Android forensics : investigation, analysis, and mobile ... (PDF). Android Forensics: Investigation, Analysis, and Mobile Security for Google Android. Andrew Hoog; John McCash, Technical Editor

Android Forensics

Investigation, Analysis, and Mobile Security for

Google Android

Andrew Hoog

John McCash, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

SYNGRESS

Contents

Acknowledgements xiii

Introduction xv

About the Author xix

CHAPTER 1 Android and Mobile Forensics 1

Introduction 1

Android Platform 1

History of Android 3

Google's Strategy 7

Linux, Open Source Software, and Forensics 10

Brief History of Linux 11

Android Open Source Project 25

AOSP Licenses 26

Development Process 27

Value of Open Source in Forensics 27

Downloading and Compiling AOSP 29

Internationalization 31

Unicode 31

Keyboards 31

Custom Branches 32

Android Market 33

Installing an App 34

Application Statistics 37

Android Forensics 37

Challenges 38

Summary 38

References 39

CHAPTER 2 Android Hardware Platforms 41

Introduction 41

Overview of Core Components 41

Central Processing Unit 41

Baseband Modem/Radio 42

Memory (Random-Access Memory and NAND Flash) 42

Global Positioning System 43

Wireless (Wi-Fi and Bluetooth) 43

Secure Digital Card 44

Screen 44

Camera 44

Keyboard 45

Battery 45

Universal Serial Bus 46

Accelerometer/Gyroscope 46

Speaker/Microphone 46

Overview of Different Device Types 47

Smartphone 47

Tablet 47

Netbook 48

Google TV 48

Vehicles (In-board) 48

Global Positioning System 49

Other Devices 49

ROM and Boot Loaders 49

Power On and On-chip Boot ROM Code Execution 50

Boot Loader (Initial Program Load/Second Program Loader) 50

Linux Kernel 51

The Init Process 51

Zygote and Dalvik 54

System Server 54

Manufacturers 56

Android Updates 57

Custom User Interfaces 58

Aftermarket Android Devices 58

Specific Devices 59

T-Mobile G1 59

Motorola Droid 59

HTC Incredible 60

Google Nexus One 60

Summary 62

References 62

CHAPTER 3 Android Software Development Kit and Android Debug Bridge 65

Introduction 65

Android Platforms 65

Android Platform Highlights Through 2.3.3 (Gingerbread) 67

Software Development Kit (SDK) 71

SDK Release History 71

SDK Install 72

Android Virtual Devices (Emulator) 81

Android OS Architecture 86

Dalvik VM 87

Native Code Development 88

Android Security Model 88

Forensics and the SDK 90

Connecting an Android Device to a Workstation 90

USB Interfaces 94

Introduction to Android Debug Bridge 100

Summary 102

References 103

CHAPTER 4 Android File Systems and Data Structures 105

Introduction 105

Data in the Shell 105

What Data are Stored 106

App Data Storage Directory Structure 106

How Data are Stored 107

Type of Memory 125

RAM 125

File Systems 132

rootfs, devpts, sysfs, and cgroup File Systems 133

proc 136

tmpfs 137

Extended File System (EXT) 140

FAT32/VFAT 140

YAFFS2 141

Mounted File Systems 153

Mounted File Systems 154

Summary 157

References 157

CHAPTER 5 Android Device, Data, and App Security 159

Introduction 159

Data Theft Targets and Attack Vectors 160

Android Devices as a Target 160

Android Devices as an Attack Vector 168

Data Storage 168

Recording Devices 169

Security Considerations 170

Security Philosophy 170

US Federal Computer Crime Laws and Regulations 172

Open Source Versus Closed Source 173

Encrypted NAND Flash 175

Individual Security Strategies 176

Corporate Security Strategies 178

Policies 178

Password/Pattern/PIN Lock 178

Remote Wipe of Device 179

Upgrade to Latest Software 180

Remote Device Management Features 181

Application and Device Audit 183

App Development Security Strategies 184

Mobile App Security Testing 184

App Security Strategies 186

Summary 192

References 193

CHAPTER 6 Android Forensic Techniques 195

Introduction 195

Types of Investigations 195

Difference Between Logical and Physical Techniques 196

Modification of the Target Device 197

Procedures for Handling an Android Device 198

Securing the Device 199

Network Isolation 200

How to Circumvent the Pass Code 203

Imaging Android USB Mass Storage Devices 211

SD Card Versus eMMC 211

How to Forensically Image the SD Card/eMMC 212

Logical Techniques 218

ADB Pull 218

Backup Analysis 219

AFLogical 220

Commercial Providers 228

Physical Techniques 266

Hardware-Based Physical Techniques 268

JTAG 268

Chip-off 270

Software-Based Physical Techniques and Privileges 270

AFPhysical Technique 278

Summary 284

References 284

CHAPTER 7 Android Application and Forensic Analysis 285

Introduction 285

Analysis Techniques 285

Timeline Analysis 285

File System Analysis 288

File Carving 291

Strings 293

Hex: A Forensic Analyst's Good Friend 296

Android Directory Structures 301

FAT Forensic Analysis 308

FAT Timeline Analysis 309

FAT Additional Analysis 316

FAT Analyst Notes 317

YAFFS2 Forensic Analysis 321

YAFFS2 Timeline Analysis 324

YAFFS2 File System Analysis 330

YAFFS2 File Carving 332

YAFFS2 Strings Analysis 334

YAFFS2 Analyst Notes 335

Android App Analysis and Reference 340

Messaging (sms and mms) 340

MMS Helper Application 341

Browser 342

Contacts 347

Media Scanner 349

YouTube 350

Cooliris Media Gallery 353

Google Maps 354

Gmail 358

Facebook 360

Adobe Reader 363

Summary 363

References 364

Index 365