book

Learning Android Forensics

Name: Learning Android Forensics
ISBN: 9781782174578

by Rohit Tamma, Donnie Tindall

April 2015

Beginner to intermediate

322 pages

7h 11m

English

Packt Publishing

Read now

Unlock full access

Learning Android Forensics
Table of Contents
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
ErrataPiracyQuestions
1. Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation PreparationSeizure and IsolationAcquisitionExamination and AnalysisReporting
Challenges in mobile forensics
The Android architecture
The Linux kernelLibrariesDalvik virtual machineThe application frameworkThe applications layer
Android security
Security at OS level through Linux kernelPermission modelApplication sandboxingSELinux in AndroidApplication SigningSecure interprocess communicationAndroid hardware componentsCore componentsCentral processing unitBaseband processorMemorySD CardDisplayBatteryAndroid boot processBoot ROM code executionThe boot loaderThe Linux kernelThe init processZygote and DalvikSystem serverSummary
2. Setting Up an Android Forensic Environment
The Android forensic setup
The Android SDK
Installing the Android SDKAndroid Virtual Device
Connecting and accessing an Android device from the workstation
Identifying the device cableInstalling device driversAccessing the device
Android Debug Bridge
Using adb to access the deviceDetecting a connected deviceDirecting commands to a specific deviceIssuing shell commandsBasic Linux commandsInstalling an applicationPulling data from the devicePushing data to the deviceRestarting the adb serverViewing log data
Rooting Android
What is rooting?Why root?Recovery and fastbootRecovery modeAccessing the recovery modeCustom recoveryFastboot modeLocked and unlocked boot loadersHow to rootRooting an unlocked boot loaderRooting a locked boot loader
ADB on a rooted device
Summary
3. Understanding Data Storage on Android Devices
Android partition layoutCommon partitions in Androidboot loaderbootrecoveryuserdatasystemcacheradioIdentifying partition layout
Android file hierarchy
An overview of directoriesacctcacheddatadalvik-cachedatadevinitmntprocrootsbinmiscsdcardsystembuild.propappframeworkueventd.goldfish.rc and ueventd.rc
Application data storage on the device
Shared preferencesInternal storageExternal storageSQLite databaseNetwork
Android filesystem overview
Viewing filesystems on an Android deviceCommon Android filesystemsFlash memory filesystemsMedia-based filesystemsPseudo filesystems
Summary
4. Extracting Data Logically from Android Devices
Logical extraction overviewWhat data can be recovered logically?Root access
Manual ADB data extraction
USB debuggingUsing ADB shell to determine if a device is rootedADB pullRecovery modeFastboot modeDetermining bootloader statusBooting to a custom recovery image
ADB backup extractions
Extracting a backup over ADBParsing ADB backupsData locations within ADB backups
ADB Dumpsys
Dumpsys batterystatsDumpsys procstatsDumpsys userDumpsys App OpsDumpsys Wi-FiDumpsys notificationDumpsys conclusions
Bypassing Android lock screens
Lock screen typesNone/Slide lock screensPattern lock screensPassword/PIN lock screensSmart LocksTrusted FaceTrusted LocationTrusted DeviceGeneral bypass information
Cracking an Android pattern lock
Cracking an Android PIN/Password
Android SIM card extractions
Acquiring SIM card dataSIM securitySIM cloning
Issues and opportunities with Android Lollipop
Summary
5. Extracting Data Physically from Android Devices
Physical extraction overviewWhat data can be acquired physically?Root access
Extracting data physically with dd
Determining what to imageWriting to an SD cardWriting directly to an examiner's computer with netcatInstalling netcat on the deviceUsing netcat
Extracting data physically with nanddump
Verifying a full physical image
Analyzing a full physical image
AutopsyIssues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?Imaging RAM with LiMEImaging RAM with memOutput from mem
Acquiring Android SD cards
What can be found on an SD card?SD card security
Advanced forensic methods
JTAGChip-offBypassing Android full-disk encryption
Summary
6. Recovering Deleted Data from an Android Device
An overview of data recoveryHow can deleted files be recovered?
Recovering data deleted from an SD card
Recovering data deleted from internal memory
Recovering deleted data by parsing SQLite filesRecovering deleted data through file carving techniques
Analyzing backups
Summary
7. Forensic Analysis of Android Applications
Application analysisWhy do app analysis?The layout of this chapter
Determining what apps are installed
Understanding Linux epoch time
Wi-Fi analysis
Contacts/call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the WebKit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db database
Application reverse engineering
Obtaining the application's APK fileDisassembling an APK fileDetermining an application's permissionsViewing the application's code
Summary
8. Android Forensic Tools Overview
ViaExtractBackup extraction with ViaExtractLogical extraction with ViaExtractExamining data in ViaExtractOther tools within ViaExtract
Autopsy
Creating a case in AutopsyAnalyzing data in Autopsy
ViaLab Community Edition
Setting up the emulator in ViaLabInstalling an application on the emulatorAnalyzing data with ViaLab
Summary
Conclusion
Index

Content preview from Learning Android Forensics

Determining what apps are installed

To see what applications are on the device, an examiner could navigate to /data/data and run the ls command. However, this doesn't provide well-formatted data that will look good in a forensic report. We suggest that you pull the /data/system/packages.list file. This file lists the package name for every app on the device and path to its data (if this file does not exist on the device, the adb shell pm list packages -f command is a good alternative). For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):

Note

This is the first method of data storage: plain text. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782174578

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Learning Android Forensics

by Rohit Tamma, Donnie Tindall

Determining what apps are installed

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.