An evidence-based Android cache forensics model




Abstract


Android is the most popular and widely used mobile operating system. Although Android is one of the most actively researched areas in the field of mobile forensics, the analysis of Android caches is an understudied research topic, and it is the focus of this thesis. Because of the diversity of caches and developers' heavy reliance on third-party libraries, this thesis proposes a cache taxonomy based on cache usage, since the key to investigating Android caches is to first classify and identify them. This helps to ensure that appropriate tool(s) are chosen to extract potential evidential data. A systematic process to forensically extract, analyse and investigate Android caches is proposed, based on the widely accepted McKemmish (1995) forensic model. The proposed Android Cache Forensic Process, the primary contribution of this thesis, is validated using nearly 100 popular apps. Previously unknown cache formats are decoded, and several undocumented cache formats commonly used by Android apps are documented. Based on these findings, an Android Cache Viewer prototype is developed, which is the secondary contribution of this thesis. This working prototype, as demonstrated in this thesis, is able to successfully decode Android caches and display their contents in a user-friendly manner.

Declaration


I declare that:

This thesis presents work carried out by myself and does not incorporate without acknowledgment any material previously submitted for a degree or diploma in any university; to the best of my knowledge it does not contain any materials previously published or written by another person except where due reference is made in the text; and all substantive contributions by others to the work presented, including jointly authored publications, are clearly acknowledged.

Signed: Felix Jeyareuben Chandrakumar Date: 2-Jun-2014

Acknowledgements


First and foremost, I thank God for the knowledge and wisdom that He has given me during this thesis period, and indeed, throughout my life: "I can do all things through Christ who strengthens me." (Philippians 4:13).

I thank my wife, Esther and my two young daughters, Felicia and Olivia for their support, encouragement, patience and love. I thank my parents for their love and support throughout my life.

I thank my supervisor, Dr Kim-Kwang Raymond Choo and my associate supervisor, Ben Martini for their excellent academic support for doing this research. I also thank our program director, Dr Elena Sitnikova and lecturers Dr Lin Liu and Dr Sameera Mubarak for their excellent academic teaching and support during the course of my study.

I thank my employer, Hewlett Packard, for granting me leave when I was required to attend workshops and meetings at the University. I thank Google for creating Android and making it open source, without which my thesis would not have existed. I thank Microsoft for providing its Visual Studio software free to the student community through Dreamspark, which helped me to build the Android Cache Viewer prototype. I thank the several other open source tools and libraries I used and referred to in my thesis.

I thank everyone whom I haven't mentioned here but who helped me in making this thesis possible.

  1. Introduction

1.1 Overview


Android, as of December 2013, reportedly has 79% of the mobile market share. As of July 2013, Google Play had more than 1 million Android apps published, with an estimated 50 billion downloads per year. This is remarkable growth in a short period of time. According to Sundar Pichai, Senior Vice President of Chrome and Apps at Google, there were reportedly more than 1 billion Android device activations as of September 2013. Due to the popularity of Android devices, they can be used for criminal activities as well as become targets of cybercriminal activity (e.g. being infected by malware to facilitate data theft). This is not surprising, as the amount and nature of data stored on Android and other mobile devices has grown from a simple contact list a decade ago to several gigabytes of potentially sensitive and personally identifiable information today.

As Butler and Choo (2013, p.1) explained:



[g]iven the increase in ICT [including mobile devices] in everyday life, digital forensics is increasingly being used in the courts in Australia and overseas. The concept central to digital forensic is digital evidence.

Digital forensics is the process of gathering evidence of an incident or crime that has involved ICT, including mobile devices. This data can take the form of simple contacts, browsing histories, notes and encrypted data, and the associated challenges are well documented. For example, in the Android architecture, the standard libraries and their APIs (Application Programming Interfaces) sit between the Linux kernel and the application framework. Because app developers build on these same APIs, the APIs may use caches for their own operations, and those caches are potential sources of evidence in an investigation. While general Android architectural and developer information, such as the cache partition and app cache locations, is available, there is a lack of specific information regarding app caches and how to extract artefacts from them. In addition, research efforts on the extraction of artefacts from Android devices have been limited to date.

This is not surprising, as mobile forensics is relatively new and therefore not as well understood as other areas of digital forensics. This thesis aims to contribute towards closing this knowledge gap.

1.2 Research aims and questions


This research aims to identify different formats of app caches, and to understand, document and classify the various cache formats.

The two research questions are as follows:

  1. What is the process or methodology that must be followed to forensically analyse Android caches?

  2. How can we make use of a forensically sound process to build new tools and utilities to analyse unknown and undocumented cache file formats?

To answer the above research questions, and to assist digital forensic practitioners, examiners and researchers undertaking forensic analysis of Android app caches, this research will:

  1. Propose a conceptual Android Cache Forensic Process, and

  2. Design an open source prototype of an Android Cache Viewer.
