ANDROID FORENSICS

MOBILE
VOL.2NO.4

STEP BY STEP ANALYSIS OF FACEBOOK AND TWITTER DATA ON ANDROID DEVICES EMULATION DETECTION TECHNIQUES FOR ANDROID ANDROID FORENSICS A CASE STUDY OF THE NAXUS S VIRTUAL DEVICE APPROACH TO EXTRACTING DATA USING HARDWARE AND SOFTWARE MECHANISMS POTENTIAL IDENTITY THEFT OVER APPLES iOS DEVICES CELLEBRITE A STANDARD IN MOBILE FORENSICS HOW TO ADDRESS END USER RISK AGREEMENT FOR BYOD
Issue 03/2013 (8) April

STATE_OF_ART OF MOBILE FORENSICS

Comparative research of techniQues on BLackBerry OS (incL. PLayBook) and Android OS
by Yury Chemerkin

At present, the BlackBerry holds the palm of insufficient security examination despite of existing approaches more than Android (because Android was not developed to be secured) but all security techniques implemented in these mobile devices are indecisive argument on security. It means its argument to the forensics. All security agencies are facing with dealing with mobiles forensics repeatedly.

What you will learn:

Whats the difference between similar mobile OS based on different kernels (BB OS, Playbook OS) Hows differ the Android forensics from BlackBerry

What you should know:

Basic knowledge on forensics Android & BlackBerry Basic knowledge on classic forensics techniques and live forensics (live monitoring) techniques

orensics tools may give incredible opportunity to gain all kind of data but there are too many slight objections. Until companies go in only one of ways classic forensics or live monitoring (DLP or else) it fails, because of limited cases and therefore forensics field need more effective synthesis of mechanism.

Mobile device forensics is relating to recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to other forensics. Mobile extraction techniques tend to be unique less especially throughout logical acquisition. This level manages with known data types for any user and this data set rarely differs

Introduction

among of iOS, Android or BlackBerry. Data set often contains the following items such as messages (SMS/ MMS/Email/IM), social network data, contacts, calendar, phone logs, wallet and other financial application data, media data (Audio/Photos/Videos) and other data even file structure, browser data (web history as a timeline and bookmarks), and shared folders. Nowadays mobile devices provide amount of features to integrate all possible communications following aggregation with data on BlackBerry as well as Android. The native and third party applications often connect to the email, maps IM messenger and social statutes. They keep users connected and do far more. The BlackBerry apps environment is known is wide-bind and amazing than Android. On another hand, An-

22

STATE_OF_ART OF MOBILE FORENSICS

droid has enough not only third-party applications that is very different but also hundreds variations depend on manufacturer. As opposed to the BlackBerry PlayBook is on QNX OS offers implemented modern technologies take away from real development. All above brings in the zoo-world of mobile phones and highlights issues of misusing security techniques in development area. New special skills that forensics experts required rarely based on experience only. Each year the classic forensics techniques face on a huge problem while live forensics (or live monitoring) gives new opportunities to manipulate with data. Sometimes, company IT Policy or OS vision may be helpful to be sure that no triggers will break investigation. Physical approach is trust but nonoperability, while logical is more dangerous because of synchronization process via network, cellular, and OTA. There are too many cases when it cannot afford not to use prevent methods or tools to simplify the classic forensics. This paper describes technical problems encountered by forensics as well as different live solutions maybe useful and those became right way with vendors development. There are several techniques are pertaining to mobile forensic: Physical acquisition technique is a bit-by-bit copy of an entire physical stories, doing a full physical copy (i.e., all the bits in memory, not just the files) of the entire memory store on the device. Logical acquisition technique is a bit-by-bit copy of logical storage objects (e.g., directories and files). Using commercially available forensic software tools (as extend previous) which, as time passes, are becoming increasingly more capable and sophisticated. Backup this technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, and emails, texts) to be preserved. Manual acquisition technique is user interface utilizing to get pictures of data from the screen, simply manipulating the phone (by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the results. As the manual acquisition has no difference among mobile devices, so it would be missed as well as physical acquisition aimed to gain deleted data without relying on the file system itself. Logical techniques highlights easy and fast data extracting, "simple" data type (format) or SQL-based type (format).
www.eForensicsMag.com

Potential attack vector can be various, however, the most popular of them are:
Table 1. Extractable data

PotentiaL Data as Evidence

Type
Address Book Calendar Events Call History Browser history and bookmarks Process Management Memos and Tasks Screen-shots Camera-shots Videocamera-shots Clipboard

OS BlackBerry BlackBerry Smarpthone Playbook

+ + + + + + + + + + + + + + + + + + + +

Location tracking (cell, wifi, + gps, bluetooth) SMS/MMS/Emails/IM Saved Messages Pictures, Videos, Voice notes, and other files File and Folder structure IMs Passwords Clipboard + + + + + + +

Approach

One of the main ongoing considerations for analysts is preventing the device from any network changes that is achievable for PlayBook sometimes, which has not cellular connection, but only a network connection (Wi-Fi, 4G). As mentioned early it might bring in new data. However, any interaction with the devices like plugging and unplugging the device will modify them. The first idea is dismounting encryption or preventing of blocking to examine the device while it is running. PlayBook as another else device is difficult to analyze forensically without negative affecting because of storage cannot be easily removed, storage is only internal and there no external storage like SD-card as it is for BlackBerry smartphone. The worst case in forensics is remote wiping initiated or data added/overwritten outside control from any triggers often SMS or incoming call is impossible through BlackBerry Bridge even: SMS for
23

Network IsoLantion

BlackBerry Bridge simply didnt developed and incoming call notification cannot be caught as well as all Bridges events throughout API. Nevertheless, forensics experts still have to prevent a connection. A powerful way airplane mode (or the same named in different way) helps. Android problem to stop network communications is awful GUI and forensics officer should press and hold the Power off button and select Airplane mode at first (if this hotkey will work) or then press Menu (from the home screen), Settings, finally, the Wireless option which is generally near the top. Its only to disable cellular network while to block wireless connection like Bluetooth or Wi-Fi he have to walk out home screen to the settings that have upset because time is counting and no one can be sure if setting GUI is the same among devices. BlackBerry allows do it very quickly by clicking on tray on home screen. BlackBerry (smartphone) was primary engineered for email and come with a built-in mobile phone providing access to the email from anywhere. It is always on and participating in wireless push technology and does not require any kind of desktop synchronization like the others. BlackBerry PlayBook is an add-on for BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone. PlayBook does not have neither push technology for email/ calendar/else (only IMAP4 and POP3 except MS Exchange link) nor BIS except BlackBerry Mobile Fusion that managed non-blackberry smartphone devices and BES existed in company. In addition, email and social accounts may broke and ask user reenter his password that may help to discard pushing data. It means the PlayBook is not all always on there is rarely types of information can be pushed to it following overwriting or deletion. Similar to the PlayBook, Android gives a time to change network state. For example, only main email box folders maybe changed via IMAP or Exchange because PlayBook or Android need a time or manually update-button pressing to retrieve new data from Internet. As opposed to smartphone, PlayBook and Android was made filled by stand-alone applications that might use internet connect in standby mode or when applications swiped down; by default, PlayBook has option to restrict activity in this state. The PlayBook address-book application has Facebook, Twitter and LinkedIn connections, but synchronizing has never happened before user runs application and waits until it is done. Sometimes it takes one minute even or more.
24

BlackBerry devices come with password protection and attempt limit (by defaults five out ten, min three out ten; PlayBook may differ from five to ten where ten is often for PlayBook device and five is for BlackBerry Desktop Software and plugged PlayBook). If it is exceed, device will wipe then (factory resetting). All data stored on external memory will keep because thats not part of the factory configuration if talking about smartphone not PlayBook, which has not external storage. The ability to circumvent the pass code on an Android device is becoming more important as they are utilized frequently and do not allow data extraction in most cases as well as for BlackBerry. There are three types of pass codes on Android. pattern lock as default on the initial Android devices when users are accessing the device should draw a pattern on the locked phone. pass code is the simple personal identification number (PIN) which is commonly found on other mobile devices. full alphanumeric code thats more secure than PIN. If the device screen is active, it should be checked to change existing short period (from less than a minute up to about 1 hour). BLackBerry Accessing encrypted information stored in password-protected backups it possible via Elcomsoft products that offer to restore the original password of backup and device. The toolkit allows eligible customers acquiring bit-to-bit images of devices file systems, extracting phone secrets (pass codes, passwords, and encryption keys) and decrypting the file system dump. It also reads BlackBerry Wallet data and Password Keeper data. The recovery of BlackBerry password is possible only if the user-selectable Device Password security option is enabled to encrypt media card data. Android As Android devices used the pattern lock for pass code protection instead of a numeric or alphanumeric code, theres an interesting option that a clean touch screen is primarily, but touch screen marked with fingerprint and fingerprints directed a good solution to bypass pattern lock. Therefore, it is possible to determine the pattern lock of a device by enhancing photographs of the devices screen [6]. Android has so-called Password and Pattern Lock Protection. Password Lock can contain characters, numbers, and special marks while the first

Password Protection

Push-TechnoLogy

Password Extraction and Byspassing

STATE_OF_ART OF MOBILE FORENSICS

of them looks like a number set of gestures that must be performed to unlock device where is allowed to choose at least four of nine points in tendigit set. Directions between them will be stored in file /data/system/gesture.key on internal storage as hashed sequence of byte via SHA-1. Password Locks file is stored in file /data/system/pc.key on internal storage as hashed sequence of byte via SHA-1 too. It works only if the device is already rooted and has USB Debugging mode ON. Live techniQues (or spyware) Security researcher Thomas Cannon [6] developed a technique that allows a screen lock bypass by installing directly an app through the new webbased Android Market. The procedure is quite simple really. Android sends out a number of broadcast messages that an application can receive, such as SMS received. An application has to register its receiver to receive broadcast messages. Once application launched it is just calling the disableKeyguard() method in KeyguardManager. This is a legitimate API to enable applications to disable the screen lock e.g. an incoming phone call is detected. Similar techniques for BlackBerry were discussed [1], [4], [5]: default feature to show password without asterisks that's a possible to screen-capture. If screenshot API isnt disable it works (by de faults its allowed) scaled preview for typed character through virtual keyboard. It works too and maybe screenshooted. As further consideration agent may XOR two screenshots and extract preview of pressed key as well as typed text. stealing password during synchronization from BlackBerry Desktop Software. It works because of security issues of Windows API. Moreover, it works not only to grab device password but backup password too. redrawing fake-window to catch typed password on device. Some social engineering aspect to announce something is crashed and lock the device, please unlock by re-entering a password The last two techniques (stealing and redrawing) work on PlayBook as well. Moreover, developers must have a swipe-down event listeners else application will not be closed or minimized until battery discharges. Gathering Logs and Dumps The main evidence procedure violates the forensic method by requiring to record logs kept and dump. It is possible to view some debug log on the device
www.eForensicsMag.com

pressing hotkeys on BlackBerry smartphone, while Android and Playbook did not provide the same feature, or throughout SDK Tools. BLackBerry Smartphone The BlackBerry SDK tools or BBSAK Allow to extract BlackBerry event logs to the text file via USB. Two tools named javeloader.exe and loader.exe allow to extract not only events logs but also dump of device, all executable modules (.cod file), with dependence modules, screenshots, device info. The first of them needs PIN and Password while the second does not [1]. BLackBerry PLayBook All SDK provided by RIM, e.g. Adobe Air SDK has a tool blackberry-connect is just a wrapper for Connect.jar. But before connect RSA key-pair should be generated by ssh-keygen -t rsa -b 4096 and Dev Mode option enabled. Then should be typed target ip (often 169.254.0.1 for USB), device password and ssh key as parameters. This tools extracts device information (like os, fingerprint, hardware id, vendors id, debug mode tokens, etc.), application list information (like module, version, icon ID, name, vendor, source, etc.) and more. Also, Wi-Fi logs stored ip, dns, subnet mask, information about (un-)successful attempts may only be analysed by manual acquisition. Android Some kind of data storage mechanism providing the low-level interaction with the network, web servers, etc. is available to the developers to store and retrieve via packages named as java.net and android.net. Such log-files store actions with date and time stamps, error/warning/successful authenticate events, logins, some data as email addresses, access keys, private keys or application id keys as well as SQL db files may store all upload, downloaded and transferred data via an application often without ciphering. They might contain as much more data than BlackBerry if only developers hear and use them. Similar to the BlackBerry, Android has an SDK tool adb to gather information too that as a daemon running on the device and proxies the recursive copy only runs with shell permissions. Successful accessing aims to extracting (copying) the entire /data partition to the local directory and such useful files such as unencrypted apps, most of the tmpfs file systems that can include user data such as browser history, and system information found in /proc, /sys, and other readable directories. Backup BLackBerry Smartphone and TabLet Managing with backup starts with BlackBerry Desktop Manager that results .ipd (early, now it is
25

CLassic Forensics

.bbb file is just compress with tar) in a destination folder. This file stores on BlackBerry smartphone very granulated data (incl. settings) like Address Book, Alarm, Attachment, AutoText, BlackBerry Bridge, BlackBerry Wallet, Bluetooth, Browser, Calendar, Camera, Certificate, etc. on BlackBerry tablet only Application Data, Media and Settings. As PlayBook does not provide native Password Wallet, many third party applications often save data in shared\ documents folder in .db format easy analysed if no encryption. BLackBerry SimuLation This feature unfortunately unavailable for Android and PlayBook, despite of thats very useful and valuable. The BlackBerry Simulator built for simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or else not to alter the data on the physical device. Android Android did not provide a mechanism for users to backup their personal data despite of that the backup API is now available the synchronization provide outlook linking. Instead, a large number of backup applications were developed and distributed on the Android Market, often with Save to SD Card feature as well as putting into cloud. Anyway, backup area is covered by following items: Application installers (if phone has root access, this includes APK Data and Market Links) Contacts, Call log, Calendars Browser bookmarks SMS (text messages), MMS (attachments in messages) System settings Home screens (including HTC Sense UI) Alarms, Dictionary, Music playlists Integrated third-party applications

There some situations that is not desirable to shut down, seize the digital device, and perform the forensic analysis at the lab. For example, if there is an indication that an encryption mechanism is used on the digital device that was discovered, then the investigator should not shutdown this digital device. Otherwise, after shutdown all the information (potential evidence) that was encrypted will be unintelligible. By performing Live Analysis, the investigators attempt to extract the encryption key from the running system.
26

Live Forensics (incLude fiLes on storage)

An up-to-date BlackBerry has many data, such as several mobile or home phone number, faxes, emails, work and home addresses, web-pages or dates; IM data and social data, private data such as tracking info, habits, time marked a free, time when users possible sleeping, time when users at home/company can come to light and many else. However, all those can be extracted only with API or Backup file. Androids data set stores on internal storage and on external, but only internal storage keeps a strong folder structure because Android API controls it. Typically internal place to store any kind of data is /data/data/ where cache and databases stored in PackageName folder. Android data stored on internal and external storage as binary (or simply text) files as well as packed into xml or SQLlite database formats. XML format allows including Boolean, integer, float or string data types provide developers to create, load, and save configuration values that power their application. Internal files allow developers to store very complicated data types and saved them in several places on the internal storage that by default, can only be read by the application and even the device owner is prevented from viewing the files unless they have root access. While files stored on the internal devices storage have strict security and location parameters, files on the various external storage devices have far fewer constraints. SQLite is one of the most popular database formats appearing in many mobile systems for many reasons such as high quality, open source, tend to be very compact, cross-platform file, and finally, cause of the Android SDK provides API to use SQLite databases in their applications. The SQLite files are generally stored on the internal storage under / data/data/<packageName>/databases without any restrictions on creating databases elsewhere. The Android contact (address book) data is stored in file /data/data/com.android.providers. contacts on internal storage. This stores the call logs for the device in the calls table. There are over 30 tables in contacts2.db contains additional values about contacts and additional data about some extending by different accounts Gmail, Exchange, Facebook, Twitter, etc. If pictures of the contacts are available, they are stored in the files directory and named thumbnail_photo_[NNNNN].jpg. Additionally, a Facebook data stores in file /data/data/com.facebook/fb.db and contains nearly all of the information includes albums, info_contacts, notifications, chatconversations, mailbox_messages, photos, chatmessages, search results, default user images, mailbox profiles, stream photos, events, mailbox threads, friends and others. Gmail data is located in /data/ data/com.google.android.gm which stores each configured Gmail account via separate SQLite

STATE_OF_ART OF MOBILE FORENSICS

database filled by the entire e-mail content. GMaps data located on /data/data/com.google. android.apps.maps stores amount of information about maps, tiles, searches, and more in the files directory often provide by search_history.db or actual spoken directions stored as map data on the SD card in .wav files; the time stamps on the file prefaced with a ._speech simplify movement timeline. In addition, Android provide a file-folder storage located /data/data/com.android.providers.telephony filled by the MMS attachments (images, video, or any other supported data), sms message as database table with all messages. A bit more information filepath /data/data/com.android.mms provides with cached data or data is outcoming. Clipboard is breakable too because user have to see a password to retype in another application that can easily be screen-captured or to copy into clipboard that not protected, because user still have to put data (password) into non-protected text-box, sometimes in plaintext even. In other words, endpoint object is vulnerable. As Clipboard API exists like getClipboard() on BlackBerry, getData() on PlayBook, getText() on Android. To access to the Pictures, Videos, Voice notes, and other files, some of them may be videocaptured or audiocaptured, forensics expert rarely need to intercept API events or break root rights; all needs is listen file events of creating and deleting files or grab these files from internal/external storage. Pictures are more inquisitive as camera-snapshots since it has EXIF-header. Metadata is, quite simply, data about data. EXIF header is stored in an application segment of a JPEG file, or as privately defined tags in a TIFF file. Not only basic cameras have these headers, but both mobile devices provide the Camera Make as RIM/ BlackBerry/Android/HTC data as well as Camera Model may often be device model. GPS or date tag often renames filename by placing into beginning city name except Android and PlayBook. They place GPS and date tag in EXIF only. Instant messaging is a well-established means of fast and effective communication. IM forensic were to answer the two questions as identifying an author of an IM conversation based strictly on author behaviour and classifying behaviour characteristics. For example, BlackBerry smartphone stores all chats (from Google, Yahoo, Windows Live, BlackBerry Messenger, AIM(AOL)) in plaintext mode in .csv file. File paths are often easy to find too [1]. On Playbook each application has access to its own working directory in the file system, and might access to the shared folder (sandbox) because of the access to the files and folders governed by UNIX-style groups and permissions. It means applications cannot create new directories in the
www.eForensicsMag.com

working directory; they can only access the folders listed below.
Table 2. Playbook shared folders structure

Folder
app data

What data contains

The installed applications files. The applications private data. The applications temporary working files. System logs for an application (stderr and stdout) Subfolders that contain shared data grouped by type. Web browser bookmarks that can be shared among applications. eBook files that can be shared among applications. Data copied or cut from another application (txt, html, uri format). Documents that can be shared among applications. Web browser downloads.

Access type
read-only read and write access read and write access read and write access no access

temp

logs

shared

shared/ bookmarks shared/ books shared/ clipboard shared/ documents shared/ downloads

read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access read and write access

shared/misc Miscellaneous data that can be shared among applications. shared/ music shared/ photos shared/ videos shared/ voice Music files that can be shared among applications. Photos that can be shared among applications. Videos that can be shared among applications.

Audio recordings that can be read and shared among applications. write access

Despite of mentioned folders there is ability to recreate folder structure partially and have readonly access to files [7].
27

References

[1] Y. Chemerkin, To get round to the heart of fortress, Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 3 Issue 03/2011 (03) ISSN 1733-7186, pp. 2037, August 2011 [2] Y. Chemerkin, Comparison of Android and BlackBerry Forensic Techniques, Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 11 4 Issue 04/2012 (11) ISSN 1733-7186, pp. 2836, April 2012 [3] Y. Chemerkin, When Developers API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 2 2 Issue 02/2012 (3) ISSN 1733-7186, pp. 1621, February 2012 [4] Y. Chemerkin, When Developers API Simplify User-Mode Rootkits Development Part II, Hakin9 OnDemand Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 4 Issue 04/2012 (4) ISSN 17337186, pp. 5681, July 2012 [5] A. Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android. Syngress, 2011. [6] D. M. Gomez, A. Davis, BlackBerry PlayBook Security: Part one. NGS Secure, 2011. [7] Y. Chemerkin Insecurity of blackberry solutions: Vulnerability on the edge of the technologies, vol. 6, pp. 20-21, December 2011 [Annual InfoSecurity Russia Conf., 2011] [8] Y. Chemerkin, BlackBerry Playbook New Challenges Hakin9 E-Book Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 3 Issue 03/2012 (3) ISSN 1733-7186, pp. 134, September 2012

The BlackBerry devices as well as Android devices share the same evidentiary value as any other Personal Digital Assistant (mobile device). As the investigator may suspect of most file systems, a delete is by no means a total removal of data on the device. However, the BlackBerry smartphone is always-on, wireless push technology adds a unique dimension to forensic examination. Android and Playbook instead tends to be more offline and wake up by user actions. Moreover, the trend of app world installation only is coming that means complication only. All mentioned above highlights value and up-todate techniques on forensics area, some of them based on issues misunderstanding development concepts or else. Similar to the BlackBerry, Pushtechnology allows information be pushed through its radio antenna at any time, potentially overwriting previously deleted data. Classic Forensics techniques or DLP system is ineffective to stop it because of time, applications that exchanged data in real-time. In addition, the password has a longterm problem. Some techniques very impactful but limited special cases. Its obvious Android should be rooted, BlackBerry smartphone should have a backup or correspond to the forensics methods and tools, while Playbook limits with shared folder only and theres no way to root it or mirror all data to the PlayBook simulator as it was for BlackBerry smartphone. The files store on external or internal storage might be useful to obtain some data stored in backup or available to API. It means forensics needs more practical and preventive techniques to extract data. Simply using developers API helps to grab data like password for social networks or mail inbox in blackberry smartphone cases that do not stored anywhere. In addition, IM chats do not store else external/internal storage and can only be accessible in way data extracting but if password is known and storage does not encrypted. It means
28

ConcLusion

live techniques through API make sense only. Moreover, there is technique preventing successful USB or Bluetooth connection as a live-agent performing DDoS to the event-listener [8]. Finally, all security holes or vendor vision about security on their OS are very astounding to use, it reduces the risks for loss of valuable data and improve existing solutions. In addition, forensics expert protected from almost all objectives capable break and stop forensics investigation.

Currently in the postgraduate program at RSUH on the Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also, researching Cloud Security and Social Privacy. The last several years, worked on mobile & social security, forensics, cloud security & compliance & transparency. yury.chemerkin@gmail.com

Author bio