This thesis investigates the automation of forensic analysis in identifying and categorising forensically interesting changes across different versions of chat applications on Android platforms. The focus is primarily on the differentiation of Android Package Kit (APK) files using reverse-engineering techniques to reconstruct the original source code and comparing the source code from two different versions of the APK. Given the rapid evolution of chat applications and their frequent updates, it is crucial for forensic investigators to understand these changes to maintain the integrity of legal investigations.

The research introduces a comprehensive framework leveraging the open-source tools Ghidra and BinDiff to automate the decompilation and differential analysis of APK files. This approach not only makes forensic analysis less complicated but also ensures that investigators can keep pace with the continuous updates in chat applications.

Tests on the system are conducted on various versions of the Signal chat application. These tests aim to demonstrate the proposed tool's ability to capture significant changes between APK versions, such as alterations in logging mechanisms, database interactions, and the use of encryption and cypher libraries.

The results confirm that the integration of Ghidra and BinDiff provides a solution for automated forensic analysis, facilitating the identification of changes and the categorisation of methods based on their forensic relevance. The study shows that the tool can pinpoint modifications and structural changes, which are essential for forensic investigations.
Identifier | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:mau-69162 |
Date | January 2024 |
Creators | Ljungsten, Ted, Makowski, Adam |
Publisher | Malmö universitet, Institutionen för datavetenskap och medieteknik (DVMT) |
Source Sets | DiVA Archive at Upsalla University |
Language | English |
Detected Language | English |
Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
Format | application/pdf |
Rights | info:eu-repo/semantics/openAccess |