book

Learning Android Forensics

Name: Learning Android Forensics
ISBN: 9781782174578

by Rohit Tamma, Donnie Tindall

April 2015

Beginner to intermediate

322 pages

7h 11m

English

Packt Publishing

Read now

Unlock full access

Learning Android Forensics
Table of Contents
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
ErrataPiracyQuestions
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation PreparationSeizure and IsolationAcquisitionExamination and AnalysisReporting
Challenges in mobile forensics
The Android architecture
The Linux kernelLibrariesDalvik virtual machineThe application frameworkThe applications layer
Android security
Security at OS level through Linux kernelPermission modelApplication sandboxingSELinux in AndroidApplication SigningSecure interprocess communicationAndroid hardware componentsCore componentsCentral processing unitBaseband processorMemorySD CardDisplayBatteryAndroid boot processBoot ROM code executionThe boot loaderThe Linux kernelThe init processZygote and DalvikSystem serverSummary
2. Setting Up an Android Forensic Environment
The Android forensic setup
The Android SDK
Installing the Android SDKAndroid Virtual Device
Connecting and accessing an Android device from the workstation
Identifying the device cableInstalling device driversAccessing the device
Android Debug Bridge
Using adb to access the deviceDetecting a connected deviceDirecting commands to a specific deviceIssuing shell commandsBasic Linux commandsInstalling an applicationPulling data from the devicePushing data to the deviceRestarting the adb serverViewing log data
Rooting Android
What is rooting?Why root?Recovery and fastbootRecovery modeAccessing the recovery modeCustom recoveryFastboot modeLocked and unlocked boot loadersHow to rootRooting an unlocked boot loaderRooting a locked boot loader
ADB on a rooted device
Summary
3. Understanding Data Storage on Android Devices
Android partition layoutCommon partitions in Androidboot loaderbootrecoveryuserdatasystemcacheradioIdentifying partition layout
Android file hierarchy
An overview of directoriesacctcacheddatadalvik-cachedatadevinitmntprocrootsbinmiscsdcardsystembuild.propappframeworkueventd.goldfish.rc and ueventd.rc
Application data storage on the device
Shared preferencesInternal storageExternal storageSQLite databaseNetwork
Android filesystem overview
Viewing filesystems on an Android deviceCommon Android filesystemsFlash memory filesystemsMedia-based filesystemsPseudo filesystems
Summary
4. Extracting Data Logically from Android Devices
Logical extraction overviewWhat data can be recovered logically?Root access
Manual ADB data extraction
USB debuggingUsing ADB shell to determine if a device is rootedADB pullRecovery modeFastboot modeDetermining bootloader statusBooting to a custom recovery image
ADB backup extractions
Extracting a backup over ADBParsing ADB backupsData locations within ADB backups
ADB Dumpsys
Dumpsys batterystatsDumpsys procstatsDumpsys userDumpsys App OpsDumpsys Wi-FiDumpsys notificationDumpsys conclusions
Bypassing Android lock screens
Lock screen typesNone/Slide lock screensPattern lock screensPassword/PIN lock screensSmart LocksTrusted FaceTrusted LocationTrusted DeviceGeneral bypass information
Cracking an Android pattern lock
Cracking an Android PIN/Password
Android SIM card extractions
Acquiring SIM card dataSIM securitySIM cloning
Issues and opportunities with Android Lollipop
Summary
5. Extracting Data Physically from Android Devices
Physical extraction overviewWhat data can be acquired physically?Root access
Extracting data physically with dd
Determining what to imageWriting to an SD cardWriting directly to an examiner's computer with netcatInstalling netcat on the deviceUsing netcat
Extracting data physically with nanddump
Verifying a full physical image
Analyzing a full physical image
AutopsyIssues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?Imaging RAM with LiMEImaging RAM with memOutput from mem
Acquiring Android SD cards
What can be found on an SD card?SD card security
Advanced forensic methods
JTAGChip-offBypassing Android full-disk encryption
Summary
6. Recovering Deleted Data from an Android Device
An overview of data recoveryHow can deleted files be recovered?
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Recovering deleted data by parsing SQLite filesRecovering deleted data through file carving techniques
Analyzing backups
Summary
7. Forensic Analysis of Android Applications
Application analysisWhy do app analysis?The layout of this chapter
Determining what apps are installed
Understanding Linux epoch time
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the WebKit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db database
Application reverse engineering
Obtaining the application's APK fileDisassembling an APK fileDetermining an application's permissionsViewing the application's code
Summary
8. Android Forensic Tools Overview
ViaExtractBackup extraction with ViaExtractLogical extraction with ViaExtractExamining data in ViaExtractOther tools within ViaExtract
Autopsy
Creating a case in AutopsyAnalyzing data in Autopsy
ViaLab Community Edition
Setting up the emulator in ViaLabInstalling an application on the emulatorAnalyzing data with ViaLab
Summary
Conclusion
Index

Content preview from Learning Android Forensics

Imaging and analyzing Android RAM

Pulling Android memory is not applicable in a very large number of cases due to the fact that it requires root access. Most public root processes involve rebooting the phone, which erases volatile RAM, meaning that by the time an examiner gains root to image the RAM, it's too late because the RAM has been erased. Because of this and possibly other reasons, there is not great support for Android RAM imaging and analysis in the commercial forensic world. However, there are cases where imaging RAM is applicable, and may prove invaluable. If a device is already rooted when it is seized, imaging the RAM should be a mandatory step in the seizure process. As powering the phone off will erase the RAM, the device should ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782174578

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Android Forensics

by Rohit Tamma, Donnie Tindall

Imaging and analyzing Android RAM

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.