
Android Forensics

Investigation, Analysis,
and Mobile Security for
Google Android

Andrew Hoog

John McCash, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
SYNGRESS
Syngress is an imprint of Elsevier
Contents

Acknowledgements xiii
Introduction xv

About the Author xix

CHAPTER 1 Android and Mobile Forensics 1

Introduction 1
Android Platform 1

History of Android 3

Google's Strategy 7

Linux, Open Source Software, and Forensics 10


Brief History of Linux 11
Android Open Source Project 25
AOSP Licenses 26

Development Process 27
Value of Open Source in Forensics 27

Downloading and Compiling AOSP 29


Internationalization 31

Unicode 31
Keyboards 31

Custom Branches 32

Android Market 33

Installing an App 34

Application Statistics 37
Android Forensics 37

Challenges 38
Summary 38
References 39

CHAPTER 2 Android Hardware Platforms 41


Introduction 41

Overview of Core Components 41


Central Processing Unit 41
Baseband Modem/Radio 42

Memory (Random-Access Memory and NAND Flash) 42


Global Positioning System 43

Wireless (Wi-Fi and Bluetooth) 43

Secure Digital Card 44

Screen 44

Camera 44

Keyboard 45

Battery 45
Universal Serial Bus 46
Accelerometer/Gyroscope 46
Speaker/Microphone 46
Overview of Different Device Types 47
Smartphone 47

Tablet 47

Netbook 48

Google TV 48

Vehicles (In-board) 48

Global Positioning System 49


Other Devices 49
ROM and Boot Loaders 49
Power On and On-chip Boot ROM Code Execution 50
Boot Loader (Initial Program Load/Second Program Loader) 50
Linux Kernel 51
The Init Process 51
Zygote and Dalvik 54
System Server 54
Manufacturers 56

Android Updates 57
Custom User Interfaces 58
Aftermarket Android Devices 58
Specific Devices 59

T-Mobile G1 59
Motorola Droid 59
HTC Incredible 60

Google Nexus One 60

Summary 62
References 62

CHAPTER 3 Android Software Development Kit and Android Debug Bridge 65
Introduction 65
Android Platforms 65
Android Platform Highlights Through 2.3.3 (Gingerbread) 67
Software Development Kit (SDK) 71
SDK Release History 71
SDK Install 72
Android Virtual Devices (Emulator) 81
Android OS Architecture 86
Dalvik VM 87

Native Code Development 88


Android Security Model 88
Forensics and the SDK 90

Connecting an Android Device to a Workstation 90


USB Interfaces 94
Introduction to Android Debug Bridge 100
Summary 102
References 103

CHAPTER 4 Android File Systems and Data Structures 105

Introduction 105

Data in the Shell 105

What Data are Stored 106
App Data Storage Directory Structure 106
How Data are Stored 107
Type of Memory 125
RAM 125
File Systems 132
rootfs, devpts, sysfs, and cgroup File Systems 133
proc 136
tmpfs 137
Extended File System (EXT) 140
FAT32/VFAT 140
YAFFS2 141
Mounted File Systems 153
Mounted File Systems 154
Summary 157
References 157

CHAPTER 5 Android Device, Data, and App Security 159

Introduction 159

Data Theft Targets and Attack Vectors 160
Android Devices as a Target 160
Android Devices as an Attack Vector 168
Data Storage 168
Recording Devices 169
Security Considerations 170
Security Philosophy 170
US Federal Computer Crime Laws and Regulations 172

Open Source Versus Closed Source 173

Encrypted NAND Flash 175

Individual Security Strategies 176


Corporate Security Strategies 178
Policies 178
Password/Pattern/PIN Lock 178
Remote Wipe of Device 179
Upgrade to Latest Software 180
Remote Device Management Features 181
Application and Device Audit 183
App Development Security Strategies 184
Mobile App Security Testing 184

App Security Strategies 186

Summary 192

References 193

CHAPTER 6 Android Forensic Techniques 195


Introduction 195

Types of Investigations 195


Difference Between Logical and Physical Techniques 196
Modification of the Target Device 197
Procedures for Handling an Android Device 198
Securing the Device 199
Network Isolation 200
How to Circumvent the Pass Code 203
Imaging Android USB Mass Storage Devices 211

SD Card Versus eMMC 211

How to Forensically Image the SD Card/eMMC 212

Logical Techniques 218

ADB Pull 218

Backup Analysis 219


AFLogical 220
Commercial Providers 228

Physical Techniques 266


Hardware-Based Physical Techniques 268
JTAG 268
Chip-off 270
Software-Based Physical Techniques and Privileges 270

AFPhysical Technique 278

Summary 284
References 284

CHAPTER 7 Android Application and Forensic Analysis 285


Introduction 285

Analysis Techniques 285


Timeline Analysis 285
File System Analysis 288
File Carving 291

Strings 293

Hex: A Forensic Analyst's Good Friend 296


Android Directory Structures 301
FAT Forensic Analysis 308
FAT Timeline Analysis 309
FAT Additional Analysis 316
FAT Analyst Notes 317
YAFFS2 Forensic Analysis 321
YAFFS2 Timeline Analysis 324
YAFFS2 File System Analysis 330
YAFFS2 File Carving 332
YAFFS2 Strings Analysis 334
YAFFS2 Analyst Notes 335
Android App Analysis and Reference 340
Messaging (sms and mms) 340
MMS Helper Application 341
Browser 342
Contacts 347
Media Scanner 349
YouTube 350
Cooliris Media Gallery 353
Google Maps 354
Gmail 358
Facebook 360
Adobe Reader 363
Summary 363
References 364

Index 365
