Chapter Guide
Table of Contents
List of Figures
List of Tables
List of Abbreviations
Abstract
Declaration
Acknowledgements
Chapter 1: Introduction
1.1 Overview
1.2 Research aims and questions
1.3 Summary of Thesis Chapters
Literature Review
1.4 Google Android
1.5 PC Caches
1.6 Forensic Models
1.7 Literature gaps
2.2.1 Cache Diversity
2.2.2 Undocumented Caches
2.2.3 Lack of Analysis Tools
2.2.4 Rapid Changes
Conceptual Android Cache Forensic Process
1.8 Extending McKemmish’s Model
1.8.1.1 Classification
1.8.1.2 Extraction
1.8.1.3 Cache Analysis
1.8.1.4 Cache Reports
A Case Study
1.9 Experimental Setup
1.9.1 Assumptions
1.9.1.1 Android mobile phone is rooted
1.9.1.2 Developer mode enabled
1.9.1.3 USB debugging is enabled
1.9.1.4 Internal storage is not encrypted
1.9.2 Hardware Used
1.9.3 Cache Locations
1.9.4 Acquisition of cache and data partitions
1.9.5 Acquisition using dd
1.9.5.1 Connect the Android device to the computer
1.9.5.2 Go to super-user mode
1.9.5.3 List the mounted partitions
1.9.5.4 Unmount the partitions
1.9.5.5 Take image of the partitions
1.10 Findings
1.10.1 System caches
1.10.2 Application caches
1.10.2.1 Generic Caches
1.10.2.2 Webview Cache
1.10.2.3 SQLite DB Cache
1.10.2.4 Image Cache
1.10.2.5 Serialized Java Objects
1.10.2.6 DiskLruCache
1.10.2.7 Custom Format
1.11 Open Source Android Cache Viewer Prototype
1.11.1 cache_r.0
1.11.2 WebView Cache
1.11.3 YouTube Cache
1.11.4 Android Image Gallery Cache
1.11.5 SQLite DB Cache
1.11.6 Unknown Cache
Conclusion and Future Work
1.12 Research Summary
1.13 Future Work
Reference list
Appendix A – Complete List of Studied Apps
Appendix B – Design and Implementation Notes
Appendix C – Source Code
AndroidCacheViewer.cs
CacheIdentity.cs
Plugins/ CacheAbstract.cs
CacheInterface.cs
CacheBD0.cs
CacheR0.cs
Gallery3dCache.cs
NotImplemented.cs
SQLiteDB.cs
WebViewCache.cs
YouTubeCache.cs
Figure 1 – Android Architecture (Adapted from Gandhewar and Sheikh 2011)
Figure 2 - Model of Forensic Computing (Adapted from McKemmish 1999)
Figure 3 - Palmer's Model (Adapted from Palmer 2001)
Figure 4 – Enhanced Digital Investigation Process (Adapted from Baryamureeba & Tushabe 2004)
Figure 5 – Our proposed Android Cache Taxonomy
Figure 6 - Conceptual Android Cache Forensic Process
Figure 7 - List of files for WebView Cache
Figure 8 - JPEG and Timestamp in YouTube Cache
Figure 9 - cache_r.0 Details
Figure 10 - cache_r.0 Data
Figure 11 - WebView Cache Index
Figure 12 - WebView Cache Data
Figure 13 - WebView Cache External Data
Figure 14 - YouTube Cache
Figure 15 - Android Image Gallery
Figure 16 - SQLite DB Cache
Figure 17 - Unknown Cache
Table 1 – List of Apps Studied in Detail
Table 2 - Structure of cache_r.0
Table 3 - Structure of cache_bd.0
Table 4 - WebView cache index file
Table 5 - Structure of block file
Table 6 - Structure of a Cache Entry
Table 7 - Index file of Android Gallery
Table 8 - Data file of Android Gallery
Table 9 - Structure of Journal File
Table 10 – Complete List of Studied Apps