My Android Analysis
Marie Whiting
University of Advancing Technology
MY ANDROID ANALYSIS
Android, turn on USB Debugging. I was now prepared to continue to step (3), "Now connect the phone to a computer."
I used a mini-USB cable to connect the phone to the computer. MOBILedit cautioned in step (4), "If prompted, choose connection mode to PC Sync or COM port (NOT to Mass Storage)"; however, this prompt did not appear. The screenshot below shows these MOBILedit steps.
After connecting the phone, I received a pop-up saying that the software could not detect a phone. I wiggled the USB cable to make sure it was securely seated in both the computer and the phone. I did not receive any further response or prompt from MOBILedit, so I clicked the troubleshooting button, "Why is my phone not listed?" After checking each step in the list below and then clicking Next, my phone was found!
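The "Why is my phone not listed?" troubleshooting step comes down to the state the Android Debug Bridge reports for the handset. The following script, an added example that is not part of the original paper or of MOBILedit, classifies the entries in `adb devices -l` output so an examiner can tell a phone that is ready from one that is plugged in but still waiting for the "Allow USB debugging?" prompt to be accepted. It does not invoke adb itself; it parses the text adb prints, so it runs offline on the constructed sample below (the serials and model names are made up).

```python
"""Diagnose why an acquisition tool does not list a connected Android
phone by classifying the devices in `adb devices -l` output.

Added example, not part of the original paper or of MOBILedit. It does
not invoke adb: it parses the text adb prints, so it can be run offline
on the constructed sample below (serials and model names are made up)."""

# Constructed sample of `adb devices -l` output for this example.
SAMPLE_ADB_OUTPUT = """\
List of devices attached
0123456789ABCDEF       device usb:1-1 product:example model:Example_Phone device:example transport_id:1
ZX1G22JMKL             unauthorized usb:1-2 transport_id:2
emulator-5554          offline transport_id:3
"""

# adb's own state names, with what each means to an examiner.
STATE_HINTS = {
    "device": "ready: adb can talk to the phone",
    "unauthorized": "USB debugging is on, but the 'Allow USB debugging?' "
                    "RSA-key prompt on the phone has not been accepted",
    "offline": "adb sees the transport but cannot talk to it; "
               "replug the cable or restart the adb server",
    "no permissions": "host-side driver / udev problem, not a phone setting",
}


def parse_adb_devices(text):
    """Return [(serial, state, props)] from `adb devices -l` output."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue  # banner and daemon-status lines
        parts = line.split()
        serial, state, rest = parts[0], parts[1], parts[2:]
        if state == "no" and rest and rest[0].startswith("permissions"):
            state, rest = "no permissions", []  # adb prints this state as two words
        props = dict(tok.split(":", 1) for tok in rest if ":" in tok)
        devices.append((serial, state, props))
    return devices


def diagnose(text):
    """Map each listed serial to a one-line explanation of its state."""
    return {serial: STATE_HINTS.get(state, "unknown state: " + state)
            for serial, state, _ in parse_adb_devices(text)}


def ready_serials(text):
    """Serials an acquisition tool can actually use."""
    return [serial for serial, state, _ in parse_adb_devices(text) if state == "device"]


if __name__ == "__main__":
    for serial, hint in diagnose(SAMPLE_ADB_OUTPUT).items():
        print(f"{serial}: {hint}")
```

On a live examination host, feed `subprocess.check_output(["adb", "devices", "-l"], text=True)` into `diagnose`. A phone that is absent from the list altogether, rather than listed as `unauthorized` or `offline`, points at the cable, the host driver, or USB debugging not actually being enabled, which is the same order in which the MOBILedit troubleshooting list walks through the problem.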
With the proper steps taken and the device now recognized by MOBILedit, I was ready to run the software to collect the data on the phone.
With a click on Next, MOBILedit was ready to find and record the phonebook, organizer, messages, files, user files, call history, text messages, multimedia messages, calendars, notes, reminders, and raw application data. It can also acquire the IMEI, operating system, and SIM details. I instructed the program to collect the whole file system.
The next step was to click on the case, which was labeled Case 1.
Opening the different files gives more information. For example, the phone log shows the number of missed, outgoing, and incoming calls, and the name, number, date, and time of each call is logged.
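What the phone-log view shows is a rendering of the `calls` table in the Android call-log database. The script below, an added example that is not part of the original paper or of MOBILedit, produces the same summary (missed, outgoing and incoming counts, then name, number, date and time per call) directly from such a database. The column names and type codes follow Android's `CallLog.Calls` provider (type 1 = incoming, 2 = outgoing, 3 = missed; `date` is milliseconds since the epoch); the rows are constructed in memory for this example.

```python
"""Summarize an Android call log the way the phone-log view in the paper
does (missed / outgoing / incoming counts, then name, number, date and
time per call), straight from the database.

Added example, not part of the original paper or of MOBILedit. Column
names and type codes follow Android's CallLog.Calls provider (type 1 =
incoming, 2 = outgoing, 3 = missed; date = ms since the epoch); the rows
themselves are constructed for this example."""
import sqlite3
from datetime import datetime, timezone

CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}


def build_sample_calllog():
    """Create an in-memory look-alike of the call-log database with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE calls (
        _id INTEGER PRIMARY KEY, number TEXT, date INTEGER,
        duration INTEGER, type INTEGER, name TEXT)""")
    con.executemany(
        "INSERT INTO calls(number, date, duration, type, name) VALUES (?, ?, ?, ?, ?)",
        [
            ("+15555550101", 1700000000000, 125, 1, "Alice Example"),  # answered
            ("+15555550102", 1700003600000, 0, 3, None),               # missed, unknown caller
            ("+15555550101", 1700007200000, 42, 2, "Alice Example"),   # call back
            ("+15555550103", 1700010800000, 0, 3, "Bob Example"),      # missed
        ],
    )
    con.commit()
    return con


def call_counts(con):
    """Calls per type, e.g. {'incoming': 1, 'outgoing': 1, 'missed': 2}."""
    rows = con.execute("SELECT type, COUNT(*) FROM calls GROUP BY type").fetchall()
    return {CALL_TYPES.get(t, f"type{t}"): n for t, n in rows}


def call_records(con):
    """Each call as (name, number, UTC timestamp, type, duration_seconds), oldest first."""
    out = []
    query = "SELECT name, number, date, type, duration FROM calls ORDER BY date"
    for name, number, date_ms, ctype, duration in con.execute(query):
        # Android stores the call time as milliseconds since the Unix epoch.
        when = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        out.append((name or "(unknown)", number, when.strftime("%Y-%m-%d %H:%M:%S"),
                    CALL_TYPES.get(ctype, f"type{ctype}"), duration))
    return out


if __name__ == "__main__":
    db = build_sample_calllog()
    print(call_counts(db))
    for rec in call_records(db):
        print(rec)
```

Against a real handset the same two queries run on an exported copy of the contacts provider's database (the `calls` table lives in `contacts2.db` on older releases and `calllog.db` on newer ones); open the copy read-only with `sqlite3.connect("file:calllog.db?mode=ro", uri=True)` so the analysis itself cannot alter the evidence.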
FTK Imager
With the data saved on the computer, I could now use FTK Imager to analyze the information. In an investigation I would normally use a write blocker to make sure the evidence does not change while I examine it; however, I did not use one for my phone. The phone, of course, has to be connected to the computer. I then mounted the image in FTK Imager and clicked Create Image in the drop-down menu. I also clicked Add Evidence; to the right of this there is a drive selection, where I chose the image I had saved to the computer. I then chose the physical drive holding the image and saved the image using File, Export Disk Image.
The Drive/Image Verify Results are shown in the table below: the phone name, the sector count, and the MD5 and SHA1 hashes, which were computed, compared, and verified. FTK Imager can image an entire physical drive as well as logical drives.
Any bad sectors would also be listed; in this case there were none.
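The verify step is the control that stands in for the write blocker that was not used here: the hashes recorded at acquisition time are recomputed over the image before analysis, and any difference means the copy is no longer the evidence that was collected. The script below, an added example that is not part of the original paper or of FTK Imager, performs that check and reports the same fields the results table shows (sector count, MD5 and SHA1, match or mismatch). The image bytes and the "recorded" hashes are constructed here, where in practice they come from the tool's acquisition log; `SECTOR_SIZE` assumes the 512-byte sectors the sector count is based on.

```python
"""Re-verify an acquired image against the MD5 and SHA1 an imaging tool
recorded, the check behind FTK Imager's Drive/Image Verify Results.

Added example, not part of the original paper or of FTK Imager. The image
bytes and the "recorded" hashes below are constructed here (in practice the
recorded values come from the tool's acquisition log); SECTOR_SIZE assumes
the 512-byte sectors the tool's sector count is based on."""
import hashlib
import io

SECTOR_SIZE = 512
CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never need to fit in RAM


def hash_stream(stream, chunk=CHUNK):
    """Compute MD5 and SHA1 in a single pass; return (md5_hex, sha1_hex, byte_count)."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def verify_image(stream, recorded_md5, recorded_sha1):
    """Build a report with the fields FTK Imager shows in its verify results."""
    md5, sha1, size = hash_stream(stream)
    sectors, tail = divmod(size, SECTOR_SIZE)
    md5_ok = md5 == recorded_md5.lower()
    sha1_ok = sha1 == recorded_sha1.lower()
    return {
        "sector_count": sectors,
        "partial_sector": tail != 0,  # a true device image is sector-aligned
        "computed_md5": md5,
        "computed_sha1": sha1,
        "md5_match": md5_ok,
        "sha1_match": sha1_ok,
        "verified": md5_ok and sha1_ok,
    }


def verify_bytes(data, recorded_md5, recorded_sha1):
    """Convenience wrapper for in-memory data (small samples, tests)."""
    return verify_image(io.BytesIO(data), recorded_md5, recorded_sha1)


def verify_file(path, recorded_md5, recorded_sha1):
    """Verify an image file on disk, e.g. a raw .001 image an imaging tool wrote."""
    with open(path, "rb") as fh:
        return verify_image(fh, recorded_md5, recorded_sha1)


# Constructed 8-sector sample image: a fake boot sector plus filler.
SAMPLE_IMAGE = b"EXAMPLE-IMG".ljust(SECTOR_SIZE, b"\x00") + bytes(range(256)) * 14
# Stand-ins for the hashes the tool recorded at acquisition time.
RECORDED_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()
RECORDED_SHA1 = hashlib.sha1(SAMPLE_IMAGE).hexdigest()


def tamper_demo():
    """Flip one bit in the sample image and show the verification fail."""
    altered = bytearray(SAMPLE_IMAGE)
    altered[1000] ^= 0x01
    return verify_bytes(bytes(altered), RECORDED_MD5, RECORDED_SHA1)


if __name__ == "__main__":
    print(verify_bytes(SAMPLE_IMAGE, RECORDED_MD5, RECORDED_SHA1))
    print(tamper_demo())
```

Both digests are checked because MD5 alone is no longer collision-resistant; an image that matches the recorded SHA1 as well as the recorded MD5 is a much stronger statement that nothing changed. A non-zero `partial_sector` flag on a supposedly physical image is worth a second look, since a device image should always be a whole number of sectors.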
The image summary below gave me more information about the phone.
Autopsy
Another tool I used was Autopsy, shown below. Images displayed on the left-hand side were categorized into Documents and Settings, Program Files, System Volume Information, Windows, and Orphan Files. Under Views, the file types listed were images, videos, audio, and documents. Another view was Recent Files, and Results included bookmarks, cookies, web history, downloads, recent documents, installed programs, and devices attached. Autopsy also added to the information I was able to gather about my phone by identifying the different partitions and file systems.
The list above is quite extensive as to the kinds of data I retrieved from my phone: recent activity, hash lookup, file type identification, embedded file extractor, EXIF parser, keyword search, email parser, extension mismatch detector, E01 verifier, Android analyzer, interesting files identifier, and PhotoRec carver.
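Of the Autopsy modules listed above, the extension mismatch detector is the one that most often surfaces deliberately hidden material: a file is named for one format while its first bytes say it is another. The script below, an added example that is not part of the original paper or of Autopsy, shows the check in its simplest form. `SIGNATURES` is a small hand-picked subset of well-known magic numbers (Autopsy's own table is far larger) and the sample "file system" is constructed in memory.

```python
"""Flag files whose extension disagrees with their content signature, the
check Autopsy's Extension Mismatch Detector ingest module runs over an image.

Added example, not part of the original paper or of Autopsy. SIGNATURES is a
small hand-picked subset of well-known magic numbers (Autopsy's own table is
much larger) and the sample files are constructed in memory."""
import os

# (magic bytes, offset in file, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF8", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "apk", "jar", "docx", "xlsx"}),
    (b"SQLite format 3\x00", 0, {"db", "sqlite", "sqlite3"}),
]


def identify(data):
    """Extensions consistent with the first matching signature, or None if unknown."""
    for magic, offset, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def extension_mismatch(name, data):
    """Return (is_mismatch, expected_extensions, actual_extension)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = identify(data)
    if exts is None:
        return (False, None, ext)  # unknown content: nothing to compare against
    return (ext not in exts, sorted(exts), ext)


def scan(files):
    """files: {name: bytes}; returns the names whose extension lies about the content."""
    return sorted(name for name, data in files.items() if extension_mismatch(name, data)[0])


# Constructed sample "file system": path -> first bytes of the file.
SAMPLE_FILES = {
    "DCIM/IMG_0001.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
    "Download/report.pdf": b"%PDF-1.4\n" + b"\x00" * 16,
    "Notes/notes.txt": b"SQLite format 3\x00" + b"\x00" * 32,   # database hidden as text
    "Pictures/holiday.png": b"\xFF\xD8\xFF\xE1" + b"\x00" * 32,  # JPEG renamed to .png
    "Download/app.apk": b"PK\x03\x04" + b"\x00" * 16,
    "readme.md": b"# plain text, no known signature",
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        _, expected, actual = extension_mismatch(name, SAMPLE_FILES[name])
        print(f"{name}: extension .{actual} but content looks like {expected}")
```

Two design points carry over to the real module: a signature that matches several container formats (ZIP, APK, DOCX all start with `PK\x03\x04`) must accept every extension that legitimately uses it, or the detector drowns the examiner in false positives; and a file with no recognized signature is reported as unknown rather than as a mismatch, since there is nothing to compare the extension against.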
My mobile phone, as with many other people's, has become a device I always have with me. This miniature computer is powerful in that it captures data from phone calls to messaging to images and much more. For those using their phones for criminal purposes, investigators with knowledge of the forensic tools available to capture phone data will have a wealth of information to take to the courts. In addition, knowing what is on our phones, as this exercise showed, is valuable. The increase in exploitation of network systems has a new avenue in the mobile phone market, especially since many people are unaware of how susceptible their private information is to hackers. Bluetooth, GPS, and social media such as Facebook are tools criminals can use to hack into someone's personal information, which may include passwords, usernames, and bank account information. In addition, these features allow someone with the expertise to possibly install a rootkit on someone's phone and control the device, leading to even more damage.
Forensic work like I performed on my phone is time intensive but can provide vital information to a case. The data needs to be collected both manually and through a forensic tool. Then the information needs to be identified and analyzed for its value. Finally, the important information needs to be pulled out and documented in an organized fashion.
To summarize, I began the phone extraction using a manual method, in which I physically examined the phone. I gathered a lot of information this way, but I am sure there could be critical data I would miss if I relied on a manual examination alone. I then used a forensic tool, MOBILedit, to examine a physical image of the phone. Every bit of data in storage can be viewed with this type of tool: pictures, files, phone logs, messages, and any other database present on the device. Finally, I used FTK Imager and Autopsy to view the image and, when I wanted to, save it to my hard drive.