Abstract
With the world shifting to mobile devices for both personal and official work, the
number of digital frauds is increasing exponentially. As technology advances day by day,
innovative ways to commit crimes are also increasing. These days cyber criminals focus on
refining their crime techniques so that a minimal amount of data traces is left on the
devices or systems they use. In order to investigate the ever growing cyber-crime on
easily available and affordable computing devices, there is a need to develop manual techniques
which can help investigators in the near future and make them less reliant on forensic tools.
This paper brings out a methodology to analyze and examine an Android mobile phone in an easy
and simple manner without the help of commercial tools, by utilizing the concept of a virtual
Android device created on the Genymotion emulator. Additionally, this work also focuses on the
analysis and recovery of the data present in the cache memory of installed applications such as
Facebook.
1. Introduction
Forensics is the branch of science that deals with evidence that can be
presented in a court of law. Its sub-domain that deals with acquiring and
analyzing data from computers, smartphones and other digital devices is known
as digital forensics. The operating system (OS) used in Android smartphones is
derived from the Linux OS used in computers. Due to the rapid growth in mobile
technology, new challenges have been introduced for forensic investigators. The
speed at which new models are designed and launched makes the application of
old forensic procedures very difficult. Each case or investigation of a new
model needs to be considered differently and requires steps which may be
different and unique to the case. Android smartphones are the most popular
choice in the already crowded mobile phone market, and they are gaining an even
higher market share at an exponential growth rate. The reason for the
popularity of these devices is that they are feature rich, cost efficient and
user friendly. Android smartphones provide a number of features and
data-centric information such as data files, contact details, running
applications, games and many more. The data from these devices can be extracted
using various forensic tools, both open source and paid. However, there is no
simple, universally accepted method which can be used with 100 % certainty to
fetch data from Android smartphones in a forensically sound manner. The
established approach to digital forensics developed for personal computers is
generally inappropriate for Android smartphones. Consequently, recovering
evidence from Android smartphones in accordance with established principles of
forensic evidence is complex and time consuming. The architecture of a
commercial mobile analysis tool is not open source, primarily to protect the
commercial interests of the manufacturers. Hence, an investigator or a
researcher is unable to capture the data flow between the tool and the mobile
device, the memory map of the device and other finer details which could help
in gathering data for forensic purposes. In order to understand the data
communication, the Android architecture, which is Linux based as given in
Fig. 1 and referenced in "Android Architecture and Libraries Every Android
Developer Should Know" by Elisha Chirchir
(http://simpledeveloper.com/android-architecture/), was studied in detail. In
the case of mobile forensics, an investigator focuses mainly on two types of
acquisition: physical and logical. Logical acquisition encompasses acquiring
the file system of the device, which includes the system files, user data and
present data. Physical acquisition includes the physical memory of the mobile
device, including deleted data. The general tendency is to delete data from
the mobile after committing a crime. Hence, there is a lot of emphasis on
recovering deleted data from the mobile phone.
In this work, Android Debug Bridge (adb) commands have been used to extract
the data manually from the Android phone. Using these commands the system
partition of the phone can be accessed, thereby easing the process of forensic
analysis. For the purpose of this research, a two-pronged approach has been
followed. First, the data extraction has been done using a virtual Android device
created in an Android emulator, Genymotion. Second, a real device having the
same or a nearly matching Android kernel version is taken and the process is
repeated to establish the authenticity of the research. The complete article is
organized as follows. Section 2 briefs about the work done in the area by other
researchers. Section 3 gives the details of the proposed system, and the
experimental setup is discussed in Section 4. Section 5 summarizes the important
findings of the experiments, with conclusion and future work being highlighted in
Section 6.
2. Literature Survey
3. Proposed Methodology
4. Experimental Setup
There are a large number of apps installed in any mobile device which store a
plethora of information in the form of cache. Cache is a type of SRAM
(Static Random Access Memory) which the system can access faster than
RAM (Random Access Memory). Its purpose is to store data and
processes that are used repeatedly by an application or program. Every app
has its own cache folder and stores data in different file formats. These
files can give a broad idea about the data sent or received and can also be
used to derive forensic artifacts in any investigation. Since the extraction of
data had already been done on Android versions 4.4, 5.0 and 6.0, the app data
analysis was done on higher versions of Android. Hence, virtual phones
created on versions 7.0 and 8.0 were used to extract data from the Facebook app.
The cached files were analyzed, and .jpeg files which were transmitted and
subsequently deleted could be easily recovered following the manual
approach enumerated below.
5. Manual Analysis
After the dd raw dump was created as per the procedure outlined above, the
manual analysis commenced to extract the test data from the mobile. For
this, the concept of file signature analysis as specified at
https://www.garykessler.net/library/file_sigs.html was utilized. Every file
extension or type has a unique file signature which consists of a header
and footer. The actual data of the file is stored between the header and
footer for that particular file type. For example, for a .jpeg file the header and
footer are FF D8 FF and FF D9 respectively. All bytes stored between
the header and footer, when copied from the hex dump and pasted into a
separate file, reproduce the desired file. This experiment was done with
non-deleted data first. A virtual Android device having Android version 4.4.4
was taken and a total of 10 files was stored on it: two each
of the file types docx, jpeg, pdf, mp4 and zip. The same set of data was stored
on a real Android device having the same Android version. Each phone was
connected separately to the Tamer VM and, using the adb commands described
above, a dd image or raw dump of the /data partition of the mobile was
created. The data partition contains user data like contacts, messages,
installed apps, etc. The dd image was analysed manually in wxHexEditor,
which displays the hex value of each byte. The desired files were extracted
using the concept of file header and footer described earlier.
A search was carried out for the header and footer in the hex dump as stated
above. All bytes stored between the header and footer, when copied from
the hex dump and pasted into a separate file with the extension .jpeg, lead
to recovery of the original file. After extracting the required bytes and
creating a file with the desired extension, the hash of the file was calculated.
This process was repeated for another file having the same extension.
Subsequently, four more different file types were similarly extracted.
Case 1
The experiment was done for Android version 4.4 (KitKat), both for the virtual
and the real phone, as described above. It was then repeated with two more
virtual and real devices with Android versions 5.0 and 6.0 (Lollipop and
Marshmallow respectively), each having five different file types as test data.
The results obtained are discussed in the Result section.
Case 2
The analysis was repeated for non-deleted data using commercial mobile
forensic tools, namely XRY and MOBILedit. The mobile devices, both
virtual and physical, were connected one by one to the Tamer VM, a dd
image was created and data was extracted for different versions of Android.
Case 3
Retrieving deleted data is the most challenging issue which every forensic
investigator faces in any given case. Case 1 and Case 2 consider only
non-deleted/present data of the device. In this case, the concentration was on
retrieval of deleted data. To perform this, the same test data was pushed to the
devices (real and virtual). Then the data was deleted from the device and it
was checked in FTK Imager whether the files were actually deleted from the
device or not. Then the dd image of the data partition of the device was taken
and analysis was done.
Case 4
The deleted test data was extracted using automated tools and the results were
tabulated for further comparison and analysis. To check the authenticity of
the experiments and to show that the data was actually deleted, the dd image
was mounted in FTK Imager. Fig. 3 below shows the presence of test data
before deletion.
The data was then deleted from the device and the dd image was taken. Fig. 4
shows that the test data actually got deleted and only the name of the file was
visible in hex format. Successful extraction of each test data set signifies that
any deleted data can be retrieved without using any commercial tool by the
manual method explained through the concept of header and footer analysis.
However, it is imperative that the authenticity of the extracted data is
established through hash verification. Therefore, the MD5 hash was calculated
for each of the extracted files and verified against that of the original file
and the file extracted by the automated tool, as given in Fig. 5 (a) and (b).
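The header and footer search of Section 5 and the MD5 verification just described, automated over a constructed raw dump as an added example that is not code from the paper: the signature table, the function names and the sample bytes are assumptions, and the same routine can be run over carved app cache files.

```python
import hashlib
from pathlib import Path

# Header/footer signatures used in the paper: JPEG FF D8 FF / FF D9, PDF %PDF / %EOF.
SIGNATURES = {
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "pdf": (bytes.fromhex("25504446"), bytes.fromhex("25454F46")),
}

def carve(dump: bytes, kind: str, max_size: int = 16 * 1024 * 1024) -> list[bytes]:
    """Return every byte run from a `kind` header through the next footer, inclusive.
    This automates the hex-editor search: the bytes an examiner copies between header
    and footer. Runs longer than max_size are treated as false-positive headers."""
    header, footer = SIGNATURES[kind]
    files, pos = [], 0
    while (start := dump.find(header, pos)) != -1:
        end = dump.find(footer, start + len(header))
        if end == -1:
            break                     # header with no footer: overwritten or fragmented file
        end += len(footer)
        if end - start <= max_size:
            files.append(dump[start:end])
        pos = end                     # keep scanning: a deleted copy may follow the live one
    return files

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify(carved: list[bytes], known_hashes: set[str]) -> list[tuple[str, bool]]:
    """Pair each carved file's MD5 with whether it matches an original test file."""
    return [(md5_hex(b), md5_hex(b) in known_hashes) for b in carved]

def write_carved(carved: list[bytes], kind: str, out_dir: Path) -> list[Path]:
    """Write each carved blob out with the desired extension, as done by hand in the paper."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = [out_dir / f"carved_{i}.{kind}" for i in range(len(carved))]
    for path, blob in zip(paths, carved):
        path.write_bytes(blob)
    return paths

# Constructed sample dump (not a real /data image): a live JPEG, a PDF and a second JPEG
# standing in for a deleted file, separated by zero filler.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
SAMPLE_JPEG_DELETED = b"\xff\xd8\xff\xe1\x00\x08Exif" + b"\x02" * 12 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF"
FILLER = b"\x00" * 64
SAMPLE_DUMP = FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PDF + FILLER + SAMPLE_JPEG_DELETED + FILLER
```

A real JPEG may carry an embedded thumbnail with its own FF D9, so the first footer found can end the file early; the hash check, not the carve alone, decides whether a recovered file is intact.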
Fig. 4 - Test data after deletion
[Figure: PDF header 25 50 44 46 and footer 25 45 4F 46]
Fig. 9 - Experiment flowchart
Figure 10 - (a) Android Ver 8.0 (b) Android Ver 7.0 (c) Test Facebook ID (d)
File sent from test ID (e) Deleted file from test ID (f) Recovered file from
cache
Analysis of the cache files which were extracted as mentioned in the
above section revealed that the .jpeg file that was sent and then deleted
from the source could be recovered from the cache, as shown in Fig. 10(f).
The same experiment was repeated for four more .jpeg files, and they too
were recovered. This analysis shows that traces of the multimedia data
transmitted using social media apps can be found on the user's device itself.
The header and footer concept which has been used in this paper to extract
different file types is highlighted in Fig. 11 and 12 for the image extracted
above. Additionally, the metadata of the image is also obtained from the cache
of the Facebook app.
Fig. 13 - Metadata info of the sent image extracted from Facebook cache
[Figure: test data set, two files of each type: PDF(2), DOCX(2), MP4(2), ZIP(2), JPEG(2)]
In this paper we present a novel method of data extraction from different Android
virtual and physical phones using a manual method. The research done is
authenticated using commercial mobile tools, and the hash of the recovered file is
matched with the original file to prove that data can be recovered from
mobile phones even without using expensive tools. The methodology presented in
this paper is cumbersome and time consuming in case a large data set has to be
extracted, which is generally the case for any mobile. Hence, there is a need to
automate the process described in the paper, so that the background processing is
invisible to a novice investigator and the desired results can be obtained at the
click of a button. The mechanism of hash calculation for all the extracted files
also needs to be automated. Fragmented files also pose a challenge, and a framework
needs to be developed for partial recovery of files, since they can act as a vital
source of evidence in criminal investigation. A similar data extraction methodology
can be developed for Windows and iOS phones after detailed study of their
architecture. Also, the compatibility of commercial forensic tools for analysis of
the dd image can be studied so that a tool-compatible format can be generated, which
would further strengthen our analysis results. Availability of physical phones
having different Android versions, commercial mobile forensic tools and hardware to
carry out research on mobile analysis is a difficult proposition. Hence, it is
easier to carry out research on a virtual device which has exactly the same
features as a physical phone. The various advantages of using a virtual phone, as
listed earlier, aid in creating different scenarios for experimentation, thereby
helping in examining actual mobile phones. This would not be possible with real
phones due to manufacturer-imposed limitations, rooting issues, etc. With a
simple-to-use data extraction setup, the analysis becomes easy. Another advantage
of this setup is that the latest versions of the mobile OS can also be tested for
different Android kernels, and new methodologies to extract data can be developed.
App data extraction, as depicted through the Facebook app, further corroborates our
research approach through the manual method. It clearly brings out that a large
amount of data cached during message exchange can be recovered, which can form a
rich source of evidence. The present work has huge potential and can be expanded to
develop solutions for extracting data from various brands of Android smartphones.
Deleting data from a mobile device does not remove the file from its memory. It
only removes the visual indication of the presence of the file to the user. The
deleted file continues to reside in the phone memory until it is overwritten by
another process. And with increasing phone memory, the probability of file
remanence after deletion is very high. This aspect has been utilised in this
research to propose a simple and cost-effective manual method of data extraction
from Android smartphones.