Learning Android Forensics - Second Edition

Book description

A comprehensive guide to Android forensics, from setting up the workstation to analyzing key artifacts

Key Features

  • Get up and running with modern mobile forensic strategies and techniques
  • Analyze the most popular Android applications using free and open source forensic tools
  • Learn malware detection and analysis techniques to investigate mobile cybersecurity incidents

Book Description

Many forensic examiners rely on commercial, push-button tools to retrieve and analyze data, even though there is no tool that does either of these jobs perfectly.

Learning Android Forensics will introduce you to the most up-to-date Android platform and its architecture, and provide a high-level overview of what Android forensics entails. You will understand how data is stored on Android devices and how to set up a digital forensic examination environment. As you make your way through the chapters, you will work through various physical and logical techniques to extract data from devices in order to obtain forensic evidence. You will also learn how to recover deleted data and forensically analyze application data with the help of various open source and commercial tools. In the concluding chapters, you will explore malware analysis so that you'll be able to investigate cybersecurity incidents involving Android malware.

By the end of this book, you will have a complete understanding of the Android forensic process, will have explored open source and commercial forensic tools, and will have basic skills in Android malware identification and analysis.

What you will learn

  • Understand Android OS and architecture
  • Set up a forensics environment for Android analysis
  • Perform logical and physical data extractions
  • Learn to recover deleted data
  • Explore how to analyze application data
  • Identify malware on Android devices
  • Analyze Android malware

Who this book is for

If you are a forensic analyst or an information security professional wanting to develop your knowledge of Android forensics, then this is the book for you. Some basic knowledge of the Android mobile platform is expected.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Learning Android Forensics Second Edition
  3. About Packt
    1. Why subscribe?
    2. Packt.com
  4. Contributors
    1. About the authors
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  6. Introducing Android Forensics
    1. Mobile forensics
    2. The mobile forensics approach
      1. Investigation preparation
      2. Seizure and isolation
      3. The acquisition phase
      4. Examination and analysis
      5. Reporting
    3. Challenges in mobile forensics
    4. Android architecture
      1. The Linux kernel
      2. Hardware abstraction level
      3. Android Runtime
      4. Native C/C++ Libraries
      5. Java API Framework
      6. The application layer
    5. Android security
      1. Security at OS level through the Linux kernel
      2. Permission model
        1. Sample permission model in Android
      3. Application sandboxing
      4. SELinux in Android
      5. Application signing
      6. Secure inter-process communication
      7. Binder communication model
    6. Android hardware components
      1. Core components
        1. Central Processing Unit (CPU)
        2. Baseband processor
        3. Memory
        4. SD Card
        5. Display
        6. Battery
    7. Android boot process
      1. Boot ROM code execution
      2. The bootloader
      3. The Linux kernel
      4. The init process
        1. Zygote and Dalvik
      5. System server
    8. Summary
  7. Setting up the Android Forensic Environment
    1. Android forensic setup
      1. Android SDK
        1. Installing the Android SDK
        2. Android Virtual Device
      2. Connecting and accessing Android devices from the workstation
        1. Identifying the correct device cable
        2. Installing device drivers
        3. Accessing the device
    2. Android Debug Bridge
      1. Using ADB to access the device
        1. Detecting a connected device
        2. Directing commands to a specific device
        3. Issuing shell commands
        4. Basic Linux commands
        5. Installing an application
        6. Pulling data from the device
        7. Pushing data to the device
        8. Restarting the ADB server
        9. Viewing log data
    3. Rooting Android
      1. What is rooting?
      2. Why root?
      3. Recovery and fastboot
        1. Recovery mode
          1. Accessing recovery mode
          2. Custom recovery
        2. Fastboot mode
      4. Locked and unlocked boot loaders
      5. How to root
        1. Rooting an unlocked boot loader
        2. Rooting a locked boot loader
        3. ADB on a rooted device
    4. Summary
  8. Understanding Data Storage on Android Devices
    1. Android partition layout
      1. Common partitions in Android
      2. Identifying partition layout
    2. Android file hierarchy
      1. Overview of directories
        1. The acct directory
        2. The cache directory
        3. The config directory
        4. The data directory
        5. The dev directory
        6. The mnt directory
        7. The proc directory
        8. The sbin directory
        9. The storage directory
        10. The system directory
    3. Application data storage on the device
      1. Shared preferences
      2. Internal storage
      3. External storage
      4. SQLite database
      5. Network
    4. Android filesystem overview
      1. Viewing filesystems on an Android device
      2. Common Android filesystems
        1. Flash memory filesystems
        2. Media-based filesystems
        3. Pseudo filesystems
    5. Summary
  9. Extracting Data Logically from Android Devices
    1. Logical extraction overview
      1. What data can be recovered logically?
        1. Root access
    2. Manual ADB data extraction
      1. USB Debugging
        1. Using adb shell to determine if a device is rooted
      2. adb pull
      3. Recovery Mode
      4. Fastboot mode
        1. Determining bootloader status
        2. Booting to a custom recovery image
    3. ADB backup extractions
      1. Extracting a backup over ADB
      2. Parsing ADB backups
      3. Data locations within ADB backups
    4. ADB dumpsys
      1. Dumpsys batterystats
      2. Dumpsys procstats
      3. Dumpsys user
      4. Dumpsys App Ops
      5. Dumpsys Wi-Fi
      6. Dumpsys notification
      7. Dumpsys conclusions
      8. Helium backup extractions
    5. Bypassing Android lock screens
      1. Lock screen types
        1. None/Slide lock screens
        2. Pattern lock screens
        3. Password/PIN lock screens
        4. Smart Locks
          1. Trusted Face
          2. Trusted Voice
          3. Trusted Location
          4. Trusted Device
          5. On-body Detection
      2. General bypass information
      3. Removing Android lock screens
        1. Removing PIN/password with ADB
        2. Removing PIN/Password with ADB and SQL
    6. Android SIM card extractions
      1. Acquiring SIM card data
      2. SIM Security
        1. SIM cloning
    7. Summary
  10. Extracting Data Physically from Android Devices
    1. Physical extraction overview
      1. What data can be acquired physically?
        1. Root access
    2. Extracting data physically with dd
      1. Determining what to image
      2. Writing to an SD card
      3. Writing directly to an examiner's computer with netcat
        1. Installing netcat on the device
        2. Using netcat
    3. Extracting data physically with nanddump
    4. Extracting data physically with Magnet ACQUIRE
      1. Verifying a full physical image
    5. Analyzing a full physical image
      1. Autopsy
      2. Issues with analyzing physical dumps
    6. Imaging and analyzing Android RAM
      1. What can be found in RAM?
      2. Imaging RAM with LiME
    7. Acquiring Android SD cards
      1. What can be found on an SD card?
      2. SD card security
    8. Advanced forensic methods
      1. JTAG
      2. Chip-off
    9. Summary
  11. Recovering Deleted Data from an Android Device
    1. Data recovery overview
      1. How can deleted files be recovered?
    2. Recovering deleted data from SD cards
    3. Recovering deleted records from SQLite databases
    4. Recovering deleted data from internal memory
    5. Recovering deleted data using file carving
    6. Summary
  12. Forensic Analysis of Android Applications
    1. Application analysis overview
    2. Why do app analysis?
    3. Layout of this chapter
      1. Determining which apps are installed
      2. Understanding Unix epoch time
      3. Wi-Fi analysis
      4. Contacts/Call analysis
      5. SMS/MMS analysis
      6. User dictionary analysis
      7. Gmail analysis
      8. Google Chrome analysis
        1. Decoding the Webkit time format
      9. Google Maps analysis
      10. Google Hangouts analysis
      11. Google Keep analysis
      12. Converting a Julian date
      13. Google Plus analysis
      14. Facebook analysis
      15. Facebook Messenger analysis
      16. Skype analysis
      17. Recovering video messages from Skype
      18. Snapchat analysis
      19. Viber analysis
      20. Tango analysis
      21. Decoding Tango messages
      22. WhatsApp analysis
        1. Decrypting WhatsApp backups
      23. Kik analysis
      24. WeChat analysis
        1. Decrypting the WeChat EnMicroMsg.db
    4. Summary
  13. Android Forensic Tools Overview
    1. Autopsy
      1. Creating a case in Autopsy
      2. Analyzing data in Autopsy
    2. Belkasoft Evidence Center
      1. Creating a case in Belkasoft Evidence Center
      2. Analyzing data in Belkasoft Evidence Center
    3. Magnet AXIOM
      1. Creating a case in Magnet AXIOM
      2. Analyzing data in Magnet AXIOM
    4. Summary
  14. Identifying Android Malware
    1. An introduction to Android malware
    2. Android malware overview
      1. Banking malware
      2. Spyware
      3. Adware
      4. Ransomware
      5. Cryptomining malware
    3. Android malware identification
      1. Android malware identification using antivirus scanners
      2. Android malware identification using VirusTotal
      3. Android malware identification using YARA rules
    4. Summary
  15. Android Malware Analysis
    1. Dynamic analysis of malicious Android applications
      1. Dynamic analysis using an online sandbox
    2. Static analysis of malicious Android applications
      1. Unpacking Android applications
      2. Manifest file decoding and analysis
      3. Android application decompilation
      4. Viewing and analyzing decompiled code
    3. Summary
    4. Further reading
  16. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Learning Android Forensics - Second Edition
  • Author(s): Oleg Skulkin, Donnie Tindall, Rohit Tamma
  • Release date: December 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789131017