
Android anti-forensics through a local paradigm

By Alessandro Distefano, Gianluigi Me, Francesco Pace. Presented 11/08/2013 (Fri) by Daun Jeong.


Presentation Transcript


  1. By Alessandro Distefano, Gianluigi Me, Francesco Pace. Android anti-forensics through a local paradigm. 11/08/2013 Fri. Daun Jeong

  2. Outline
  • Introduction
  • Definition of Anti-forensics
  • The Android Operating System
  • Android Anti-forensics
  • Experiments
  • Conclusion

  3. Introduction
  • Anti-forensics techniques applied to mobile devices
  • Test the effectiveness of such techniques against both a cursory examination of the device and some acquisition tools
  • Trend
    • Uptick in the use of anti-forensics
    • So far confined to the classic forensics environment ⇒ this work instantiates some common AF techniques on Android mobile devices

  4. Definition of Anti-forensics
  • Any attempt to compromise the availability or usefulness of evidence in the forensic process.
  • The availability of evidence can be compromised by preventing its creation, hiding its existence, or manipulating the evidence.
  • The usefulness can be compromised by deleting the evidence or by tampering with its integrity.

  5. Types of Anti-forensics
  • Destroying Evidence: destruction of evidence in order to make it unusable.
  • Hiding Evidence: decreasing the visibility of the evidence.
    ⇒ Both processes (1 and 2) can themselves produce other evidence.
  • Eliminating Evidence Sources: preventing evidence creation.
  • Counterfeiting Evidence: creating a fake version of evidence.

  6. The Android OS – 1. Architecture

  7. The Android OS – 2. File System
  • Supported by the YAFFS2 file system.
  • YAFFS: Yet Another Flash File System
  • YAFFS1: designed for old NAND chips with 512 byte pages plus 16 byte spare areas.
  • YAFFS2: evolved from YAFFS1 to accommodate newer chips with 2048 byte pages plus 64 byte spare areas.

  8. The Android OS – 3. Security Architecture
  • Applications & Sandboxes: Android binds every running application to a secure sandbox which cannot interfere with any other application.
  • User IDs and Permissions: Android manages each application as a different Linux user. Requested permissions are declared with <uses-permission> tags in the application's AndroidManifest.xml.

  9. Android Anti-forensics
  • Current Android Forensics Techniques & Tools
  • Instantiating Anti-forensics
  • The Evidence Export Process
  • The Evidence Import Process
  • The Evidence Destruction Process

  10. Current Android Forensics Techniques & Tools
  1. Android Debug Bridge (ADB): a tool provided with the Android SDK which allows interaction between the mobile device and a remote station.
  2. Nandroid Backup: Nandroid is a set of tools supporting backup and restore capabilities for rooted Android devices. It supports full NAND flash memory imaging, which is performed from a special boot mode.

  11. Current Android Forensics Techniques & Tools (cont'd)
  3. Physical Imaging by dd: the dd tool allows byte-level physical imaging of Unix files and can be applied to regular files and to device files as well, thanks to the availability of a Unix-like command shell.
  4. Commercial Tools: Paraben Corporation, Micro Systemation, Cellebrite. Open Source Tools: Mobile Internal Acquisition Tool (MIAT).

  12. Current Android Forensics Techniques & Tools (cont'd)
  5. Serial Commands over USB: capability to eavesdrop on the data conveyed over the wire.
  6. Simulated SD card: use of a modified update file in order to avoid destroying internal memory data and to provide kernel-level tools supporting the acquisition of data.

  13. Current Android Forensics Techniques & Tools (cont'd)
  7. Software Applications: applications that are able to explore, read, and mirror the contents stored by the file system, even for the internal memory storage volume.

  14. Instantiating Anti-forensics
  • Exploiting Android features
    • Strong Linux process & user management policies
    • A private folder: a directory that is inaccessible to any other application
    • Private folders in internal memory are hard to examine because of isolation and the difficulty of physical imaging
  • Anti-forensics by a common application: Evidence Export / Import / Destruction Process

  15. The Evidence Export Process
  • Android Destroying Evidence: text messages, browser bookmarks, call log ⇒ deletion of the related database
  • Android Hiding Evidence: multimedia files ⇒ move them into internal storage (private folder)
  • Android Eliminating Evidence Sources: Multimedia Messages (MMSs) ⇒ modify identifiers so they are invisible to the end user
  • Android Counterfeiting Evidence: contact information ⇒ modify flag & related number

  16. The Evidence Import Process
  • Restore the previous state of the device.
  • The private storage of the evidence
    • Organize the exported evidence using a set of common files in the private folder
    • An XML-style file (export.xml) is responsible for the storage of all evidence
    • A number of files of various formats are imported from the removable memory card.

  17. The Evidence Import Process (cont'd)
  • How to reconstruct the evidence?
  • Fully automated evidence reconstruction: AFDroid
    • Private folder inspection
    • export.xml file processing
    • Related DB & table
    • The connection DB
    • Other file processing

  18. The Evidence Destruction Process
  • Internal Memory & Data Recovery
    • Acquisition of a complete image of the internal memory is still not achievable (JTAG aside).
  • Fully Automated Process ⇒ uninstall of AFDroid
    • All the related data are logically deleted by the file system.
    • Avoids human errors.
    • Reduces time.

  19. Experiment - 1. Definition
  • Objectives: to test the strength of the Evidence Export / Destruction process against the tools that are currently able to acquire a snapshot of the internal memory of the target device.
  • Device used: Samsung Galaxy i7500 equipped with the Android 1.5 OS.
  • Acquisition tools used: Paraben Device Seizure / Nandroid / MIAT

  20. Experiment - 1. Definition
  • Experimental workflows
  • Evidence export process
    • First imaging with the Nandroid tool
    • Execution of AFDroid
    • Acquisition with the MIAT tool
    • Second imaging with the Nandroid tool
  • Evidence destruction process
    • First imaging with the Nandroid tool
    • Execution of AFDroid
    • Second imaging with the Nandroid tool
    • Uninstall of AFDroid
    • Acquisition with the MIAT tool
    • Third imaging with the Nandroid tool

  21. Experiment - 2. Results (EEP) Cursory examination of the SMS/MMS database before and after the EEP: the entire set of SMS/MMS messages is emptied.

  22. Experiment - 2. Results (EEP) The Nandroid tool and the MIAT tool can recover all the evidence that has previously been exported into the private folder.

  23. Experiment - 2. Results (EEP) A large amount of multimedia data can negatively affect the duration of the process. It is realistic to suppose that only a reduced amount of such data can be exported into the private folder, because of the limited capacity of current internal memory.

  24. Experiment - 2. Results (EDP)
  • When the application is uninstalled and the EDP is completed, the private folder is removed together with all its stored contents.
  • After that, neither the Nandroid nor the MIAT tool was able to recover the deleted data.
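As an added illustration (not code from the paper, the slides or AFDroid), the following Python snippet performs the kind of before/after comparison the experiments on slides 22 and 24 rely on: given two file-hash inventories taken from two images, it flags baseline files whose content reappears under an app-private directory (hidden), files whose content changed in place (an emptied database), files relocated elsewhere, and files that vanished entirely, and it lists files that newly appeared in private storage. All paths, the package name com.example.afdroid and the hashed contents are constructed sample data.

```python
import hashlib

PRIVATE_ROOT = "/data/data/"  # Android app-private directories live under here

def _h(content: str) -> str:
    """Hash placeholder contents so the sample inventories look like real ones."""
    return hashlib.sha256(content.encode()).hexdigest()

# Constructed sample inventories (path -> sha256) of the kind an imaging tool such as
# Nandroid or MIAT yields. The package name com.example.afdroid is a placeholder.
BEFORE = {
    "/sdcard/DCIM/IMG_0001.jpg": _h("photo-1"),
    "/sdcard/DCIM/IMG_0002.jpg": _h("photo-2"),
    "/data/data/com.android.providers.telephony/databases/mmssms.db": _h("sms-db"),
    "/data/data/com.android.browser/databases/browser.db": _h("bookmarks"),
}
AFTER = {
    "/data/data/com.example.afdroid/files/0001.bin": _h("photo-1"),  # hidden copy
    "/sdcard/DCIM/IMG_0002.jpg": _h("photo-2"),
    "/data/data/com.android.providers.telephony/databases/mmssms.db": _h("sms-db-emptied"),
    "/data/data/com.example.afdroid/files/export.xml": _h("index"),
}

def classify(before: dict, after: dict, private_root: str = PRIVATE_ROOT) -> dict:
    """Give every baseline file a verdict: unchanged, modified, hidden:<path>, moved:<path> or gone."""
    by_hash: dict = {}
    for path, digest in after.items():
        by_hash.setdefault(digest, []).append(path)
    verdicts = {}
    for path, digest in before.items():
        if after.get(path) == digest:
            verdicts[path] = "unchanged"
        elif path in after:
            verdicts[path] = "modified"  # same path, new content (e.g. an emptied database)
        else:
            # Content-based match: the bytes survived, only the location changed.
            matches = [p for p in by_hash.get(digest, []) if p != path]
            private = [p for p in matches if p.startswith(private_root)]
            if private:
                verdicts[path] = "hidden:" + private[0]
            elif matches:
                verdicts[path] = "moved:" + matches[0]
            else:
                verdicts[path] = "gone"
    return verdicts

def new_private_files(before: dict, after: dict, private_root: str = PRIVATE_ROOT) -> list:
    """Files that appeared under an app-private directory between the two images."""
    return sorted(p for p in after if p not in before and p.startswith(private_root))
```

Running `classify(BEFORE, AFTER)` reports the first photo as hidden in the app's private folder, the SMS database as modified in place and the browser database as gone, which mirrors the recoverable-versus-destroyed split the experiments observed.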

  25. Conclusion
  • Current and future work
  1. Improving the AFDroid application
    • Selective choice of the target evidence
    • Expanding the kinds of target evidence
  2. Expanding compatibility to other operating systems
    • Windows Mobile, Symbian

  26. Reference: Alessandro Distefano, Gianluigi Me and Francesco Pace, "Android Anti-Forensics Through a Local Paradigm", Digital Investigation 7 (2010) S83-S94.
