An evidence-based Android cache forensics model



Download 0.49 Mb.
Page6/11
Date21.06.2017
Size0.49 Mb.
#21346
1   2   3   4   5   6   7   8   9   10   11

1.10Findings


There are several interesting findings that were identified during the cache analysis.

1.10.1System caches


System cache in Android is Dalvik VM Cache. For the purpose of faster run time execution, byte-code alignment, verification and optimization are done well ahead and stored as optimized DEX in dalvik cache. This optimization happens when the application is first run after the installation. The dalvik-cache is found in a system folder which can be found at /data/data/dalvik-cache .

1.10.2Application caches


Most apps use private caches in some way or the other. While some Android developers specifically handle cache in their apps, most developers may not even know that their app will cache internally because they use certain APIs. A pattern of similarity is noticed across apps and the usage of standard cache APIs creating stand set of cache files. However, most of these cache file formats are undocumented. In this research, some attempts had been made to document these undocumented cache formats.

1.10.2.1Generic Caches


Most of the analysed apps have these files. It is usually found inside the Android private cache location and accompanied by two other folders namely debug and testdata. It generally creates around 12 files or more.

  • cache_bd.0

  • cache_bd.m

  • cache_its.m

  • cache_its_ter.m

  • cache_r.0

  • cache_r.m

  • cache_vts_
    .0

  • cache_vts_
    .m

  • cache_vts_inaka_
    .0

  • cache_vts_inaka_
    .m

  • cache_vts_labl_
    .0

  • cache_vts_labl_
    .m

Below is the structure of cache_r.0 file

Length

Offset

Example

Description

4

0

0x01 0x00 0x00 0x01

A constant 0x01 0x00 0x00 0x01 across all apps seems to be a header for the record.

4

4

0x35 0xbe 0x5d 0x0f

While confirmed as a date/time, unable to yet decode to get date/time back – require more time and investigation.

1

8

0xb4

Counter. Seems to decrease with next record.

1

9

0x12

A constant 0x12 across all apps.

1

10

0x0e

Length of the URL of the cached data

u = length of url found at offset 10

11

/building.list

URL of the cached data

4

11+u

0x18 0xc8 0x01 0x21

A constant 0x18 0xc8 0x01 0x21 across all apps.

4

15+u

0x20 0xff 0x6c 0x9a

Unknown

4

19+u

0x00 0x00 0x00 0x00

A constant 0x00 0x00 0x00 0x00 across all apps.

1

23+u

0x32

A constant 0x32 across all apps.

2

24+u

0xe8 0x97

It is assumed to be the length of the data, but unable to confirm as the bytes are not not decoded yet.

v = length of data found at offset 24+u

26+u

(data)

The actual data for which this cache record is for.

1

26+u+v

0x3a

A constant 0x3a across all apps.

1

27+u+v

0x12

The length of the content-type in ASCII string.

w = length of the content-type of data

28+u+v

image/png

Content-Type of the data.

Table 2 - Structure of cache_r.0
Below is the structure of cache_bd.0 file

Length

Offset

Example

Description

16

0

0x35 0x37 0x31 0x64 0x66 0x34 0x36 0x30 0x36 0x39 0x39 0x61 0x35 0x37 0x34 0x35

Unknown.

4

16

0xFF 0xFF 0xFF 0xFF

A constant 0xFF 0xFF 0xFF 0xFF across all apps seems to be a header for the record.

4

20

0x00 0x00 0x01 0x43

Unknown

4

24

0xC6 0xBE 0x65 0xDB

Unknown, Could be date/time.

4

28

0x00 0x00 0x00 0x26

Length of the Data

1

32

0A

Seperator

1

33

24

Length of Data Record

u=length of data

34




Data

Table 3 - Structure of cache_bd.0

1.10.2.2Webview Cache


When an app uses WebView component to load web pages, the pages and other resources related to that page are cached in the private cache location of each app. WebView in Android 4.4 and above by default uses Chromium WebView while less than version 4.4 uses Android WebView . This means, the WebView caches on Android versions less than 4.4 will be different than the WebView Caches on version 4.4 and above.

In this experiment, Android version 4.1.2_r2 is considered because Android 4.4 is relatively new and only a few models exist.

WebView caches are found inside a directory called webviewCacheChromium under the private cache location.

E.g., /data/data/


/cache/webviewCacheChromium

The cache consists of many files but only three different file formats. There is only one index file, a few data_ files and several f_xxxxxx where x is a hexadecimal number.



Figure 7 - List of files for WebView Cache

The WebView caches are stored on disk as a collection of block-files with an index file and a collection of several external files. The Android source header file disk_format.h located inside the project chromium under net/disk_cache contains several important information regarding cache structures and working mechanisms.

When cache data is larger than the block size specified in (net/addr.h), then the cache is stored on a separate file called f_xxxxxx where x is a hexadecimal number. Smaller data are stored in series of blocks on a block file.

The index file which is just ‘index’ without any extensions, is a hash table that maps the cache entry to the cache address value.

Length

Offset

Example

Description

4

0

C3 CA 03 C1

(0xC103CAC3)



Index Magic – File Identifier

4

4

01 00 02 00

(Version 2.1)



Version

4

8




Number of entries currently stored

4

12




Total size of the stored data.

4

16




Last external file created.

4

20

01 00 00 00

(Flag 1 or 0)



Dirty Flag

4

24




Storage for usage data

4

28




Actual size of the table

4

32

01 00 00 00

(Flag 1 or 0)



Signals a previous crash.

4

36




Id of an ongoing test.

8

40

E2 E5 E3 06 2C 51 2E 00

Creation time for this set of files.

208

48




Padded content

8

256




Pad

4

264




Flag to tell when cache is filled.

20

268




Sizes. Array of 5 entries with each entry having 4 bytes.

20

288




Heads cache address. Array of 5 entries with each entry having 4 bytes.

20

308




Tails cache address. Array of 5 entries with each entry having 4 bytes.

4

312




Transaction cache address.

4

316




Actual in-flight operation.

4

320




In-flight operation list.

28

324




Pad

4 times the actual size of the table, value located at offset 28

352




Cache Addresses, where each address is of 4 bytes, as an array of up to the actual size of the table.

Table 4 - WebView cache index file

Block-file is the last element of the cache which stores blocks of data of a given size. It can store data from one to four consecutive blocks and can grow up to 64K blocks. It has a fixed size header used to track free of blocks on the file. The first file contains the number of the second file, and the second file contains the number of a third file, created when the second file reaches its limit. Any given block can be located directly by its address from these linked-chain of files, which contains the file number and starting block inside the file.

Every time a new cache is initialized, it is done so with four block files (data_0, data_1, data_2 and data_3) with each file dedicated to store blocks of a given size. The number at the end of the file name is the block file number which is in decimal.

There are two special types of blocks namely, an entry and a rankings node. While entry node contains information related to the same cache entry, a rankings node has volatile information that changes frequently for a given entry. All cache entries also have a dirty identifier.



Length

Offset

Example

Description

4

0

C3 CA 04 C1 (0xC104CAC3)

Index Magic – File Identifier

4

4

00 00 02 00 (Version 2.0)

Version

2

8




Index of this file.

2

10




Next file when this one is full.

4

12




Size of the blocks of this file.

4

16




Number of stored entries.




20




Current maximum number of entries.

16

36




Counters of 4 empty entries for each type.

16

52




Last used position for 4 entry types.

4

56




Keep track of updates to the header.

20

60




User. Represented as an array of 5 integers.

2028

80




Allocation Bitmap. 507 total entries. The value is derived from max blocks.

Table 5 - Structure of block file

Length

Offset

Example

Description

4

0




Full hash of the key.

4

4




Next cache entry address with the same hash or bucket.

4

8




Rankings node for this entry.

4

12




Reuse Count (how often it is requested)

4

16




Refetch Count (how often it is fetched from internet)

4

20




Current state.

8

24




Creation Date

4

32




Key Length

4

36




Optional address of a long key.

16

40




Size. 4 data streams for each entry of size 4 bytes

16

56




Cache Address. 4 data streams for each entry of size 4 bytes

4

72




Entry flags:

1 – Parent Entry

2 – Child Entry


20

76




Pad

160

26




Key as String.

Table 6 - Structure of a Cache Entry

The other files f_xxx are raw data files like Html, JavaScript etc., either compressed or uncompressed files.


1.10.2.3SQLite DB Cache


SQLite is a powerful, compact, embedded relational database management system . Several Apps that take advantage of SQLite database which is on public domain, used by default by most modern browsers and has default developer support from Android, instead of just files. These files can be viewed by any SQLite database browser. Android Cache Viewer, the primary contribution of this thesis provides default support for SQLite database caches.

1.10.2.4Image Cache


Standard Android gallery uses a format different from other caches. It creates of three files where one file is the index and the other two are data files. One data file is active while the other is inactive. New entries are appended into the active region until it exceeds the size limit. If it exceeds the limit, the active file and the inactive file are interchanged, and the new active file is simply truncated and the index for that file is also cleared. The index file is a hash table .

Length

Offset

Example

Description

4

0




Magic number: 0xB3273030

4

4




Max number of hash entries per region.

4

8




Max number of data bytes per region (including header).

4

12




The active growing region: 0 or 1.

4

16




The number of hash entries used in the active region.

4

20




The number of data bytes used in the active region.

4

24




Version number.

4

28




Checksum of bytes from 0 to 28.

u = (12 * Maximum Entries bytes).

32




Hash entries for region 0. The size is u

v = (12 * Maximum Entries bytes).

32+u




Hash entries for region 1. The size is also u.

Table 7 - Index file of Android Gallery

Length

Offset

Example

Description

4

0




Magic number (Header: 0xBD248510

Data

(Data is present as a blob and concatenated)

8

0




Key

4

8




Chksum

4

12




Offset

4, u=length

16




Length

U (value of offset 16)

20




Actual Data (or) Blob

Table 8 - Data file of Android Gallery

The structure is found in the below source location.



  • /Android-4.1.2_r2 /gallerycommon/src/com/android/gallery3d/common/BlobCache.java

1.10.2.5Serialized Java Objects


Some Android apps caches data in the form of serialized Java objects and one good example is YouTube. Because serialized objects in various apps can represent various structures, let us analyse YouTube as an example. YouTube caches images as serialized objects. Skipping 0x95 bytes from each of the .cache file located in the private cache directory, will yield a JPEG image from the video watched. Offset 76-7D provides the timestamp in milliseconds of the Unix epoch time.

Figure 8 - JPEG and Timestamp in YouTube Cache

In the above example, 0x000001442571F983 corresponds to Wed, 12 Feb 2014 09:33:50 GMT.

1.10.2.6DiskLruCache


DiskLruCache is a least recently used cache implementation where cache is written on the disk. In Android, this cache uses a specified amount of space and each cache entry contains a key and a fixed number of values. The values can be of any data even streams. The cache uses a journal file which looks similar to the one below:

libcore.io.DiskLruCache

1

100


2

CLEAN 3400330d1dfc7f3f7f4b8d4d803dfcf6 832 21054

DIRTY 335c4c6028171cfddfbaae1a9c313c52

CLEAN 335c4c6028171cfddfbaae1a9c313c52 3934 2342

REMOVE 335c4c6028171cfddfbaae1a9c313c52

DIRTY 1ab96a171faeeee38496d8b330771a7a

CLEAN 1ab96a171faeeee38496d8b330771a7a 1600 234

READ 335c4c6028171cfddfbaae1a9c313c52

READ 3400330d1dfc7f3f7f4b8d4d803dfcf6
The first five lines are the header of the journal file.

Data Type

Example

Description

Header




String

libcore.io.DiskLruCache

A constant string.

String

1

Disk Cache Version

String

100

Application Version

String

2

Value Count

Empty String

N/A

Blank Line

Data




String

CLEAN

State of the cache entry

String

335c4c6028171cfddfbaae1a9c313c52

Key

String

1600

Optional State Specific Values

Table 9 - Structure of Journal File

Cache entries with DIRTY status is actively being created or updated. Also, all successful DIRTY operation must be followed by a CLEAN or REMOVE status. DIRTY lines with no CLEAN or REMOVE means, temporary files must be removed. Cache entries can only be read from CLEAN track entries. READ status tracks the LRU cache access. REMOVE status indicates the removal of cache entry .

A temporary file named "journal.tmp" will be used during compacting journal file. This is helpful to data carve the journal.tmp for forensic purposes.

Many apps like LinkedIn use DiskLruCache as it is a standard API. The structure is found in the below source location.



  • \Android-4.1.2_r2\libcore\luni\src\main\java\libcore\io\ DiskLruCache.java


1.10.2.7Custom Format


Several Apps also use custom and third party cache libraries which could have different formats apart from what were discussed.


Download 0.49 Mb.

Share with your friends:
1   2   3   4   5   6   7   8   9   10   11




The database is protected by copyright ©ininet.org 2024
send message

    Main page