Conference Paper, September 2017. DOI: 10.1109/ICTER.2017.8257836
Android Digital Forensics – Simplifying Android Forensics Using Regular Expressions

Neera Jeyamohan
Asia Pacific Institute of Information Technology
388, Union Place, Colombo 02
Email: jneera@gmail.com

Abstract— Smartphones store and process evidence that is vital to an investigation, since they have become the cradle of an individual's personal information. They are, however, challenging during evidence acquisition and analysis: much of the information they hold is volatile, and the investigation process must be properly validated for the evidence to be admissible in a court of law. Acquiring and examining smartphone evidence has therefore become a laborious task for forensic investigators, who need appropriate, validated examination tools and methodologies to extract it. This paper presents an investigation methodology for the acquisition and analysis of data from Android-based smartphones.

Keywords— Mobile Devices, Mobile Forensics, Forensic investigational framework, Android, Smart phones, Tablets

I. INTRODUCTION

SWGDE [1] defines digital evidence as "information of probative value that is stored or transmitted in binary form". By that definition, digital evidence can be collected not only from computers but from any electronic device that stores and processes user-related data. Most mobile device users keep sensitive information on their devices, which makes those devices a wealth of digital evidence during an investigation [2]. The challenge for forensic investigators is identifying the potential evidence a mobile device might contain. Because the digital forensics community has done comparatively little research on mobile device forensics, investigators lack a standard approach or procedure to follow during investigations, and validated frameworks for collecting evidence from mobile devices are virtually non-existent in the current digital forensics environment.

The aim of this research is to present an appropriate framework for mobile device forensics that investigators can use during an investigation, and to update forensic investigators and other incident response personnel on new-generation mobile devices and their value in a forensic investigation.

II. RELATED WORK

Advances in technology have increased the computing power of mobile devices while keeping them small enough to fit in a user's pocket. Research has found that the mobile device market has grown enormously and that people use smartphones, digital music players and personal digital assistants for both official and personal purposes [3]. It is therefore necessary to analyze these devices using appropriate digital forensics procedures and methodologies. The exponentially growing number of mobile phone manufacturers makes it difficult to design a framework or lay out a procedure that addresses every eventuality in mobile forensics, and as the worldwide user base grows, so does the need for mobile forensics capability [4].

Forensic investigators can collect evidence such as call logs, contact information, web activity logs and private messages from mobile devices [5], along with user-related multimedia files and documents that can be acquired from the device's external storage media. Mobile forensics nevertheless still lags behind for the following reasons.
• The mobility and ubiquity of mobile devices require investigators to possess specialized tools to acquire and analyze device storage.
• Much of the device's data resides in volatile memory, and battery drainage may cause loss of evidence.
• The device remains active except when it is hibernating or powered off.
• Mobile devices have short product cycles, and new devices with different operating systems appear on the market every day.

According to the ACPO guide for police officers [6], law enforcement officials should take no action that changes data held on computers or storage media that will be submitted to court as evidence. Not all digitally collected evidence falls within the scope of the ACPO guide, however, and its principles cannot always be complied with in mobile forensics.
Data stored in mobile devices tends to change during an investigation even without any interference from the investigator. This dynamic nature of mobile device data is often considered a critical problem for forensic investigators. Unlike other digital devices, which are either on or off, mobile devices operate in several states:
• Nascent State: the device operates under its factory configuration and contains no user data [7]. This is the default state of a mobile device; the device must be charged for a specified period before entering a new state. Once the user performs an action this state changes automatically, and only a hard reset returns the device to the nascent state.
• Active State: if the user is using the device to complete some task and the file system is storing data, the device is in the active state. A soft reset during the active state clears the cache memory and causes loss of user data [8].
• Quiescent State: the device appears inactive, but processes are running in the background and user data is preserved on battery power [9].
• Semi-Active State: when the device is between the active and quiescent states it is said to be semi-active; it tries to save battery by dimming the screen or turning it off completely [10].

A forensic investigator needs to know which state the device is in to decide whether to perform live or offline forensics. Mobile devices normally hold information in volatile memory, and recovering evidence from it is tedious. These devices consist of an internal memory and an external memory, from which several types of evidence can be obtained. The internal memory is a type of flash memory embedded in the handset. Evidence that resides in volatile memory is lost once the battery is exhausted [11]. Unlike with computers, investigators cannot recover much from the slack space of a mobile device, since erased flash space reads as the hex value FF. Manufacturers now also use compact drives to store the operating system kernel code and other files. Even though forensic tools such as FTK or EnCase can examine this type of storage, proprietary file systems prevent investigators from interpreting the data found on these devices [8].

[12] analyzed the performance of mobile device forensic tools such as MOBILedit, Cell Seizure and Oxygen Phone Manager and found that some tools do not deliver the features they promise. Currently available mobile forensic tools often restrict themselves to a limited set of devices. Some can acquire a device memory image but cannot examine the collected evidence or create reports. Most forensic tools obtain data from a mobile device through physical acquisition or through logical acquisition [5].

Measures taken by investigators to prevent further interference with potential evidence might themselves cause undesirable alteration or loss of evidence, which calls for live analysis of mobile devices. Live memory analysis helps investigators overcome obstacles such as encryption or password protection and strengthens the formal investigation procedure [13]. Current mobile phone forensic investigations often concentrate on obtaining evidence from the SIM (Subscriber Identity Module), the external memory card and the internal flash memory [10]. However, because mobile devices have limited storage, volatile data such as third-party application data is often kept in volatile memory. Without live analysis, evidence that might be critical to the investigation can be lost forever or easily overwritten.

III. INVESTIGATION METHODOLOGY

Over the years researchers have proposed many digital forensics models for gathering information from mobile devices, but there is still no conclusive model proven to be the most appropriate methodology to follow. The mobile device forensic model discussed below is proposed to aid investigators examining devices based on the Android operating system.

A. Phase One – Preparation and Preservation

Preparation involves identifying potential sources of evidence, searching for the device, documenting the complete process and collecting the digital evidence. If the investigator fails to preserve the integrity of the evidence, the whole investigation might be jeopardized and the evidence might become inadmissible in a court of law. This stage also involves gaining an appropriate understanding of the crime, preparing the tools for the investigation, building a team and assigning roles to its members so that the investigation is carried out effectively.

First responders must formulate a search plan and evaluate the scene for possible digital evidence. They must also secure the scene from unauthorized access, to prevent contamination of evidence and to ensure the safety of the investigators working there. Preventing or minimizing corruption of evidence is the top priority at this stage. If a mobile device is found at the scene, first responders might have to follow the steps discussed below.

If the device is found in a liquid, its battery should be removed; if it is found in a caustic liquid it should be stored in the same fluid until it is examined by a forensic investigator. The device model and manufacturer should be identified by examining manufacturer logos, the power adapter, the serial number and any cables attached to it. Without proper identification of the device, investigators might not be able to decide which forensic tools to use for further analysis or what type of cable is required to connect the device to a PC for data synchronization.

If the device is switched on, precautions must be taken to ensure an uninterrupted power supply and to shield the device from radio signals. The device must be kept isolated so that incoming traffic or other network data cannot modify or overwrite information stored on it. If the device is switched off, it should be secured along with any accessories found at the scene. Many mobile devices run out of power before evidence is acquired, so first responders should carry a tool kit containing standard power supplies. The device must be kept in its existing state until the forensic investigator has made an appropriate assessment. A thorough preparation and preservation phase ensures the integrity of the evidence and eases the work of the acquisition, examination and analysis phases.

B. Phase Two – Acquisition

The acquisition process commences once the device is handed over to the forensic investigator. The investigator must first choose the correct acquisition tool, and it is best practice to test the tool on a similar device before employing it on the actual device. Tools used in acquisition should maintain the integrity of the evidence (Vidas et al., 2011). To protect the integrity of the data source, write-blocking techniques can be used. The integrity of collected data can also be protected by hashing the collected evidence and re-verifying the hash repeatedly, so that its value is shown to be unchanged throughout the investigation.

Investigators can learn the PIN or passcode by interviewing the device owner or individuals involved with the crime, or they can use service backdoors created by manufacturers to gain access to the device. During this phase the device must be placed in debug mode, and if the sync option is turned on it must be disabled. After acquiring the physical image, the investigator can switch sync back on to commence logical acquisition of data. The logical data will be present in the memory image obtained, but the investigator also has the option of using the sync protocol to perform a logical acquisition. Because much of the evidence is volatile and the device is usually transported from the scene before acquisition, the "pull the plug" approach is not suitable for mobile forensics [7]. Most mobile devices hold data in volatile memory, and acquiring it is problematic because of the dynamic nature of the device state and the evidence; a combination of acquisition techniques must be used to get appropriate results from volatile memory. Non-volatile evidence is collected from external storage media such as CompactFlash cards, MMC cards and Secure Digital memory cards.

C. Phase Three – Examination

The examination phase involves examining the evidence collected from the mobile device and extracting the information that will support or build the investigators' hypothesis. Investigators should create backups of the acquired images before examining them. In this phase the originality and significance of the collected evidence becomes apparent. Investigators can apply keyword searches, pattern matching, data filtering and similar techniques to reduce the collected data to a manageable size. While examining the evidence the investigator should also look for signs of device tampering, data wiping, data hiding techniques and unauthorized system modifications. The challenge here is detecting obscured or hidden data; the capability of the tools plays a vital role, as the collected data must be searched thoroughly for unusual files and directories.

D. Phase Four – Analysis

In this phase the investigator conducts a technical review of the examination results. Analyzing identified hidden data, recognizing relationships between data, confirming the significance of the evidence found during examination, reconstructing the event timeline and drawing appropriate conclusions are the essential activities of this stage (NIJ, 2008). From the results of this phase the investigator can determine whether additional tasks should be performed, or previous phases repeated.

E. Phase Five – Reporting

After all the necessary steps have been followed, the results are submitted to a group of people that may include law enforcement officials, legal officials and sometimes corporate management. The documented evidence and results are submitted to a court of law in a law enforcement investigation, or to the investigation management team in an internal investigation within an organization. The report helps the management team or the court decide on the allegations concerning the incident. It should detail the steps followed during the digital investigation and the conclusions reached after analyzing the evidence.

IV. EVIDENCE EXAMINATION FINDINGS FOR ANDROID SMARTPHONES

The scope of this section is to compare and analyze the evidence that can be collected from Android smartphones. Offline investigation methods can be used effectively to find the evidence stored on Android smartphones. For the experiment a Samsung phone running Android Lollipop, version 5.1.1, was used. The developed methodology does, however, have restrictions:
• ADB (Android Debug Bridge) must be enabled on the phone to acquire data through the USB port.
• The phone must be rooted to capture and recover system-related information.
• With superuser privileges the examiner should be able to acquire all system partitions and files.

Using the Cellebrite UFED Touch for the acquisition phase is recommended, but acquisition can equally be done with the open source 'dd' tool (Lessard and Kessler, 2010). The acquired image is then examined using regular expressions. The investigator must first specify what information is needed in order to define the regular expression that will locate it. A regular expression is a pattern of characters that can be used to locate any desired content. By crafting appropriate regular expressions investigators should be able to examine the acquired image easily. This section discusses the locations, and the patterns that target them, that forensic analysts can use to quickly and easily locate information on Android smartphones.

A. Analysing Phone Information

Phone manufacturer details, carrier details, the device build and other device-specific information can be extracted with the adb shell command. Table I lists the information that can be obtained from the system properties reported by 'adb shell getprop'.

TABLE I
ACQUIRED PHONE INFORMATION

Result from adb shell getprop      Remarks
Device information
  ro.build.fingerprint             Device build
  ro.bootloader                    Boot loader information
  ro.build.date                    Build date
  ro.build.version.release         Android version installed on the phone
  ro.product.brand                 Product brand
  ro.product.manufacturer          Phone manufacturer
  ro.product.model                 Product model
  ro.product.name                  Product name
  ro.serialno                      Serial number
Network information
  dhcp.wlan0.dns1                  DNS server IP address
  dhcp.wlan0.gateway               Gateway IP address
  dhcp.wlan0.mask                  Subnet mask
  net.hostname                     Hostname used for the internet connection
Carrier information
  gsm.sim.operator.iso-country     SIM operator country
  gsm.sim.state                    SIM state
Other information
  persist.sys.country              Country setting of the phone
  persist.sys.language             Language the phone uses
  persist.sys.timezone             Time zone

B. Contact Information and Call Logs

Contact information and call log information is available in the com.android.providers.contacts container, which is stored in /data/data/com.android.providers.contacts. It can also be noted that some information about deleted contacts can be acquired in newer versions of Android; the corresponding table is 'deleted_contacts'.

C. Messaging

Messages are stored by the com.android.providers.telephony package and reside in the /data/data/com.android.providers.telephony directory [10]. Both MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages are saved here, in two SQLite databases under this directory.

D. Instant Messaging

Widely used IM apps are WhatsApp and Viber, each with well over a million subscribed users. Both apps store their information in SQLite databases. The WhatsApp databases can be found in /data/data/com.whatsapp/databases and the Viber databases in /data/data/com.viber.voip/databases. The Google Hangouts database resides in /data/data/com.google.android.talk/databases.

To retrieve information about WhatsApp activity there are two databases to analyze:
• msgstore.db, which holds the messages and chat history
• wa.db, which holds the WhatsApp contact information.

Transferred media files are saved on the SD card in the following directories:
• Audio: WhatsApp/Media/WhatsApp Audio
• Video: WhatsApp/Media/WhatsApp Video
• Voice notes: WhatsApp/Media/WhatsApp Voice Notes
• Calls: WhatsApp/Media/WhatsApp Calls
• Images: WhatsApp/Media/WhatsApp Images

Each folder has a sub-folder named "Sent" that stores the media files sent by the user. The date when a contact was added is available in the log file data/com.whatsapp/files/Logs/whatsapp.txt. By comparing the log file with the contacts table, the investigator should be able to identify deleted contacts. The Viber database folder has two main databases of interest: viber_data.db, which stores information about the Viber contacts including blocked numbers, and viber_messages.db, which stores the messages, call history and the participants in each conversation. It was also found that even when a contact is deleted from the contact list, the conversation history for that contact remains in the database until it is overwritten, so messages exchanged with deleted contacts can still be extracted from the device.
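The regular-expression examination that opens this section can be shown on a raw image directly. The script below is an added example by the editor, not code from the paper: it reads a 'dd' image in chunks, carrying an overlap so a hit on a chunk boundary is not cut, and reports the absolute offset of every match for a small set of byte patterns: build.prop lines carrying the ro.build.* and ro.product.* keys of Table I, e-mail addresses, international phone numbers, URLs, and the "SQLite format 3" header that marks where an application database such as msgstore.db begins in the image. It also hashes the image before and after the scan, which is the recurring integrity check Phase Two calls for. The patterns, the chunk and overlap sizes, and the sample image it builds (example.com addresses, made-up numbers, FF filler standing in for erased flash) are assumptions of the example, not findings of the paper.

```python
"""Added example: regex examination of a raw Android image with a hash check
before and after. Patterns, sizes and the sample image are assumptions."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Byte patterns, because a partition dump is not valid text as a whole.
PATTERNS: Dict[str, bytes] = {
    # build.prop lines carrying the ro.build.* / ro.product.* keys of Table I
    "build_prop": rb"ro\.(?:build|product)\.[a-z._]+=[^\r\n\x00]{1,120}",
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}",
    # international number: '+', 8-15 digits, not followed by another digit
    "phone": rb"\+[1-9][0-9]{7,14}(?![0-9])",
    "url": rb"https?://[A-Za-z0-9.-]+(?:/[^\s\x00\"'<>]*)?",
    # header every SQLite file starts with (msgstore.db, wa.db, ...)
    "sqlite_header": rb"SQLite format 3\x00",
}
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}
OVERLAP = 256  # assumed longest hit; carried between chunks so no hit is cut


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_image(path: str, chunk: int = 1 << 20) -> List[Tuple[str, int, str]]:
    """Return (pattern, absolute_offset, text) for every hit in the image.

    The last OVERLAP bytes of each chunk are prepended to the next one, so a
    hit straddling a chunk boundary is still seen whole. Offsets are absolute,
    so a 'sqlite_header' hit says where to carve the database file from.
    """
    hits: List[Tuple[str, int, str]] = []
    seen = set()
    tail, base = b"", 0  # base: absolute offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            eof = len(data) < chunk
            buf = tail + data
            for name, rx in COMPILED.items():
                for m in rx.finditer(buf):
                    # a hit touching the buffer end may be cut off; the next
                    # buffer, which starts with this overlap, sees it whole
                    if m.end() == len(buf) and not eof:
                        continue
                    key = (name, base + m.start())
                    if key in seen:  # already reported from the overlap
                        continue
                    seen.add(key)
                    hits.append((name, key[1], m.group(0).decode("latin-1")))
            if eof:
                break
            tail = buf[-OVERLAP:]
            base += len(buf) - len(tail)
    return sorted(hits, key=lambda h: h[1])


def examine(path: str, chunk: int = 1 << 20) -> Dict[str, object]:
    """Hash, scan, re-hash: proves the examination left the image unchanged."""
    before = sha256_of(path)
    hits = scan_image(path, chunk)
    after = sha256_of(path)
    if before != after:
        raise RuntimeError("image changed during examination: %s -> %s" % (before, after))
    return {"sha256": before, "hits": hits}


def build_sample_image(path: str, chunk: int) -> None:
    """Constructed stand-in for a dd image: FF filler (as erased flash reads)
    with planted artefacts, the last one straddling a chunk boundary."""
    planted = (
        b"ro.build.version.release=5.1.1\nro.product.model=SM-G900F\x00"
        b"\x00\x00SQLite format 3\x00\x10\x00"
        b"msg from suspect@example.com at +94771234567 see http://example.com/a?b=1\x00"
    )
    with open(path, "wb") as f:
        f.write(planted)
        f.write(b"\xff" * (chunk - 10 - len(planted)))  # '+' lands on the last byte of chunk 1
        f.write(b"contact: +14155550123 \x00")
        f.write(b"\xff" * 64)


def demo(chunk: int = 4096) -> Dict[str, object]:
    """Build the sample image in a temp dir and examine it with a small chunk."""
    path = os.path.join(tempfile.mkdtemp(), "sample.dd")
    build_sample_image(path, chunk)
    return examine(path, chunk)


if __name__ == "__main__":
    for name, off, text in demo()["hits"]:
        print("%-14s @0x%08x  %s" % (name, off, text))
```

On a real image, call examine() on the examiner's working copy and keep the before/after hash in the report; the small chunk in demo() only exists to exercise the boundary case, a real scan would use the 1 MiB default. The phone pattern is deliberately narrow (E.164-style numbers only): local formats stored in SQLite rows are better pulled from the database itself than carved from raw bytes.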
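The observation above for WhatsApp and Viber, that conversation rows outlive the contact row, can be turned into a query rather than a manual comparison. The script below is an added example by the editor, not code from the paper: it opens examiner copies of msgstore.db and wa.db so that nothing can be written to them, attaches the contact database, and lists every conversation whose remote party has no contact entry, with first and last activity in UTC. The table and column names (messages, key_remote_jid, timestamp, wa_contacts, jid) follow older WhatsApp schemas but are assumptions here, the sample databases and numbers are constructed, and the same join applies to viber_messages.db against viber_data.db once the column names are adjusted. Confirm the real schema with sqlite3's .schema before relying on it.

```python
"""Added example: find conversations whose counterpart is no longer a contact,
by joining a WhatsApp-style msgstore.db against wa.db read-only.
Schema, sample rows and numbers are assumptions, not the paper's findings."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

ORPHAN_SQL = """
    SELECT m.key_remote_jid, COUNT(*), MIN(m.timestamp), MAX(m.timestamp)
    FROM main.messages AS m
    LEFT JOIN wa.wa_contacts AS c ON c.jid = m.key_remote_jid
    WHERE c.jid IS NULL                      -- no contact row survives for this party
    GROUP BY m.key_remote_jid
    ORDER BY MAX(m.timestamp) DESC
"""


def open_read_only(msgstore_path: str, wa_path: str) -> sqlite3.Connection:
    """Open the examiner's working copies so that nothing can be written:
    mode=ro on the main file, then query_only for the whole connection,
    which also covers the attached contact database."""
    con = sqlite3.connect("file:%s?mode=ro" % msgstore_path, uri=True)
    con.execute("ATTACH DATABASE ? AS wa", (wa_path,))
    con.execute("PRAGMA query_only = ON")
    return con


def ms_to_utc(ms: int) -> str:
    # assumption: timestamps are milliseconds since the Unix epoch, as in msgstore.db
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def orphaned_conversations(msgstore_path: str, wa_path: str) -> List[Dict[str, object]]:
    """Conversations whose remote party has no row in the contact table."""
    con = open_read_only(msgstore_path, wa_path)
    try:
        return [
            {"jid": jid, "messages": n, "first": ms_to_utc(first), "last": ms_to_utc(last)}
            for jid, n, first, last in con.execute(ORPHAN_SQL)
        ]
    finally:
        con.close()


def writes_refused(msgstore_path: str, wa_path: str) -> bool:
    """Sanity check for the read-only setup: a write to either file must fail."""
    con = open_read_only(msgstore_path, wa_path)
    try:
        con.execute("CREATE TABLE wa.scratch (x)")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def build_sample_databases(directory: str) -> Tuple[str, str]:
    """Constructed stand-ins for msgstore.db and wa.db with only the columns
    used above (cut down from the older WhatsApp schema)."""
    msgstore = os.path.join(directory, "msgstore.db")
    wa = os.path.join(directory, "wa.db")
    con = sqlite3.connect(wa)
    con.execute("CREATE TABLE wa_contacts (jid TEXT, display_name TEXT)")
    con.executemany("INSERT INTO wa_contacts VALUES (?, ?)", [
        ("94771234567@s.whatsapp.net", "Alice"),
        ("94770000001@s.whatsapp.net", "Bob"),
    ])
    con.commit()
    con.close()
    con = sqlite3.connect(msgstore)
    con.execute("CREATE TABLE messages (key_remote_jid TEXT, key_from_me INTEGER, "
                "timestamp INTEGER, data TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        ("94771234567@s.whatsapp.net", 0, 1500000000000, "hi"),
        ("94771234567@s.whatsapp.net", 1, 1500000060000, "hello"),
        ("94770000001@s.whatsapp.net", 1, 1500000120000, "meet?"),
        # a party whose contact entry was deleted: the messages remain
        ("94779999999@s.whatsapp.net", 0, 1500000000000, "bring it tonight"),
        ("94779999999@s.whatsapp.net", 1, 1500003600000, "ok"),
    ])
    con.commit()
    con.close()
    return msgstore, wa


def demo() -> Dict[str, object]:
    msgstore, wa = build_sample_databases(tempfile.mkdtemp())
    return {"orphans": orphaned_conversations(msgstore, wa),
            "writes_refused": writes_refused(msgstore, wa)}


if __name__ == "__main__":
    for row in demo()["orphans"]:
        print(row)
```

Run it against copies only, never the acquired originals; the read-only open is a second line of defence, not a substitute for working on a hashed copy. Group chats and broadcast lists will also appear as "orphans" because their JIDs are not contacts, so filter those out, or join them against the group table, before putting the list in a report.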
E. E-Mail

Most Android device email accounts are handled by the Gmail application, which saves its information in SQLite databases under /data/data/com.google.android.gm/databases. Android devices also ship with another built-in email app, which users can use to access non-Gmail accounts, especially accounts on their organization's mail server; /data/data/com.android.email/databases is the directory where this app stores its data.

For the Gmail application, the email addresses are the only account information stored in the database. Password information is held on Google's servers and is used by the client device only to authenticate the user. Once authentication succeeds, an auth token is issued, which is then used on subsequent logins to provide authenticated access. The auth token is therefore saved instead of the password, and it can be extracted from the accounts database located under /data/system/users.

F. Browser

The built-in browser application in Android is based on the open source WebKit project, belongs to the com.android.browser package and lives in the /data/data/com.android.browser folder. According to [10]:
• The browser database is /data/data/com.android.browser/databases/browser2.db.
• Password information is available in the table named password, located in /data/data/com.android.browser/databases/webview.db.

Google Chrome is the default browser in newer Android versions. Most Google Chrome information is stored in the /data/data/com.android.chrome/app_chrome/Default folder.

G. Social Networking Apps

Information related to the social networking applications Facebook and Twitter can also be retrieved using regular expressions. If these sites are accessed through the browser, information about them can be retrieved through browser analysis. The Facebook and Twitter login records are stored in /data/system/users/0/accounts.db, but no password information is stored there. When investigating the Facebook application, the investigator must look for two important SQLite databases (Mutawa, Baggili & Marrington, 2012):
• fb.db, which has tables listing the user's activity, photo albums, chat messages, friend lists and uploaded photos.
• webview.db, which is supposed to store password-related login information; in most cases it is empty.

It was learned, however, that by the time this research was completed Facebook had changed the structure of its stored information, and with the introduction of Facebook Messenger the valuable information lies in two main folders:
• /data/data/com.facebook.katana – user activity, friend lists, uploaded photos, messages, etc. are saved in this folder.
• /data/data/com.facebook.orca – this folder is created when the Facebook Messenger app is installed, and it has the same databases as the other folder.

The Twitter application, on the other hand, stores its information in the /data/data/com.twitter.android directory. The databases there contain records of posted tweets, photos, followers and other information about Twitter usage (Mutawa, Baggili & Marrington, 2012).

V. CONCLUSION

Mobile devices are evolving rapidly with recent technological developments, but mobile forensics is evolving slowly. In this research a new mobile forensics framework has been proposed that exclusively addresses the problems of mobile device forensic investigation. The model depends on regular expressions to examine the acquired image and does not depend on any commercial tool for examination or analysis. The activities proposed in the model are not presented completely, since there were restrictions on testing, and more work remains to be done in the future.

REFERENCES
1. Scientific Working Group on Digital Evidence (2009). SWGDE and SWGIT Digital & Multimedia Evidence Glossary, v2.3. [Online] Available at: https://www.swgde.org/documents/Archived%20Documents/009-05-22%20SWGDESWGIT%20Digital%20and%20Multimedia%20Evidence%20Glossary%20v2.3.
2. Grispos, G., Storer, T. and Glisson, W.B. (2011). A comparison of forensic evidence recovery techniques for a Windows Mobile smart phone. Digital Investigation, 8, pp. 23-36.
3. Canalys (2008). Smart mobile device shipments hit 118 million in 2007, up 53% on 2006. [Online] Available at: http://www.canalys.com/newsroom/smart-mobile-deviceshipments-hit-118-million-2007-53-2006.
4. Slay, J. and Turnbull, B. (2006). The need for a technical approach to digital forensics evidence collection for wireless technologies. In Proceedings of the 2006 IEEE Workshop on Information Assurance.
5. Sansurooah, K. (2007). An overview and examination of digital PDA devices under forensics toolkits. In Proceedings of the 5th Australian Digital Forensics Conference.
6. ACPO (2007). Good Practice Guide for Computer-Based Electronic Evidence. [Online] Available at: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
7. Thing, V., Ng, K. and Chang, E. (2010). Live memory forensics of mobile phones. Digital Investigation, 7, pp. S74-S82.
8. Punja, S. and Mislan, R. (2008). Mobile device analysis. Small Scale Digital Device Forensics Journal, 2(1), pp. 1-16.
9. Raghunathan, V., Pering, T., Want, R., Nguyen, A. and Jensen, P. (2004). Experience with a low power wireless mobile computing platform. In Proceedings of ISLPED.
10. Hoog, A. (2009). Android forensics. In: Mobile Forensics World Conference, May 2009.
11. Lim, N. and Khoo, A. (2009). Forensics of computers and handheld devices: identical or fraternal twins? Communications of the ACM, 52(6), pp. 132-135.
12. Williamson, B., Apeldoorn, P., Cheam, B. and Macdonal, M. (2006). Forensic analysis of the contents of Nokia mobile phones. In: Australian Digital Forensics Conference.
13. Carrier, B.D. and Grand, J.A. (2004). A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(1), pp. 50-60.