Book Image

Learning Android Forensics - Second Edition

By : Oleg Skulkin, Donnie Tindall, Rohit Tamma
Book Image

Learning Android Forensics - Second Edition

By: Oleg Skulkin, Donnie Tindall, Rohit Tamma

Overview of this book

Many forensic examiners rely on commercial, push-button tools to retrieve and analyze data, even though there is no tool that does either of these jobs perfectly. Learning Android Forensics will introduce you to the most up-to-date Android platform and its architecture, and provide a high-level overview of what Android forensics entails. You will understand how data is stored on Android devices and how to set up a digital forensic examination environment. As you make your way through the chapters, you will work through various physical and logical techniques to extract data from devices in order to obtain forensic evidence. You will also learn how to recover deleted data and forensically analyze application data with the help of various open source and commercial tools. In the concluding chapters, you will explore malware analysis so that you’ll be able to investigate cybersecurity incidents involving Android malware. By the end of this book, you will have a complete understanding of the Android forensic process, you will have explored open source and commercial forensic tools, and will have basic skills of Android malware identification and analysis.

Related Content you might be interested in

Current Title:

Small book image
Learning Android Forensics - Second Edition
Oleg Skulkin | Donnie Tindall | Rohit Tamma
Dec, 2018 | 328 pages
Small book image
Practical Mobile Forensics
Heather Mahalik | Rohit Tamma | Oleg Skulkin | Satish Bommisetty
Apr, 2020 | 400 pages
Small book image
Practical Mobile Forensics
Heather Mahalik | Rohit Tamma | Oleg Skulkin | Satish Bommisetty
Jan, 2018 | 402 pages
Small book image
Mobile Forensics Cookbook
Igor Mikhaylov
Dec, 2017 | 302 pages
Table of Contents (12 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Introducing Android Forensics
Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Challenges in mobile forensics
Android architecture
Android security
Android hardware components
Android boot process
Summary
2
Setting up the Android Forensic Environment
Setting up the Android Forensic Environment
Android forensic setup
Android Debug Bridge
Rooting Android
Summary
3
Understanding Data Storage on Android Devices
Understanding Data Storage on Android Devices
Android partition layout
Android file hierarchy
Application data storage on the device
Android filesystem overview
Summary
4
Extracting Data Logically from Android Devices
Extracting Data Logically from Android Devices
Logical extraction overview
Manual ADB data extraction
ADB backup extractions
ADB dumpsys
Bypassing Android lock screens
Android SIM card extractions
Summary
5
Extracting Data Physically from Android Devices
Extracting Data Physically from Android Devices
Physical extraction overview
Extracting data physically with dd
Extracting data physically with nanddump
Extracting data physically with Magnet ACQUIRE
Analyzing a full physical image
Imaging and analyzing Android RAM
Acquiring Android SD cards
Advanced forensic methods
Summary
6
Recovering Deleted Data from an Android Device
Recovering Deleted Data from an Android Device
Data recovery overview
Recovering deleted data from SD cards
Recovering deleted records from SQLite databases
Recovering deleted data from internal memory
Recovering deleted data using file carving
Summary
7
Forensic Analysis of Android Applications
Forensic Analysis of Android Applications
Application analysis overview
Why do app analysis?
Layout of this chapter
Summary
8
Android Forensic Tools Overview
Android Forensic Tools Overview
Autopsy
Belkasoft Evidence Center
Magnet AXIOM
Summary
9
Identifying Android Malware
Identifying Android Malware
An introduction to Android malware
Android malware overview
Android malware identification
Summary
10
Android Malware Analysis
Android Malware Analysis
Dynamic analysis of malicious Android applications
Static analysis of malicious Android applications
Summary
Further reading
11
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Challenges in mobile forensics

With the increased usage of Android devices and the wider array of communication platforms they support, the demand for forensic examination automatically has grown. While working with mobile devices, forensic analysts face a number of challenges. The following points shed light on some of the mobile forensics challenges faced today:

  • Preventing data alteration on the device: One of the fundamental rules to remember in forensics is to preserve the original evidence. In other words, the forensic techniques that are applied on a device to extract any information should not alter the data present on the device. However, this is usually not practical with respect to mobile forensics because simply switching on a device might also change certain state variables present on the device. With mobile devices, background processes always run, and a sudden transition from one state to another can result in the loss or modification of data. Hence, there's a chance that data may be altered either intentionally or unintentionally by the forensic analyst. Apart from this, there is a high possibility that an attacker (or the user) can remotely change or delete the contents of the device. As mobile phones use different communication channels (cellular, Wi-Fi, Bluetooth, infrared, and so on), the possibility of communicating through them should be eliminated. Features such as remote data wiping would enable an attacker to remotely wipe the entire device just by sending an SMS or by simply pressing a button that sends a wipe request to the Android device. Unlike computer forensics, mobile device forensics requires more than just isolating the device from the network, and phones cannot always be left powered off during examination.
  • The wide range of operating systems and device models: The wide range of mobile operating systems available in the market makes the life of a forensic analyst more difficult. Although Android is the most dominant operating system in the mobile world, there are mobile devices that run on other operating systems including iOS, Blackberry, and Windows, that are often encountered during investigations. Also, for a given operating system, there are millions of mobile devices available that differ in OS versions, hardware, and various other features. Based on manufacturer, the approach to acquire forensic artifacts changes. To remain competitive, manufacturers release new models and updates so rapidly that it's hard to keep a track of all of them. Sometimes, within the same operating system the data storage options and file structures also change, making it even more difficult. There's no single tool that can work on all the available types of mobile operating systems. Hence, it is crucial for forensic analysts to remain updated on all of the latest changes and techniques, and to understand the underlying concepts in this book so they can succeed when the tools fail.

  • Inherent security features: As the concept of privacy is increasingly gaining importance, mobile manufacturers are moving towards implementing robust security controls on devices, which complicates the process of gaining access to the data. For example, if the device is passcode protected, the forensic investigator has to first find a way to bypass the passcode. Similarly, full disk encryption mechanisms implemented on many modern devices prevent law enforcement agencies and forensic analysts from accessing the information on the device. Apple's iPhone encrypts all of the data present on the device by default using hardware keys built into the device. Beginning with Android Nougat, Android forces full disk encryption by default (though it can vary if the OS is modified by the manufacturer). At Google's 2017 I/O conference, they announced that 80% of Android 7.0 Nougat devices were encrypted and 70% used a secure lock screen. These numbers will likely continue to grow as encryption is forced by more manufacturers during the initial setup process. It is very difficult for an examiner to break these encryption mechanisms using techniques such as brute force.

  • Legal issues: Mobile devices can be involved in crimes that span across the globe and can cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic examiner needs to be aware of the nature of the crime and regional laws.

Previous Section
End of Section 4
Next Section