive.

Example of Useful Data extracted from an Android Image
- Android Browser passwords: /data/data/com.android.browser/databases/webview.db, table password; run select * from password;
- Chrome passwords: data/com.android.chrome/app_chrome/default/login (the Login Data file). This is an SQLite database, not a text file: open it with an SQLite browser and read the logins table.
- Wi-Fi credentials: /data/misc/wifi/ - open wpa_supplicant.conf with a text viewer; each network={...} block holds the SSID and the PSK.
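One added example, not part of the slides, that covers the three artefact formats described here and on the shared preferences and SQLite slides: querying the Browser's password table, parsing wpa_supplicant.conf network blocks, and reading a shared_prefs XML file. All inputs are constructed in the code (an in-memory SQLite database standing in for webview.db, a sample wpa_supplicant.conf and a sample preferences file); the column names of the password table are an assumption about the stock Browser's schema:

```python
"""Pull three of the artefacts named on the slides out of files from a userdata
image: the stock Browser's saved passwords (webview.db), Wi-Fi credentials
(wpa_supplicant.conf) and an app's shared_prefs XML.  Added example; not part
of the slides.  Every input is constructed for the demonstration; the
webview.db column names (host, username, password) are an assumption about
the stock Browser's schema.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET


def browser_passwords(con: sqlite3.Connection):
    """The slides' `select * from password;` with the columns spelled out."""
    return con.execute(
        "SELECT host, username, password FROM password ORDER BY _id").fetchall()


def make_sample_webview_db() -> sqlite3.Connection:
    """In-memory stand-in for /data/data/com.android.browser/databases/webview.db."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE password (
            _id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT,
            UNIQUE (host, username) ON CONFLICT REPLACE);
        INSERT INTO password (host, username, password)
            VALUES ('https://mail.example.com', 'alice', 'hunter2'),
                   ('https://forum.example.org', 'alice', 'tr0ub4dor&3');
    """)
    return con


# Constructed /data/misc/wifi/wpa_supplicant.conf
SAMPLE_WPA = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
\tssid="LabNet"
\tpsk="correct horse battery staple"
\tkey_mgmt=WPA-PSK
\tpriority=2
}

network={
\tssid="CoffeeShop"
\tkey_mgmt=NONE
}
"""


def wifi_networks(conf_text: str):
    """Each network={...} block as a dict; quotes are stripped so a passphrase
    and a 64-hex raw PSK both come back as plain strings."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry = {}
        for line in block.strip().splitlines():
            key, _, value = line.strip().partition("=")
            if key:
                entry[key] = value.strip().strip('"')
        nets.append(entry)
    return nets


# Constructed /data/data/<package>/shared_prefs/<name>.xml
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account_email">alice@example.com</string>
    <boolean name="remember_login" value="true" />
    <long name="last_sync" value="1400000000000" />
</map>
"""


def shared_prefs(xml_text: str) -> dict:
    """<string> carries its value as element text; the primitive types use a value attribute."""
    prefs = {}
    for el in ET.fromstring(xml_text.encode("utf-8")):
        prefs[el.get("name")] = el.text if el.tag == "string" else el.get("value")
    return prefs


if __name__ == "__main__":
    print(browser_passwords(make_sample_webview_db()))
    print(wifi_networks(SAMPLE_WPA))
    print(shared_prefs(SAMPLE_PREFS))
```

Against a real image, point browser_passwords at sqlite3.connect() on the copied webview.db and read the other two files from the mounted image; work on copies, never on the only image.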

References
- Android Forensics, Andrew Hoog
- Android Hacker's Handbook, Joshua J. Drake, Pau Oliva Fora, Zach Lanier, Collin Mulliner, Stephen A. Ridley and Georg Wicherski
- Developing Process for Mobile Device Forensics, Det. Cynthia A. Murphy
- Android Forensics, Part 1: How we recovered (supposedly) erased data
- https://blog.avast.com/2014/07/09/android-foreniscs-pt-2-how-we-recovered-erased-data/
- http://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/
- http://forum.xda-developers.com/galaxy-nexus/general/guide-phone-backup-unlock-root-t1420351
