Android Forensics and Security Testing Course_PUBLIC_RELEASE

PowerPoint Presentation

AndroidForensicsand Security TestingApproved for Public Release: 12-3411. Distribution UnlimitedShawn Valleshawnvalle at gmail dot comSeptember 20121More Memory Memory (RAM & NAND Flash)Manufactured together into multichip package (MCP)http://www.hynix.com/products/mobile/mcp.jsp?menuNo=1&m=4&s=441AndroidForensics

RAM Random Access Memory; loads and runs OS, apps, and data; is volatileNAND Nonvolatile, persistent; stores bootloader, OS, and data41Learning ObjectivesBy the end of this course, you will be able to:Extract and analyze data from an Android deviceManipulate Android file systems and directory structuresUnderstand techniques to bypass passcodes NEW!Utilize logical and physical data extraction techniques Reverse engineer Android applications Analyze acquired dataApproved for Public Release3AndroidForensics3BooksHoog, Andrew (2011). Android Forensics, Syngress.Dwivedi, Himanshu, Clark, Theil (2010). Mobile Application Security, McGraw-Hill.Approved for Public Release4

AndroidForensics4AgendaDAY 1Forensic IntroductionCourse Setup Linux, OS X, and Windows Android OverviewSDK and AVDAndroid Security ModelADB and shell IntroductionBREAKFile System and Data Structures

LUNCH Device HandlingCircumvent passcodeGain Root AccessRecovery Mode Boot LoadersBREAKLogical Forensic TechniquesOpen Source ToolsCommercial ToolsApproved for Public Release5AndroidForensics5AgendaDAY 2Physical Forensic Techniques & ToolsBREAKForensic Analysis

LUNCHApplication Penetration Testing SetupReverse AppsBREAKmore ReversingDocument Findings

Approved for Public Release6AndroidForensics6PrerequisitesIntroduction to Android Development

and / or

Introduction to LinuxApproved for Public Release7AndroidForensicsLegalities Possibility of Android devices being involved in crimesEasily cross geographical boundaries; multi-jurisdictional issuesForensic investigator should be well aware of regional laws Data may be altered during collection, causing legal challengesFully document justification for data modificationhttp://www.forensicfocus.com/downloads/windows-mobile-forensic-process-model.pdf8AndroidForensicsSince these devices are extremely compactthere is every possibility of them being involved in crimes, which can easily cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic investigator should be well aware of the nature of the crime and the regional laws. 8Forensic Investigationshttp://www.intellisec.com/9

Terms and Definitions Mobile Forensics is defined as the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. (NIST)

Apenetration test, occasionallypentest, is a method of evaluating thesecurityof acomputer systemornetworkby simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). (Wikipedia)

A vulnerability assessmentis the process of identifying, quantifying, and prioritizing (or ranking) thevulnerabilitiesin a system.Approved for Public Release10AndroidForensicshttp://www.basistech.com - Our Washington, DC-based team is routinely engaged to train government operatives in the recovery and analysis of data from captured devices for cellphone exploitation (CELLEX).CELLEX - Not as concerned about all the data, chain of custody, etc. Intelligence gathering.10What is Mobile Forensics& Why Should I Care?The acquisition and analysis of data from devices,Internal corporate investigations, civil litigation, criminal investigations, intelligence gathering, and matters involving national security.Arguably the fastest growing and evolving digital forensic discipline, offers significant opportunities as well as many challenges.Approved for Public Release11AndroidForensics11Forensic Overview General to forensics, not just Android.Potential scenarios:Evidence gathering for legal proceedingsCorporate investigationsIntellectual property or data theftInappropriate use of company resourcesAttempted or successful attack against computer systemsEmployment-related investigations including discrimination, sexual harassmentSecurity auditFamily mattersDivorceChild custodyEstate disputesGovernment security and operationCyber Threats, Advanced Persistent ThreatStopping cyber attacksInvestigating successful attacksIntelligence / Counter-intelligence gatheringSource: Andrew Hoog, Android Forensics, Elselvier 2010Approved for Public Release12AndroidForensics12Forensic ConsiderationsImportant items to consider during investigation:Chain of custodyDetailed notes and complete reportValidation of investigation results, using tools or other investigators

Source: Andrew Hoog, Android Forensics, Elselvier 2010Approved for Public Release13AndroidForensics13Android Overview & Historyin five minutesApproved for Public Release14

14Android Overview & HistoryGoogle Mobile SVP Andy Rubin reported that over 850,000 Android devices were being activated each day as of February 2012500,000 increase per day over just one year ago

Approved for Public Release15AndroidForensicsGoogle: 850,000 Android Devices Activated Every DayRetrieved March 11, 2012http://mashable.com/2012/02/27/android-daily-activations/

Google Investor: Google android activating 350,000 devices daily (data visualization video) Top global smartphone platform. (n.d.). Retrieved March 9, 2011, from http://googinvestor.blogspot.com/2011/03/google-android-activations-350k-daily.html.15Android Overview & HistoryOperating System 3Q11 Market Share (%) 3Q10 Market Share (%) Android52.525.3Symbian16.926.3iOS1516.6RIM1115.4Worldwide Smartphone Sales to End UsersSource: http://www.gartner.com/it/page.jsp?id=1848514Market Share: Mobile Communication Devices by Region and Country, 3Q11 Approved for Public Release16AndroidForensicsSource: Gartner (November 2011)16Android Overview & HistoryDateEventJuly 1, 2005Google acquires Android, Inc. November 12, 2007Android launchedSeptember 23, 2008Android 1.0 platform releasedFebruary 13, 2009Android Market: USA takes paid appsApril 15, 2009Android 1.5 (Cupcake) platform releasedSeptember 16, 2009Android 1.6 (Donut) platform releasedOctober 5, 2009Android 2.0/2.1 (Eclair) platform releasedMay 20, 2010Android 2.2 (Froyo) platform releasedDecember 6, 2010Android 2.3 (Gingerbread) platform releasedFebruary 2, 2011 Android 3.0 (Honeycomb) preview releasedNovember 14, 2011Android 4.0 (Ice Cream Sandwich), 3.0 source releasedJuly 9, 2012Android 4.1 (Jelly Bean) platform released

17Image source: http://xmscan.files.wordpress.com/2011/06/android-version-name-history1.png 17Android Overview & HistoryAndroid Feature IntroductionMore details come later1st Primary feature, always connected: GSM, CDMA, LTE, WiMax, WiFi2nd Market / Play: rich source for forensic analysts3rd Data Storage: Big part of the courseFlash (or NAND) memoryExternal SD cardInternal SD card

Approved for Public Release18AndroidForensicsSource: Hoog, Android Forensics18Android Overview & HistoryCellular Networks and HardwareGlobal System for Mobile Communications GSMSubscriber identity module (SIM) or universal subscriber identity module (USIM) to identify the user to the cellular networkAT&T, T-MobileCode Division Multiple Access CDMASprint, VerizonIntegrated Digital Enhanced Network iDENSprintWorldwide Interop for Microwave Access WiMaxSprintLong Term Evolution LTEAT&T, Sprint, T-Mobile, Verizon

Approved for Public Release19AndroidForensics19Android Overview & HistoryAppsAs of January 2012, over 400,000 Android apps have been developed. Doubled since January 2011.Apple maintains tight control over their App Store, requiring developers to submit to a sometimes lengthy review process and providing Apple with the nal approval for an app. Apps can be denied based on a number of criteria, most notably if they contain any content Apple feels is objectionable. Google, on the other hand, requires very little review to publish an app in the Android Market. While Google has the ability to ban a developer, remove an app from the Android Market, and even remotely uninstall apps from Android devices, in general their approach to app management is hands off. (Hoog)Source: http://www.theverge.com/2012/1/4/2681360/android-market-400000-app-availableApproved for Public Release20AndroidForensics20Android Open Source ProjectTheAndroid Open Source Project (AOSP)is led by Google, and is tasked with the maintenance and development of Android.It is good experience to download and install AOSP from source.Not critical for all forensics analysts to get this deep into Android. May be helpful for deep analysis.We wont be doing that in this courseSource: http://en.wikipedia.org/wiki/Android_(operating_system)#Android_Open_Source_ProjectApproved for Public Release21AndroidForensics21Brief Linux OverviewSource: http://www.talkandroid.com/wp-content/uploads/2011/05/LinuxAndroid.png?3995d3Approved for Public Release22

Linux, Open Source Software & ForensicsOpen source software has had a tremendous impact on the digital forensics discipline. Forensic tools that are released as free open source software have tremendous advantages over closed source solutions including the following:The ability to review source code and understand exact steps takenThe ability to improve the software and share enhancements with entire communityThe priceLinux is not only a critical component of Android but can also be used as a powerful forensic tool. Source: Andrew Hoog, Android Forensics, Elselvier 2010Approved for Public Release23AndroidForensics23Linux Commandsmanhelpcdmkdirmountrmdir/rmnanolstree

catddfindchmodchownsudoapt-getgrep| and >Approved for Public Release24 see Linux Commands handout for valuable commandsAndroidForensicsThese are some Linux commands that are useful when using Ubuntu as a forensic workstation, but also come in handy when we access an Android shell, which is Linux.

If these commands are foreign to you, suggest a refresher course/book in Linux commands.

Due to time, we will not be covering detailed definitions of Linux commands, though we will highlight and define the commands we use, as we go.24Android and ForensicsSource: http://viaforensics.com/services/mobile-forensics/android-forensics/Approved for Public Release25

Android & ForensicsRelatively new, emerged in ~2009Best known expert in the field is Andrew HoogOther leaders in the Android Security field include Jon Oberheide and Zach LanierCommunity is rapidly growingIn-house investigations on pilot / prototype appsPenetration testsVulnerability assessments Funded research

Approved for Public Release26AndroidForensicsThese are some Linux commands that are useful when using Ubuntu as a forensic workstation, but also come in handy when we access an Android shell, which is Linux.

If these commands are foreign to you, suggest a refresher course/book in Linux commands.

Due to time, we will not be covering detailed definitions of Linux commands, though we will highlight and define the commands we use, as we go.26Course SetupSource: http://viaforensics.com/services/mobile-forensics/android-forensics/Approved for Public Release27

Course Setup Ubuntu Linux distribution with Android SDKUbuntu 11.10 32-bit running on VMWare. Fully functional free, open-source environment for you to keep after the course is over.http://www.vmware.com/Need 20GB hard drive space and 2+GB RAM for the VMhttp://www.ubuntu.com/download/ubuntu/downloadWindows for some commercial toolsApproved for Public Release28AndroidForensicsAlso have 64-bit version built for VirtualBox28VM Setup 1 of 7

Approved for Public Release29

AndroidForensicsVM Setup 2 of 7Approved for Public Release30






UbuntuUser name: studentPassword: password1

AndroidForensics35Forensic Workstation SetupApproved for Public Release36Disable AutomountCommand: gconf-editorNavigate to apps > nautilus > preferences, uncheck media_automount and media_automount_open

AndroidForensics

Slide only needed on some instances of the VM. Initially used on first Virtual Box build, but automatically setup on the VMWare build. 36Android ArchitectureSource: http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpgApproved for Public Release37

Got Android?http://developer.android.com/guide/basics/what-is-android.html38

AndroidForensicshttp://developer.android.com/guide/basics/what-is-android.htmlBased on Linux 2.6 kernel.Flash Memory important for forensicsLibraries (core libraries)SQLite is important for forensic analysisRuntimeContains Dalvik, custom JVMWe will explore the details of Dalvik VM when we RE an app.Dalvik VM uses file format Dalvik Executable (.dex).Java Archive (.jar) gets converted to .dex upon compilation, providing optimization .We will use smali (by JesusFreke) to decompile .dex files.App FrameworkResources access via SDK by developersWe will focus on much of these areas during our forensic data extraction and application reverse engineeringFor more deep info on the Android architecture and application development framework, suggest Android Internal and Intro to Android Dev.NDK Add more if we want to address.

38Much ado about hardwarehttp://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg39

Hardware - core CPURadioMemory (RAM & NAND Flash)GPSWiFiBluetoothSD CardScreenCamera(s)KeyboardBatteryUSBAccelerometer / GyroscopeSpeakerMicrophoneSIMApproved for Public Release40AndroidForensicsCPU ARM and Intel x86RAM Random Access Memory; loads and runs OS, apps, and data; is volatileNAND Nonvolatile, persistent; stores bootloader, OS, and dataSD Card varies per device. External SD uses NAND. Some phones (Nexus) emulate an SD Card by partitioning on-board NAND.Camera Front, back; GPS tracked photos; time/date stamp; barcode readerBattery to get to SD Card/SIM, often must remove battery, powering off device. Dangerous for forensics.USB Used for ADB, much of this class; connecting R/W to memory, modifying stored data.40Samsung Vibrant Galaxy SAndroid 2.2 (Froyo)

/data/dbdataWear levelingLogicalLogicalPhysicalPhysicalSource: Mark Guido, MITREAndroidForensicsthe different layers of memory. nand below partitions below files. Notice logical and physical. Important to remember, as we get into different types of forensics acquisition. Logical, possible with default manufacturer device permissionPhysical, requires superuser permissions.42Hardware - devices SmartphonesTabletsGoogle TVVehicle StereosStandalone GPSKindle FireB&N Nook

700+ Android devicesApproved for Public Release43AndroidForensics43ROM & Boot Loaders ROM varies by manufacturerContains boot processseven key steps to the Android boot process: Power on and on-chip boot ROM code execution The boot loader The Linux kernel The init process Zygote and Dalvik The system server Boot completeSource: The Android boot process from power on by Mattias Bjrnheden of the Android Competence Center at Enea44AndroidForensicsBoot loader separate from Linux kernel; the boot loader has two distinct stages: the initial program load (IPL) and the second program loader (SPL).Init - starts key system and user processes; similar to the /etc/init.d scripts found on traditional Linux devices; init.rc is typically located on the root file system and provides the kernel with the details on how to start core services.44ROM & Boot Loaders Source: The Android boot process from power on by Mattias Bjrnheden of the Android Competence Center at Enea45AndroidForensics

Boot loader separate from Linux kernel; the boot loader has two distinct stages: the initial program load (IPL) and the second program loader (SPL).Init - starts key system and user processes; similar to the /etc/init.d scripts found on traditional Linux devices; init.rc is typically located on the root file system and provides the kernel with the details on how to start core services.45

Security Model46Security ModelAt app (.apk) installation, Android checks for developers unique signature.NOTE: Not signed by a CA.Key is the responsibility of the developer.After signature validation, Android check the permissions (AndriodManifest.xml) needed for the app, designated by the developer.For example: network access, GPS access, access to storageChecking an apps permissions, compared to its functionality could give a clue if an app has potential malicious intent. Important area to look at for forensics analysis.Approved for Public Release47AndroidForensicsAt app (.apk) installation, Android checks for developers unique signature.NOTE: Not signed by a CA.Key is the responsibility of the developer.After signature validation, Android check the permissions (AndriodManifest.xml) needed for the app, designated by the developer.For example: network access, GPS access, access to storageChecking an apps permissions, compared to its functionality could give a clue if an app has potential malicious intent. Important area to look at for forensics analysis.47Application SecurityQuick intro/review of Android security modelEvery application (.apk) gets a unique Linux user ID and group IDApps run with their unique user IDEach running app gets its own dedicated process and a dedicated Dalvik VMEach app has its own storage location in /data/data/, only accessible by the unique user ID and group IDApps can share data with other apps using Content Providers (see Intro to Android App Dev for details)Source: Geary Sutterfield, MITRE48.java.class.dexjavadxAndroidForensicsApp installed.Android creates a Linux user ID and group ID for each installed app. This creates a security perimeter allowing only apps with the same user ID access to the same Dalvik VM.Each app get its own directory on device for app and data storage, and is only accessible by its Linux User ID.This is the basis for data security in Android, and the core of the Android Security Model.Android Runtime Dalvik VM (Sutterfield)Runs every Android app (.apk)Each Android app runs in its own processEach Android app has its own instance of the VMPropertiesWritten to allow multiple VM instances to run efficientlyLow memory requirementsRegister based (no stack)Linux provides process isolation, memory management and threading supportRuns Dalvik bytecode (.dex files)Java .class / .jar files are converted to .dex at build time

48Android SDKApproved for Public Release49

Android Tools NeededAndroid SDK (Software Development Kit)Though we are not going to use any of the development tools for device forensicsAVD (Android Virtual Device)ADB (Android Debug Bridge)

Approved for Public Release50AndroidForensicsSDK SetupAndroid 4.1 (newest) , 2.3.3, and 2.2 (most used) SDK is already installed on Ubuntu workstationFor more: http://blog.markloiseau.com/2011/06/how-to-install-the-android-sdk-and-eclipse-in-ubuntu/Eclipse installed, not needed for device forensics, but will be used for later application reverse engineering

Approved for Public Release51AndroidForensicsSDK Install via commandApproved for Public Release52

AndroidForensicscopy the android sdk to /optsudo -s cp -r android-sdk_r20.0.3-linux.tgz /opt

change you into the Android working directorycd /opt

unpack your Android SDKsudo -s tar xvzf android-sdk_r20.0.3-linux.tgz

make the /opt directory and the Android SDK writable and executable for all userssudo -s chmod -R 755 /opt/android-sdk-linux

If you are running a 64-bit distribution of Android SDK on your development machine, you need to install the ia32-libssudo apt-get install ia32-libs

Download, Install and Configure the Android SDKsudo -s cp -r android-sdk_r20.0.3-linux.tgz /opt52SDK ManagerStarting up Android SDK and Android Virtual Device (AVD) manager from terminalIcon on desktop, or$ cd /opt/android/tools$ ./android Approved for Public Release53

AndroidForensicsPut proxy on the board.gatekeeper.mitre.orgPort 80

Located in Tools > Options53SDK PluginsDownload the SDK plugins you want. For us: 4.1 (newest), 2.3.3, and 2.2 (most used)Choose whichever SDK is appropriate for the device you are analyzing.Approved for Public Release54AndroidForensics54USB Drivers in WindowsAdding USB Drivers in Windows is very easy.


AndroidForensicsIf you're developing on Windows, you need to install a USB driver for adb. If you're using an Android Developer Phone (ADP), Nexus One, or Nexus S, see the Google Windows USB Driver. Otherwise, you can find a link to the appropriate OEM driver in the OEM USB Drivers document.

Download and install Android SDK.In Android SDK Manager, expand Extras and check Google USB Driver packageUpdate Environment Variables PATHExample: C:\Users\Shawn\AppData\Local\Android\android-sdk\platform-tools

55USB Drivers in OS X Lion (1 of 2)If you're developing on Mac OS X, it just works. Approved for Public Release56

AndroidForensicsRun SDK Manager and add some available packages.Update PATH (similar to Linix)

56USB Drivers in OS X Lion (2 of 2)Update PATH for Android toolsnano w ~/.bash_profileexport PATH=${PATH}:/tools:/platform-toolsClose / reopen TerminalApproved for Public Release57AndroidForensics57USB Drivers in Linux

Add a udev rules fileContains a USB configuration for each type of deviceApproved for Public Release58AndroidForensicsSet up your system to detect your device Linux If you're developing on Ubuntu Linux, you need to add a udev rules file that contains a USB configuration for each type of device you want to use for development. In the rules file, each device manufacturer is identified by a unique vendor ID, as specified by the ATTR{idVendor} property. For a list of vendor IDs, see USB Vendor IDs, below. To set up device detection on Ubuntu Linux: In Android SDK Manager, USB Driver package is not compatible with Linux, requiring the more cumbersome UDEV rules setup.

58USB Vendor IDsThis table provides a reference to the vendor IDs needed in order to add USB device support on Linux. The USB Vendor ID is the value given to the ATTR{idVendor} property in the rules file, as described above.CompanyUSB Vendor IDAcer0502ASUS0B05Dell413CGoogle18D1HTC0BB4Lenevo17EFLG1004Motorola22B8Nook2080Samsung04E8Toshiba0930Approved for Public Release59AndroidForensicsterminal: lsusb - when devices connected via USB, run this command to get Vendor ID59UDEV RulesLog in as root and create this file: sudo nano -w /etc/udev/rules.d/51-android.rulesUse this format to add each vendor to the file:SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", GROUP="plugdev"I used: #HTCSUBSYSTEM==usb, SYSFS{idVendor}==0bb4, MODE=0666

Approved for Public Release60AndroidForensics60Final UDEV TouchesMake file readable to all:sudo chmod a+r /etc/udev/rules.d/51-android.rulesUDEV Rules Overview:http://reactivated.net/writing_udev_rules.html

Approved for Public Release61AndroidForensics61Android Virtual Device (AVD)62

62AVD (Emulator) and connecting devicesForensics analysts utilize AVD/emulator to learn app execution on a deviceUseful for validating investigation findingsUseful for testing a forensics or reverse engineering tool an Android device or appTerminal: android (will start up AVD)

Approved for Public Release63AndroidForensics63Create AVDLocation of AVD Files:


Desktop OSAVD Data LocationUbuntu/home//.androidMax OS X/Users//.androidWindows 7C:\Users\\.androidAndroidForensics64/.android Directory TreeCommand: treeApproved for Public Release65

AndroidForensics

65Interesting Filescache.img: disk image of /cache partitionsdcard.img: disk image of SD card (if created during AVD setup)userdata-qemu.img: disk image of /data partition

More details on these directories later


AndroidForensics66REVIEWLearned a brief overview of Android and LinuxDefined the basics of forensics, penetration testing, and vulnerability assessmentsExplored the hardware components of an Android deviceFamiliarized with the Forensics Workstation and Android AVD

Approved for Public Release67AndroidForensics67EXERCISE Create AVD and explore directories of interestCreate FroyoForensics AVD or AVD based on your own Android deviceExplore /.android subdirectoriesLocate cache.img

Approved for Public Release68AndroidForensics68Connecting a Device for ForensicsApproved for Public Release69

69Connecting Device to VMMac OS X with VMWare FusionVirtualBox


AndroidForensicsMac OS X with VMWare FusionVirtual Machine > USB > ConnectUsing VirtualBoxSettings > USB

70Setting up USB InterfacesEach device has different USB setting options when connected to a PCSome options are:Charge onlySyncDisk driveMobile Broadband Connect

Approved for Public Release71AndroidForensics71USB Connection TestTo ensure the device is connected and passing through the host OS to the Ubuntu VMOpen a terminal window and type dmesg (display message or driver message)Approved for Public Release72

AndroidForensicsSCSI removable disk, sdb. Thats the SD card on my HTC phone.72USB Forensics Precaution Important to disable auto-mount to prevent automatic detection and mounting of USB mass storageCritical to limit and modifications to device when acquiring forensic data (more later)A hardware USB write blocker is an optionTo check for mounted SD cards, use df command.

Approved for Public Release 73

AndroidForensics

Not proven, though understand that write blocker may still allow ADB. Some test have proven that write blockers still allow modification of the Android device.Write blockers, ~$200-$300. TableauUltraBlock USB Write Blocker

We will learn more about ADB in a few minutes.73SD Card Infohttp://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg74

SD Card Approved for Public Release75Most developers store large data files on SD cards.Core application data is located in /sdcard/data/data

AndroidForensicsAndroid Debug Bridgehttp://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg76

Android Debug BridgeOne of the most important pieces of Android forensics. Best time to pay attention is now.Android Debug Bridge (ADB)Developers use this, forensic analysts and security analysts rely on this.

Approved for Public Release77AndroidForensics77USB DebuggingEnable USB debugging on deviceApplications > Development > USB DebuggingThis will run adb daemon (adbd) on device.adbd runs as a user account, not an admin account. No root access. Unless your device is rooted, then adbd will run as root.If the device is locked with a pass code, enabling USB debugging is difficult.

Approved for Public Release78AndroidForensics78USB Debugging

Source: http://theheatweb.com79AndroidForensicsUsers may have already enabled USB debugging if:They are involved in app developmentSome commercial apps require USB debugging, for example tethering appsCustom ROMs (CyanogenMod, etc)Google developer phones79USB DebuggingEnable USB debugging on deviceApplications > Development > USB DebuggingThis will run adb daemon (adbd) on device.adbd runs as a user account, not an admin account. No root access. Unless your device is rooted, then adbd will run as root.If the device is locked with a pass code, enabling USB debugging is difficult.

Approved for Public Release80AndroidForensics80ADB ComponentsThree componentsadbd on deviceadbd on workstationadb on workstation

adb is free, open-source, and our primary tool for Android forensics

Approved for Public Release 81AndroidForensicsPrepare for using adb a lot over the next two days.81ADB DevicesTo identify devices connected, use command adb devices


AndroidForensicsBad ADBSometimes adb doesnt respond properly. To kill adb, use command adb kill-server


AndroidForensics83ADB ShellTo open an adb shell on an Android device, use command adb shell

Gives full shell access directly on device.Once we learn more about file system and directories, adb shell will get you much of the data needed for forensic analysis


AndroidForensicsDO NOT give out devices. ADB shell can run with emulator.84Full list of adb commands at http://developer.android.com/guide/developing/tools/adb.html

ADB Shell example Approved for Public Release 85

AndroidForensics85REVIEWLearned proper technique for connecting Android device to a forensic workstationBecame familiar with USB Debuggings importance to forensicsExplored ADB and its relevance to successful investigations

Approved for Public Release 86AndroidForensics86EXERCISELocate data directory on an Android deviceConnect an Android device to your VM workstation (or startup an AVD)Verify USB Debugging is enabled on the deviceStart adb on your forensic workstationUsing adb shell, locate directories in /data/dataJot down the name of some interesting directories for further exploration later

Approved for Public Release 87AndroidForensics87File System& Data http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg88

SMS HistoryDeleted SMSContacts (stored in phone memory and on SIM card)Call HistoryReceived CallsDialed NumbersMissed CallsCall Dates & DurationsDatebookSchedulerCalendarTo-Do ListFile System (physical memory)System FilesMultimedia FilesJava Files / ExecutablesDeleted DataNotepadMore...GPS Waypoints, Tracks, Routes, etc.RAM/ROMDatabasesE-mail

Page 89Forensics Data Gathered and AnalyzedAndroidForensicsFile System & Data OverviewFile SystemsData StorageWhat Data?Important DirectoriesFive Data Storage MethodsShared PreferencesInternal StorageExternal StorageSQLiteNetworkWhere else? Linux Kernel & Android StackdmesglogcatForensically Thinking

Approved for Public Release 90AndroidForensicsFile SystemsMore than a dozen file systems in AndroidMore than a dozen file systems in use on AndroidForensics analysts should understand the most importantEXTFAT32YAFFS2Most user data live in those

Want to find the file systems on your device?adb shell cat /proc/filesystems Approved for Public Release 91AndroidForensicsData StorageExplore file systems and virtual machinesLearning the Android file systems, directory structures, and specific files will be crucial to successful Android forensics analysis Approved for Public Release 92AndroidForensicsWhat Data?Apps shipped with Android (with the OS) eg. Browser

Apps installed by manufacturer eg. Moto Blur

Apps installed by wireless carrier eg. CarrierIQ

Additional Google/Android apps eg. Google Play Music, Gmail

Apps installed by the user, from Play Store or elsewhere Approved for Public Release 93AndroidForensics93Important Directories/data/data- Apps data generally installed in a subdirectoryExample: Android browser is named com.android.browser, data files are stored at /data/data/com.android.browser Approved for Public Release 94

AndroidForensics94Common Subdirectories/data/data//

Approved for Public Release 95shared_prefsXML of shared preferenceslibCustom library files required by appfilesDeveloper saved filescacheFiles cached by the appdatabasesSQLite databases and journal filesAndroidForensics95Five Data Storage Methods We will be exploring these methodsShared preferencesInternal storageExternal storageSQLiteNetwork Source: Hoog96AndroidForensicsShared preferencesKey-value XML datause cat command to view files

Approved for Public Release 97AndroidForensics

97Can be source of data


98Shared preferences exampleAndroid device security applicationExploring shared_prefs, and SDPrefs_V2.xml, my user name and password are stored in the clear Approved for Public Release 99AndroidForensics

99Shared preferences exampleMDM productStores entire connection string, including user name, domain, and password in clear text Approved for Public Release 100AndroidForensics

100Internal storageCommon file systems used: ext3, ext4, yaffs2.By default, files stored in /data/data are encrypted, accessed only by the application. Commonly root access is needed to access these files.


101Internal storageNotice user app_84 is the owner. That user was created when Google Maps was installedTheres a lot of potential rich forensic maps data in these directories Approved for Public Release 102AndroidForensics

102External storageExternal storage (SD Card) have less permission restrictions.FAT32 does not have fine-grain permissions of other file systems.


Typical use FAT32 as the file system for compatibility with Windows for mounting.Example: Google Maps will store data on SD Card due to the file size, and that data is easily accessible to a forensic analyst.103SQLiteLightweight open-source relational database

Entire database contained in a single file

Generally stored on internal storage at /data/data//databases

Browser subdirectories contain valuable data Approved for Public Release 104AndroidForensics

104SQLite commandssqlite3 Runs SQLite.tablesLists available tables.headers ONDisplays header rowselect * from ;Displays table contentsCTRL+ZExits SQLite Approved for Public Release 105AndroidForensics105SQLite exampleThese directories all contain one of more databases of interesting data for analysis. Contents include (app_geolocation) GPS positions for tracking where the device has traveled, (databases, app_databases and app_cache) stored data from visited web sites/apps.


Commercial app available in Android Market, Easy Money106NetworkNetwork storage via Java and Android network classesNetwork data is not stored locally on the device, though configuration files and related databases generally are locally stored Approved for Public Release 107AndroidForensics107Where else? Linux Kernel & Android StackAndroid is Linux at the kernelwe know that.With Linux, there is a kernel log, which may have some interesting data.To access the kernel log, command dmesg or display message, prints the kernel messages to the console (avd or adb shell)

Approved for Public Release 108AndroidForensics108dmesgNotice [KEY] above. Possibly something logging keystrokes. May be worth further investigationRoot access is not needed for dmesg, just USB debugging Approved for Public Release 109AndroidForensics

Generally too much info in dmesg output, though possible time stamps or specific activities may be of use in a forensic investigation.If the device was recently booted, boot log info may be available.109more dmesg commandsdmesg | wcdisplays word count of logl for line count

dmesg > dmesg.log saves dmesg to a log file


Generally too much info in dmesg output, though possible time stamps or specific activities may be of use in a forensic investigation.If the device was recently booted, boot log info may be available.110dmesg.log Approved for Public Release 111AndroidForensics

Generally too much info in dmesg output, though possible time stamps or specific activities may be of use in a forensic investigation.If the device was recently booted, boot log info may be available.111logcat Displays a live stream of messages, system and app debug messageUsed in the CarrierIQ demonstration video on YouTube


Watch video until 15:45 mark112logcat Message Indicators

Approved for Public Release 113AndroidForensicsMessage IndicatorDescriptionVVerboseDDebugIInformationWWarningEErrorFFatalSSilent113Forensically ThinkingNow that we have some idea of how to locate dataTime to start thinking about identifying potential interesting data, forensically thinkingWhat you might look for:Time stamps when was something modified, when did an event occurUser Information locate user names and/or passwords in insecure prefs/logs. Locate user authentication times in log files.Image files identify .JPEG or other picture files, for later assessment of the picture. SD Card Files look for files saved to SD CardCall logs Who has the user been calling / receiving calls from Approved for Public Release 114AndroidForensics114REVIEWExplored Android file system, internal and externalLocated common directories for rich forensic informationIdentified five key areas of stored persistent dataExplored application preference files to locate important forensic dataExplored databases in search of data for forensics analysisIdentified sensitive data stored insecurely

Approved for Public Release 115AndroidForensics115EXERCISEApply current Android forensics knowledge to locate data of interestUsing adb shell (or /.android if using an AVD), explore an applications shared_prefs within /data/dataUse the cat command to open an xml file and review the contentsNote anything of interest to share with the classUsing sqlite3, explore an applications databases within /data/dataUse .tables and select commands to gather data of interest, which could identify something specific about the user.Note anything of interest to share with the class Approved for Public Release 116AndroidForensics116Learning ObjectivesBy the end of this course, you will be able to:Extract and analyze data from an Android deviceManipulate Android file systems and directory structuresUnderstand techniques to bypass passcodes NEW!Utilize logical and physical data extraction techniques Reverse engineer Android applications Analyze acquired data Approved for Public Release 117AndroidForensics117Device Handling & Modification Source: thebransonhistory.blogspot.com118

118Device Handling & ModificationForensics rule: Avoid modification of the target, at all costsNot so easy for mobile. Drives, RAM, CPU, etc are all in non-accessible locationsJust the act of taking the device out of sleep mode records a log (remember logcat)The realization: You cannot get a pristine mobile device, but take much precaution to minimize modification to the device Approved for Public Release 119AndroidForensicsWant pristine (or as close to it) evidence as possible, as to not alter forensic data or nullify an investigation.Plugging in USB, logs an action (which USB access is a key piece to Android forensics)Network connectivity (automatic email syncing, SMS messages, etc) modifies the device.Powering off the device, in order to retain network state, may engage passcodes and encryption. Possibly losing the ability for any data acquisition at all.

119Device Acquisition Extend screen timeout to max, immediately (if not already locked)

Enable Stay Awake while charging and USB debugging

Disable network communication

Do nothing further until in a secure location with minimal cellular / network connectivity Approved for Public Release 120

AndroidForensicsExtendAndroid 2.3.7 (Gingerbread): Settings > Display > Screen timeout > 30 minutes (other implementations have Never timeout option) EnableStay Awake: This will keep the device from shutting off and locking.USB debugging: enable USB connecting for data extraction.Android 2.3.7 (Gingerbread): Menu > Settings > Applications > Development > Stay Awake : USB debuggingDisableAirplane mode (Hold power button or Menu > Settings > Wireless & network settings > Airplane mode)[likely the best approach]Remove SIM (requires power-off)Shielded bag, faraday cage (will rapidly drain battery, as device attempts to connect to cellular network)Power-off, option but not typically advised (may require passcode/PIN upon reboot)

120What if its already off?Boot into recovery mode

Test for connectivity and root access

Cross your fingers that USB debugging is already enabled and/or device is already rooted Approved for Public Release 121AndroidForensics121Circumventing Passcodes http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg122

Circumventing PasscodesCritical capability in forensics and security testing

Techniques vary from platform-to-platform

There is no panacea for circumventing passcodes on Androidbut we will learn a few potential techniques Approved for Public Release 123AndroidForensicsLearning techniques for circumventing passcodes is critical in forensics and security testingThe techniques vary from platform-to-platform, and even vary among Android devices due to varying versions of the OS and varying manufacture implementationsThere is no panacea for circumventing passcodes on Android.but we will learn a few potential techniques

123Passcodes TypesPattern lockPIN Approved for Public Release 124

Alphanumeric

AndroidForensicsFour types of passcode on AndroidPattern lockPINAlphanumeric passwordArguably the strongest and most difficult to circumventFacial recognition (have not had enough time with ICS yet to evaluate this)

124New Passcode TypeFacial recognition Approved for Public Release 125

AndroidForensicsFour types of passcode on AndroidPattern lockPINAlphanumeric passwordArguably the strongest and most difficult to circumventFacial recognition (have not had enough time with ICS yet to evaluate this)

125How Do We Crack Them?Smudge Attack

Pattern Lock Vulnerability

ADB and USB Debugging, with psneuter

Continues to evolve

Approved for Public Release 126AndroidForensicsADB and USB DebuggingFirst attempt requires phone powered on and USB Debugging enabledUse ADB over USBOn forensics workstation with SDK installed, open command/terminal, and run adb devicesIf device is listed, USB Debugging is enabledTypical verification steps:adb devicesadb kill-server (if you are sure you are connected, but no devices are listed)

126Smudge AttackScreens are reflective; smudge (aka pattern lock) is diffuse.Directional lighting and a camera capturing photos overexposed by two to three f-stops (4 to 8 times correct exposure)Creates an image displaying pattern lockNot 100% accurate, since other swipes of the screen may have damaged the pattern lock smudge Approved for Public Release 127AndroidForensicsAdam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith, Smudge Attacks on Smartphone Touch Screens, Department of Computer and Information Science University of Pennsylvania127Smudge Attack Approved for Public Release 128

AndroidForensicshttp://bcove.me/7ozhp9u4WhisperSystems mitigation to smudge attack videohttp://bcove.me/7ozhp9u4 Begin at 6:30 mark

We will show what psneuter is in the next section128Pattern Lock Crack Source: http://www.youtube.com/user/SecurityCompass129AndroidForensicsPattern Lock creates a file gesture.keyHash of the pattern stored If custom recovery ROM is installed (i.e. ClockWork Recovery)Remove & recreate key to bypass pattern

129Gaining Root http://androinica.com130

Root details3 types of rootTempPermRecovery modeProperty Service Neuter (psneuter)Busy BoxSuperOneClick

130Gaining RootNeeded for many forensic techniques, including physical acquisitionNot enabled on any device by defaultNot possible on all devicesGaining root isnt always the best choice in forensicsIt will change data on the device, possibly altering evidenceIt will be time consuming to gain root, as its implemented differently across most devicesRoot makes the device vulnerable to many exploits Approved for Public Release 131AndroidForensicsthere are many root exploits and they can be stuck in tempfs to reduce the amount of forensic changes Mark Guido

131Three Common Types of RootTemp root roots the device only until it is rebooted, which then disables root

Perm root root persists after reboots. Commonly enabled with custom ROMs

Recovery mode root flashing (installing) a custom recovery partition, allowing root to run only in recovery mode Approved for Public Release 132AndroidForensics132Temp RootFor forensics, temp root is what we want to enable, if neededSuggest testing these procedures many times, not, on your primary / target device Approved for Public Release 133AndroidForensics133Temp RootIs USB debugging enabled?Is it already rooted?adb shell supermission denied no root# - root

MyTouch 4G custom ROM

Droid X stock OS

If not rooted, start searching xda-developers.com Approved for Public Release 134

AndroidForensicsJust teaching you to fish here. Heres a pole, theres the pond, have at it.

134Property Service NeuterPsneuter is a form of a malicious app, but for our good

Uses a vulnerability in Android to gain superuser access, and ultimately root

To gain root shell (or temp root) with psneuter:adb devicesadb push psneuter /data/local/tmpadb shell$ cd /data/local/tmp$ chmod 777 psneuter$ ./psneuter Approved for Public Release 135AndroidForensicsWe dont yet have access to the psneuter app to push to our device.Its available in the web, but even better in a packaged rooting app we will look at in a few mintues

135Permanent RootNot as common for forensicsWe want to limit the footprintPerm root leaves a HUGE footprint Approved for Public Release 136

AndroidForensics136Busy BoxThe Swiss Army Knife of Embedded Linux# mount -o remount,rw -t rfs /dev/block/st19 /system# exitadb push busybox /system/binadb push su /system/binadb install Superuser.apkadb shell# chmod 4755 /system/bin/busybox# chmod 4755 /system/bin/su# mount -o remount,ro -t rfs /dev/block/st19 /system# exitadb reboot Approved for Public Release 137

AndroidForensicsExample commands is for Samsung phonessomething that you install on Android to give some additional handy LINUX / UNIX based commandsBusy Box is needed to enable permanent rootNeed to get Busy Box and superuser.apk to execute this.With psneuter and the Busy Box / superuser implementation listed, you may gain perm rootor, check out the next tool as a giant time saverRemember, we are trying to do forensics here, not learn every intricacy of the Android platform137SuperOneClickA simple tool for "rooting" your Android phone Approved for Public Release 138

AndroidForensicsSuperOneClick is a simple tool for "rooting" your Android phone. It allows partial or full rooting and also enables "unrooting.Download drivers from your phoneFor my Motorola DroidX, drivers are at: http://www.motorola.com/Support/US-EN/Support-Homepage/Software_and_Drivers/USB-and-PC-Charging-DriversWindows-based solution (about a 15 minute installation)Includes ADB in the zip/installationHome of SuperOneClick: http://shortfuse.org/

138SuperOneClickRoot for perm, Shell Root for temp Approved for Public Release 139

AndroidForensicsSuperOneClick is a simple tool for "rooting" your Android phone. It allows partial or full rooting and also enables "unrooting.Download drivers from your phoneFor my Motorola DroidX, drivers are at: http://www.motorola.com/Support/US-EN/Support-Homepage/Software_and_Drivers/USB-and-PC-Charging-DriversWindows-based solution (about a 15 minute installation)Includes ADB in the zip/installationHome of SuperOneClick: http://shortfuse.org/Video showing successful rooted Moto phone: http://youtu.be/J1MD7GX7Pyw only 1:32 in length

139A couple rootsAcer A500http://www.tabletroms.com/forums/showwiki.php?title=AcerIconiaFaq:How-to-root-the-Acer-Iconia-Tab-A500Lenovohttp://rootzwiki.com/topic/8722-lenovo-ideapad-k1-rooting-guide-messy/page__st__120 Approved for Public Release 140AndroidForensicsSuperOneClick is a simple tool for "rooting" your Android phone. It allows partial or full rooting and also enables "unrooting.Download drivers from your phoneFor my Motorola DroidX, drivers are at: http://www.motorola.com/Support/US-EN/Support-Homepage/Software_and_Drivers/USB-and-PC-Charging-DriversWindows-based solution (about a 15 minute installation)Includes ADB in the zip/installationHome of SuperOneClick: http://shortfuse.org/Video showing successful rooted Moto phone: http://youtu.be/J1MD7GX7Pyw only 1:32 in length

140AgendaDAY 1Forensic IntroductionCourse Setup Linux, OS X, and Windows Android OverviewSDK and AVDAndroid Security ModelADB and shell IntroductionFile System and Data Structures

Device HandlingCircumvent passcodeGain Root Access Approved for Public Release 141AndroidForensics141AgendaDAY 2Recovery Mode Boot LoadersLogical Forensic TechniquesOpen Source ToolsCommercial Tools

Physical Forensic Techniques & ToolsForensic AnalysisApplication Penetration Testing SetupReverse Appsmore ReversingDocument Findings

Approved for Public Release 142AndroidForensics142Got sqlite3? $ adb push sqlite3 /sdcard/

$ adb shell$ su# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system# dd if=/sdcard/sqlite3 of=/system/bin/sqlite3# chmod 4755 /system/bin/sqlite3# mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /systemsqlite3 binary is in SuperOneClick directory. Approved for Public Release 143AndroidForensicsAdded in for students asking, how do we install sqlite3 on Motorola devices that do not come with sqlite? Remember, its best to pull data off device and analyze offline to keep the pristine nature during a forensics investigation.143Recovery Mode http://www.mymac.com144

144Recovery ModeDesigned as an avenue for manufacturers to deliver and apply system updates

Recovery partitions offer shell access and root permissions

When booting into recovery mode, pass codes are circumvented Approved for Public Release 145AndroidForensicsBriefly mentioned recovery mode earlierNot on all stock or manufacture provided ROMsMost custom ROMs and some manufacturer ROMs contain a recovery partition in the NAND flashNot all recovery partitions are equal

145Recovery Not User Accessible Approved for Public Release 146

AndroidForensicsDevices without user accessible recovery partition will have a screen similar to this when attempting the recovery mode key combinationReboot in Recovery (T-Mobile MyTouch 4G with CyanogenMod 7.10 ROM)Press and hold power off buttonChoose Reboot from Phone options menuChoose Recovery from Reboot phone menu

146Recovery User AccessibleCheck adb devices on forensic workstation

If no adb access, search for root while in recovery mode Approved for Public Release 147

AndroidForensicsPhone reboots, ClockworkMod Recovery opens (this is because the phone tested has a custom ROM and custom recovery partition only found on perm rooted phones# - We have root$ - we do not have root

Plug into USB (if not already)Choose mount for any of the directories, and you have direct access to the data in that directory, via adb (if connected to forensic workstation) or as a windows directoryData can be extracted for later analysis

(optional further ClockworkMod exploration) Navigate to mounts and storage147Recovery Mode TechniquesDeviceKey CombinationMotorola Droid XPower off. Hold Home and press power button. Release power. When (!) displays release Home. Press Search button. (needs more research)HTC IncredibleHold volume down and press power button. Use volume down to select recovery and press power button. Approved for Public Release 148AndroidForensicsOther recovery mode techniques, based on device148Passcode Circumvention RecapIf device is on and passcode protected, connect to USB and attempt ADB access.

If pattern lock is present (and you have access to lighting and camera), attempt smudge attack.

If those fail, attempt to reboot into recovery mode.

If device is off, attempt boot into recovery mode. Approved for Public Release 149AndroidForensicsMore advanced techniques include flashing the recovery partition with a custom ROM, or utilizing exploits in boot loaders. Many possibilities exist; time limits us from diving into each.

149REVIEWIdentified the important of proper device handling

Explored techniques for circumventing passcodes

Applied rooting techniques and tools

Located recovery partitions and benefit of recovery mode Approved for Public Release 150AndroidForensicsWe wont be covering boot loaders in detail this course. Android Internals will give you all the Boot Loader info.150EXERCISEAttempt to circumvent passcode and obtain root accessDocument your findings to share with the class Approved for Public Release 151AndroidForensics151Learning ObjectivesBy the end of this course, you will be able to:Extract and analyze data from an Android deviceManipulate Android file systems and directory structuresUnderstand techniques to bypass passcodes NEW!Utilize logical and physical data extraction techniques Reverse engineer Android applications Analyze acquired data Approved for Public Release 152AndroidForensics152Android Forensics Techniques http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg153

Android Forensics TechniquesForensic data acquisitionAcquiring SD card dataOpen-source and commercial forensic toolsqtADBviaExtractCelleBriteParaben Approved for Public Release 154AndroidForensicsXRY

154Logical vs. Physical Acquisition http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg155

Logical vs. Physical AcquisitionLogical vs. PhysicalLogical ADB PullOther toolsPhysicalHardware vs. softwareSoftware technique in detail Approved for Public Release 156AndroidForensicsLogical vs. Physical AcquisitionLogicalPhysicalAccesses the file system. Data that is readily available to a user.Targets the physical memory, not relying on the file systems. Gains much more data than logical, potentially circumvents passcodes.

Approved for Public Release 157AndroidForensicsLogicalIf adb devices returns results you can run a logical extraction.Logical are the most common technique, because they are the easiest and often provide enough data.No root access needed, just USB debuggingIn Android forensics, there is a logical technique which does not rely on the file system, and is less-effective. It relies on applications Content Providers. It is part of Android OS and the SDK. Later on we will have a detailed look at logical forensic techniques, and a commercial tool that uses this technique.We will look further into adb logical extraction, then into commercial forensic tools, including viaForensics, CelleBrite, and Paraben productsPhysicalPhysical extraction can be achieved via hardware or software forensicsThe ability to physically image memory is the holy grail of mobile device forensics Hardware-based involves physically tearing down the device, rendering it likely inoperableSoftware is a bit less destructive, which we will cover, using root accessSoftware extraction will attempt to acquire the entire image of the device, including deleted data

157Logical Acquisition http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg158

158Logical SD Card AcquisitionUser app data lives in /data/data directories which each sub-directory is RW protected to the app userSD cards are used for large storage (audio, video, maps)SD uses cross-platform FAT file systems.apk files residing on SD cards are increasingly encryptedRemoving SD card challengesUnencrypted .apks are mounted in /mnt/asecThis is an important directory to pull and analyze, if 3rd party apps are part of the investigation Approved for Public Release 159AndroidForensicsX-platformFAT file system, common on old versions of WindowsEncrypted apklimiting the previous ability to lift the .apk off device and analyzemicroSD range from 2GB to 32GBRemoving challengesPhysically removing SD cards sometimes requires removing battery (i.e. powering off), or becoming more common, the SD card is non-removableUnencryptedWhen SD card is not mounted to forensic workstation, the unencrypted .apks are mounted in /mnt/asec.This a an important directory to pull and analyze, if 3rd party apps are part of the investigationWe will look at reverse engineering the .apk files later159ADB Pull logicalCommand used for copying data from an emulator or devicePrimary logical acquisition tooladb pull on non-rooted Droid X:


AndroidForensicsIf not rooted will likely not have much for resultsYou may notice security engineers talk about the importance of not rooting your Android device. This is the reasonadb pull is considered a primary logical acquisition toolMay take 20 minutes to complete

160ADB Pull rooted & lockedadb pull on rooted and password locked HTC Glacier (aka T-Mobile MyTouch 4G): Approved for Public Release 161

AndroidForensicsIf not rooted will likely not have much for resultsYou may notice security engineers talk about the importance of not rooting your Android device. This is the reasonadb pull is considered a primary logical acquisition toolMay take 20 minutes to complete

161ADB Pull rooted & locked~700 MB ~27 minutes


AndroidForensicsThe entire /data directory was pulled from the MyTouch, while locked, and stored on my workstation in /home/adbpull

On unrooted devices, /data is encrypted, though adb pull can pull useful data (web history, system info, more) in directories like /proc and /sys.

Later on we will dig into some of the key directories we pulled data from162Tools and Time Savers 163

Many commercial forensics software products, now support Android (likely because the ease of adb integration)Not all are equal, as there are hundreds of Android devices which each product may (or may not) supportMost focus on logical acquisition of data either with adb or pulling Content Provider information from applicationsSome can do physical acquisition on a few devicesSome also attempt passcode bypassing http://viaforensics.com/products/viaextract/ The Sleuth Kit http://sleuthkit.org We will look at QtADBAFLogical by viaForensicsCellebrite UFED & Physical AnalyzerParaben Device Seizure163QtADBhttp://qtadb.wordpress.com/

Graphical app based on adb

Open-source, currently well-supported


A graphical app based on adb. Utilizes the Android SDK (actually uses adb), but gives a clean user interfaceRequires installing Qt libs 4.7 on your workstation, rooted device, and busybox installed on the deviceWindows, Linux, and Mac versions

Silent annotated 6 minute video: http://youtu.be/H3drxktKIyU

164QtADB featuresFile managercopying files and dirs between phone and computerremoving files and dirscreating new dirand otherApp managerinstalling appsremoving appscreating backup of apps with datarestoring backups of apps with dataSms managerreceiving sms (baloon in tray)reading smssending smsShellopens android shellScreenshottake screenshot of your devicesave screenshot to png fileFastbootflash bootloader, radio and recoveryboot recoveryRecoverynandroid backup/restorewipe dataflash romwipe battery statsfix uid mismatchesRebootto bootloaderto recoverynormal rebootSettingsset font used by appset starting paths (or remember paths on exit)and otherLogcatAutomatically detects phone (device, fastboot and recovery mode)

Approved for Public Release 165AndroidForensicsA graphical app based on adb. Utilizes the Android SDK (actually uses adb), but gives a clean user interfaceOpen-source, currently well-supportedRequires installing Qt libs 4.7 on your workstation, rooted device, and busybox installed on the deviceWindows, Linux, and Mac versions

165QtADB in actionRecovery partitionLogcat Approved for Public Release 166AndroidForensics

166QtADB setupWindows:Must have Android SDK installedZIP contain all librariesExtract to a permanent directoryOpen QtADB applicationChoose path to directory with adb and aapt binaries (example: C:\Users\\AppData\Local\Android\android-sdk\platform-tools) Approved for Public Release 167AndroidForensics

Windows: http://qtadb.com/qtadb/QtADB_0.8.1_windows.zip Linux 64-bit: http://qtadb.com/qtadb/QtADB_0.8.1_linux64.tar.gzMac OS X: http://www.mediafire.com/file/4hsyfnvvmq2lc5c/QtADB_0.8.0_osx.zip

If phone drivers are installed, QtADB will display a Windows Explorer-like displayWorkstation files on left, phone files on right

167REVIEWIdentified the difference between logical and physical forensics

Explored open and free tools and techniques for logically acquiring data

Located directories and file details for SD card logical acquisition Approved for Public Release 168AndroidForensics168EXERCISEUsing either ADB or QtADB pull a logical acquisition from your device or AVD.

Verify pull successfully completed, and document size of data acquired. Approved for Public Release 169AndroidForensics169AFLogicalAndroid forensics logical extraction toolFree for law enforcement and government agenciesLeverages Content Providers Approved for Public Release 170AndroidForensicsCallLog Calls

Created by security consulting / product company viaForensicsLeverages Content Providers (remember our overview of the Android security model). Content Providers allows an application the ability to share data with another application.See Intro to Android Dev for more.AFLogical requires USB debugging to be enabledAcquires data from 41 Content Providers and saves details in .csv

Setup:Download AFLogical application athttp://viaforensics.com/products/aflogical/Remove users SD Card and install examiners SD Card into phoneConnect Android device to forensic workstationFrom cmd prompt, type the following:adb devicesadb install AndroidForensics.apkadb shell am start -n com.viaforensics.android/com.viaforensics.android.ForensicsActivityOn device, viaForensic app should be running, select Capture[Optional] Create directory on workstation to receive files, for example c:\temp\af[Optional] From cmd prompt:adb pull /sdcard/forensics c:\temp\afFrom cmd prompt:adb uninstall com.viaforensics.androidDisconnect Android deviceFiles are on SD Card root in folder called forensics and then named after date/time of acquisition. Or files are in workstation folder if followed above Optional steps.

170Cellebrite UFEDPage 171

AndroidForensicsLogical extraction onlyNo deleted filesNo file system at allData extractedSMSCall LogContactsPicturesAudio FilesEtc.~1-2 min for extraction

171Cellebrite Physical Analyzer Approved for Public Release 172AndroidForensics

172Paraben Device Seizure173

AndroidForensicsLogical ExtractionSMSCall LogContactsPicturesAudio FilesEtc.File SystemNo deleted filesReconstructs file systemExcludes /dataRegular user does not have permission to access this directoryNext step: root the device~3-4 hours for extractionWe will look at:AcquisitionResultsSortingReporting

173Device Seizure Acquisition

DS acquisition temp installs Seizure Service on device. Removes automatically during completion of acquisition174AndroidForensicsLogical ExtractionSMSCall LogContactsPicturesAudio FilesEtc.File SystemNo deleted filesReconstructs file systemExcludes /dataRegular user does not have permission to access this directoryNext step: root the device~3-4 hours for extraction

174Device Seizure Acquisition175Device Seizure hung while acquiring data after more than 11 hoursKeep in mind, I'm acquiring from a rooted CyanogenMod ROM, and checked options to acquire all data, including the entire contents of 32GB Class 10 microSD card

AndroidForensics175Device Seizure Acquisition176This screen displays for considerable amount of time when completing / canceling an acquisition

AndroidForensics176Device Seizure Results177Contacts and Calendar were empty

AndroidForensics177Device Seizure Sorting178After acquisition, "Do you want to fill the sorter?This will take about an hour

AndroidForensics178Device Seizure Sort Results179Sorting all the findings

AndroidForensics5-48 hours, eventual failure to complete. Though looking at data, nearly 3GB of data was extracted into case. (case3)Stored on protected IronKey

Search for password28 results found before pausing search

Cached GPS voice commandsHTC Glacier File System mnt/sdcard/Android/data/com.google.android.apps.maps/cache/._speech_nav_27.wav[1}I-95 N , 2011-12-09 11:47:00mnt/sdcard/Android/data/com.google.android.apps.maps/cache/._speech_nav_13.wav[1}Wayside Rd. , 2011-12-09 11:55:24Image InvestigationHTC Glacier File System mnt/sdcard/DCIM/.thumbnails/1324772457133.jpg [1]Picture of room with furniture. Meta data shows picture was taken from HTC Glacier on 2011-12-24 20:20:56.

179Device Seizure Reports180Creating a PDF report of the entire case

AndroidForensics180Device Seizure Report181AndroidForensics

181Device Seizure Report182AndroidForensics

182Device Seizure Report183AndroidForensics

183Physical Acquisition http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg184

Physical Accesses the physical storage, not the file system, for access to data.Physical provides much more data than logical, though are more difficult and time intensive, and require more analysis time.Can locate deleted data, which was marked for deletion, but not yet overwritten.Known as allocated and unallocated (deleted) data.

184Software Physical AcquisitionLets get a full NAND acquisition of the user accessible data partition

For times sake, and now that we know of open-source and commercial tools, lets take advantage of them for the physical acquisition Approved for Public Release 185AndroidForensicsPhysical more difficult to achieve than logical.

First need root privileges, we covered this earlier. No root, no physical.If we have root, we can get access to the entire NAND flash, not just the file systemWill bypass passcode locked devicesHow do we do it?Many approaches documented

185Forensic Analysis http://www.geeky-gadgets.com/wp-content/uploads/2010/08/android3.jpg186

Forensic AnalysisAnalyzing acquired dataFile System AnalysisSQLite AnalysisDirectory Structure FAT AnalysisSD Card AnalysisYAFFS2 Analysis

Approved for Public Release 187187Forensic Analysis - photosCommon location for storage of photos in JPG format Approved for Public Release 188

188Important Directories Recap/cache/Previewed Gmail attachmentsDownloads (Market and messages)/data/ dalvik-cache: applications (.dex) that have been runapp: .apk filesdata: subdirectories per app with SQLite databases and XML shared preferencesmisc: protocol infosystem:installed applications (or packages.xml)accounts databasedevice and app login details, .key files/proc & /sys list of device filesystems, web history, device info/mnt/sdcard/DCIM/Camera - images/sdcard/android or sdcard/data/data FAT32, limited permission 189AndroidForensics189REVIEWExplored several commercial Android forensics products

Identified the benefits and acquisition steps of physical forensics

Located the most important directories for analysis Approved for Public Release 190190EXERCISEDetermine what the user does for work and fun(in groups) Now that you have acquired data many different ways, analyze the data using one of the forensics tools (adb, adb shell, Device Seizure, QtADB, etc) to get a fresh data acquisition from your deviceLook at earlier exercises for commands, as a refresherExplore data in directories like /data/ and /cache/As a forensic analyst, document findings that would help you determine the users profession and hobbiesBe prepared to share your findings with the class Approved for Public Release 191If using AFLogical (see exercise page for AFLogical setup)

Connect an Android device and attempt a physical acquisition (if available)

If physical not available, attempt a logical acquisition (for time sake, exclude SD card)

Once acquired, locate apps and be prepared to share with the class the contacts database and apps stored on the device

191Learning ObjectivesBy the end of this course, you will be able to:Extract and analyze data from an Android deviceManipulate Android file systems and directory structuresUnderstand techniques to bypass passcodesUtilize logical and physical data extraction techniques Reverse engineer Android applications Analyze acquired data Approved for Public Release 192AndroidForensics192Application TestingReverse Engineering Apps http://www.areamobile.it/wp-content/uploads/2011/12/defend-reverse-engineering.jpg193

193Analyzing APKsByte code is reverted to sourceFirst extracting each of the classes.dex filesUsing dex2jar.bat, a jar file is created


.java.class.dexjavadxBatch file used to convert dex files to jar filesThe byte code is reverted to source for potential use during penetration testingThis is done by first extracting each of the classes.dex files using an archive manager, for example 7-ZipArchive management program similar to WinZipUsing dex2jar.bat, a jar file is createdBatch file used to convert dex files to jar files194More Analyzing APKsJava Decompiler used to create a zip file containing all of the Java source codeUsed to view class files and convert them to javaThe remaining content of each of the APK files is extracted Approved for Public Release 195AndroidForensicsYes, its a painful process!

How can we make it easier?The byte code is reverted to source for potential use during penetration testingThis is done by first extracting each of the classes.dex files using an archive manager, for example 7-ZipArchive management program similar to WinZipUsing dex2jar.bat, a jar file is createdBatch file used to convert dex files to jar files195APK ReversingRename Android app (.apk) to .zip.Extract .zip.Run Dex2Jar desktop script (.bat or .sh) on extracted .dex fileDex2Jar decompiles .dex to .jar (Java Archive)Open .jar in Java Decompiler desktop app to review source http://en.wikipedia.org/wiki/Step_by_Step_(TV_series)196.java.class.dexjavadx

APKToolPowerful tool for forensic analystsTool for reverse engineering Android binaries Available at code.google.com


Remove -f flag if not needing to overwrite directory.Installation for noobsWindows:Download apktool-install-windows-* fileDownload apktool-* fileUnpack both to your Windows directoryLinux:Download apktool-install-linux-* fileDownload apktool-* fileUnpack both to /usr/local/bin directory (you must have root permissions)Mac OS X:Download apktool-install-macos-* fileDownload apktool-* fileUnpack both to /usr/local/bin directory (you must have root permissions)197androguardReverse engineering, Malware and goodware analysis of Android applications ... and more !Check for permissions and usage Available at code.google.com


you can analyze, display, modify and save your apps easily and statically by using the tool (androlyze) in command line

198APKinspectorPowerful tool for forensic analystsGraphically reverse engineer and analyze appsAvailable at code.google.com Approved for Public Release 199AndroidForensics

Includes Java Decompiler and dex2jarAPKInspector install stepsCode.google.com/p/apkinspector/wiki/Installation (with help from ubuntuforums.org/showthread.php?t=17777613)Install QtSDKConfigure PATHInstall PythonInstall SIPInstall PyQt4Install pydotInstall GraphvizInstall apktool

Run it: /opt/apkinspector python startQT.pyNo sound, not stimulating 9:00m Video at: http://youtu.be/X538N-x3UUY 199REVIEWExplored reversing tools for Android

Reverse engineered app back to source code

Explored code and data for an APK Approved for Public Release 200200EXERCISEReverse engineer an app and locate critical dataUse APKInspectorReverse engineer Facebook or F-Droid, mobile app market, applicationBoth apps located in Documents directory on workstationLocate the database where user IDs are stored

Approved for Public Release 201201Learning ObjectivesBy the end of this course, you will be able to:Extract and analyze data from an Android deviceManipulate Android file systems and directory structuresUnderstand techniques to bypass passcodes NEW!Utilize logical and physical data extraction techniques Reverse engineer Android applications Analyze acquired data Approved for Public Release 202AndroidForensics202