10 Mobile Forensics (Android)

The document discusses the importance of mobile forensics, particularly focusing on Android devices, which are significant sources of evidence due to the information they store. It highlights the examination of the AndroidManifest.xml file to identify potentially malicious applications based on their permissions and provides a brief overview of analyzing SQLite databases, specifically from BlackBerry Messenger. The tutorial serves as an introduction to Android forensics, with a promise of a more comprehensive series to follow.
Digital Forensics, Part 10 Mobile Forensics (Android)

Over the past decade or so, the mobile market has been the fastest-growing
segment of the IT industry. We now have portable smartphones and tablets in
use throughout the consumer and business markets. These add an extra
challenge for the forensic investigator, but they can also contain a
cornucopia of information and evidence of the suspect's activity: text (SMS)
messages, emails, browsing activity, installed apps, etc. The overall impact
is that the mobile device may be the greatest repository of information on
your suspect.

Before you begin this tutorial, you may want to take a look at the Android
Basics tutorial here. In addition, Android forensics is a large and complex
task worthy of an entire book, just like Windows, Linux or Mac forensics, so
we will attempt to cover only one small segment of Android forensics here.
Look for my upcoming series and course on Android forensics.

Android Forensics

In this tutorial we will be examining the .xml manifest file from an Android
device. In examining an Android device there are three primary areas we
want to focus on:

(1) /Root/system/packages

(2) AndroidManifest.xml

(3) the applications themselves, which are .apk files

The manifest file contains a list of all the applications installed on the
device and their associated permissions all in .xml format. Often we can
identify malicious packages this way by examining the permissions of the
applications. In other words, if an application has permissions that are not
required by its functionality, it should be considered suspect and is
probably malicious.

Here we have an .xml file from an Android device and have moved it to
our desktop. When we open it with an XML-enabled browser, we should
see a file similar to that below.

Navigate to the ledflashlight application permissions. It should be about
mid-way down the file. If you have difficulty finding it, use the search
function and it will find all the instances of "ledflashlight". The one we
want contains the application permissions, as seen below.

Note that this application, a flashlight app, has permissions to:

(1) READ_EXTERNAL_STORAGE

(2) INTERNET

(3) WRITE_EXTERNAL_STORAGE

A legitimate flashlight application is unlikely to require those permissions.
We should be suspicious of this application! It is more than likely malware.
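
The permission check described above can be automated rather than done by eye. The following is an added example (not code from the tutorial or from any Android tool): it parses a constructed AndroidManifest.xml for the flashlight app and reports every declared permission that falls outside a hypothetical baseline of what a flashlight app plausibly needs; the baseline, package name and manifest contents are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Attribute names in an Android manifest live in the "android" XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: not the file from the tutorial's device, but it
# declares the same three permissions the tutorial flags, plus the two a
# flashlight app plausibly needs to drive the LED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ledflashlight">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <application android:label="LED Flashlight"/>
</manifest>
"""

# Hypothetical baseline (an assumption for this example, not an Android rule):
# the LED is driven through the camera API on older devices, so CAMERA and the
# legacy FLASHLIGHT permission are the only ones a flashlight app has a reason
# to request.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}


def declared_permissions(manifest_xml: str):
    """Return (package name, set of <uses-permission> names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return package, {n for n in names if n}


def excess_permissions(manifest_xml: str, baseline: set):
    """Permissions the app declares beyond what its function justifies.

    A non-empty result is the signal the tutorial describes: the app asks
    for more than it needs and deserves a closer look."""
    package, declared = declared_permissions(manifest_xml)
    return package, sorted(declared - baseline)


if __name__ == "__main__":
    pkg, extra = excess_permissions(SAMPLE_MANIFEST, FLASHLIGHT_BASELINE)
    print(f"{pkg}: {'SUSPECT' if extra else 'permissions match baseline'}")
    for perm in extra:
        print("  unexplained permission:", perm)
```

The same function works on any manifest extracted from an .apk (the file inside the package is binary XML and must first be decoded with a tool such as apktool); only the baseline changes per app category.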

SQLite Analysis of BlackBerry Messenger on Android

Many applications on mobile devices store information in a SQLite
database. Because SQLite is a full relational database that is also very
lightweight, it is ideal for mobile devices.

In this lab, we will examine the SQLite database from BlackBerry
Messenger on an Android device. We will need SQLite Browser. If you are
using Kali, it is pre-installed; otherwise you can download it from here. If
you did the Browser Forensics tutorial, you should already have it
installed on your machine.

Here, we use the SQLite Browser to open the master.db from an Android
device. Select File and then "Open Database" and click on master.db. It
should look like the screenshot below.

Note that in the main window to the left, we see all 62 tables and the
commands to create them under the Schema column.

Next, click on the "Browse Data" tab at the top of the main window. You
should see a screen like that below. Note that in the right window we have
a listing of all 62 tables. If we want to see the data in a table, we can
simply select the table in the "Table" pull-down menu at the top of the
main window.

In our case here, we want to see the table "File Transfers". Select it from
the pull-down menu.

When you do, the main window will be populated with data from the "File
Transfers" table. As you can see, we have two file transfers. Both of these
file transfers are .jpeg files. If we expand the path column we can see
where they are stored on the device.

If we scroll left through these columns we will see columns named
"UserID" and "Incoming". These columns reveal that both file transfers
were done by User ID 10, and the Incoming column reveals that the first
was incoming and the second was outgoing (not incoming). Obviously, this
type of information could be useful as evidence that the suspect either
sent or received a malicious or illegal file from that phone.
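
The same questions can be put to the database directly with SQL, which is easier to repeat and document than clicking through the GUI. This is an added example, not part of the tutorial: it builds a constructed stand-in for master.db with a single file-transfers table (the column names, paths, user id and timestamps are assumptions; the real BBM schema is not reproduced), lists the tables the way the Database Structure tab does, and reports each transfer with its direction and a UTC timestamp.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_master_db() -> sqlite3.Connection:
    """Constructed stand-in for the tutorial's master.db (assumed schema).

    Only one table is modelled, with the columns the tutorial walks through
    (path, UserId, Incoming); the real BBM schema is not reproduced here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE FileTransfers (
                        TransferId INTEGER PRIMARY KEY,
                        UserId     INTEGER NOT NULL,
                        Incoming   INTEGER NOT NULL,  -- 1 = received, 0 = sent
                        Path       TEXT    NOT NULL,
                        Timestamp  INTEGER NOT NULL)  -- seconds since the epoch""")
    conn.executemany("INSERT INTO FileTransfers VALUES (?, ?, ?, ?, ?)", [
        (1, 10, 1, "/sdcard/BBM/IMG_0041.jpeg", 1400000000),          # received
        (2, 10, 0, "/sdcard/DCIM/Camera/IMG_0042.jpeg", 1400003600),  # sent
    ])
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection):
    """Table names, as the Database Structure tab of SQLite Browser shows them."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def file_transfers(conn: sqlite3.Connection, user_id=None):
    """Each transfer with its direction spelled out and its timestamp in UTC."""
    sql = "SELECT TransferId, UserId, Incoming, Path, Timestamp FROM FileTransfers"
    params = ()
    if user_id is not None:
        sql += " WHERE UserId = ?"
        params = (user_id,)
    result = []
    for tid, uid, incoming, path, ts in conn.execute(sql + " ORDER BY Timestamp", params):
        result.append({
            "id": tid,
            "user_id": uid,
            "direction": "incoming" if incoming else "outgoing",
            "path": path,
            "when": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        })
    return result


if __name__ == "__main__":
    db = build_sample_master_db()
    print("tables:", list_tables(db))
    for t in file_transfers(db, user_id=10):
        print(f"{t['when']}  user {t['user_id']}  {t['direction']:8}  {t['path']}")
```

Against a real image, replace the in-memory connection with sqlite3.connect on a working copy of master.db, never on the original evidence file, and check the table's actual timestamp unit (seconds versus milliseconds) before converting.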

This is just a taste of what we can learn from a thorough forensic analysis
of an Android device. Look for my upcoming series and class on Android
forensics, where we will cover Android forensics thoroughly from top to
bottom!
