An evidence-based Android cache forensics model


Date: 21.06.2017

1.3 Summary of Thesis Chapters


The structure of this thesis is as follows.

Chapter 2 examines the current digital forensic literature.

Chapter 3 outlines the proposed conceptual Android Cache Forensic Process based on McKemmish’s (1999) model, as well as the Android Cache Taxonomy.

Chapter 4 describes the application of the proposed conceptual Android Cache Forensic Process to the analysis of different caches used by Android apps. The prototype of an Android Cache Viewer and its potential applications are also presented in this chapter.

Chapter 5 concludes this thesis and outlines future work.

Literature Review

1.4 Google Android


The Android architecture has a number of layers, namely Applications, Application Framework, Libraries, Android Runtime and the Linux Kernel. Android uses only the kernel portion of Linux for its core system services. The core libraries provide the functionality of the Java programming language. The Android Runtime consists of the core libraries and the Dalvik VM (Virtual Machine). The Dalvik VM is a licence-free, Java-based VM.

Below is the list of libraries that are part of the Android architecture:

  • Libc is the C standard library.
  • SSL is a library for the Secure Sockets Layer.
  • SGL is the 2D image engine library.
  • OpenGL ES is the 3D image engine library.
  • The Media Framework library forms the core of Android multimedia.
  • The SQLite library provides the embedded database.
  • WebKit, the same layout engine used in Google Chrome, also forms part of the Android architecture.
  • FreeType is a library for bitmap and vector fonts.
  • SurfaceManager is a library that manages windows for different applications.

Figure 1 – Android Architecture (Adapted from Gandhewar and Sheikh 2011)

A framework is a component that can be reused. All Android applications are built on the application framework, which includes a rich and extensible set of Views, Content Providers that enable applications to access and share data with other applications, a Resource Manager to manage localised strings, layouts and other resources, a Notification Manager to provide notifications, and an Activity Manager which manages the life-cycle of applications.

The standard internal memory partitions on Android are as follows:

  • /boot - enables the device to boot
  • /system - contains the Android operating system
  • /recovery - holds the recovery console
  • /data - contains the user data
  • /cache - where frequently used data and app components are stored
  • /misc - where miscellaneous system settings are stored

Apart from the above, /sdcard represents the external SD card and /sd-ext is an additional partition on the SD card.

1.5 PC Caches


Unlike Android caches, the forensic analysis of web caches for the different browsers on personal computers is well studied and documented. Forensic analysis of the Internet Explorer cache has been well studied and widely used for more than a decade. Firefox, from version 3 onwards, uses SQLite databases for storing caches, browser history and bookmarks. Google Chrome also uses SQLite databases for storing caches, browser history and bookmarks, and its forensic analysis is well studied and documented. Methods for recovering deleted records from the SQLite databases used by browsers are also well studied and documented.
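To make the last point concrete, the following added example (not code from the thesis or from any of the works it cites) builds a constructed SQLite table shaped like a browser cache index, deletes one entry, and then compares what a SQL query returns with what a raw scan of the database file still contains. The table layout and URLs are invented for the demonstration; the outcome hinges on SQLite's secure_delete pragma, which the example runs in both settings.

```python
import os
import sqlite3
import tempfile

# Constructed rows shaped like a browser cache index (URL, cached file name,
# last access time). They are invented for this example.
SAMPLE_ROWS = [
    ("https://example.com/index.html", "cache/0001", "2017-06-21T10:00:00"),
    ("https://example.com/report.pdf", "cache/0002", "2017-06-21T10:05:00"),
    ("https://example.net/hidden/photo.jpg", "cache/0003", "2017-06-21T10:07:00"),
]
DELETED_URL = "https://example.net/hidden/photo.jpg"


def build_cache_db(path, secure_delete):
    """Create the index, then delete one entry the way a 'clear item' action would."""
    conn = sqlite3.connect(path)
    # secure_delete decides whether SQLite zeroes freed cells or merely unlinks them
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE entries (url TEXT, filename TEXT, accessed TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM entries WHERE url = ?", (DELETED_URL,))
    conn.commit()
    conn.close()


def live_urls(path):
    """What the application (and an examiner using SQL only) sees."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT url FROM entries ORDER BY rowid")]
    conn.close()
    return rows


def raw_hits(path, needle):
    """Scan the database file bytes directly, bypassing the SQLite engine."""
    with open(path, "rb") as f:
        return f.read().count(needle.encode("utf-8"))


def demo(secure_delete):
    """Return the live view and the raw-file hit count for one secure_delete setting."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache_index.sqlite")
        build_cache_db(path, secure_delete)
        return {"live": live_urls(path), "raw_hits": raw_hits(path, DELETED_URL)}


if __name__ == "__main__":
    for setting in (False, True):
        print("secure_delete=%s -> %s" % (setting, demo(setting)))
```

With secure_delete off (SQLite's usual default), the freed cell keeps its bytes until the page space is reused, which is why carving tools can recover "deleted" cache and history entries from browser databases; with secure_delete on, SQLite zeroes the freed space, so an examiner should not assume that deleted rows are recoverable from every browser build.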

1.6 Forensic Models


Forensic computing is a field of specialisation that uses computer technology for the investigation of computer-based and traditional crimes. It is the process of identifying potential evidence, preserving that evidence from change, having it analysed by professionals and presenting legally acceptable evidence in court. Cache forensics on Android mobile devices involves these same processes of identifying, preserving, analysing and presenting.

Caches are commonly network data that is stored locally on flash memory and reused when the same data is requested again, instead of fetching it from the network. Nearly all browsers, including mobile browsers, cache data. This cached information is a potential source of evidence. In this section, we review the existing literature on identifying caches, preserving the identified caches and analysing the cache formats, and discuss means of presenting the analysed caches to the court.

The McKemmish model is primarily focused on the identification, preservation, analysis and presentation of digital evidence. However, McKemmish also states four rules for forensic computing, namely: minimal handling of the original, accounting for any change, complying with the rules of evidence and not exceeding one's knowledge of the subject. As caches can be a type of electronic evidence, all four of McKemmish's key elements and the rules apply.

Figure 2 - Model of Forensic Computing (Adapted from McKemmish 1999)

In addition to McKemmish's (1999) model, a number of other forensic models have been proposed. The Computer Forensic Process proposed by Pollitt (1995) is perhaps one of the earliest digital forensic models. It has four steps, namely: Acquisition, Identification, Evaluation and Admission as evidence. This is comparable to McKemmish's model; for example, Identification and Evaluation (or Analysis) are common to both models. However, the lack of preservation and presentation phases is a major drawback of Pollitt's model.

The model proposed by Palmer (2001a) during the first Digital Forensic Research Workshop (DFRWS) in 2001 is similar to Pollitt's model, but it comprises seven steps, namely: Identification, Preservation, Collection, Examination, Analysis, Presentation and Decision.



  • The Identification step involves event or crime detection, signature resolution, profile detection, anomaly detection, complaints, audit analysis, etc.
  • The Preservation step involves case management, imaging technologies, chain of custody and time synchronisation.
  • The Collection step involves preservation of evidence, approved methods, software and hardware, legal authority, lossless compression, sampling, data reduction and recovery techniques.
  • The Examination step involves preservation of evidence, traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery and hidden data extraction.
  • The Analysis step involves preservation of evidence, traceability, statistical methods, protocols, data mining, timeline, link and spatial analysis.
  • The Presentation step involves documentation, expert testimony, clarification, mission impact statement, recommended countermeasures and statistical interpretation.
  • Finally, the Decision step.

Palmer's (2001a) model adapted Pollitt's (1995) model and McKemmish's (1999) model. More specifically, Palmer's (2001a) model includes the four key elements of McKemmish's (1999) model (Identification, Preservation, Analysis and Presentation) and the Collection, Examination and Decision steps from Pollitt's (1995) model; see Figure 3.

Figure 3 - Palmer's Model (Adapted from Palmer 2001)

It is important to note that Examination and Analysis are separate steps in Palmer's model, whereas both are merged into one step in the McKemmish model. The usefulness of having Collection and Preservation as two separate phases has also been questioned.

Reith, Carr and Gunsch (2002) also proposed a forensic model, whose nine phases are as follows:



  1. Identification - identifying the incident.
  2. Preparation - preparing tools and techniques, obtaining authorisation, support from management, etc.
  3. Approach - maximising the collection of evidence.
  4. Preservation - preserving the digital evidence.
  5. Collection - duplicating the digital evidence using legally acceptable procedures.
  6. Examination - systematic search for evidence.
  7. Analysis - analysing the evidence.
  8. Presentation - explaining the conclusions or presenting the evidence to the court.
  9. Returning Evidence - returning digital property to its proper owner.

Compared with the earlier models and the DFRWS 2001 model, it adds three new phases, Preparation, Approach and Returning Evidence, but omits the Decision phase. The authors considered their model to be an enhancement of the DFRWS 2001 model.

The model suggested by Carrier and Spafford (2003) has seventeen phases grouped into five: Readiness, Deployment, Physical Investigation, Digital Investigation and Review. This model is very different from the other forensic models discussed above. It treats all phases as investigations but divides them into physical and digital. It can be viewed as an attempt to include the non-digital phases as well, to provide a more generalised forensic model.


Methodologies have been classified into simple, advanced and complex models. Simple models contain Identification, Preservation, Collection, Examination, Analysis, Presentation and Decision. The advanced model was introduced by Carrier and Spafford in "Getting Physical with the Digital Investigation Process", which is based on crime scene theory for physical investigation. This model was also further enhanced (see Figure 4).



Figure 4 – Enhanced Digital Investigation Process (Adapted from Baryamureeba & Tushabe 2004)

The diagram above, from the Integrated Digital Investigation Model, shows that the advanced model splits the digital investigation into separate phases, rather than the single phase in McKemmish's model, which is a simple model.

The European Cyber-Tools Online Search for Evidence (CTOSE) Foundation has developed a high-level methodology to assist companies in carrying out computer forensics. CTOSE is a complex and comprehensive model that spans all aspects of evidence handling. It is also flexible across different organisations and countries.



Collection and analysis are integral steps in the digital forensic process. Collection generally occurs once, typically as an image, and analysis relies upon the collected image. In the methodology of Vidas, Zhang and Christin, a bootable Android image is created to extract Android partitions, including cache and data, forensically, without tampering with any data on the mobile device. Their general collection methodology is similar to McKemmish's forensic computing model, except that it omits Identification and Presentation and focuses on preservation and analysis specifically for Android mobiles.
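As an added illustration of the preservation and analysis split described above (this is not code from Vidas, Zhang and Christin, nor from the thesis), the following Python example carves the partitions listed in Section 1.4 out of a constructed flash image using an invented offset table, records a SHA-256 manifest at acquisition time, and re-verifies a working copy before analysis so that any change to the image is accounted for, as McKemmish's rules require. The partition table, sizes and filler bytes are assumptions made for the demonstration; a real device exposes its layout through the bootloader or a GPT/MTD table.

```python
import hashlib

# Constructed partition table: (name, offset, length) in bytes. The layout is
# invented for this example and is far smaller than any real device.
PARTITION_TABLE = [
    ("boot", 0, 64),
    ("system", 64, 128),
    ("data", 192, 128),
    ("cache", 320, 64),
]


def make_sample_image():
    """Build a constructed flash image with a recognisable filler per partition."""
    img = bytearray()
    for name, offset, length in PARTITION_TABLE:
        if len(img) != offset:
            raise ValueError("partition table has a gap or overlap at %s" % name)
        filler = name.encode() + b"\x00"
        img += (filler * (length // len(filler) + 1))[:length]
    return bytes(img)


def extract_partitions(image):
    """Slice each partition out of the raw image; refuse a truncated image."""
    parts = {}
    for name, offset, length in PARTITION_TABLE:
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("image truncated inside partition %s" % name)
        parts[name] = chunk
    return parts


def record_manifest(parts):
    """Hash every partition once, at acquisition, for the custody record."""
    return {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for name, data in parts.items()
    }


def verify_manifest(parts, recorded):
    """Return the names of partitions whose current bytes differ from the record."""
    changed = []
    for name, entry in recorded.items():
        data = parts.get(name)
        if data is None:
            changed.append(name)
            continue
        if len(data) != entry["size"] or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            changed.append(name)
    return changed


def demo():
    """Acquire, record, verify, then detect an accidental write to the working copy."""
    image = make_sample_image()
    parts = extract_partitions(image)
    recorded = record_manifest(parts)
    clean = verify_manifest(parts, recorded)  # nothing changed yet
    # Simulate an analyst's tool writing one byte into /cache on the working copy
    tampered = dict(parts)
    tampered["cache"] = b"X" + parts["cache"][1:]
    return clean, verify_manifest(tampered, recorded)


if __name__ == "__main__":
    print(demo())
```

The manifest is what an examiner would file alongside the image: the hashes prove that the partitions analysed later are the ones acquired, and a non-empty result from verify_manifest flags exactly which partition was altered so the change can be documented rather than silently carried into the findings.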

