WELCOME
Department of CSE
SEMINAR 2014
GENERAL COLLECTION METHODOLOGY FOR ANDROID DEVICES
Acquiring Digital Evidence from Mobile Devices
WHY
CONTENTS
Introduction
Forensics Background
Collection Process
Conclusion
FORENSICS BACKGROUND
Forensics is the use of sciences to inform decisions in a legal system.
Collection refers to a stage early in a forensics process where
evidence is duplicated in the best possible way.
Digital forensics is the use of computer science in this manner.
Collection of evidence is a prerequisite for the other analytical processes.
Improper collection leads to incorrect analysis.
Collection
DATA COLLECTION
Call History
SMS/MMS
Contacts
Email, Media
Web Hist/Bookmarks
COLLECTION TYPES
Logical
Physical
MOTIVATION
Devices have different:
Form factors
Operating systems
Memory layouts
Connectors
EXISTING SYSTEM
Break into the running phone to collect.
Take Screenshots of user interface.
Custom tools with disjoint set of services.
Risk data integrity and correctness.
No general collection methods.
Difficult for collector.
PROPOSED SYSTEM
Recovery image based collection.
Flash custom recovery software.
Use the special boot mode (recovery).
Achieve the collection goals.
Use ADB and USB for data transfer.
Use cp and dd for data duplication.
DATA PRESERVATION
ATOMIC COLLECTION
CORRECTNESS
DETERMINISM
EVIDENCE PRESERVATION
USABILITY
REPRODUCIBILITY
College of engineering Thalassery
Create collection software package
Reboot device into flash mode
Transfer collection software
Reboot device into recovery mode
Connect collection software using ADB
Collect data using collection software
ANDROID BOOTING
ANDROID BOOTING
STAGED LOADER
Stage 1 sets up RAM.
Stage 1 loads Stage 2 into RAM.
Stage 2 loads the binary images.
RECOVERY MODE
Instead of loading the normal boot image, execution is diverted to a
special recovery boot image.
THREE COMPONENTS
KERNEL (n pages), where n = (kernel_size + page_size - 1) / page_size
RAMDISK (m pages), where m = (ramdisk_size + page_size - 1) / page_size
SECOND STAGE (o pages), where o = (second_size + page_size - 1) / page_size
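As an added example (not part of the seminar's material), the page-count formulas above applied in Python: a parser for the version-0 Android boot image header, whose field layout is assumed from AOSP's bootimg.h (the slide lists only the three components), computing n, m and o and slicing the kernel, ramdisk and second stage out of an image, plus a helper that builds a constructed sample image to run it on.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Leading fields of the v0 boot image header (AOSP bootimg.h, assumed layout):
# magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, header_version (all u32 LE).
HEADER_FMT = "<8s9I"


def pages(size, page_size):
    """Pages needed for `size` bytes: (size + page_size - 1) / page_size (integer division)."""
    return (size + page_size - 1) // page_size


def parse_boot_image(img):
    """Split a boot image into its three components using the header's sizes."""
    fields = struct.unpack_from(HEADER_FMT, img, 0)
    magic, kernel_size, _, ramdisk_size, _, second_size, _, _, page_size, _ = fields
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a non-zero power of two")
    n, m, o = (pages(s, page_size) for s in (kernel_size, ramdisk_size, second_size))
    # The header occupies page 0; the components follow in order, page-aligned.
    kernel_off = page_size
    ramdisk_off = kernel_off + n * page_size
    second_off = ramdisk_off + m * page_size
    total = second_off + o * page_size
    if len(img) < total:  # refuse to silently return a short component
        raise ValueError("image truncated: need %d bytes, have %d" % (total, len(img)))
    return {
        "page_size": page_size,
        "pages": (n, m, o),
        "kernel": img[kernel_off:kernel_off + kernel_size],
        "ramdisk": img[ramdisk_off:ramdisk_off + ramdisk_size],
        "second": img[second_off:second_off + second_size],
    }


def build_boot_image(kernel, ramdisk, second=b"", page_size=2048):
    """Constructed sample image: minimal header followed by page-padded components."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                      len(ramdisk), 0x11000000, len(second), 0x10F00000,
                      0x10000100, page_size, 0)
    pad = lambda b: b + b"\0" * (-len(b) % page_size)  # pad to a page boundary
    return pad(hdr) + pad(kernel) + pad(ramdisk) + pad(second)
```

Running the parser over a boot or recovery partition dumped with dd gives the examiner the exact page counts and byte ranges of each component, which is what the later kernel-extraction step relies on.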
RAMDISK FILES
Name            Description
default.prop    Default build properties
init.rc
init            Initialization executable
system/
sbin/           Additional tools
sbin/adb
sbin/recovery   Recovery executable
res/
RECOVERY COLLECTION
OBTAINING KERNEL
CONCLUSION
This technique:
Applies to a wide range of devices
Does not modify any storage areas that hold user data
Permits a priori setup
Does not take volatile data into account
Requires different flashing tools based on manufacturer
MOVING FORWARD
Extended functionality or usability.
More devices
General software image.
QUESTIONS