An evidence-based Android cache forensics model



1.11 Open Source Android Cache Viewer Prototype


Android Cache Viewer is an open source application that we developed; it is one of the two contributions of this thesis. The application is structured so that it can be extended easily (e.g. by allowing plug-in modules written by other programmers). It attempts to cover most of the cache file structures and to provide a reasonable view of what is inside each cache.

The application is built using C# and requires Microsoft's .Net framework 4.0 or above. It runs on, and has been tested on, Windows XP, Vista/7 and Windows 8/8.1.

The source code for Android Cache Viewer is uploaded to GitHub (https://github.com/fcidau/Android-Cache-Viewer) and is released under MIT License.

All cache formats discussed here are supported by Android Cache Viewer. The formats include:

  • Generic Cache (cache_r.0, cache_bd.0)
  • WebViewComponent Cache
  • SQLite DB cache
  • Image gallery cache
  • Serialized Object cache and
  • DiskLruCache format

Below are example screenshots from using the Android Cache Viewer.

1.11.1 cache_r.0


Below are the screenshots for cache_r.0 cache.

Figure 9 - cache_r.0 Details



Figure 10 - cache_r.0 Data

When a cache_r.0 file is opened, the viewer lists every item as a tab, and each tab contains a details section and a data section. The details section lists the record values and the data section displays the actual cached content. If the content is an image, the picture is displayed.

1.11.2 WebView Cache


Below are the screenshots for the cache_r.0 cache from apps that use WebView. WebView is used by almost any app that displays web content in a browser component.

Figure 11 - WebView Cache Index



Figure 12 - WebView Cache Data



Figure 13 - WebView Cache External Data

WebView caches are displayed according to their internal data structure together with their linked external files. If the data is an image or a text file, it is displayed as such.

1.11.3 YouTube Cache


YouTube stores images as serialized Java objects. Opening these caches displays the image contained in them.

Figure 14 - YouTube Cache


1.11.4 Android Image Gallery Cache


Figure 15 - Android Image Gallery


1.11.5 SQLite DB Cache


The tool is capable of displaying all tables if the cache is a SQLite database.

Figure 16 - SQLite DB Cache


1.11.6 Unknown Cache


When a cache is unknown or cannot be identified, the tool displays only the ASCII text in it and replaces each non-printable character with a dot.

Figure 17 - Unknown Cache
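The two viewer behaviours described above, format identification for the supported cache families and the ASCII-with-dots fallback for unknown caches, can be sketched as a small triage script. This is an added example, not code from Android Cache Viewer; the file signatures are standard format magics (SQLite header, Java serialization stream magic, DiskLruCache journal magic, JPEG and PNG headers), and the sample inputs are constructed, not real cache files. The generic cache_r.0 layout is not given a signature on this page, so the constructed cache_r.0 sample deliberately falls through to the unknown-cache view.

```python
# Known file signatures (standard format magics; assumption: not taken from the thesis page)
SIGNATURES = [
    (b"SQLite format 3\x00", "SQLite DB cache"),
    (b"\xac\xed\x00\x05", "Serialized Object cache (Java serialization stream)"),
    (b"libcore.io.DiskLruCache\n", "DiskLruCache journal"),
    (b"\xff\xd8\xff", "Image cache entry (JPEG)"),
    (b"\x89PNG\r\n\x1a\n", "Image cache entry (PNG)"),
]


def identify_cache(data: bytes) -> str:
    """Return the cache family whose magic prefix matches, or 'Unknown cache'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "Unknown cache"


def ascii_view(data: bytes, width: int = 16) -> list:
    """Hex/ASCII dump; non-printable bytes are shown as '.' like the viewer's unknown-cache mode."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


# Constructed sample inputs (hypothetical file names and contents, not real cache files)
SAMPLES = {
    "webviewCache.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "cache_r.0": b"\x00\x01\x02cache_r\x00\xff",      # no signature known here -> Unknown
    "thumb.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "journal": b"libcore.io.DiskLruCache\n1\n100\n2\n\nCLEAN abc 1 2\n",
    "obj.ser": b"\xac\xed\x00\x05sr\x00",
}


def triage(samples: dict) -> dict:
    """Map each file name to the cache family the signature check assigns it."""
    return {name: identify_cache(content) for name, content in samples.items()}


if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{name}: {kind}")
        if kind == "Unknown cache":
            print("\n".join(ascii_view(SAMPLES[name])))
```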


Conclusion and Future Work


Android is the world's most popular mobile platform with more than a million new device activations every day, according to the Android Developer website. Google Play also has more than 1.2 million apps as of April 2014. Mobile digital forensics, particularly for Android, is a rapidly expanding field.

1.12 Research Summary


In this thesis, we have contributed towards a better understanding of both research questions identified in Chapter 1.2, as explained below.

  1. What is the process or methodology that must be followed to forensically analyse Android caches?

In the thesis, we identified literature gaps and limitations in using existing forensic models when examining Android caches. To assist forensic researchers and practitioners in examining the wide range of caches used by various Android Apps, a taxonomy for Android caches and the conceptual Android Cache Forensics Model were proposed – see Chapter 3. We then studied more than 100 popular apps (i.e. apps that have more than a million downloads or an app from a popular brand). Using the Android Cache Forensics Model, we found that 11 apps appear to be using some form of cache. These 11 apps were then studied in detail. Previously unknown cache formats were decoded and several undocumented cache formats used commonly by Android apps were documented – see Chapter 4.

  2. How can we make use of a forensically sound process to build new tools and utilities to analyse unknown and undocumented cache file formats?

Based on findings from Chapter 4, we designed Android Cache Viewer, an open source prototype tool, to decode Android cache formats, such as WebViewComponent Cache, SQLite DB cache, Image gallery cache, Serialized Object cache and DiskLruCache. We demonstrate in Chapter 4.3 that the viewer can assist forensic investigators and law enforcement in analysing undocumented Android cache formats with ease.

1.13 Future Work


Much work in this area remains to be done. For example, a potential extension of this thesis is to add plugins for other undocumented cache file structures, to add new cache formats as they are introduced, and to make each plugin an independently loadable module. The source code for the Android Cache Viewer prototype is uploaded to GitHub (https://github.com/fcidau/Android-Cache-Viewer) and released under the MIT License for collaborative further development by the open source community.

