Android Forensics
Investigation, Analysis, and Mobile Security for Google Android
Andrew Hoog
John McCash, Technical Editor
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Contents
Acknowledgements xiii
Introduction xv
About the Author xix
CHAPTER 1 Android and Mobile Forensics 1
Introduction 1
Android Platform 1
History of Android 3
Google's Strategy 7
Linux, Open Source Software, and Forensics 10
Brief History of Linux 11
Android Open Source Project 25
AOSP Licenses 26
Development Process 27
Value of Open Source in Forensics 27
Downloading and Compiling AOSP 29
Internationalization 31
Unicode 31
Keyboards 31
Custom Branches 32
Android Market 33
Installing an App 34
Application Statistics 37
Android Forensics 37
Challenges 38
Summary 38
References 39
CHAPTER 2 Android Hardware Platforms 41
Introduction 41
Overview of Core Components 41
Central Processing Unit 41
Baseband Modem/Radio 42
Memory (Random-Access Memory and NAND Flash) 42
Global Positioning System 43
Wireless (Wi-Fi and Bluetooth) 43
Secure Digital Card 44
Screen 44
Camera 44
Keyboard 45
viii Contents
Battery 45
Universal Serial Bus 46
Accelerometer/Gyroscope 46
Speaker/Microphone 46
Overview of Different Device Types 47
Smartphone 47
Tablet 47
Netbook 48
Google TV 48
Vehicles (In-board) 48
Global Positioning System 49
Other Devices 49
ROM and Boot Loaders 49
Power On and On-chip Boot ROM Code Execution 50
Boot Loader (Initial Program Load/Second Program Loader) 50
Linux Kernel 51
The Init Process 51
Zygote and Dalvik 54
System Server 54
Manufacturers 56
Android Updates 57
Custom User Interfaces 58
Aftermarket Android Devices 58
Specific Devices 59
T-Mobile G1 59
Motorola Droid 59
HTC Incredible 60
Google Nexus One 60
Summary 62
References 62
CHAPTER 3 Android Software Development Kit and Android Debug Bridge 65
Introduction 65
Android Platforms 65
Android Platform Highlights Through 2.3.3 (Gingerbread) 67
Software Development Kit (SDK) 71
SDK Release History 71
SDK Install 72
Android Virtual Devices (Emulator) 81
Android OS Architecture 86
Dalvik VM 87
Native Code Development 88
Android Security Model 88
Forensics and the SDK 90
Connecting an Android Device to a Workstation 90
USB Interfaces 94
Introduction to Android Debug Bridge 100
Summary 102
References 103
CHAPTER 4 Android File Systems and Data Structures 105
Introduction 105
Data in the Shell 105
What Data are Stored 106
App Data Storage Directory Structure 106
How Data are Stored 107
Type of Memory 125
RAM 125
File Systems 132
rootfs, devpts, sysfs, and cgroup File Systems 133
proc 136
tmpfs 137
Extended File System (EXT) 140
FAT32/VFAT 140
YAFFS2 141
Mounted File Systems 153
Mounted File Systems 154
Summary 157
References 157
CHAPTER 5 Android Device, Data, and App Security 159
Introduction 159
Data Theft Targets and Attack Vectors 160
Android Devices as a Target 160
Android Devices as an Attack Vector 168
Data Storage 168
Recording Devices 169
Security Considerations 170
Security Philosophy 170
US Federal Computer Crime Laws and Regulations 172
Open Source Versus Closed Source 173
Encrypted NAND Flash 175
Individual Security Strategies 176
Corporate Security Strategies 178
Policies 178
Password/Pattern/PIN Lock 178
Remote Wipe of Device 179
Upgrade to Latest Software 180
Remote Device Management Features 181
Application and Device Audit 183
App Development Security Strategies 184
Mobile App Security Testing 184
App Security Strategies 186
Summary 192
References 193
CHAPTER 6 Android Forensic Techniques 195
Introduction 195
Types of Investigations 195
Difference Between Logical and Physical Techniques 196
Modification of the Target Device 197
Procedures for Handling an Android Device 198
Securing the Device 199
Network Isolation 200
How to Circumvent the Pass Code 203
Imaging Android USB Mass Storage Devices 211
SD Card Versus eMMC 211
How to Forensically Image the SD Card/eMMC 212
Logical Techniques 218
ADB Pull 218
Backup Analysis 219
AFLogical 220
Commercial Providers 228
Physical Techniques 266
Hardware-Based Physical Techniques 268
JTAG 268
Chip-off 270
Software-Based Physical Techniques and Privileges 270
AFPhysical Technique 278
Summary 284
References 284
CHAPTER 7 Android Application and Forensic Analysis 285
Introduction 285
Analysis Techniques 285
Timeline Analysis 285
File System Analysis 288
File Carving 291
Strings 293
Hex: A Forensic Analyst's Good Friend 296
Android Directory Structures 301
FAT Forensic Analysis 308
FAT Timeline Analysis 309
FAT Additional Analysis 316
FAT Analysts Notes 317
YAFFS2 Forensic Analysis 321
YAFFS2 Timeline Analysis 324
YAFFS2 File System Analysis 330
YAFFS2 File Carving 332
YAFFS2 Strings Analysis 334
YAFFS2 Analyst Notes 335
Android App Analysis and Reference 340
Messaging (sms and mms) 340
MMS Helper Application 341
Browser 342
Contacts 347
Media Scanner 349
YouTube 350
Cooliris Media Gallery 353
Google Maps 354
Gmail 358
Facebook 360
Adobe Reader 363
Summary 363
References 364
Index 365