
PRESENTED BY Manish Chasta, Principal Consultant, Indusface

Android Forensics
Manish Chasta, CISSP | CHFI

Agenda

Introduction to Android
Rooting Android
Seizing Android Device
Forensic Steps
Chain of Custody
Indian Cyber Laws

Introduction to Android

Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is responsible for maintenance and further development

Presence in the Market

According to a Gartner report, Android captured 36% market share in Q1 of 2011.
Listed as the best-selling smartphone worldwide by Canalys.

Android Architecture

Android Architecture: Linux Kernel

Linux kernel with system services:
Security
Memory and process management
Network stack

Provides drivers to access hardware:
Camera
Display and audio
Wifi

Android Architecture: Android Runtime

Core Libraries:
Written in Java
Provide the functionality of the Java programming language
Interpreted by the Dalvik VM

Dalvik VM:
Java-based VM, a lightweight substitute for the JVM
Unlike the JVM, the DVM is a register-based virtual machine
The DVM is optimized to run with limited main memory and low CPU usage
Java code (.class files) is converted into .dex format to be able to run on the Android platform

SQLite Database

SQLite is a widely used, lightweight database
Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
SQLite is a free-to-use and open source database
Zero-configuration: no setup or administration needed
A complete database is stored in a single cross-platform disk file

How can Android be used in cyber crime?

Software theft
Terrorism activity
Pornography / child pornography
Financial crime
Sexual harassment cases
Murder or other criminal activities

Forensic Process: An Open Source Approach

Seizing the device
Creating a 1:1 image
Recovering the useful data
Analyzing the image to discover evidence
Maintaining the chain of custody

Seizing Android Device

If the device is off: do not turn it on
If the device is on: leave it on and keep the device charging
Take photos of the device and its display
Seize all other accessories available, e.g. memory card, cables etc.
Label all evidence and document everything

Creating 1:1 Image

Creating an image of the memory card
Creating an image of the device

Creating Image of Memory Card

FAT32 file system
Easy to create an image
In most cases, applications won't store any sensitive data on the memory card
A number of commercial and open source tools are available

Creating Image of Memory Card

Using WinHex

Creating Image of the Device

Android's file systems
Importance of rooting
Rooting a Samsung Galaxy device

Rooting Android Device

Step 1: Download the CF-Root kernel files and the Odin3 software

Rooting Android Device

Step 2: Put the handset in debugging mode

Rooting Android Device

Step 3: Run Odin3

Rooting Android Device

Step 4: Reboot the phone in download mode
Step 5: Connect it to the PC

Rooting Android Device

Step 6: Select the required files, i.e. the PDA, Phone and CSC files
Step 7: Tick Auto Reboot and F. Reset Time and hit the Start button

Rooting Android Device

If your phone is rooted, you will see PASS!! in Odin3

Creating Image of the Device

Taking a backup with dd
Low-level copying and conversion of raw data
Creates a bit-by-bit image of the disk
The output can be read by any forensic tool
Typical syntax: dd if=/dev/SDA of=/sdcard/SDA.dd
Interesting locations:
/data/data/
/data/system/

Creating Image of the Device

Creating Image of the Device

Taking an image with the viaExtract tool

Recovering Data
Using WinHex

Analysing Image
Reading the image
Looking for KEY data
Searching techniques (DT Search)

Analysing Image
WinHex
Manual intelligence
viaExtract

Analyzing SQLite
SQLite stores the most critical information
An interesting place for investigators
Tools:
Epilog
SQLite Database Browser
sqlite_analyzer

Analyzing SQLite
Epilog

Maintaining Chain of Custody

What is Chain of Custody?
The CoC record can contain the following information:
What is the evidence?
How did you get it?
When was it collected?
Who has handled it?
Why did that person handle it?
Where has it travelled, and where was it ultimately stored?
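The dd acquisition and the chain-of-custody record described above, as an added shell example that is not part of the original slides: it images a source with dd, hashes source and image, appends a custody record (when, who, what, where it went, both hashes), and lets the image be re-verified later against that record. It assumes POSIX sh with dd and sha256sum (or shasum) available; the paths, examiner name and log format are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes POSIX sh, dd and
# sha256sum (falls back to shasum -a 256). Paths and log format are constructed.

# Print only the SHA-256 hex digest of a file.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SOURCE IMAGE LOG EXAMINER
# Bit-for-bit copy of SOURCE to IMAGE with dd, then hash both and append one
# tab-separated custody record: when, who, what, where it went, both hashes.
# Returns 0 only when the image hash equals the source hash.
image_and_verify() {
    src=$1; img=$2; log=$3; examiner=$4
    # On a real block device add conv=noerror,sync so a bad sector does not
    # abort the copy; note that sync pads the last partial block with NULs,
    # which changes the image hash unless the source is a multiple of bs.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 2
    src_hash=$(file_hash "$src")
    img_hash=$(file_hash "$img")
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$examiner" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Recompute the image hash and compare it with the hash recorded at
# acquisition; any later modification of the image file makes this fail.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -F'\t' -v f="$img" '$4 == f { h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$(file_hash "$img")" = "$recorded" ]
}
```

Every handover of the image file should be followed by verify_image so that the custody record and the current image hash are shown to agree at each step.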

Indian Laws covering Digital Crimes

We can categorize cyber crimes in two ways:
The computer as a target
The computer as a weapon

Indian Laws:
IT Act 2000
IT (Amendment) Act, 2008
Rules under sections 6A, 43A and 79

MIT site: http://mit.gov.in/content/cyber-laws

Manish Chasta
manish.chasta@owasp.org chasta.manish@gmail.com
