SEMINAR 2014

COLLECTION METHODOLOGY FOR ANDROID

WELCOME

College of engineering Thalassery

Department of CSE


GENERAL COLLECTION METHODOLOGY FOR ANDROID DEVICES
Acquiring Digital Evidence from Mobile Devices

MUHAMMED AFSAL C 14122007


WHY

5,000,000 devices activated daily

Smartphones are used in crime

Evidence collection is important


CONTENTS

Introduction
Forensics Background
Data Collection & Types
Existing and Proposed Systems
Collection Process
Conclusion


FORENSICS BACKGROUND

Forensics is the use of science to inform decisions in a legal system.
Digital forensics is the use of computer science in this manner.

COLLECTION
Collection refers to a stage early in a forensics process where evidence is duplicated in the best possible way.
Collection of evidence is a prerequisite for every other analytical process.
Improper collection leads to incorrect analysis.


DATA COLLECTION

Call History
SMS/MMS
Contacts
Email, Media
Web History/Bookmarks


COLLECTION TYPES

Logical
  Allocated data (only).
  Often the computer is actively running.
  Faster than physical collection.

Physical
  Allocated data, and:
    Meta data.
    Empty areas.
    Unused space.
  Storage device is removed.
  Called bit stream and byte-by-byte duplication.


MOTIVATION

FRAGMENTATION AMONG MOBILE DEVICES MAKES IT MORE DIFFICULT TO COLLECT DATA

Devices have different:
  Form factors
  Operating systems
  Memory layouts
  Connectors


EXISTING SYSTEM

Break into the running phone to collect.
Take screenshots of the user interface.
Custom tools with disjoint sets of services.
Risks data integrity and correctness.
No general collection methods.
Difficult for the collector.


PROPOSED SYSTEM

Recovery-image-based collection.
Flash custom recovery software.
Use the special boot mode, recovery, to achieve the collection goals.
Use ADB and USB for data transfer.
Use cp and dd for data duplication.


DATA PRESERVATION

ATOMIC COLLECTION
CORRECTNESS
DETERMINISM
EVIDENCE PRESERVATION
USABILITY
REPRODUCIBILITY

METHOD FOR COLLECTION

Steps of the collection cycle, in order:
1. Create collection software package
2. Reboot device into flash mode
3. Transfer collection software
4. Reboot device into recovery mode
5. Connect collection software using ADB
6. Collect data using collection software


ANDROID BOOTING

MUCH OF THE ANDROID BOOT PROCESS IS SIMILAR TO A LINUX SYSTEM.

Boot ROM locates boot media.
Boot code is loaded into memory.
Execution is passed to the boot code.


ANDROID BOOTING

STAGED LOADER
Stage 1 sets up RAM.
Stage 1 loads Stage 2 into RAM.
Stage 2 loads binary images.
Stage 2 loads the kernel from boot.
Execution is transferred to the kernel.


RECOVERY MODE

Instead of loading the typical boot image, execution is diverted to a special recovery boot image.


RECOVERY IMAGE STRUCTURE

THREE COMPONENTS (after the header)

BOOT HEADER (1 page)
KERNEL (n pages)
RAMDISK (m pages)
SECOND STAGE (o pages)

n = (kernel_size + page_size - 1) / page_size
m = (ramdisk_size + page_size - 1) / page_size
o = (second_size + page_size - 1) / page_size
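A worked example, added here and not part of the original slides: a small Python parser that reads the fixed fields of the classic Android boot image header (the layout from AOSP bootimg.h: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size), derives n, m and o with the page-rounding formula above using integer division, and computes the byte offset of each component so a collected recovery or boot image can be split into its parts. The sample image is constructed inline and its load addresses are arbitrary placeholders.

```python
import struct
from dataclasses import dataclass

BOOT_MAGIC = b"ANDROID!"
# The 32 bytes after the magic in the classic (v0) header from AOSP bootimg.h:
# kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr,
# tags_addr, page_size; all little-endian uint32.
FIXED_FIELDS = "<8I"


def pages(size: int, page_size: int) -> int:
    """Pages a component occupies: (size + page_size - 1) / page_size, rounded down."""
    return (size + page_size - 1) // page_size


@dataclass
class BootImageLayout:
    page_size: int
    n: int            # kernel pages
    m: int            # ramdisk pages
    o: int            # second-stage pages
    kernel_offset: int
    ramdisk_offset: int
    second_offset: int


def parse_boot_image(data: bytes) -> BootImageLayout:
    """Validate the header and compute where each component starts in the image."""
    if data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image: bad magic")
    kernel_size, _, ramdisk_size, _, second_size, _, _, page_size = struct.unpack_from(FIXED_FIELDS, data, 8)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page_size {page_size}")
    n, m, o = pages(kernel_size, page_size), pages(ramdisk_size, page_size), pages(second_size, page_size)
    total = (1 + n + m + o) * page_size   # header page + n + m + o component pages
    if len(data) < total:
        raise ValueError(f"truncated image: header describes {total} bytes, got {len(data)}")
    return BootImageLayout(page_size, n, m, o, page_size, (1 + n) * page_size, (1 + n + m) * page_size)


def build_sample_image(kernel: bytes, ramdisk: bytes, second: bytes = b"", page_size: int = 2048) -> bytes:
    """Constructed sample: one header page, then each component padded to whole pages."""
    def pad(blob: bytes) -> bytes:
        return blob + b"\0" * (pages(len(blob), page_size) * page_size - len(blob))
    # Load addresses are arbitrary placeholders; only the sizes and page_size matter here.
    header = BOOT_MAGIC + struct.pack(FIXED_FIELDS, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                                      len(second), 0x10F00000, 0x10000100, page_size)
    return header.ljust(page_size, b"\0") + pad(kernel) + pad(ramdisk) + pad(second)
```

With a 5000-byte kernel, a 2048-byte ramdisk and no second stage at page_size 2048, the parser reports n = 3, m = 1, o = 0 and the ramdisk starting at byte 8192.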


RAMDISK FILES

Name            Description
default.prop    Default build properties
init.rc         System-wide initialization values
init            Initialization executable
system/         System files and tools
sbin/           Additional tools
sbin/adb        Android Debug Bridge executable
sbin/recovery   Recovery executable
res/            Images for recovery mode


RECOVERY COLLECTION

CUSTOM BOOT IMAGE IS CRAFTED
Binaries are added: adbd, su, nanddump.
Files are edited: default.prop, init.rc (enable adb, start the daemon, etc.).
FILESYSTEM PERMISSIONS ARE ADJUSTED TO FACILITATE THE ABOVE
Gives full access to the data on the phone.
nanddump allows collection of OOB (e.g. spare area) data.


OBTAINING KERNEL


ACQUIRING FLASH TOOL


ANALYSIS OF COLLECTED DATA

Collected data can be extracted.
Media can be viewed directly.
Databases can be read using an SQLite explorer;
call logs, Gmail and contacts use SQLite databases.
Use ADB and USB for data transfer.
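An added example, not from the original slides, of the analysis step applied to a collected call-log database. The sample database is constructed inline with the column layout of the Android call-log provider's calls table (number, date in milliseconds since the epoch, duration in seconds, type code 1/2/3); the copy is opened read-only and immutable so analysis cannot alter the evidence, and its SHA-256 is compared before and after to show that it did not.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Type codes of Android's CallLog.Calls provider: 1 incoming, 2 outgoing, 3 missed.
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}


def make_sample_calllog(path: str) -> None:
    """Constructed sample resembling the 'calls' table of a collected call-log database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                "date INTEGER, duration INTEGER, type INTEGER)")
    con.executemany("INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)", [
        ("+15550100", 1393632000000, 125, 1),  # 2014-03-01 00:00:00 UTC, answered
        ("+15550199", 1393635600000, 0, 3),    # one hour later, missed
        ("+15550100", 1393639200000, 42, 2),   # two hours later, outgoing
    ])
    con.commit()
    con.close()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_calls(path: str) -> list:
    """Read the collected copy without touching it: read-only, immutable URI open (no journal/WAL)."""
    con = sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)
    try:
        rows = con.execute("SELECT _id, number, date, duration, type FROM calls ORDER BY date").fetchall()
    finally:
        con.close()
    return [{
        "id": _id,
        "number": number,
        "time_utc": datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat(),  # ms since epoch
        "duration_s": duration,
        "type": CALL_TYPES.get(kind, f"unknown({kind})"),
    } for _id, number, date_ms, duration, kind in rows]


def demo() -> tuple:
    """Collect (constructed), hash, analyse, re-hash: the digest must be unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "calllog.db")
        make_sample_calllog(path)
        before = sha256_file(path)
        calls = extract_calls(path)
        return calls, sha256_file(path) == before
```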


CONCLUSION

THIS TECHNIQUE
Applies to a wide range of devices.
Does not modify any storage areas that hold user data.
Permits a priori setup.
Does not take volatile data into account.
Requires different flashing tools based on manufacturer.


TAKES ADVANTAGE OF COMMONALITY ACROSS ANDROID DEVICES

Comprehensively collects data with no impact on the data areas used under normal operation.


MOVING FORWARD

Extended functionality or usability.
More devices.
General software image.
Comprehensive list of boot modes and behaviours.



QUESTIONS

Thank you for your time!

MUHAMMED AFSAL C, College of Engineering Thalassery
