AN EVIDENCE-BASED ANDROID CACHE FORENSICS MODEL

Felix Jeyareuben Chandrakumar

Supervisor: Dr Kim-Kwang Raymond Choo

Associate Supervisor: Ben Martini

INTRODUCTION

ANDROID

Most popular and widely used mobile operating system with more than 1.2 million Android Apps (AppBrain 2014).

Android caches are an understudied research topic and the focus of this thesis.

Research questions:

1. What is the process or methodology that must be followed to forensically analyze Android caches?

2. How can we make use of a forensically sound process to build new tools and utilities to analyze unknown and undocumented cache file formats?

LITERATURE REVIEW

ANDROID ARCHITECTURE

Android Architecture (Adapted from Gandhewar and Sheikh 2011)

ANDROID PARTITIONS

/boot - which enables the mobile to boot

/system - which contains the Android Operating System

/recovery - which holds the recovery console

/data - which contains the user data

/cache - where frequently used data and app components are stored and

/misc - where miscellaneous system settings are stored

FORENSIC MODELS – POLLITT’S MODEL

Acquisition

Identification

Evaluation

Admission as evidence

It is one of the earliest digital forensic models.

FORENSIC MODELS - MCKEMMISH

Model of Forensic Computing (Adapted from McKemmish 1999)

FORENSIC MODELS – PALMER

Palmer's Model (Adapted from Palmer 2001)

FORENSIC MODELS – BARYAMUREEBA & TUSHABE’S MODEL

Enhanced Digital Investigation Process (Adapted from Baryamureeba & Tushabe 2004)

LITERATURE GAPS

Cache diversity, e.g. Volley, Android Cache Library, Ignition, FileCache, Picasso, etc.

Undocumented caches.

Lack of analysis tools.

Rapid changes: roughly every 4 months, the Android API level increases.

CONCEPTUAL ANDROID CACHE FORENSIC PROCESS

PROPOSED ANDROID CACHE TAXONOMY

CONCEPTUAL ANDROID CACHE FORENSIC PROCESS

Extending McKemmish’s (1999) Model

WHY EXTEND MCKEMMISH’S MODEL?

Most of the gaps we have noted are technical barriers.

McKemmish’s model continues to be broadly applicable to Android cache forensics, but the technologies used in its various elements vary greatly.

As a result of technological advancement, the effort and volume of work involved in each of the four elements of McKemmish’s model are no longer balanced.

A CASE STUDY

The Experiment

EXPERIMENT

Applications that are widely used, i.e. that have at least 1 million downloads or come from a significant brand or company, are considered.

Nearly 100 apps were identified and analyzed for caches. Of these, 11 apps were selected and studied in detail based on their use of caches that are common across other apps.

LIST OF APPS STUDIED IN DETAIL

App Name

Different caches used by the same App

Web View Cache

SQLite DB Cache

Volley Serialized Java Objects

Network File Caches

Custom Cache

Adobe Reader Yes Yes

Amazon Kindle Yes

Carsales Yes Yes

Domain Real Estate Yes Yes - JSON Cache

eBay Yes Yes Yes - Image Cache, Gzipped XML Cache

Facebook Yes Yes - Image, Audio and Upload Caches

LinkedIn Yes

NAB Yes

Realestate.com.au Yes Yes Yes - JSON Cache

Skype Yes Yes

YouTube Yes

ASSUMPTIONS

Android mobile phone is rooted

Developer mode enabled

USB debugging is enabled

Internal storage is not encrypted

HARDWARE USED

Mobile: Samsung Galaxy Note N7000

Android Version: 4.1.2 Jelly Bean

Chipset: Exynos

CPU: Dual-core 1.4 GHz ARM Cortex-A9

GPU: Mali-400

Memory Internal: 16 GB storage, 1 GB RAM

Memory Card: microSD, up to 64 GB, 2 GB included

ACQUISITION USING DD

Connect the Android device to the computer using ADB (Android Debug Bridge)

D:\ADT\sdk\platform-tools>adb devices

* daemon not running. starting it now on port 5037 *

* daemon started successfully *

List of devices attached

xxxxxxxxxxxxxx device

ACQUISITION USING DD

Go to super-user mode

shell@Android:/ $ su

su

root@Android:/ #

ACQUISITION USING DD

List the mounted partitions

root@Android:/ # mount

mount

rootfs / rootfs ro,relatime 0 0

:

/dev/block/mmcblk0p7 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0

/dev/block/mmcblk0p10 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0

:

ACQUISITION USING DD

Unmount the partitions

root@Android:/ # umount /cache

umount /cache

root@Android:/ # umount /data

umount /data

failed: Device or resource busy

Note: the “Device or resource busy” error does not cause any drawback in our process, because live acquisition in forensics is always done on an unmounted partition, which is a standard procedure.

ACQUISITION USING DD

Take an image of the partitions

root@Android:/ # dd if=/dev/block/mmcblk0p7 bs=64K | gzip -c > /sdcard/cache.img.gz


3276800+0 records in

3276800+0 records out

209715200 bytes transferred in 60.809 secs (3448752 bytes/sec)

root@Android:/ # dd if=/dev/block/mmcblk0p10 bs=64K | gzip -c > /sdcard/data.img.gz


33554432+0 records in

33554432+0 records out

2147483648 bytes transferred in 821.632 secs (2613680 bytes/sec)
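As an added check that is not part of the thesis procedure, the Python functions below verify a dd | gzip image like the ones produced above: they decompress it, compare its length with the byte count on dd's summary line, record a SHA-256 hash for the evidence log, and confirm the ext4 superblock magic (0xEF53 at byte 1080), since both /cache and /data are ext4 here. The image built inline is a constructed stand-in, not a real partition dump.

```python
import gzip
import hashlib
import struct

EXT4_MAGIC_OFFSET = 1024 + 0x38  # superblock starts at byte 1024; s_magic is at +0x38
EXT4_MAGIC = 0xEF53

def parse_dd_summary(line):
    """Byte count from dd's summary line, e.g. '209715200 bytes transferred in 60.809 secs (...)'."""
    fields = line.split()
    if len(fields) < 3 or fields[1:3] != ["bytes", "transferred"]:
        raise ValueError("not a dd summary line: %r" % line)
    return int(fields[0])

def verify_image(gz_bytes, reported_bytes):
    """Decompress a dd | gzip image; report size match, ext4 magic check and SHA-256 of the raw image."""
    raw = gzip.decompress(gz_bytes)
    has_magic = (len(raw) >= EXT4_MAGIC_OFFSET + 2 and
                 struct.unpack_from("<H", raw, EXT4_MAGIC_OFFSET)[0] == EXT4_MAGIC)
    return {"size": len(raw), "size_ok": len(raw) == reported_bytes,
            "ext4_magic_ok": has_magic, "sha256": hashlib.sha256(raw).hexdigest()}

def build_sample_image(nbytes=8192, with_magic=True):
    """Constructed stand-in for a partition image: zero-filled, optionally with an ext4 magic."""
    img = bytearray(nbytes)
    if with_magic:
        struct.pack_into("<H", img, EXT4_MAGIC_OFFSET, EXT4_MAGIC)
    return gzip.compress(bytes(img))
```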

FINDINGS – CACHE ANALYSIS

Several cache structures were decoded:

cache_r.0

cache_bd.0

WebView component caches

SQLite DB caches

Image caches

Android Gallery caches

YouTube caches

Least Recently Used disk cache

Etc.

EXAMPLE – YOUTUBE CACHE

In the above example, 0x000001442571F983 corresponds to Wed, 12 Feb 2014 09:33:50 GMT.

EXAMPLE – ANDROID GALLERY

Length | Offset | Description
4 | 0 | Magic number: 0xB3273030
4 | 4 | Max number of hash entries per region
4 | 8 | Max number of data bytes per region (including header)
4 | 12 | The active growing region: 0 or 1
4 | 16 | The number of hash entries used in the active region
4 | 20 | The number of data bytes used in the active region
4 | 24 | Version number
4 | 28 | Checksum of bytes from 0 to 28
u = 12 * Maximum Entries bytes | 32 | Hash entries for region 0. The size is u
v = 12 * Maximum Entries bytes | 32 + u | Hash entries for region 1. The size is also u

Index file of Android Gallery

EXAMPLE – ANDROID GALLERY (CONT..)

Data file of Android Gallery

Header:

Length | Offset | Description
4 | 0 | Magic number: 0xBD248510

Data (each entry is present as a blob, and the blobs are concatenated):

Length | Offset | Description
8 | 0 | Key
4 | 8 | Chksum
4 | 12 | Offset
4 | 16 | Length (u)
u (value at offset 16) | 20 | Actual data (blob)
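As an added example, not code from the thesis or from the Android Cache Viewer tool, the Python parser below reads the index and data layouts of the last two tables and validates their integrity fields. The slides do not state byte order or checksum algorithm; the example assumes little-endian integers, Adler-32 checksums and that a blob's offset field holds its own position (this matches the AOSP BlobCache class the Gallery uses), and it builds a constructed index/data pair inline for a self-contained run.

```python
import struct
import zlib

INDEX_MAGIC, DATA_MAGIC = 0xB3273030, 0xBD248510  # magic numbers from the slides
INDEX_HEADER, ENTRY_SIZE, BLOB_HEADER = 32, 12, 20  # header bytes; 8+4 per hash entry; 8+4+4+4 per blob

def parse_index(buf):
    """Parse the index header; return its fields plus the non-empty hash entries of both regions."""
    (magic, max_entries, max_bytes, active, used_entries,
     used_bytes, version, checksum) = struct.unpack_from("<8I", buf, 0)
    if magic != INDEX_MAGIC:
        raise ValueError("bad index magic 0x%08X" % magic)
    if zlib.adler32(bytes(buf[:28])) != checksum:  # assumption: Adler-32, as in AOSP BlobCache
        raise ValueError("index header checksum mismatch")
    regions = []
    for r in range(2):  # region 0 at 32, region 1 at 32 + u, where u = 12 * max_entries
        base = INDEX_HEADER + r * ENTRY_SIZE * max_entries
        slots = [struct.unpack_from("<qI", buf, base + i * ENTRY_SIZE) for i in range(max_entries)]
        regions.append([(k, o) for k, o in slots if k or o])  # an all-zero slot is empty
    return {"max_entries": max_entries, "max_bytes": max_bytes, "active_region": active,
            "used_entries": used_entries, "used_bytes": used_bytes, "version": version, "regions": regions}

def parse_blob(buf, offset):
    """Return (key, payload) for the blob header at offset, checking its offset and checksum fields."""
    key, chksum, self_off, length = struct.unpack_from("<qIII", buf, offset)
    if self_off != offset:  # assumption: the offset field holds the blob's own position
        raise ValueError("blob at %d claims offset %d" % (offset, self_off))
    payload = bytes(buf[offset + BLOB_HEADER:offset + BLOB_HEADER + length])
    if len(payload) != length or zlib.adler32(payload) != chksum:
        raise ValueError("blob at %d is truncated or corrupt" % offset)
    return key, payload

def extract_active(index_buf, data_buf):
    """Map key -> payload for every hash entry in the active region."""
    if struct.unpack_from("<I", data_buf, 0)[0] != DATA_MAGIC:
        raise ValueError("bad data magic")
    idx = parse_index(index_buf)
    return {k: parse_blob(data_buf, o)[1] for k, o in idx["regions"][idx["active_region"]]}

def build_sample(entries, max_entries=4):
    """Constructed sample (not a real Gallery dump): slots filled in order, region 0 active, region 1 empty."""
    data, slots = bytearray(struct.pack("<I", DATA_MAGIC)), [(0, 0)] * max_entries
    for i, (key, payload) in enumerate(entries):
        slots[i] = (key, len(data))
        data += struct.pack("<qIII", key, zlib.adler32(payload), len(data), len(payload)) + payload
    hdr = struct.pack("<7I", INDEX_MAGIC, max_entries, 1 << 16, 0, len(entries), len(data), 1)
    hdr += struct.pack("<I", zlib.adler32(hdr))
    region0 = b"".join(struct.pack("<qI", k, o) for k, o in slots)
    return hdr + region0 + bytes(ENTRY_SIZE * max_entries), bytes(data)
```

A single flipped byte in either file is reported as a checksum failure rather than silently yielding a wrong thumbnail, which is the behaviour an examiner wants from a cache parser.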

ANDROID CACHE VIEWER PROTOTYPE

Built using C# and requires Microsoft .NET 4.0.

Supports:

Generic cache (cache_r.0, cache_bd.0)

WebView component cache

SQLite DB cache

Image gallery cache

Serialized object cache

DiskLruCache format

It runs on, and has been tested on, Windows XP, Vista/7 and Windows 8/8.1.

SCREENSHOTS - CACHE_R.0

SCREENSHOTS - CACHE_R.0 DATA

SCREENSHOTS - WEBVIEW CACHE INDEX

SCREENSHOTS - WEBVIEW CACHE DATA

SCREENSHOTS - WEBVIEW CACHE EXTERNAL DATA

SCREENSHOTS - YOUTUBE CACHE

SCREENSHOTS - ANDROID IMAGE GALLERY

SCREENSHOTS - SQLITE DB CACHE

SCREENSHOTS - UNKNOWN CACHE

OPEN SOURCE

The source code for Android Cache Viewer is uploaded to GitHub (https://github.com/fcidau/Android-Cache-Viewer)

Released under MIT License

CONCLUSION & FUTURE WORK

CONCLUSION

In this thesis, we identified literature gaps and limitations in using existing forensic models when examining Android caches.

To assist forensic researchers and practitioners in examining the wide range of caches used by various Android apps, a taxonomy for Android caches and the conceptual Android Cache Forensics Model were proposed.

More than 100 popular apps were tested. 11 apps appear to be using some form of cache, and they were studied in detail.

Previously unknown cache formats were decoded, and several undocumented cache formats commonly used by Android apps were documented.

Based on the findings, Android Cache Viewer, an open source prototype tool, was developed to decode Android cache formats.

FUTURE WORK

Much work in this area remains to be done. Potential extensions of this thesis are as follows:

Adding plugins for other undocumented cache file structures.

Adding new cache formats as they are introduced.

Making each plugin an independently loadable module.

REFERENCE LIST

Gandhewar, N & Sheikh, R 2011, 'Google Android: An Emerging Software Platform For Mobile Devices', International Journal on Computer Science & Engineering.

Pollitt, M 1995, 'Computer forensics: An approach to evidence in cyberspace', Proceedings of the National Information Systems Security Conference, pp. 487-491.

McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology.

Palmer, G 2001, 'A road map for digital forensic research', First Digital Forensic Research Workshop, Utica, New York, pp. 27-30.

Baryamureeba, V & Tushabe, F 2004, 'The enhanced digital investigation process model', Proceedings of the Fourth Digital Forensic Research Workshop, Citeseer.

REFERENCE LIST (CONT..)

AppBrain 2014, Number of Android applications, appbrain.com, viewed 16-May-2014, <http://www.appbrain.com/stats/number-of-android-apps>.

QUESTIONS & ANSWERS