Android anti-forensics through a local paradigm


By Alessandro Distefano, Gianluigi Me, Francesco Pace
11/08/2013 Fri.
Daun Jeong

Introduction

Definition of Anti-forensics

The Android Operating System

Android Anti-forensics

Experiments

Conclusion

Anti-forensics techniques applied to mobile
devices

Test for effectiveness of such techniques vs.
both the cursory examination of the device
and some acquisition tools

Trend
 Uptick in the use of anti-forensics
 Confined so far to the classic forensics environment
⇒ Instantiate some common AF techniques on
Android mobile devices

Any attempt to compromise the availability
or usefulness of evidence in the forensic
process.
 The availability of evidence can be compromised
by preventing its creation, hiding its existence or
manipulating the evidence.
 The usefulness can be compromised by deleting
the evidence or by tampering with its integrity.
1. Destroying Evidence: Destruction of evidence
in order to make it unusable.
2. Hiding Evidence: Decreasing the visibility of
the evidence.
⇒ Both processes 1 and 2 can make other evidence
3. Eliminating Evidence Sources: Preventing evidence creation.
4. Counterfeiting Evidence: Creating a fake version of evidence.

Supported by YAFFS2 File System.

YAFFS: Yet Another Flash File System

YAFFS1: designed for old NAND chips with
512 byte pages plus 16 byte spare areas.
YAFFS2: evolved from YAFFS1 to
accommodate newer chips with 2048 byte
pages plus 64 byte spare areas.


Application & Sandboxes
: Android binds every running application to a secure
sandbox which cannot interfere with any other
application.

User IDs and Permissions
: Android manages each application as a different
Linux user.
Permissions are declared with <uses-permission> tags in the
application's AndroidManifest.xml.
1. Current Android Forensics Techniques & Tools
2. Instantiating Anti-forensics
3. The Evidence Export Process
4. The Evidence Import Process
5. The Evidence Destruction Process
1. Android Debug Bridge (ADB)
A tool provided with Android SDK which allows the
interaction between the mobile device and a
remote station.
2. Nandroid Backup
Nandroid is a set of tools supporting the backup and
restore capabilities for rooted Android devices.
Supports full NAND flash memory imaging, which
can be performed in a special boot mode.
3. Physical Imaging by dd
The dd tool allows the byte-level physical imaging of
Unix files and can be applied to regular files and
to device files as well, given the availability
of a Unix-like command shell.
4. Commercial Tools
Commercial Tools: Paraben Corporation, Micro
Systemation, Cellebrite.
Open Source Tools: Mobile Internal Acquisition Tool (MIAT).
5. Serial Commands over USB
Capability to eavesdrop on the data conveyed over the wire.
6. Simulated SD card
Use of a modified update file in order to avoid the
destruction of internal memory data and to
provide kernel-level tools to support the
acquisition of data.
7. Software Applications
Applications that are able to explore, read, and
mirror the contents stored by the file system,
even for the internal memory storage volume.

Exploiting Android features
 Strong Linux process & user management policies

A private folder: A directory that is inaccessible
to any other application
 Private folders in internal memory are hard to examine
because of isolation and the need for physical imaging

Anti-forensics by a common application
: Evidence Export/Import/Destruction Process
1) Android Destroying Evidence
: Text messages, browser bookmarks, call log
⇒ Deletion of the related database
2) Android Hiding Evidence
: Multimedia files
⇒ Move them into internal storage (private folder)
3) Android Eliminating Evidence Sources
: Multimedia Messages (MMSs)
⇒ Modify identifiers so they are invisible to the end user
4) Android Counterfeiting Evidence
: Contact information
⇒ Modify flag & related number


Restore the previous state of the device.
The private storage of the evidence
 Organize the exported evidence using a set of
common files in the private folder
 An XML-style file (export.xml) is responsible for the
storage of all evidence
 A number of files of various formats are imported
from the removable memory card.

How to reconstruct the evidence?

Fully Automated Evidence Reconstruction:
AFDroid
1) Private folder inspection
2) export.xml file processing
▪ Related DB & table
▪ The connection DB
3) Other file processing

Internal Memory & Data Recovery
 Acquiring an image of the internal memory is still
incomplete (JTAG).

Fully Automated Process
⇒ Uninstall of AFDroid
 All the related data are logically deleted by the FS.
 Can avoid human errors.
 Reduces time.
Objectives
: To test the strength of the Evidence Export/
Destruction process in relation to the tools
that are currently able to acquire a snapshot
of the internal memory of the target device.


Used devices
: Samsung Galaxy i7500 device equipped with the
Android 1.5 OS.

Used acquisition tools
: Paraben Device Seizure / Nandroid / MIAT

Experimental Workflows
1) Evidence export process
▪ First imaging with Nandroid tool
▪ Execution of AFDroid
▪ Acquisition with MIAT tool
▪ Second imaging with Nandroid tool
2) Evidence destruction process
▪ First imaging with Nandroid tool
▪ Execution of AFDroid
▪ Second imaging with Nandroid tool
▪ Uninstall of AFDroid
▪ Acquisition with the MIAT tool
▪ Third imaging with the Nandroid tool
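Both workflows rest on comparing successive acquisitions of the same device. As an added example that is not part of the presentation or the paper, this Python script diffs two constructed file inventories (the paths, package name and file contents are assumptions) and flags the traces an examiner would look for between the first and second image: an emptied SMS/MMS database, files gone from the SD card, and identical content reappearing inside an application's private folder.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample inventories (path -> file content) standing in for the file
# listings of two successive Nandroid images: before and after AFDroid ran.
# All paths and the package name are illustrative assumptions, not from the paper.
BEFORE = {
    "/data/data/com.android.providers.telephony/databases/mmssms.db": b"sms rows: 42",
    "/data/data/com.android.browser/databases/browser.db": b"bookmarks: 7",
    "/sdcard/DCIM/IMG_0001.jpg": b"jpeg-bytes-1",
    "/sdcard/DCIM/IMG_0002.jpg": b"jpeg-bytes-2",
}
AFTER = {
    "/data/data/com.android.providers.telephony/databases/mmssms.db": b"sms rows: 0",
    "/data/data/com.android.browser/databases/browser.db": b"bookmarks: 7",
    "/data/data/org.example.afdroid/files/export.xml": b"<export/>",
    "/data/data/org.example.afdroid/files/IMG_0001.jpg": b"jpeg-bytes-1",
    "/data/data/org.example.afdroid/files/IMG_0002.jpg": b"jpeg-bytes-2",
}

@dataclass
class Report:
    removed: list = field(default_factory=list)      # present before, gone after
    modified: list = field(default_factory=list)     # same path, different content
    new_private: list = field(default_factory=list)  # new files under an app's private folder
    relocated: list = field(default_factory=list)    # (old_path, new_path), identical content

def compare_images(before: dict, after: dict, private_root: str = "/data/data/") -> Report:
    # Hash content so files moved between locations can be matched regardless of name.
    bh = {p: hashlib.sha256(b).hexdigest() for p, b in before.items()}
    ah = {p: hashlib.sha256(b).hexdigest() for p, b in after.items()}
    by_hash = {}
    for p, h in bh.items():
        by_hash.setdefault(h, []).append(p)
    rep = Report()
    for p, h in bh.items():
        if p not in ah:
            rep.removed.append(p)          # deleted or moved away (destruction / hiding)
        elif ah[p] != h:
            rep.modified.append(p)         # e.g. an emptied SMS/MMS database
    for p, h in ah.items():
        if p in bh:
            continue
        if p.startswith(private_root):
            rep.new_private.append(p)      # new content inside an isolated private folder
        for old in by_hash.get(h, []):
            if old not in ah:
                rep.relocated.append((old, p))   # same bytes, new home
    return rep
```

Running `compare_images(BEFORE, AFTER)` on the constructed data reports the telephony database as modified, both DCIM images as removed, and the same two images relocated into the private folder alongside export.xml.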
Cursory examination of the SMS/MMS
database before and after the EEP:
the entire set of SMS/MMS messages
is emptied.
The Nandroid tool and MIAT tool
can recover all the evidence that has
been previously exported into the
private folder.
A large amount of multimedia data
can negatively affect the duration of
the process.
It is realistic to suppose that only a
reduced amount of such data can be
exported into the private folder
because of the limited capacity of
current internal memory.

When the application is uninstalled and the
EDP completed, the private folder is removed
together with all of its stored contents.

After that, neither the Nandroid nor the MIAT
tools were able to recover the deleted data.

Current and Future Work
1. Improving the AFDroid application
▪ Selectively choosing the target evidence
▪ Expanding the kinds of target evidence
2. Expanding compatibility to other operating
systems
▪ Windows Mobile, Symbian.
Reference: Alessandro Distefano, Gianluigi Me and Francesco Pace,
"Android Anti-Forensics Through a Local Paradigm",
Digital Investigation 7 (2010) S83-S94.