• OTW

Digital Forensics, Part 10: Mobile Forensics (Android)


Over the past decade or so, the growth of the mobile market has been the fastest growing segment of the IT industry. We now have portable smart phones and tablets being used throughout the consumer and business market. These add an extra challenge to the forensic investigator, but can also contain a cornucopia of information and evidence of the suspect's activity. These include texts (SMS) messages, emails, browsing activities, installed apps, etc. The overall impact is that the mobile device may be the greatest repository of information on your suspect.

Before you begin this tutorial, you may want to take a look at the Android Basics tutorial here. In addition, Android Forensics is a large and complex task worthy of an entire book similar to Windows , Linux or Mac forensics, so we will attempt to only cover one small segment of Android Forensics here. Look for my upcoming series and course on Android forensics.

Android Forensics

In this tutorial we will be examining the .xml manifest file from a Android device. In examining an Android device there are three primary areas we want to focus on;

(1) /Root/system/packages

(2) AndroidManifest.xml

(3) any applications themselves. These are .apk files

The manifest file contains a list of all the applications installed on the device and their associated permissions all in .xml format. Often we can identify malicious packages this way by examining the permissions of the applications. In other words, if an application has permissions that are not required by its functionality, it should be considered suspect and is probably malicious.

Here we have an .xml file from an android device and have moved it to our desktop. When we open it with an .xml enabled browser, we should see a file similar to that below.

Navigate to the ledflashlight application permissions. It should be about mid-way down the file. If you have difficulty finding it, use the search function and it will find all the instances of "ledflashlight". The one we want contains the application permissions like seen below.

Note that this application, a flashlight app, has permissions to;

(1) READ_EXTERNAL_STORAGE

(2) access INTERNET

(3) WRITE_EXTERNAL_STORAGE

A legitimate flashlight application is unlikely to require those permissions. We should be suspicious of this application! It is more than likely malware.

SQLite Analysis of BlackBerry Messenger on Android

Many applications on mobile devices store information into a SQLite database. Due to the fact that SQLite is full relational database that is very lightweight, it is ideal for mobile devices.

In this lab, we will examine the SQLite database from a Blackberry Messenger on an Android device. We will need SQLite Browser. If you are using Kali, it is pre-installed otherwise you can download it from here. If you did that Browser Forensics tutorial, you should already have it installed on your machine.

Here, we use the SQLite Browser to open the master.db from an Android device. Select File and then "Open Database" and click on master.db. It should look like the screenshot below.

Note that in the main window to the left, we see all 62 tables and the commands to create them under the Schema column.

Next, click on the "Browser Data" tab at the top of the main window. You should see a screen like that below. Note that in the right window we have a listing of all 62 tables. If we want to see the data in a table, we can simply select the table in the "Table" pull down menu at the top of the main window.

In our case here, we want to see the table "File Transfers". Select it from the pull down menu.

When you do, the main menu will be populated with data from the "File Transfer" table. As you can see, we have two file transfers. Both of these file transfers are .jpeg files. If we expand the path column we can see where they are stored on the device.

If we scroll left through these columns we will see columns named "UserID" and "Incoming". These columns reveal that both file transfers were done by User ID=10 and the incoming column reveals that the first was incoming and the second was outgoing (not incoming). Obviously, this type of information could be useful as evidence that the suspect either sent or received a malicious or illegal file from that phone.

This is just taste of what we can learn from a thorough forensics analysis of an Android device. Look for my upcoming series and class on Android Forensics where we will cover Android Forensics thoroughly from top to bottom!


2,192 views