Android Forensics - Simplifying Cell Phone Examinations - Lessard & Kessler (ECU) 2010.
Research Online
ECU Publications Pre. 2011
2010
Gary Kessler
Edith Cowan University
This article was originally published as: Lessard, J., & Kessler, G.C. (2010). Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digital Device Forensics Journal, 4(1), 1-12.
This Journal Article is posted at Research Online.
http://ro.ecu.edu.au/ecuworks/6479
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL VOL. 4, NO.1, SEPTEMBER 2010, ISSN# 1941-6164 1
Android Forensics: Simplifying Cell Phone Examinations

Jeff Lessard, Champlain College, j.lessard802@gmail.com
Gary C. Kessler, Gary Kessler Associates and Edith Cowan University, gck@garykessler.net

Authors' Note

This paper was initially written during the fall of 2009 and since that time, several new versions of Android OS have been available to customers via upgrades or new phone purchases. With each new phone and firmware update, there are initial challenges to the forensic community; the fundamentals of acquiring and analyzing an image, however, have remained the same.

Introduction

It is hardly appropriate to call the devices many use to receive the occasional phone call a telephone any more. The capability of these devices is growing, as is the number of people utilizing them. By the end of 2009, 46.3% of mobile phones in use in the United States were reported to be smart phones (AdMob, 2010).

With the increased availability of these powerful devices, there is also a potential increase for criminals to use this technology as well. Criminals could use smart phones for a number of activities such as committing fraud over e-mail, harassment through text messages, trafficking of child pornography, communications related to narcotics, etc. The data stored on smart phones could be extremely useful to analysts through the course of an investigation. Indeed, mobile devices are already showing themselves to have a large volume of probative information that is linked to an individual with just basic call history, contact, and text message data; smart phones contain even more useful information, such as e-mail, browser history, and chat logs. Mobile devices probably have more probative information that can be linked to an individual per byte examined than most computers -- and this data is harder to acquire in a forensically proper fashion.

Part of the problem lies in the plethora of cell phones available today and a general lack of hardware, software, and/or interface standardization within the industry. These differences range from the media on which data is stored and the file system to the operating system and the effectiveness of certain tools. Even different model cell phones made by the same manufacturer may require different data cables and software to access the phone's information.

The good news is there are numerous people in the field working on making smart phone forensics easier. Already there is material available on how to conduct an examination on Blackberry phones and a growing number of resources about the iPhone. However, there is a new smart phone OS on the market named Android and it will likely gain in appeal and market share over the next year. While Android initially launched with only one phone on T-Mobile, phones are now available on Sprint, Verizon and AT&T as well.

Introduction to Android

Android is an operating system (OS) developed by the Open Handset Alliance (OHA). The Alliance is a coalition of more than 50 mobile technology companies ranging from handset manufacturers and service providers to semiconductor manufacturers and software developers, including Acer, ARM, Google, eBay, HTC, Intel, LG Electronics, Qualcomm, Sprint, and T-Mobile. The stated goal of the OHA is to "accelerate innovation in mobile and offer consumers a richer, less expensive, and better mobile experience" (OHA, 2009, n.p.).

Figure 1. Android architecture (Android.com, 2009b).

The basic architecture of Android is shown in Figure 1. At its core, Android OS builds are based on the Linux 2.6 kernel. When running on a hard drive, the Linux system device defaults to the first physical hard drive, or /dev/hd0. In
Examination of Memory

The examination of the memory image files was performed using Access Data's Forensic Tool Kit (FTK) v1.81. FTK was selected because of its data carving and searching capabilities; since today's forensic software does not mount the YAFFS2 file system, the ability to run string searches was paramount.

When setting up the analysis in FTK, select options for full indexing and data carving, and add all six files for analysis. In this case, the subject phone was approximately two months old and had been used extensively for data applications. After data carving, 207 Hypertext Markup Language (HTML)

Figure 9. Recovered files: Web page (left) and Google search history (right).

One particularly interesting document that contained useful information was the single recovered PDF file. This file was extremely fragmented and while Acrobat Reader reported that the file was corrupt and could not be opened, FTK was able to view the contents. The file was 2 MB in size and was substantially larger than all of the other recovered documents. It contained information such as text messages, phone book information, browser history, Facebook status updates, Google search history (Figure 9, right), YouTube videos visited, and music played from the SD card. It was difficult to look through because it was so fragmented but searching the document made information easier to find.

Recovered Images

As on a typical computer, this Android device had nearly 13,000 images, only some of which would be interesting in a forensics examination. The first noteworthy images found were the ones displayed as the phone is booting up. There are three different images: the HTC logo, a Hero splash screen, and a Sprint screen. The HTC logo screen is displayed at two points in the booting process and features the HTC logo in beveled silver text on a reflective black background. As the phone boots, the source of light in the image changes as it pans across the logo; this seems like a loading screen, indicating that something is happening, as a progress bar would. This logo was merely an animated GIF file.

The mtd3.dd file contained images for different applications. Backgrounds for a labyrinth style game; images for bookmarks, weather, alarm clocks, keyboards, and widgets; grids for Sudoku games; and icons for check boxes, contacts, camera, and navigation apps were found.

Figure 10. Recovered images: Corrupted image file (left) and intact image file (right).

The mtd4.dd file contains the contents of the Android cache. Recovered images from this location included some that were viewed from e-mail; some of the images were corrupted while others were perfectly intact (Figure 10).

Interestingly, only 30 images from the user's Gmail account were found. The highly fragmented condition of some of these images suggests that the amount of space allowed for caching of images viewed from Gmail is not large. Alternatively, it is possible that FTK was not able to locate or identify the images.

Another interesting result was that two of the images in the cache, although on the Gmail account, were never specifically called up or viewed on the phone. The best explanation is that they were preloaded from viewing the e-mail, although the user never selected to download or view them.

The mtd5.dd file contains the user data and, not surprisingly, is where the majority of the recovered images were found. These were the types of pictures one would expect to find, namely images ranging from contact photos, downloads from browser Web pages, pictures taken with the Hero's camera and sent to someone via the Multimedia Messaging Service (MMS) or e-mail to those from applications such as Facebook, cover art from Pandora, image previews of videos from SprintTV and YouTube, and icons from applications.

Figure 11. User names and passwords found in plaintext, blacked out for publication.

Searching

While browsing through images and documents yielded some helpful information, FTK was unable to locate text messages, e-mails, contacts, and call history. The search tool is quite powerful but in order to use it, an examiner needs to have an idea of what to search for. When trying to find e-mails, a logical starting point would be to search for the suspect's e-mail address. A search for j.lessard802@gmail.com, for example, yielded 1628 hits over 92 files. The files generally started with the e-mail address, followed by a preview of the body of the message and then the rest of the e-mail and recipient information. Many of the strings found looked like this one:

    j.lessard802@gmail.com >..7`..7c$Ryan
    and Ysa I quite impressed with the talk they
    gave our class. Maybe impre....Ryan and
    Ysa<br><br>I quite impressed with the talk
    they gave our class. Maybe impressed isnt
    quite the right word for it - perhaps amazed
    they let everyone in to their life like that. I
    never really thought about the difficulty of
    communicating across cultures and how it
    would impact a relationship. Specifically if
    they didnt speak each others language. I
    guess the international language is truly
    dance.<br>

It is likely that if the suspect were using a mobile e-mail client (such as a Gmail application), the search would yield more messages than on a system where only Web mail has been employed.
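The keyword search described above, as an added Python example that is not from the paper: it scans a constructed byte string standing in for a raw mtd image, finds each occurrence of the e-mail address, renders the hit the way a hex viewer's ASCII pane shows it (non-printable bytes as dots, which is where the ">..7`..7c$" in the string above comes from) and extracts the readable message text with the <br> tags converted. All sample bytes are constructed.

```python
import re

# Constructed sample of raw flash-image bytes (not a real dump): two hits for
# the keyword, each followed by non-printable bytes and then message text.
SAMPLE_IMAGE = (
    b"\xff\x00\x03binary junk\x00\x00"
    b"j.lessard802@gmail.com >\x00\x017`\x02\x037c$Ryan and Ysa<br><br>"
    b"I quite impressed with the talk they gave our class.<br>"
    + b"\x00" * 64 +
    b"\x7f\x80\x81j.lessard802@gmail.com\x00\x00Second message preview<br>\x00\xff"
)

ASCII_PRINTABLE = set(range(0x20, 0x7f))

def render_hex_view(chunk: bytes) -> str:
    """Show bytes as a hex viewer's ASCII pane does: printable characters as
    themselves, every other byte as a dot (the >..7`..7c$ look seen above)."""
    return "".join(chr(b) if b in ASCII_PRINTABLE else "." for b in chunk)

def clean_text(chunk: bytes, min_run: int = 4) -> str:
    """Keep printable runs of at least min_run bytes (as `strings` would), join
    them with spaces and turn HTML <br> tags into line breaks."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_run, chunk)
    text = " ".join(r.decode("ascii") for r in runs)
    return re.sub(r"\s*<br\s*/?>\s*", "\n", text).strip()

def find_keyword_hits(data: bytes, keyword: bytes, context: int = 120) -> list:
    """Return one dict per occurrence of keyword: its byte offset, the raw
    hex-view rendering of the hit plus context, and the cleaned text."""
    hits = []
    for m in re.finditer(re.escape(keyword), data):
        chunk = data[m.start(): m.start() + len(keyword) + context]
        hits.append({"offset": m.start(),
                     "raw": render_hex_view(chunk),
                     "text": clean_text(chunk)})
    return hits

if __name__ == "__main__":
    for hit in find_keyword_hits(SAMPLE_IMAGE, b"j.lessard802@gmail.com"):
        print(f"offset 0x{hit['offset']:x}: {hit['raw']}")
        print("  cleaned:", hit["text"].replace("\n", " | "))
```

On a real image the same function is run over the mtd*.dd files read as bytes; the offset is what ties a hit back to the raw dump.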
Hoog (2009b) has reported that the Android browser stores passwords in plaintext right next to a username and Uniform Resource Locator (URL). As expected, several of the search hits found the displayed username and password for several Web sites, one of which yielded a piece of a database that held all of the password information (Figure 11). This is very helpful for the forensic examiner although a poor security practice from the user perspective. While many people appropriately worry about saving their username and password information on their computers, and may even know how to hide those traces, most are likely less careful with similar data stored on their phone.

When searching for e-mail addresses, references were found to a file named contacts.db. After searching for that string, contact and phonebook information was found quite easily. It was located in a few different places and in pieces but that is likely due to the fact that FTK was unable to recognize the operating system and, before data carving, everything was just considered unallocated space. The actual path for the contacts appears to be /data/data/com.android.providers.contacts/databases/contacts.db.

Logical Examination

Although it is valuable to perform a physical examination to access deleted information that might otherwise go unnoticed, much of the data that was viewable in FTK was fragmented and difficult to read. Looking at files logically can show whole databases that are not fragmented.

valuable files were uncovered. As before, the files were copied to the SD card using the dd command (Figure 13):

    dd if=/data/data/subdir/databases/file.db of=/sdcard/file.db

Figure 13. dd commands to create images of database (.db) files.

The database files found by a logical examination of the Android device yielded a significant amount of interesting information. The first such file examined was /data/data/com.htc.htctwitter/databases/htcchrip.db, the database associated with htctwitter, the Twitter application called Peep, developed by HTC. This database file yielded account information (including an unencrypted password) (Figure 14) as well as account information for Twitter sites that the user follows (Figure 15).

Figure 14. Username and password of HTC Twitter user.

Figure 15. Information about Twitter sites that the user follows.

In addition, 1460 Twitter updates were found, with detailed information about the sender. This output also contains a field named is_public, which indicates whether the message was private (0) or a normal tweet (1).
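The examination of a copied .db file described above, as an added Python example that is not the paper's own procedure: it builds a constructed stand-in for htcchrip.db (the table and column names are assumptions; the real schema is not given in the paper), opens the copy read-only, counts rows per table, flags columns whose names suggest a credential, which is how a plaintext password like the one in Figure 14 surfaces in an unfamiliar database, and lists the rows whose is_public field is 0.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed, simplified schema modelled on the paper's description of htcchrip.db:
# an account row with a plaintext password, and tweets whose is_public column is
# 0 for a private message, 1 for a normal tweet. Rows are constructed, not real.
SAMPLE_TWEETS = [("alice", "Meet at 5?", 0), ("bob", "Great talk today", 1),
                 ("carol", "Lunch?", 0), ("bob", "Heading home", 1)]

def make_sample_db() -> str:
    """Write a constructed stand-in for htcchrip.db to a temp dir; return its path."""
    path = str(Path(tempfile.mkdtemp()) / "htcchrip.db")
    con = sqlite3.connect(path)
    con.executescript("""CREATE TABLE account(username TEXT, password TEXT);
        CREATE TABLE tweets(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, is_public INTEGER);""")
    con.execute("INSERT INTO account VALUES (?, ?)", ("peepuser", "constructed-pw"))
    con.executemany("INSERT INTO tweets(sender, body, is_public) VALUES (?, ?, ?)", SAMPLE_TWEETS)
    con.commit()
    con.close()
    return path

def open_readonly(path: str) -> sqlite3.Connection:
    """Open the acquired copy read-only so examination cannot alter it."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)

def table_summary(path: str) -> dict:
    """Return {table: row_count}, the first thing to learn about an unknown .db."""
    con = open_readonly(path)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    summary = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in names}
    con.close()
    return summary

def credential_columns(path: str, pattern: str = r"pass|pwd|token|secret") -> list:
    """Return (table, column, value) for every row of every column whose name
    suggests a credential; this is how a plaintext password (Figure 14) surfaces."""
    con = open_readonly(path)
    found = []
    for table in table_summary(path):
        for col in con.execute(f'PRAGMA table_info("{table}")').fetchall():
            if re.search(pattern, col[1], re.IGNORECASE):
                found += [(table, col[1], v) for (v,) in
                          con.execute(f'SELECT "{col[1]}" FROM "{table}"')]
    con.close()
    return found

def private_messages(path: str) -> list:
    """Return (sender, body) for rows flagged private (is_public = 0)."""
    con = open_readonly(path)
    rows = con.execute("SELECT sender, body FROM tweets WHERE is_public = 0 ORDER BY id").fetchall()
    con.close()
    return rows
```

Against a real copy, make_sample_db() is simply replaced by the path of the .db file pulled from the SD card.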
Summary of Results

Figure 33. Some of the SMS messages extracted by the UFED [Phone numbers truncated for publication].

This experiment in acquiring information from an Android device using multiple methods is far from conclusive, although it provided some interesting insights:

Data extraction with the CelleBrite UFED
  o Pros: Recovered MMS/SMS messages, call logs, photos, video, and contact information; simple, stand-alone method.
  o Cons: Logical extraction only (physical acquisition not yet supported); did not recover e-mails, browser, or search history.

It appears that browsing the databases logically netted the most information in an easily viewable way. Obtaining a dd image is extremely valuable but, aside from the user reconstructing where all the pieces fit, it was not the best method in this case. A different tool or forensics software with specific YAFFS2 support would make the physical analysis a winner. As it stands now, however, FTK would be most valuable when searching for very specific strings of text.

Conclusion

Cell phones are becoming even more sophisticated and capable. Both law enforcement and the private sector need to invest time and money into learning about new operating systems and developing new forensic methods.

While Android forensics is still in its infancy, steps are being made to meet the new technology. CelleBrite (2010), Paraben (2008), and .XRY (Micro Systemation, 2008) all currently offer some type of Android solution and more tools will be adding support as Android gains in popularity. Android is not just for phones either; it can be used on computers, kitchen appliances, and military applications (Spencer, 2009). Expect to begin seeing it everywhere.

The number of Android phones will be continuously increasing as more manufacturers adopt the budding OS. As it stands now, Android sales, by some estimates, will overtake iPhone sales within the next two to three years (Lomas, 2009). While Android is powerful and complex, with multiple firmware implementations and some manufacturers making custom UIs, the standardization will make mobile forensics simpler in the long run. Indeed, as the market for Android continues to grow, learning how to forensically acquire information from these devices becomes essential for mobile device examiners.

Author Information

Jeff Lessard received a B.S. degree in Computer & Digital Forensics from Champlain College (Burlington, Vermont) in December 2009. This paper is an expansion of his senior thesis project. All screen shots, unless otherwise noted, were taken by Jeff.

Gary C. Kessler, Ed.S., is president of Gary Kessler Associates, adjunct associate professor at Edith Cowan University (Perth, Western Australia), and mobile device examiner for the Vermont Internet Crimes Against Children (ICAC) Task Force. At the time of this project, he was an Associate Professor and director of the M.S. in Digital Investigation Management program at Champlain College. He is a Certified Computer Examiner (CCE) and Certified Information Systems Security Professional (CISSP), and is an associate editor at the Journal of Digital Forensic Practice and Journal of Digital Forensics, Security and Law.

References

AdMob. (2010, January). AdMob mobile metrics report. Retrieved February 2, 2010, from http://metrics.admob.com/wp-content/uploads/2010/01/AdMob-Mobile-Metrics-Dec-09.pdf

Android.com. (2009a, December 16). Android security and permissions. Retrieved December 21, 2009, from http://developer.android.com/guide/topics/security/security.html

Android.com. (2009b, December 16). What is android? Retrieved December 21, 2009, from http://developer.android.com/guide/basics/what-is-android.html

Android-DLs.com. (2009, December 7). Edit and re-pack boot images. Android-DLs Web site. Retrieved December 21, 2009, from http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images

Android Developers. (2009, December). Download the Android SDK. Android Developers Web site. Retrieved December 21, 2009, from http://developer.android.com/sdk/index.html

CelleBrite. (2010). UFED standard kit. CelleBrite Web site. Retrieved August 15, 2010, from http://www.cellebrite.com/UFED-Standard-Kit.html

DalvikVM.com. (2008). Dalvik virtual machine. Retrieved December 21, 2009, from http://www.dalvikvm.com/

Dedekind. (2009, January 12). Memory technology devices. Linux Memory Technology Devices FAQ. Retrieved December 21, 2009, from http://www.linux-mtd.infradead.org/faq/general.html

Hoog, A. (2009a, March 16). Input/output error trying to dd Android /dev/block devices. viaForensics Web site. Retrieved December 21, 2009, from http://viaforensics.com/forum/android-forensics/inputoutput-error-trying-to-dd-android-devblock-devices/

Hoog, A. (2009b, October 19). Android browser stores passwords and other sensitive data in plain text. viaForensics Web site. Retrieved December 21, 2009, from http://viaforensics.com/android-forensics/android-browser-stores-passwords-sensitive-data-plain-text.html

HTC. (2009). HTC Sense user interface [Video]. HTC Web site. Retrieved December 21, 2009, from http://www.htc.com/us/content/interactive/mediagallery/htc-sense.flv

Lomas, N. (2009, March 6). Android could overtake iPhone by 2012. BusinessWeek Online. Retrieved December 21, 2009, from http://www.businessweek.com/globalbiz/content/mar2009/gb2009036_886305.htm
Purdy, K. (2009, August 21). Five great reasons to root your Android phone. lifehacker Web site. Retrieved December 21, 2009, from http://lifehacker.com/5342237/five-great-reasons-to-root-your-android-phone

The Unlockr.com. (2009, November 7). How to: Root your Sprint HTC Hero. Retrieved December 21, 2009, from http://theunlockr.com/2009/11/07/how-to-root-your-cdma-htc-hero-sprint-verizon/