  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Forensic Carving of Wireless Network Information from the Android Linux Kernel

Saltaformaggio, Brendan D. 01 May 2012
Modern smartphones integrate ubiquitous access to voice, data, and email communication and allow users to rapidly handle both personal and corporate business affairs. This is possible because of the smartphone’s constant connectivity with the Internet. Digital forensic investigators have long understood the value of smartphones as forensic evidence, and this thesis seeks to provide new tools to increase the amount of evidence that one can obtain and analyze from an Android smartphone. Specifically, by using proven data carving algorithms we try to uncover information about the phone’s connection to wireless access points in a capture of the device’s volatile memory.
2

Collaborative Digital Forensics: Architecture, Mechanisms, and Case Study

January 2011
abstract: In order to catch the smartest criminals in the world, digital forensics examiners need a means of collaborating and sharing information with each other and outside experts that is not prohibitively difficult. However, standard operating procedures and the rules of evidence generally disallow the use of the collaboration software and techniques that are currently available because they do not fully adhere to the dictated procedures for the handling, analysis, and disclosure of items relating to cases. The aim of this work is to conceive and design a framework that provides a completely new architecture that 1) can perform fundamental functions that are common and necessary to forensic analyses, and 2) is structured such that it is possible to include collaboration-facilitating components without changing the way users interact with the system sans collaboration. This framework is called the Collaborative Forensic Framework (CUFF). CUFF is constructed from four main components: Cuff Link, Storage, Web Interface, and Analysis Block. With the Cuff Link acting as a mediator between components, CUFF is flexible in both the method of deployment and the technologies used in implementation. The details of a realization of CUFF are given, which uses a combination of Java, the Google Web Toolkit, Django with Apache for a RESTful web service, and an Ubuntu Enterprise Cloud using Eucalyptus. The functionality of CUFF's components is demonstrated by the integration of an acquisition script designed for Android OS-based mobile devices that use the YAFFS2 file system. While this work has obvious application to examination labs which work under the mandate of judicial or investigative bodies, security officers at any organization would benefit from the improved ability to cooperate in electronic discovery efforts and internal investigations. / Dissertation/Thesis / M.S. Computer Science 2011
3

Forensic Analysis of GroupMe on Android and iOS Smartphones

Tanvi Milind Gandhi (11205891) 30 July 2021
The growing popularity of instant messaging has led to the conception of several new applications over the span of the past decade. This has opened up an attack surface for cybercriminals to target susceptible app users. GroupMe is a free IM app widely used by students and so far, no comprehensive forensic analysis has been performed to aid forensic practitioners in recovering evidence from GroupMe on smartphones. This research performs a detailed analysis of the digital artifacts left by the app on Android and iOS devices. This was achieved by installing the app on two mobile phones (Samsung Galaxy S7 Edge and iPhone 6), and identifying each artifact created by performing a series of actions in the app ranging from sending texts, to sharing images and documents, along with their location. Using Cellebrite UFED and Magnet AXIOM, a significant number of artifacts were accurately recovered mainly from the “GroupMe.sqlite” and “GroupMe.sqlite-wal” databases. Out of the 335 artifacts populated on the iPhone, 317 were correctly recovered by both UFED and AXIOM, resulting in an accuracy of 94.62%. No GroupMe related artifacts could be recovered from the Android device. This was due to several physical imaging and rooting limitations imposed by the Samsung SM-935A model, which was used during the study.
4

Forensic Analysis of Navigation Applications on Android and iOS Platforms

Neesha Shantaram (11656642) 19 December 2021
With the increased evolution in technology over the past decade, there has been a gradual inclination towards utilizing advanced tools, like location-based applications which incorporate features such as constant route or traffic updates with Global Positioning System (GPS), among others, which aid in smooth living. Such applications gain access to private information of users, among their other life hack qualities, thus producing a highly vulnerable ground for data exposure such as current location. With the increase in mobile application-based attacks, there exists a constant threat scenario in terms of criminal activities which pose an ultimate challenge while tackling large amount of data. This research primarily focuses on the extent of user-specific data that can be obtained while forensically collecting and analysing data from Waze and HEREwego applications on Android and iOS platforms. In order to address the lack of forensic research on the above mentioned applications, an in-depth forensic analysis is conducted in this study, utilizing Cellebrite, a professional tool to provide and verify the evidence acquired, that aid in any digital forensic investigations. On the Waze application, 12 artifacts were populated on the Android device and 17 artifacts on the iOS device, out of which 12 artifacts were recovered from the Android device (100% of the artifacts populated) and 12 artifacts from the iOS device (70.58% of the artifacts populated). Similarly on the HEREwego application, 14 artifacts were populated on the Android device and 13 artifacts on the iOS device, out of which 7 artifacts were recovered from the Android device (50% of the artifacts populated) and 7 artifacts from iOS device (53.84% of the artifacts populated).
5

Digital incursion: Breaching the android lock screen and liberating data

Oskarsson, Tim January 2021
Android is the most used operating system in the world; because of this, the probability of an Android device being acquired in an investigation is high. To begin to extract data from an Android device you first need to gain access to it. Mechanisms like full system encryption can make this very difficult. In this paper, the advantages and disadvantages of different methods of gaining access and extracting data from an Android device with an unlocked bootloader are discussed. Many users unlock the bootloader of their Android device to gain a much greater level of control over it. Android forensics on a device without an unlocked bootloader is very limited. It is therefore interesting to study how you can extract data from an Android device that doesn’t have this limitation to Android forensics. A literature study is done on previous related research to gather methods for gaining access and extracting data. The methods collected are then tested by performing experiments on a OnePlus 3 Android 9 and OnePlus 8 Android 11. The research of this paper found that it is possible to perform a brute force attack within a reasonable time against a PIN of length 4-5 or pattern of length 4-6 on the lock screen of an Android device. It found that you can optimise the attack by performing a dictionary attack by using public lists of the most used PIN codes. A list of all possible pattern combinations sorted and optimised for a dictionary attack is generated based on statistics of pattern starting location and length. A proof of concept is made by creating a copy of a fingerprint with common cheap materials to gain access through the fingerprint sensor. A device image was able to be extracted by using a root shell through Android Debug Bridge and common command-line tools. Memory forensics was performed by using Frida and was able to extract usernames, passwords, and emails from Google Chrome and Gmail.
The custom recovery image TWRP was used to boot the device, gain root access, and was able to extract a full device image with common command-line tools. The results of the TWRP backup feature are also analysed. The results of the data extraction are then analysed manually and with Autopsy.
6

Providing Context to the Clues: Recovery and Reliability of Location Data from Android Devices

Bell, Connie 01 January 2015
Mobile device data continues to increase in significance in both civil and criminal investigations. Location data is often of particular interest. To date, research has established that the devices are location aware, incorporate a variety of resources to obtain location information, and cache the information in various ways. However, a review of the existing research suggests varying degrees of reliability of any such recovered location data. In an effort to clarify the issue, this project offers case studies of multiple Android mobile devices utilized in controlled conditions with known settings and applications in documented locations. The study uses data recovered from test devices to corroborate previously identified accuracy trends noted in research involving live-tracked devices, and it further offers detailed analysis strategies for the recovery of location data from devices themselves. A methodology for reviewing device data for possible artifacts that may allow an examiner to evaluate location data reliability is also presented. This paper also addresses emerging trends in device security and cloud storage, which may have significant implications for future mobile device location data recovery and analysis. Discussion of recovered cloud data introduces a distinct and potentially significant resource for investigators, and the paper addresses the cloud resources' advantages and limitations.
