An evidence-based Android cache forensics model



By
Felix Jeyareuben Chandrakumar




Thesis submitted to the University of South Australia

School of Information Technology & Mathematical Sciences in fulfilment

of the requirements for the degree of Master of Science

(Cyber Security and Forensic Computing)

Supervisor: Dr Kim-Kwang Raymond Choo

Associate Supervisor: Ben Martini

Adelaide, South Australia

2-Jun-2014


Chapter Guide

Chapter Guide
Table of Contents
List of Figures
List of Tables
List of Abbreviations
Abstract
Declaration
Acknowledgements
Chapter 1: Introduction
Literature Review
Conceptual Android Cache Forensic Process
A Case Study
Conclusion and Future Work
Reference list
Appendix A – Complete List of Studied Apps
Appendix B – Design and Implementation Notes
Appendix C – Source Code


Table of Contents

Chapter Guide
Table of Contents
List of Figures
List of Tables
List of Abbreviations
Abstract
Declaration
Acknowledgements
Chapter 1: Introduction
  1.1 Overview
  1.2 Research aims and questions
  1.3 Summary of Thesis Chapters
Literature Review
  1.4 Google Android
  1.5 PC Caches
  1.6 Forensic Models
  1.7 Literature gaps
    2.2.1 Cache Diversity
    2.2.2 Undocumented Caches
    2.2.3 Lack of Analysis Tools
    2.2.4 Rapid Changes
Conceptual Android Cache Forensic Process
  1.8 Extending McKemmish’s Model
    1.8.1.1 Classification
    1.8.1.2 Extraction
    1.8.1.3 Cache Analysis
    1.8.1.4 Cache Reports
A Case Study
  1.9 Experimental Setup
    1.9.1 Assumptions
      1.9.1.1 Android mobile phone is rooted
      1.9.1.2 Developer mode enabled
      1.9.1.3 USB debugging is enabled
      1.9.1.4 Internal storage is not encrypted
    1.9.2 Hardware Used
    1.9.3 Cache Locations
    1.9.4 Acquisition of cache and data partitions
    1.9.5 Acquisition using dd
      1.9.5.1 Connect the Android device to the computer
      1.9.5.2 Go to super-user mode
      1.9.5.3 List the mounted partitions
      1.9.5.4 Unmount the partitions
      1.9.5.5 Take image of the partitions
  1.10 Findings
    1.10.1 System caches
    1.10.2 Application caches
      1.10.2.1 Generic Caches
      1.10.2.2 Webview Cache
      1.10.2.3 SQLite DB Cache
      1.10.2.4 Image Cache
      1.10.2.5 Serialized Java Objects
      1.10.2.6 DiskLruCache
      1.10.2.7 Custom Format
  1.11 Open Source Android Cache Viewer Prototype
    1.11.1 cache_r.0
    1.11.2 WebView Cache
    1.11.3 YouTube Cache
    1.11.4 Android Image Gallery Cache
    1.11.5 SQLite DB Cache
    1.11.6 Unknown Cache
Conclusion and Future Work
  1.12 Research Summary
  1.13 Future Work
Reference list
Appendix A – Complete List of Studied Apps
Appendix B – Design and Implementation Notes
Appendix C – Source Code
  AndroidCacheViewer.cs
  CacheIdentity.cs
  Plugins/ CacheAbstract.cs
  CacheInterface.cs
  CacheBD0.cs
  CacheR0.cs
  Gallery3dCache.cs
  NotImplemented.cs
  SQLiteDB.cs
  WebViewCache.cs
  YouTubeCache.cs




List of Figures

Figure 1 – Android Architecture (Adapted from Gandhewar and Sheikh 2011)
Figure 2 – Model of Forensic Computing (Adapted from McKemmish 1999)
Figure 3 – Palmer's Model (Adapted from Palmer 2001)
Figure 4 – Enhanced Digital Investigation Process (Adapted from Baryamureeba & Tushabe 2004)
Figure 5 – Our proposed Android Cache Taxonomy
Figure 6 – Conceptual Android Cache Forensic Process
Figure 7 – List of files for WebView Cache
Figure 8 – JPEG and Timestamp in YouTube Cache
Figure 9 – cache_r.0 Details
Figure 10 – cache_r.0 Data
Figure 11 – WebView Cache Index
Figure 12 – WebView Cache Data
Figure 13 – WebView Cache External Data
Figure 14 – YouTube Cache
Figure 15 – Android Image Gallery
Figure 16 – SQLite DB Cache
Figure 17 – Unknown Cache



List of Tables

Table 1 – List of Apps Studied in Detail
Table 2 – Structure of cache_r.0
Table 3 – Structure of cache_bd.0
Table 4 – WebView cache index file
Table 5 – Structure of block file
Table 6 – Structure of a Cache Entry
Table 7 – Index file of Android Gallery
Table 8 – Data file of Android Gallery
Table 9 – Structure of Journal File
Table 10 – Complete List of Studied Apps




List of Abbreviations

API – Application Program Interface
DFRWS – Digital Forensic Research Workshop
ADB – Android Debugging Bridge
SD Card – Secure Digital Card
CPU – Central Processing Unit
GPU – Graphics Processing Unit
RAM – Random Access Memory
GB – Gigabytes
JPEG – Joint Photographic Experts Group
LRU – Least Recently Used
DB – Database


