
Learning Android Forensics

Book Description

A hands-on guide to Android forensics, from setting up the forensic workstation to analyzing key forensic artifacts

In Detail

Many forensic examiners rely on commercial, push-button tools to retrieve and analyze data, even though no tool does either of these jobs perfectly. This book will introduce you to the Android platform and its architecture, and provide a high-level overview of what Android forensics entails. You will see how data is stored on Android devices and how to set up a digital forensic examination environment. Next, you will go through the various physical and logical techniques for extracting data from devices to obtain forensic evidence. You will also learn how to reverse-engineer applications and forensically analyze their data with the help of various open source and commercial tools.

By the end of this book, you will have a complete understanding of the Android forensic process.

What You Will Learn

  • Understand the Android system architecture and its significance for Android forensics
  • Build a forensically sound workstation
  • Utilize ADB to acquire data
  • Bypass Android security such as PINs and passwords
  • Perform both logical and full physical extractions to retrieve data
  • Reverse-engineer applications
  • Analyze data from many popular applications including Gmail, WhatsApp, and Snapchat
  • Discover free and open source tools to aid in data acquisition and analysis

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Learning Android Forensics
    1. Table of Contents
    2. Learning Android Forensics
    3. Credits
    4. About the Authors
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    8. 1. Introducing Android Forensics
      1. Mobile forensics
      2. The mobile forensics approach
        1. Investigation Preparation
        2. Seizure and Isolation
        3. Acquisition
        4. Examination and Analysis
        5. Reporting
      3. Challenges in mobile forensics
      4. The Android architecture
        1. The Linux kernel
        2. Libraries
        3. Dalvik virtual machine
        4. The application framework
        5. The applications layer
      5. Android security
        1. Security at OS level through Linux kernel
          1. Permission model
          2. Application sandboxing
          3. SELinux in Android
          4. Application Signing
          5. Secure interprocess communication
        2. Android hardware components
          1. Core components
            1. Central processing unit
            2. Baseband processor
            3. Memory
            4. SD Card
            5. Display
            6. Battery
        3. Android boot process
          1. Boot ROM code execution
          2. The boot loader
          3. The Linux kernel
          4. The init process
          5. Zygote and Dalvik
          6. System server
        4. Summary
    9. 2. Setting Up an Android Forensic Environment
      1. The Android forensic setup
      2. The Android SDK
        1. Installing the Android SDK
        2. Android Virtual Device
      3. Connecting and accessing an Android device from the workstation
        1. Identifying the device cable
        2. Installing device drivers
        3. Accessing the device
      4. Android Debug Bridge
        1. Using adb to access the device
          1. Detecting a connected device
          2. Directing commands to a specific device
          3. Issuing shell commands
          4. Basic Linux commands
          5. Installing an application
          6. Pulling data from the device
          7. Pushing data to the device
          8. Restarting the adb server
          9. Viewing log data
      5. Rooting Android
        1. What is rooting?
        2. Why root?
        3. Recovery and fastboot
          1. Recovery mode
            1. Accessing the recovery mode
            2. Custom recovery
          2. Fastboot mode
        4. Locked and unlocked boot loaders
        5. How to root
          1. Rooting an unlocked boot loader
          2. Rooting a locked boot loader
      6. ADB on a rooted device
      7. Summary
    10. 3. Understanding Data Storage on Android Devices
      1. Android partition layout
        1. Common partitions in Android
          1. boot loader
          2. boot
          3. recovery
          4. userdata
          5. system
          6. cache
          7. radio
        2. Identifying partition layout
      2. Android file hierarchy
        1. An overview of directories
          1. acct
          2. cache
          3. d
          4. data
            1. dalvik-cache
            2. data
          5. dev
          6. init
          7. mnt
          8. proc
          9. root
          10. sbin
          11. misc
          12. sdcard
          13. system
            1. build.prop
            2. app
            3. framework
          14. ueventd.goldfish.rc and ueventd.rc
      3. Application data storage on the device
        1. Shared preferences
        2. Internal storage
        3. External storage
        4. SQLite database
        5. Network
      4. Android filesystem overview
        1. Viewing filesystems on an Android device
        2. Common Android filesystems
          1. Flash memory filesystems
          2. Media-based filesystems
          3. Pseudo filesystems
      5. Summary
    11. 4. Extracting Data Logically from Android Devices
      1. Logical extraction overview
        1. What data can be recovered logically?
          1. Root access
      2. Manual ADB data extraction
        1. USB debugging
          1. Using ADB shell to determine if a device is rooted
        2. ADB pull
        3. Recovery mode
        4. Fastboot mode
          1. Determining bootloader status
          2. Booting to a custom recovery image
      3. ADB backup extractions
        1. Extracting a backup over ADB
        2. Parsing ADB backups
        3. Data locations within ADB backups
      4. ADB Dumpsys
        1. Dumpsys batterystats
        2. Dumpsys procstats
        3. Dumpsys user
        4. Dumpsys App Ops
        5. Dumpsys Wi-Fi
        6. Dumpsys notification
        7. Dumpsys conclusions
      5. Bypassing Android lock screens
        1. Lock screen types
          1. None/Slide lock screens
          2. Pattern lock screens
          3. Password/PIN lock screens
          4. Smart Locks
            1. Trusted Face
            2. Trusted Location
            3. Trusted Device
        2. General bypass information
      6. Cracking an Android pattern lock
        1. Cracking an Android PIN/Password
      7. Android SIM card extractions
        1. Acquiring SIM card data
        2. SIM security
          1. SIM cloning
      8. Issues and opportunities with Android Lollipop
      9. Summary
    12. 5. Extracting Data Physically from Android Devices
      1. Physical extraction overview
        1. What data can be acquired physically?
          1. Root access
      2. Extracting data physically with dd
        1. Determining what to image
        2. Writing to an SD card
        3. Writing directly to an examiner's computer with netcat
          1. Installing netcat on the device
          2. Using netcat
      3. Extracting data physically with nanddump
        1. Verifying a full physical image
      4. Analyzing a full physical image
        1. Autopsy
        2. Issues with analyzing physical dumps
      5. Imaging and analyzing Android RAM
        1. What can be found in RAM?
        2. Imaging RAM with LiME
        3. Imaging RAM with mem
        4. Output from mem
      6. Acquiring Android SD cards
        1. What can be found on an SD card?
        2. SD card security
      7. Advanced forensic methods
        1. JTAG
        2. Chip-off
        3. Bypassing Android full-disk encryption
      8. Summary
    13. 6. Recovering Deleted Data from an Android Device
      1. An overview of data recovery
        1. How can deleted files be recovered?
      2. Recovering data deleted from an SD card
      3. Recovering data deleted from internal memory
        1. Recovering deleted data by parsing SQLite files
        2. Recovering deleted data through file carving techniques
      4. Analyzing backups
      5. Summary
    14. 7. Forensic Analysis of Android Applications
      1. Application analysis
        1. Why do app analysis?
        2. The layout of this chapter
      2. Determining what apps are installed
        1. Understanding Linux epoch time
      3. Wi-Fi analysis
      4. Contacts/call analysis
      5. SMS/MMS analysis
      6. User dictionary analysis
      7. Gmail analysis
      8. Google Chrome analysis
        1. Decoding the WebKit time format
      9. Google Maps analysis
      10. Google Hangouts analysis
      11. Google Keep analysis
        1. Converting a Julian date
      12. Google Plus analysis
      13. Facebook analysis
      14. Facebook Messenger analysis
      15. Skype analysis
        1. Recovering video messages from Skype
      16. Snapchat analysis
      17. Viber analysis
      18. Tango analysis
        1. Decoding Tango messages
      19. WhatsApp analysis
        1. Decrypting WhatsApp backups
      20. Kik analysis
      21. WeChat analysis
        1. Decrypting the WeChat EnMicroMsg.db database
      22. Application reverse engineering
        1. Obtaining the application's APK file
        2. Disassembling an APK file
        3. Determining an application's permissions
        4. Viewing the application's code
      23. Summary
    15. 8. Android Forensic Tools Overview
      1. ViaExtract
        1. Backup extraction with ViaExtract
        2. Logical extraction with ViaExtract
        3. Examining data in ViaExtract
        4. Other tools within ViaExtract
      2. Autopsy
        1. Creating a case in Autopsy
        2. Analyzing data in Autopsy
      3. ViaLab Community Edition
        1. Setting up the emulator in ViaLab
        2. Installing an application on the emulator
        3. Analyzing data with ViaLab
      4. Summary
      5. Conclusion
    16. Index