Android Forensics:
               Exploring Android Internals and Android Apps

Moe Tanabian
Devices used –

    Examples in this presentation are demonstrated on the following
    devices:

                 Google Galaxy Nexus (Samsung, ICS 4.0.3)
                 HTC Thunderbolt (Gingerbread 2.3.4)

A quick overview of Android Devices –


Software:

§  A patched version of the Linux kernel

§  Overhauled user space: bionic libc, utilities

§  Application sandboxing based on uid/gid: each application is assigned its own
    uid at install time, so its private data directory is protected from other apps

§  Permission model for access to system resources (e.g. phone HW, databases, etc.)

§  Applications are written in Java and run in the Dalvik VM

§  Native code can be called through JNI

Hardware:

§  Mostly ARM based, x86 becoming more popular

§  Form factors: smartphones, tablets, TVs, ebook readers, refrigerators, etc.
Outline




 Android System Acquisition and Analysis

 Analyzing Android Applications

 Other tools and references




The 3 levels of accessing data on an Android Device – Accessing the Device,
Physical Extraction, and Logical Extraction


      1. Device access   ->   2. Physical Data Extraction   ->   3. Logical Data Extraction

Device access




  1



           Source: http://www.ifixit.com/
Bypassing Security – Bypassing pattern by Smudge Attack


•  There is published research proposing that the Android unlock pattern
   can be recovered by photographing the oily residue ("smudge") the user's
   finger leaves on the screen, under controlled lighting and with contrast
   adjustment

•  While there is some merit in this, it is still hard to do consistently:
   the residue can be smeared or overwritten by later use of the screen,
   and a clean photograph needs a careful lighting setup

      [Figures: photography and lighting setup; smudge pattern on a device,
       before and after contrast adjustment]

      Source: Smudge Attacks on Smartphone Touch Screens, By: Adam J. Aviv, et al.
Bypassing Security – Bypassing security code


•  If you can obtain the user's Google (Gmail) account credentials: after 5
   failed attempts Android offers to unlock the device with the Google
   account, which lets you reset the pass code

•  If not:
     •  Reboot into bootloader mode (or hold volume-down + power, etc.)

             $ adb reboot bootloader

     •  Using fastboot, boot a different ROM, e.g. the ClockworkMod recovery
        image, which gives you an adb shell with root

     •  Remove the key file that holds the lock-screen challenge:
             $ adb shell
             $ su
             # cd /data/system
             # rm gesture.key
        Or in case of password or PIN:
             # rm password.key

     •  Caveat: this alters /data, and on a device whose bootloader still has
        to be unlocked, the unlock itself normally wipes user data. Do this
        only after physical extraction, and document it

Network isolation – Making device unreachable

A shielded box or tent (Faraday cage) isolates the device from cellular,
Wi-Fi and Bluetooth so it cannot be manipulated remotely (for example locked
or wiped by a remote-wipe command) while it is being examined. Isolation
also stops new messages and sync traffic from changing the evidence on the
device.

      [Figures: a Faraday tent; a Faraday cage work desk ("Don't try this
       at Home!")]

Physical Extraction




  2



Android Mass Storage – MTD, FTL, MMC, eMMC

     §  The Linux kernel is designed to deal with block (sectorized) storage
         devices
     §  Raw flash storage is not a block device: it must be erased in large
         erase blocks before it can be rewritten, and it wears out
     §  SSD, MMC, eMMC, RS-MMC, SD, mini-SD, micro-SD, USB flash drives,
         CompactFlash, MemoryStick and other FTL devices are block devices,
         not raw flash devices: the FTL is built into the HW (the card's
         controller)
     §  To use a conventional file system (e.g. ext2, ext3, ext4, XFS, JFS,
         FAT) on top of a raw flash device, an abstraction layer, the "Flash
         Translation Layer" or FTL, is needed

      Source: http://www.linux-mtd.infradead.org/faq/general.html
Android Mass Storage – MTD, FTL, MMC, eMMC
More recent Android devices use eMMC, which is a block device and does not
require a software FTL, hence no MTD


              Earlier Android devices                 More recent Android devices
              -----------------------                 ---------------------------
              Applications                            Applications
              File system, e.g. YAFFS2                File system, e.g. ext4
                (flash-aware: talks to MTD directly;
                 a conventional fs would sit on the
                 mtdblock FTL instead)
              FTL (mtdblock, SW)                      FTL (in the eMMC controller, HW)
              MTD (SW)
              Raw Flash (HW)                          Raw Flash (HW)

Android Mass Storage – MTD, FTL, MMC, eMMC

     §  MTD (Memory Technology Device) is the kernel's raw flash layer; its
         mtdblock driver provides a very simple FTL: block interface, ECC,
         wear leveling and a few other functions
     §  Android devices with raw NAND use MTD (and, for conventional file
         systems, the mtdblock FTL); eMMC-based devices do not
     §  Wear leveling redirects each rewrite of a logical block to a different
         physical block, so that no physical block is rewritten repeatedly
         before all blocks have been used

      [Figure: wear leveling in an FTL]
      Source: http://lwn.net/Articles/428793/
Android Mass Storage – SD and eMMC


    §  Android's partitions appear as /dev/block/* (eMMC, SD) or /dev/mtd/*
        (raw flash), depending on the device


        # cat /proc/mtd
            dev:     size   erasesize    name
            mtd0: 00100000 00001000 "w25q80"
        shell@android:/dev/mtd # ls -l /dev/mtd
            crw-rw---- media     media           90,   0 2012-05-10 02:54 mtd0
            crw------- root      root            90,   1 2012-05-10 02:54 mtd0ro

    §  Sizes in /proc/mtd are hex bytes (here 0x100000 = 1 MiB, in 0x1000-byte
        erase blocks); mtd0ro is the read-only node of the same partition and
        the one to use when dumping it

Physical data extraction– Write blockers


     •  When performing physical extraction, use a write blocker to
        protect the data on the device against accidental writes or
        writes caused by a malfunction
     •  Note that a USB write blocker only protects storage the phone
        exposes as a USB mass-storage device (e.g. the SD card); it does
        not police adb traffic to the device
     •  The last option, which is often destructive to the device, is to
        un-solder the flash chip and use special tools to read its content

                                                USB Write Blocker

Physical data extraction – dd, dc3dd: identify the partitions first (mount)


  # mount
  rootfs / rootfs rw,relatime 0 0
  tmpfs /dev tmpfs rw,relatime,mode=755 0 0
  devpts /dev/pts devpts rw,relatime,mode=600 0 0
  proc /proc proc rw,relatime 0 0
  sysfs /sys sysfs rw,relatime 0 0
  /dev/block/mmcblk0p25 /system ext3
          rw,relatime,errors=continue,barrier=0,data=ordered 0 0
  /dev/block/mmcblk0p26 /data ext3
          rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
  /dev/block/mmcblk0p27 /cache ext3
          rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
  /dev/block/mmcblk0p29 /devlog ext3
          rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
  ....

  The mount table tells you which block device backs /data, /system and
  /cache. Note that all of them are mounted rw here, so an image taken
  from the running system is not a clean snapshot; prefer imaging from
  recovery, where the partitions are not mounted.

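As an added example (not from the deck), the following Python helper turns the /proc/mtd listing from the SD/eMMC slide and the mount listing above into an inventory of what to image: each MTD partition with its size, erase-block count and the read-only mtdNro node to dump from, and the /dev/block device behind /data, /system and /cache, flagged when it is still mounted read-write. The sample inputs are constructed from the lines on the slides; the second MTD line ("boot") is invented for illustration.

```python
import re

# Constructed sample inputs shaped like the /proc/mtd and mount listings on the
# slides; the second MTD line ("boot") is invented for illustration.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00100000 00001000 "w25q80"
mtd1: 00a00000 00020000 "boot"
"""

MOUNT = """rootfs / rootfs rw,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
proc /proc proc rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
"""

# mtd0: 00100000 00001000 "w25q80"  ->  dev, size (hex bytes), erasesize (hex bytes), name
MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """One dict per MTD partition, with the hex sizes converted to bytes."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if not m:
            continue  # the "dev: size erasesize name" header, or noise
        dev, size, erase, name = m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
        parts.append({
            "dev": dev,
            "name": name,
            "size": size,
            "erasesize": erase,
            "erase_blocks": size // erase,
            # /dev/mtd/mtdNro is the read-only character node (minor 1 for mtd0 on
            # the slide): dump from it so a typo cannot turn the acquisition into a write.
            "dump_from": "/dev/mtd/%sro" % dev,
        })
    return parts


def parse_mount(text):
    """Map mount point -> (device, fstype, set of mount options) from `mount` output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        table[mnt] = (dev, fstype, set(opts.split(",")))
    return table


def imaging_targets(mounts, wanted=("/data", "/system", "/cache")):
    """The block devices to hand to dd, flagging partitions still mounted read-write."""
    targets = []
    for mnt in wanted:
        if mnt not in mounts:
            continue
        dev, fstype, opts = mounts[mnt]
        if not dev.startswith("/dev/block/"):
            continue  # rootfs, tmpfs, proc: nothing to image
        targets.append({"mount": mnt, "device": dev, "fstype": fstype,
                        "mounted_rw": "rw" in opts})
    return targets


if __name__ == "__main__":
    for p in parse_proc_mtd(PROC_MTD):
        print("%(dev)s %(name)-8s %(size)9d bytes %(erase_blocks)4d erase blocks, dump from %(dump_from)s" % p)
    for t in imaging_targets(parse_mount(MOUNT)):
        note = "  (still mounted rw: image from recovery or remount ro first)" if t["mounted_rw"] else ""
        print("%(mount)-8s %(device)s %(fstype)s" % t + note)
```

Feed it the real output of "adb shell cat /proc/mtd" and "adb shell mount" saved to files; the mounted_rw flag is the check to make before trusting a live image.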
Physical data extraction – dd, dc3dd

         # dd if=/dev/block/platform/omap/omap_hsmmc.0/by-name/cache
                of=/sdcard/cache.imgdd
         # md5sum /sdcard/cache.imgdd

         On the host:
         $ adb pull /sdcard/cache.imgdd ./cache.imgdd
         $ md5sum cache.imgdd

         $ od -x cache.imgdd

         $ strings cache.imgdd | grep <desired pattern regex>

         Hash the image on the device (BusyBox md5sum) and again after pulling
         it; the two hashes must match, otherwise the copy is not usable (dc3dd
         computes the hash while imaging). Write the image to a real external
         SD card or stream it off the device: on devices where /sdcard is
         emulated inside /data (e.g. the Galaxy Nexus), dd'ing userdata to
         /sdcard writes into the very partition being imaged.

JTAG, Chip-off – The last resorts



  •  If all other access methods fail, JTAG access or chip-off (de-soldering
     of the flash chip) can provide access to the device's internal flash:

       •  With JTAG (and using a tool such as Riff-Box) it is possible to put
          the CPU in debug mode and dump the content of the internal flash
          through it, without booting the device's OS

       •  The last option, which is often destructive to the device, is to
          un-solder the flash chip and use special tools to read its content

      [Figures: Samsung Galaxy S JTAG pin-outs; connecting a Galaxy S to a Riff-Box]
      Source: http://www.bongozone.com/jtag-service-i9000-unbrick-others/

Logical Extraction




   3



Getting ready for logical extraction: to Root or Not to Root –


Rooting an Android device

   §  Rooting can change the state of the data on the device and destroy
      information
   §  Nonetheless, a rooted device provides full access, and most of the
      techniques here require root
   §  A ROM is the collection of software that makes the device work:
         §  Kernel
         §  The rest of the OS
         §  Drivers
         §  Configuration files
         §  System apps
   §  ROMs are usually provided by the manufacturer and customized by the
      mobile operator
   §  There are also custom ROMs that enhance some functions of the standard
      ROM and remove some of its limitations, e.g. the CyanogenMod ROM
   §  Before you can run a custom ROM you need to boot into recovery mode
      and flash the ROM file; flashing writes to the device, so do it only
      after physical extraction if that is an option

Three different ways to perform logical extraction on an Android device:


   adb pull
       §  Can be done recursively
       §  Use tar to create an archive
       §  Use gzip to compress it

   sqlite3
       §  Access to all SQLite databases on the device, including those of
          system apps
       §  No programming needed
       §  Can use familiar SQL statements

   Accessing Content Providers
       §  Can be done programmatically
       §  Can be used to build forensic data collection tools
       §  Access to over 45 Content Providers on the device

Getting ready for logical extraction – Busybox


   §  Get and install BusyBox on the device

   BusyBox: the most common Unix commands, in one binary, for the Android shell

Getting ready for logical extraction – BusyBox

 # busybox
 BusyBox is a multi-call binary that combines many common Unix utilities into a single
 executable. Most people will create a link to busybox for each function they wish to
 use and BusyBox will act like whatever it was invoked as.

 Currently defined functions:
           [, [[, ash, awk, base64, basename, blkid, bunzip2, bzcat, bzip2, cal,
           cat, chat, chattr, chgrp, chmod, chown, chroot, chrt, cksum, clear,
           comm, cp, crond, crontab, cut, date, dd, depmod, devmem, df, diff,
           dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, echo, egrep, env,
           ether-wake, expand, expr, fakeidentd, fdflush, fdformat, fdisk, fgrep,
           find, fold, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput,
           getopt, grep, groups, gunzip, gzip, hd, head, hexdump, hostid,
           hostname, httpd, hwclock, id, ifconfig, ifenslave, inetd, inotifyd,
           insmod, install, ionice, iostat, ip, ipaddr, ipcalc, iplink, iproute,
           iprule, iptunnel, kill, killall, killall5, less, ln, logname, losetup,
           ls, lsattr, lsmod, lsof, lsusb, lzop, lzopcat, md5sum, microcom, mkdir,
           mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, modinfo,
           modprobe, more, mount, mountpoint, mt, mv, nameif, nanddump, nandwrite,
           nc, netstat, nice, nmeter, nslookup, ntpd, od, patch, pgrep, pidof,
           ping, ping6, pkill, pmap, powertop, printenv, printf, ps, pscan, pwd,
           rdate, rdev, readahead, realpath, renice, reset, rev, rfkill, rm,
           rmdir, rmmod, route, run-parts, script, scriptreplay, sed, seq,
           ...
           test, tftp, tftpd, time, timeout, top, touch, tr, traceroute,
           traceroute6, tty, ttysize, tunctl, umount, uname, uncompress, unexpand,
           uniq, unix2dos, unlzop, unzip, uptime, usleep, uudecode, uuencode,
           vconfig, vi, watch, wc, wget, which, who, whoami, whois, xargs, zcat

 Of these, dd, md5sum, nanddump, nc and tar are the ones the extraction steps below rely on.

Getting ready for logical extraction – sqlite3


   Getting sqlite3
       1.  The sqlite3 binary is only present on some development devices,
           e.g. the Google Nexus series
       2.  You can get the source code from sqlite.org and build it for ARM
       3.  Easiest way is to take the ARM binary from a running emulator's
           system image (the sqlite3 in the SDK's tools/ directory is a host
           binary and will not run on the device):

             $ adb -e pull /system/xbin/sqlite3 ./sqlite3
             $ adb -d shell
             $ su
             # mount -o remount,rw /system
             # exit
             $ exit
             $ adb -d push ./sqlite3 /system/xbin/sqlite3
             $ adb -d shell
             $ su
             # chmod 755 /system/xbin/sqlite3

           Pushing into /system requires remounting it read-write, which
           modifies the device; pushing to /data/local/tmp instead avoids
           touching /system

Logical extraction – important directories


Android file system, notable directories:

   /
     system/
       bin/            system binaries
       xbin/           extra binaries (busybox, sqlite3, su)
     data/
       data/           per-app private data: databases/, shared_prefs/, files/
       app/            installed (user) .apk files
     mnt/
       sdcard/         external or emulated storage (FAT: no Unix permissions)
     dev/
       mtd/            raw flash partitions (MTD)
       block/          block devices (eMMC, SD)

Logical extraction: adb pull with tar –


   Recursive adb pull with tar

       §  adb supports recursive pull of a whole directory
             $ adb pull <remote> <local>

       §  Example: archive all installed .apk files on the device (tar and
          gzip come from BusyBox), then pull the archive:
             $ adb shell
             $ su
             # cd /data/app
             # tar -cvf /sdcard/all-apps.tar ./*.apk
             # gzip /sdcard/all-apps.tar
             # exit
             $ exit
             $ adb pull /sdcard/all-apps.tar.gz ./
             $ tar -xzvf all-apps.tar.gz

Logical extraction: logs –


   logcat
                         Example:
                         $ adb logcat -d > logs
                         $ cat logs

                         I/SystemServer( 197): Wi-Fi P2pService
                         I/SystemServer( 197): Wi-Fi Service
                         I/SystemServer( 197): Connectivity Service
                         D/ConnectivityService( 197): ConnectivityService starting up
                         I/ActivityManager( 197): Config changed: {1.0 0mcc0mnc en_US
                         layoutdir=0 sw360dp w360dp h592dp nrml port ?uimode ?night
                         finger -keyb/v/h -nav/h s.3}
                         E/ConnectivityService( 197): Ignoring protectedNetwork 10
                         E/ConnectivityService( 197): Ignoring protectedNetwork 11
                         E/ConnectivityService( 197): Ignoring protectedNetwork 12
                         E/MobileDataStateTracker( 197): default: Ignoring feature
                         request because could not acquire PhoneService
                         E/MobileDataStateTracker( 197): default: Could not enable APN
                         type "default"
                         D/NetworkManagementService( 197): Registering observer
                         D/NetworkManagementService( 197): Registering observer
                         I/WifiService( 197): WifiService starting up with Wi-Fi enabled
                         D/NetworkManagementService( 197): rsp <213 00:90:4c:11:22:33
                         0.0.0.0 0 [down broadcast multicast]>

                         Each line is priority/tag(pid): message. -d dumps the
                         buffer and exits instead of streaming; -v time adds
                         timestamps. The log buffer lives in memory, so capture
                         it before the device is rebooted.

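As an added example that is not part of the deck, a small Python parser for the brief logcat format shown above, with the two things one usually wants from a captured log: filtering by minimum priority (what "adb logcat *:W" would give) or by tag, and pulling identifiers such as hardware addresses out of the messages. The sample lines are constructed after the slide; the PackageManager line is invented for illustration.

```python
import re
from collections import Counter

# Constructed logcat lines in adb's default "brief" format, priority/tag(pid): message,
# modelled on the slide (the PackageManager line is invented for illustration).
SAMPLE_LOGCAT = """I/SystemServer(  197): Wi-Fi Service
D/ConnectivityService(  197): ConnectivityService starting up
E/ConnectivityService(  197): Ignoring protectedNetwork 10
E/MobileDataStateTracker(  197): default: Could not enable APN type "default"
I/WifiService(  197): WifiService starting up with Wi-Fi enabled
D/NetworkManagementService(  197): rsp <213 00:90:4c:11:22:33 0.0.0.0 0 [down broadcast multicast]>
W/PackageManager(  197): Package com.example.app has mismatched uid: 10045 on disk, 10047 in settings
--------- beginning of /dev/log/main
"""

LEVELS = "VDIWEF"   # verbose .. fatal, in increasing severity
BRIEF = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s?(.*)$")


def parse_logcat(text):
    """Parse brief-format lines into dicts; lines that are not log records
    (logcat's own "--------- beginning of" banners, wrapped text) are skipped."""
    records = []
    for line in text.splitlines():
        m = BRIEF.match(line)
        if m:
            records.append({"level": m.group(1), "tag": m.group(2).strip(),
                            "pid": int(m.group(3)), "msg": m.group(4)})
    return records


def filter_records(records, min_level="W", tag=None):
    """Keep records at or above min_level (like `adb logcat *:W`), optionally for one tag."""
    floor = LEVELS.index(min_level)
    return [r for r in records
            if LEVELS.index(r["level"]) >= floor and (tag is None or r["tag"] == tag)]


def tag_histogram(records):
    """Which components were talkative: a quick map of what was running."""
    return Counter(r["tag"] for r in records)


def mac_addresses(records):
    """Hardware addresses that leaked into the log (here the Wi-Fi interface's)."""
    rx = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
    return sorted({mac for r in records for mac in rx.findall(r["msg"])})


if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOGCAT)
    print("%d records, by tag: %s" % (len(recs), dict(tag_histogram(recs))))
    for r in filter_records(recs, "W"):
        print("%s/%s(%d): %s" % (r["level"], r["tag"], r["pid"], r["msg"]))
    print("MACs:", mac_addresses(recs))
```

Run it over the "logs" file saved with adb logcat -d; if the capture was made with -v time, extend BRIEF with the leading timestamp field before the priority.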
Logical extraction: snooping around with sqlite3 –

 shell@android:/ # find data -name "*.db" -print | wc -l
      74 (this count is only for this device)

 shell@android:/ # find data -name "*.db" -print
      data/data/com.google.android.browser/app_appcache/ApplicationCache.db
      data/data/com.google.android.browser/app_databases/Databases.db
      data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
      data/data/com.android.providers.calendar/databases/calendar.db
      data/data/com.android.providers.contacts/databases/profile.db
      data/data/com.android.providers.contacts/databases/contacts2.db
      data/data/com.android.providers.downloads/databases/downloads.db
      data/data/com.google.android.email/databases/EmailProvider.db
      data/data/com.google.android.gm/databases/internal.mometan@gmail.com.db
      data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db
      data/data/com.google.android.gm/databases/webviewCookiesChromium.db
      data/data/com.google.android.music/databases/music.db
      data/data/com.android.providers.telephony/databases/telephony.db
      data/data/com.android.providers.telephony/databases/mmssms.db
      data/system/accounts.db

          DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
Logical extraction: sqlite3 –


   Useful sqlite3 commands
                          # sqlite3 <path to .db file>
                          sqlite>
                                .help
                                .databases
                                .tables
                                .schema <TABLE>
                                .header on
                                .mode <column | line>
                                .output <FILE NAME>

                          Example:
                          sqlite> select * from accounts;
                          sqlite> select * from sms where rowid < 5;

Logical extraction: snooping around with sqlite3 –

 # sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db

 sqlite> .schema accounts
      CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
 sqlite> select * from accounts;
      ||tanabianmoe@gmail.com|

 sqlite> .mode line
 sqlite> select data1 from data;
        ||tanabianmoe@gmail.com|


 sqlite> select * from data;

        8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/
        595d6cef09539135|||0
        8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10
        8450||11|1154|0|0|0|0|||||||||||||||||||10
        8451||3|1154|0|0|0|0|||||||||||||||||||10
        8452||12|1154|0|0|0|0||||||||4|5||||||||||10
        8453||1|1154|0|1|0|1|john.ford@myemail.com|1|||||||||||||||||10
        8454||8|1154|0|0|0|0|123 Spring Dale st.
        Beverly Hills, CA 90210
        USA|1||123 Spring Dale st.|||Beverly Hills|CA|90210|USA|||||||||10
        8455||10|1154|0|0|0|0|8||||||||||||||||||10
        8456||5|1154|0|0|0|0|+1-310-555-1876|2||+13105551876|||||||||||||||10
        8457||15|1154|0|0|0|0|www.johnfordontheweb.com|3|||||||||||||||||10
        8458||9|1155|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/
        795ec48099e213e|||0
        8459||7|1155|0|0|0|0|Jenny Hackson|Jenny|Hackson|||||||1|3||||||||10
 ...

 The data table holds one row per contact field (name, e-mail, phone, postal
 address, ...); the third column is mimetype_id and the fourth raw_contact_id,
 so join with the mimetypes table to label each row and group rows by contact.

           DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
Logical extraction: snooping around with sqlite3 –

 #
 # sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db

 sqlite> .mode column
 sqlite> .header on

 sqlite> select address, date, body from sms;

         address             date                    body
         ------------        -------------           -----------------------------------------------------
         +11113272608        1336592918275           AT&T Free Msg: Welcome to GoPhone! To learn more ...
         310498xxxx          1336720180796           Hey, nice day today. Up for a hike?:-)
         +1310498xxxx        1336720230196           Hike sounds good:) kahuna beach canyon?
         310498xxxx          1336720272373           Laguna is good. See you at 5:30.

 sqlite>

                   date is ms since 1/1/1970 UTC: 1336720230196 is Fri, 11 May 2012 07:10:30 GMT
 ...

           DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
Logical extraction: snooping around with sqlite3 –

 #
 # sqlite3 /data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db
 sqlite> .schema messages

 CREATE TABLE messages (_id INTEGER PRIMARY KEY,messageId INTEGER,conversation
 INTEGER,fromAddress TEXT,toAddresses TEXT,ccAddresses TEXT,bccAddresses
 TEXT,replyToAddresses TEXT,dateSentMs INTEGER,dateReceivedMs INTEGER,subject TEXT,snippet
 TEXT,listInfo TEXT,personalLevel INTEGER,body TEXT,bodyEmbedsExternalResources
 INTEGER,joinedAttachmentInfos STRING,synced INTEGER,error TEXT, clientCreated INTEGER,
 refMessageId INTEGER DEFAULT 0, forward INTEGER DEFAULT 0, includeQuotedText INTEGER DEFAULT
 0, quoteStartPos INTEGER DEFAULT 0, bodyCompressed BLOB DEFAULT NULL, customFromAddress TEXT
 DEFAULT NULL, queryId INTEGER DEFAULT 1, UNIQUE(messageId));

 sqlite> select fromAddress, toAddresses, dateSentMs, subject from messages;

 fromAddress                                                toAddresses                       dateSentMs        subject
 -------------------------------------------------          --------------------------        -------------     --------------------------
 "Google+ team" <noreply-daa26fef@plus.google.com>          "" <tanabianmoe@gmail.com>        1336438677000     Getting started on Google+
 "Gmail Team" <mail-noreply@google.com>                     "Moe Tanabian" <tanabianmo        1336438616000     Customize Gmail with color
 "Gmail Team" <mail-noreply@google.com>                     "Moe Tanabian" <tanabianmo        1336438616000     Import your contacts and o
 "Gmail Team" <mail-noreply@google.com>                     "Moe Tanabian" <tanabianmo        1336438613000     Get Gmail on your mobile p


 sqlite>
                   dateSentMs is ms since 1/1/1970 UTC: 1336438613000 is Tue, 08 May 2012 00:56:53 GMT

           DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
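The sms query from the mmssms.db slide and the epoch-millisecond dates annotated on both this slide and that one, as an added Python example that is not from the deck: it builds a constructed mmssms.db look-alike (the rows follow the slide; the type column, 1 = received, 2 = sent, is a real column of the sms table but its values here are made up), opens it read-only so nothing can be written to the evidence copy, and renders the date column the way the slide annotations do. The same ms_to_gmt() applies to Gmail's dateSentMs and dateReceivedMs.

```python
import os
import pathlib
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed rows shaped like the `sms` query on the slide (address, date, body),
# plus the real `type` column: 1 = received (inbox), 2 = sent. Not real traffic.
SAMPLE_SMS = [
    ("+11113272608", 1336592918275, 1, "AT&T Free Msg: Welcome to GoPhone! To learn more ..."),
    ("310498xxxx",   1336720180796, 1, "Hey, nice day today. Up for a hike?:-)"),
    ("+1310498xxxx", 1336720230196, 2, "Hike sounds good:) kahuna beach canyon?"),
    ("310498xxxx",   1336720272373, 1, "Laguna is good. See you at 5:30."),
]
SMS_TYPE = {1: "received", 2: "sent", 3: "draft", 4: "outbox"}


def ms_to_gmt(ms):
    """Android stores timestamps as milliseconds since 1970-01-01 UTC (the `date` column
    of sms, dateSentMs/dateReceivedMs of Gmail's messages); render them as on the slides."""
    return datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_sample_db(path):
    """Write a small mmssms.db look-alike so the dump below runs offline."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, "
                 "type INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", SAMPLE_SMS)
    conn.commit()
    conn.close()


def dump_sms(path):
    """The slide's `select address, date, body from sms`, read-only and with the
    epoch-milliseconds converted to GMT. mode=ro means neither a stray UPDATE nor
    a journal file can touch the evidence copy."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    finally:
        conn.close()
    return [{"address": a, "date_ms": d, "when": ms_to_gmt(d),
             "direction": SMS_TYPE.get(t, "type %d" % t), "body": b} for a, d, t, b in rows]


def demo():
    """Build the sample database in a temp file, dump it, clean up, return the rows."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return dump_sms(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    for r in demo():
        print("%-13s %-8s %s  %s" % (r["address"], r["direction"], r["when"], r["body"]))
    print(ms_to_gmt(1336438613000))   # the Gmail dateSentMs annotated on the slide above
```

Point dump_sms() at a pulled mmssms.db to get the same listing from real data; working on the pulled copy, never on the database still on the device, is what keeps the on-device evidence untouched.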
Logical extraction: Content Providers – build a forensics data-collection tool


 •  Content Providers: Android's standard interface for exposing an app's
    stored data (usually a SQLite database) to other apps, with a uniform
    API for access and manipulation

 •  Some useful Content Providers for forensic purposes:

     •  Browser: bookmarks, browsing history, etc.

     •  CallLog: missed calls, call details, etc.

     •  Contacts: contact details

     •  MediaStore: media files (audio, video, images, etc.)

                                            Source: http://ofps.oreilly.com/titles/9781449390501/Main_Building_Blocks.html

Logical extraction: Content Providers – build a forensics data-collection tool


 •  The data of a content provider is always addressed via a URI, which is
    how the provider exposes its data without revealing where it is stored:

     •  General URI format:
          <standard_prefix>://<authority>/<data_path>/<id>

          content://com.android.contacts/data/phones/2


 •  Content Providers allow CRUD operations to be performed on the data:

     •  Create, Read, Update, Delete (insert, query, update, delete)

 •  Queries return a Cursor object, a SQL-like result set, obtained here
    through managedQuery() (deprecated since API 11 in favour of
    CursorLoader, but still usable); the caller must hold the permission
    the provider declares, e.g. READ_CONTACTS

Logical extraction: Content Providers – build a forensics data-collection tool


 Steps to query a content provider:


    1. Identify the URI of the desired content provider

    2. Create a projection (a String array holding the names of the
       columns to query)

    3. Use managedQuery() to query the CP into a Cursor object

    4. Add the needed permissions to AndroidManifest.xml (without them the
       query throws a SecurityException)

Logical extraction: Content Providers – build a forensics data-collection tool

 package com.example.ContentProvider;

 import android.app.ListActivity;
 import android.database.Cursor;
 import android.net.Uri;
 import android.os.Bundle;
 import android.provider.ContactsContract;
 import android.widget.SimpleCursorAdapter;

 public class ContentProviderActivity extends ListActivity {
     /** Called when the activity is first created. */
     @Override
     public void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
         setContentView(R.layout.main);

         // 1. URI of the content provider to query
         Uri allContacts = Uri.parse("content://contacts/people");

         // 2. Projection: the columns to return (_id is required by SimpleCursorAdapter)
         String[] columns = new String[] {
                 ContactsContract.Contacts.DISPLAY_NAME,
                 ContactsContract.Contacts._ID };

         // 3. managedQuery(uri, projection, selection (WHERE), selectionArgs, sortOrder (ORDER BY))
         Cursor c = managedQuery(allContacts, columns, null, null, null);

         int[] views = new int[] { R.id.contactName, R.id.contactID };
         SimpleCursorAdapter adapter =
                 new SimpleCursorAdapter(this, R.layout.main, c, columns, views);
         this.setListAdapter(adapter);
     }
 }

Logical extraction: Content Providers – build a forensics data-collection tool

 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="com.example.ContentProvider"
     android:versionCode="1"
     android:versionName="1.0" >

     <uses-sdk android:minSdkVersion="7" />
     <!-- 4. Permissions: needed to query the contacts provider -->
     <uses-permission android:name="android.permission.READ_CONTACTS" />
     <application
         android:icon="@drawable/ic_launcher"
         android:label="@string/app_name" >
         <activity
             android:name="com.example.ContentProvider.ContentProviderActivity"
             android:label="@string/app_name" >
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
         </activity>
     </application>

 </manifest>

Logical extraction: Content Providers – Let’s put it all together

                                   [Demo]

Outline




 Android System Acquisition and Analysis

 Analyzing Android Applications

 Other tools and references




Android Applications – The development flow

    Manifest + Resources + Assets  -> aapt (Android Asset Packaging Tool): create packaged resources
                                   -> packaged resource file
    Source code                    -> javac: compile to Java .class files
                                   -> dx: convert to Dalvik bytecode -> classes.dex
    Libraries (jars)               -> dx: merged into the same classes.dex
    packaged resource file + classes.dex
                                   -> apkbuilder -u: create unsigned apk -> unsigned apk
    unsigned apk + KEY             -> jarsigner: sign apk -> signed apk
    signed apk                     -> adb: publish or test (install on device / emulator)

Android Applications – Java bytecode versus Dalvik bytecode

public int method( int i1, int i2 ) {
  int i3 = i1 * i2;
  return i3 * 2;
}

Java bytecode (VM stack based):
- var 0 is "this"
- var 1 is argument #1
- var 2 is argument #2

.method public method(II)I
    iload_1
    iload_2
    imul
    istore_3
    iload_3
    iconst_2
    imul
    ireturn
.end method

Dalvik bytecode (VM register based):
- this: v1 (Ltest2;)
- parameter[0] : v2 (I)
- parameter[1] : v3 (I)

.method public method(II)I
    mul-int v0,v2,v3
    mul-int/lit8 v0,v0,2
    return v0
.end method

The stack VM moves every operand through an operand stack (eight instructions for this method); the register VM names its operands directly (three instructions), which is why smali reads more like assembly than like Java bytecode.

Source: Practice of Android Reverse Engineering, Jim Huang
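As an added illustration (not code from the deck or from Jim Huang's talk), here is a toy Python interpreter for the two listings above. It executes the eight JVM instructions through an operand stack and the three Dalvik instructions against a register file laid out as the slide describes (v0 the local, v1 this, v2/v3 the parameters), wraps arithmetic to 32 bits the way both VMs do, and checks that the two forms agree. The register layout and the "<this>" placeholder are assumptions made for the example; only the opcodes that appear in the listings are implemented.

```python
# Added example: a toy interpreter for the two listings on the slide, to make
# the stack-VM / register-VM difference concrete. It implements only the
# opcodes those listings use; it is not a JVM or Dalvik emulator.

# The two listings from the slide, as constructed input for the interpreter.
JAVA_BYTECODE = """
    iload_1
    iload_2
    imul
    istore_3
    iload_3
    iconst_2
    imul
    ireturn
"""

DALVIK_BYTECODE = """
    mul-int v0,v2,v3
    mul-int/lit8 v0,v0,2
    return v0
"""


def i32(x):
    """Wrap to a signed 32-bit int, as both VMs do for int arithmetic."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def run_java(code, this, args):
    """Execute stack-based JVM bytecode. Local slot 0 is 'this', then the
    arguments; every operand travels through the operand stack. Returns
    (result, trace) where trace lists (opcode, stack after it) per step."""
    local = [this] + list(args) + [None] * 4
    stack, trace = [], []
    for line in code.strip().splitlines():
        op = line.strip()
        if op.startswith("iload_"):
            stack.append(local[int(op[6:])])
        elif op.startswith("istore_"):
            local[int(op[7:])] = stack.pop()
        elif op.startswith("iconst_"):
            stack.append(int(op[7:].replace("m", "-")))
        elif op == "imul":
            b, a = stack.pop(), stack.pop()
            stack.append(i32(a * b))
        elif op == "ireturn":
            trace.append((op, list(stack)))
            return stack.pop(), trace
        else:
            raise ValueError("unsupported JVM opcode: " + op)
        trace.append((op, list(stack)))
    raise ValueError("method fell off the end without returning")


def reg(name):
    """'v3' -> 3"""
    return int(name.strip()[1:])


def run_dalvik(code, this, args, nregs=4):
    """Execute register-based Dalvik bytecode. Frame layout as on the slide
    (assumed here): locals first (v0), then 'this', then the parameters in
    the highest registers. Returns (result, trace) with the register file
    after each instruction."""
    regs = [None] * nregs
    regs[nregs - len(args) - 1] = this
    regs[nregs - len(args):] = list(args)
    trace = []
    for line in code.strip().splitlines():
        op, _, rest = line.strip().partition(" ")
        ops = [x.strip() for x in rest.split(",")] if rest else []
        if op == "mul-int":
            regs[reg(ops[0])] = i32(regs[reg(ops[1])] * regs[reg(ops[2])])
        elif op == "mul-int/lit8":
            regs[reg(ops[0])] = i32(regs[reg(ops[1])] * int(ops[2]))
        elif op == "return":
            trace.append((op, list(regs)))
            return regs[reg(ops[0])], trace
        else:
            raise ValueError("unsupported Dalvik opcode: " + op)
        trace.append((op, list(regs)))
    raise ValueError("method fell off the end without returning")


def compare(i1, i2):
    """Run both forms on the same inputs: (result, jvm_steps, dalvik_steps)."""
    jv, jtrace = run_java(JAVA_BYTECODE, "<this>", (i1, i2))
    dv, dtrace = run_dalvik(DALVIK_BYTECODE, "<this>", (i1, i2))
    if jv != dv:
        raise AssertionError("the two listings disagree: %r vs %r" % (jv, dv))
    return jv, len(jtrace), len(dtrace)


if __name__ == "__main__":
    # 65536 * 65536 overflows a Java int to 0 in both VMs.
    for i1, i2 in ((6, 7), (65536, 65536)):
        result, jsteps, dsteps = compare(i1, i2)
        print("method(%d, %d) = %d  [JVM: %d instructions, Dalvik: %d]"
              % (i1, i2, result, jsteps, dsteps))
    for op, stack in run_java(JAVA_BYTECODE, "<this>", (6, 7))[1]:
        print("   %-9s stack=%s" % (op, stack))
    for op, regs in run_dalvik(DALVIK_BYTECODE, "<this>", (6, 7))[1]:
        print("   %-13s regs=%s" % (op, regs))
```

The trace output is the useful part when reading smali: after `mul-int v0,v2,v3` the result sits in v0 and the parameters are untouched, whereas the JVM version has to spill the intermediate to local slot 3 and reload it.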
                                                                                                                      41
Android Applications – apktool


Getting apktool:

  1. Get and install apktool from http://code.google.com/p/android-apktool/
       1. Download the apktool-install-macos-* file
       2. Download the apktool-* file
       3. Unpack both into the /usr/local/bin directory (you must have root permissions)

  2. To unpack and decode an apk:
       $ adb pull <the apk you want>     (from /data/app)
       $ apktool d com.example.ContentProvider-1.apk ./
       $ ls -l
       -rw-r--r--   1 moetan   ANTDomain Users   801 May 13 12:41 AndroidManifest.xml
       -rw-r--r--   1 moetan   ANTDomain Users   112 May 13 12:41 apktool.yml
       drwxr-xr-x   8 moetan   ANTDomain Users   272 May 13 12:41 res
       drwxr-xr-x   4 moetan   ANTDomain Users   136 May 13 12:41 smali

  On the Gingerbread and ICS devices used here the apk files in /data/app are world-readable, so the pull works without root; the app's private data under /data/data does not. apktool decodes the binary AndroidManifest.xml and the resources back into readable XML and disassembles classes.dex into the smali/ directory.
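Once apktool has decoded the manifest, the first question for an analyst is what the app asks for and what it exposes. The script below is an added example, not part of the deck or of apktool. It applies that check to the manifest from the Permissions slide (reproduced inline as a constructed sample) or to any decoded AndroidManifest.xml given on the command line. The WATCH_PERMISSIONS set is an illustrative choice for this example, not an official Android classification, and the exported-by-default rule it applies is the one that holds for apps on the API levels of the devices used here (before API 17).

```python
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the manifest from the Permissions slide, as apktool
# writes it back out (readable XML rather than the binary AXML in the apk).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ContentProvider"
    android:versionCode="1"
    android:versionName="1.0" >
    <uses-sdk android:minSdkVersion="7" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
        <activity
            android:name="com.example.ContentProvider.ContentProviderActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Illustrative assumption for this example: permissions that give an app
# access to the kinds of data a forensic examiner cares about. Not an
# official Android classification.
WATCH_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an attribute from the android: namespace ('' if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def is_exported(tag, comp):
    """Pre-API-17 rule: an explicit android:exported wins; otherwise a
    component is exported when it declares an intent-filter, and a content
    provider is exported by default regardless."""
    flag = attr(comp, "exported")
    if flag:
        return flag.lower() == "true"
    return tag == "provider" or comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Summarise what a decoded manifest requests and what it exposes."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    perms = sorted(attr(e, "name") for e in root.iter("uses-permission"))
    exported = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_exported(tag, comp):
                exported.append("%s %s" % (tag, attr(comp, "name")))
    return {
        "package": root.get("package"),
        "min_sdk": attr(sdk, "minSdkVersion") if sdk is not None else "",
        "permissions": perms,
        "watch": [p for p in perms if p in WATCH_PERMISSIONS],
        "exported": exported,
    }


if __name__ == "__main__":
    # Usage: python audit_manifest.py [path/to/decoded/AndroidManifest.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    print(json.dumps(audit_manifest(text), indent=2))
```

For the sample app the report is short: one permission (READ_CONTACTS, which is also on the watch list) and one reachable component, the launcher activity. The same script run over the apktool output of a third-party app is a quick way to decide whether its permission list matches what it claims to do before spending time in the smali.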




                                                                                                       42
Android Applications – Disassembled code: smali (apktool)

$ cd smali/com/example/ContentProvider
$ ls -l

-rw-r--r--   1 moetan   ANTDomain Users    355 May 13 12:41 BuildConfig.smali
-rw-r--r--   1 moetan   ANTDomain Users   2400 May 13 12:41 ContentProviderActivity.smali
-rw-r--r--   1 moetan   ANTDomain Users    519 May 13 12:41 R$attr.smali
-rw-r--r--   1 moetan   ANTDomain Users    599 May 13 12:41 R$drawable.smali
-rw-r--r--   1 moetan   ANTDomain Users    640 May 13 12:41 R$id.smali
-rw-r--r--   1 moetan   ANTDomain Users    588 May 13 12:41 R$layout.smali
-rw-r--r--   1 moetan   ANTDomain Users    641 May 13 12:41 R$string.smali
-rw-r--r--   1 moetan   ANTDomain Users    616 May 13 12:41 R.smali

$ vim ContentProviderActivity.smali

Only ContentProviderActivity.smali holds application logic; BuildConfig and the R$* classes are generated by the build.


                                                                                              44
Android Applications – Disassembled code: smali (apktool)

.class public Lcom/example/ContentProvider/ContentProviderActivity;
.super Landroid/app/ListActivity;
.source "ContentProviderActivity.java"

....

# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 10
    .parameter "savedInstanceState"

    .prologue
    const/high16 v9, 0x7f03

    const/4 v8, 0x2

    const/4 v2, 0x0

    .line 16
    invoke-super {p0, p1}, Landroid/app/ListActivity;->onCreate(Landroid/os/Bundle;)V

    .line 17
    invoke-virtual {p0, v9}, Lcom/example/ContentProvider/ContentProviderActivity;->setContentView(I)V

    .line 18
    const-string v0, "content://contacts/people"

    ....

Total: 100+ LoC

The .line directives map each block back to the line of the original Java source, p0 is "this" in a non-static method, and the const-string at source line 18 is the content provider URI the activity goes on to query.
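A hundred lines of smali for a trivial activity is why nobody reads a real app's smali top to bottom. The script below is an added example, not part of the deck or of apktool: it walks .smali files and pulls out, per method, the string literals loaded with const-string and the targets of every invoke-* instruction, then reports the URI-looking strings and the framework APIs the class calls. The sample it runs on is constructed: it reproduces the opening of the slide's onCreate and continues with a plausible Uri.parse / ContentResolver.query sequence where the slide shows "....". The regular expressions cover the smali syntax used in these slides (apktool 1.x style); they are this example's own, not apktool's.

```python
import os
import re
import sys

# Constructed sample: the opening of ContentProviderActivity.smali as shown on
# the slide, continued with a plausible Uri.parse / ContentResolver.query
# sequence where the slide shows "....". Assumed for the example only.
SAMPLE_SMALI = r'''.class public Lcom/example/ContentProvider/ContentProviderActivity;
.super Landroid/app/ListActivity;
.source "ContentProviderActivity.java"

# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 10
    .parameter "savedInstanceState"

    .prologue
    const/high16 v9, 0x7f03
    const/4 v8, 0x2
    const/4 v2, 0x0

    .line 16
    invoke-super {p0, p1}, Landroid/app/ListActivity;->onCreate(Landroid/os/Bundle;)V

    .line 17
    invoke-virtual {p0, v9}, Lcom/example/ContentProvider/ContentProviderActivity;->setContentView(I)V

    .line 18
    const-string v0, "content://contacts/people"

    invoke-static {v0}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v1

    .line 19
    invoke-virtual {p0}, Lcom/example/ContentProvider/ContentProviderActivity;->getContentResolver()Landroid/content/ContentResolver;
    move-result-object v0

    invoke-virtual/range {v0 .. v5}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
    move-result-object v6

    return-void
.end method
'''

CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;\s]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*(\S+)$")
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s*"((?:[^"\\]|\\.)*)"')
INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s*(L[^;\s]+;->\S+)")
URI_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://")


def triage_smali(text):
    """Per method: the string literals it loads and the methods it invokes."""
    report = {"class": None, "methods": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            report["class"] = m.group(1)
        elif line.startswith(".method"):
            m = METHOD_RE.match(line)
            current = m.group(1) if m else line
            report["methods"][current] = {"strings": [], "calls": []}
        elif line == ".end method":
            current = None
        elif current is not None:
            m = STRING_RE.match(line)
            if m:
                report["methods"][current]["strings"].append(m.group(1))
            m = INVOKE_RE.match(line)
            if m:
                report["methods"][current]["calls"].append(m.group(1))
    return report


def find_uris(report):
    """(method, literal) for every string literal that looks like a URI:
    content:// providers, http(s):// endpoints, file:// paths and so on."""
    return [(meth, s) for meth, info in report["methods"].items()
            for s in info["strings"] if URI_RE.match(s)]


def external_calls(report):
    """Distinct call targets outside the app's own package: the framework and
    library APIs this class depends on (ContentResolver.query here)."""
    own = report["class"].rsplit("/", 1)[0] + "/" if report["class"] else ""
    return sorted({c for info in report["methods"].values()
                   for c in info["calls"] if not c.startswith(own)})


def triage_tree(root_dir):
    """Run the triage over every .smali file under an apktool output dir."""
    results = {}
    for d, _, files in os.walk(root_dir):
        for f in files:
            if f.endswith(".smali"):
                path = os.path.join(d, f)
                with open(path) as fh:
                    results[path] = triage_smali(fh.read())
    return results


if __name__ == "__main__":
    # Usage: python triage_smali.py [apktool-output/smali]   (runs on the sample if omitted)
    if len(sys.argv) > 1:
        reports = triage_tree(sys.argv[1])
    else:
        reports = {"<sample>": triage_smali(SAMPLE_SMALI)}
    for path, rep in sorted(reports.items()):
        uris = find_uris(rep)
        if not uris:
            continue
        print("%s  (%s)" % (path, rep["class"]))
        for meth, uri in uris:
            print("  %s loads %s" % (meth, uri))
        for call in external_calls(rep):
            print("  calls %s" % call)
```

On the sample this reports the one content:// URI in onCreate and three framework calls (ListActivity.onCreate, Uri.parse, ContentResolver.query), which is exactly the summary you want before opening the file: this class reads the contacts provider. Strings built at runtime or decrypted from resources will not show up, so an empty result means "nothing obvious", not "nothing there".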


                                                                                                45
Android Applications – Decompiling apk using dex2jar, jd-gui


Getting dex2jar, jd-gui:

  1. Get and install the dex2jar tool and a jar decompiler
       1. http://code.google.com/p/dex2jar/
       2. Download the dex2jar-x.x.x.x.tar.gz file (x: version digits)
       3. http://java.decompiler.free.fr/?q=jdgui, and install the .dmg file

  2. To convert the apk's classes.dex to a jar and decompile it:
       $ dex2jar.sh com.example.ContentProvider-1.apk
       $ ls -l *jar
       -rw-r--r-- 1 moetan ANTDomain Users 4278 May 13 15:20 com.example.ContentProvider-1_dex2jar.jar

       $ jd-gui com.example.ContentProvider-1_dex2jar.jar &

  dex2jar translates the Dalvik bytecode back into Java bytecode, so what jd-gui shows is a reconstruction, not the original source: class, method and field names survive only if the app was not obfuscated, and the decompiler can render control flow differently from what the developer wrote. Use it to read the logic quickly, and fall back to the smali where the two disagree.




                                                                                                          46
Android Applications – jd-gui .jar decompiler






                                                47
Outline




 Android System Acquisition and Analysis

 Analyzing Android Applications

 Other tools and references




                                           48
Commercial tools


Cellebrite UFED
  •  Standalone device
  •  Can extract data from 1600+ devices
  •  Covers Android devices
  •  Built-in SIM reader and cloner
  •  Can store output on SD, Flash or PC
  •  http://www.cellebrite.com/mobile-forensics-products

EnCase Forensic
  •  Software solution
  •  Android, Blackberry, iOS and WinMobile
  •  Device Settings
  •  Contacts, Call logs
  •  E-mail
  •  Images
  •  SMS/MMS
  •  Calendars
                                                                              49
Commercial tools


Micro Systemation XRY
  •  Software and Hardware bundle
  •  Comes in different packaging for lab, field, etc.
  •  Built-in SIM reader and cloner
  •  Runs on Windows
  •  Supports Physical and Logical extractions
  •  http://www.msab.com/xry

viaForensics viaExtract
  •  Software solution
  •  Logical recovery of
       •  call logs,
       •  contacts, browser history,
       •  SMS/MMS
  •  Logical extraction
  •  https://viaforensics.com/products/viaextract/

                                                                          50
Further reading




                  51
Thank You!



Moe Tanabian
 @motanabian




               52

 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 

Android Forensics: Exploring Android Internals and Android Apps

  • 1. Android Forensics: Exploring Android Internals and Android Apps Moe Tanabian
  • 2. Devices used – Examples in this presentation are demonstrated on the following devices: Google Galaxy Nexus (Samsung, ICS 4.0.3) and HTC Thunderbolt (Gingerbread 2.3.4).
  • 3. A quick overview of Android Devices – Software: a patched version of the Linux kernel; an overhauled user space (bionic libc, utilities); application sandboxing based on uid/gid, with one uid per application so that each app's data is protected from other apps; a permission model for access to system resources (e.g. phone hardware, databases, etc.); Java applications run in the Dalvik VM; native code can be run through JNI. Hardware: mostly ARM based, with x86 becoming more popular; form factors include smartphones, tablets, TVs, ebook readers, refrigerators, etc.
  • 4. Outline – Android System Acquisition and Analysis; Analyzing Android Applications; Other tools and references.
  • 5. The 3 levels of accessing data on an Android Device – (1) Device access, (2) Physical Data Extraction, (3) Logical Data Extraction.
  • 6. Device access (1). Source: http://www.ifixit.com/
  • 7. Bypassing Security – Bypassing the pattern lock by smudge attack: there are research papers and proposals suggesting that one can recover the Android unlock pattern by examining the touch residue on the screen. While there is some merit in these, it is still quite hard to do consistently. (Figures: smudge pattern on a device before and after contrast adjustment; photography and lighting setup.) Source: Smudge Attacks on Smartphone Touch Screens, by Adam J. Aviv et al.
  • 8. Bypassing Security – Bypassing the security code: if you can find the user's Gmail account information, Android will let you reset the pass code through that account (offered after 5 failed attempts). If not, reboot to bootloader mode (or hold volume-down + power, etc.):
        $ adb reboot bootloader
    Using fastboot, load a different recovery image (e.g. ClockworkMod recovery), then remove the key file that backs the lock challenge:
        $ adb shell
        $ su
        # cd /data/system
        # rm gesture.key
    or, in the case of a password or PIN:
        # rm password.key
    Note that removing these files writes to /data and therefore alters the evidence on the device, and that unlocking a locked bootloader with fastboot normally performs a factory reset (wiping /data). Source: Smudge Attacks on Smartphone Touch Screens, by Adam J. Aviv et al.
  • 9. Network isolation – Making the device unreachable: a shielded box or tent (Faraday cage) isolates the device and prevents it from being manipulated remotely (e.g. a remote wipe). (Figures: a Faraday tent; a Faraday-cage work desk. Don't try this at home!)
  • 11. Android Mass Storage – MTD, FTL, MMC, eMMC: the Linux kernel is designed to deal with block (sectorized) storage devices. Raw flash storage is not a block device. SSD, MMC, eMMC, RS-MMC, SD, mini-SD, micro-SD, USB flash drives, CompactFlash, MemoryStick and other FTL devices are block devices, not raw flash devices: the FTL is built into the hardware. To use a conventional file system (e.g. ext2, ext3, ext4, XFS, JFS, FAT) on top of a raw flash device, an abstraction layer known as the Flash Translation Layer (FTL) is needed. Source: http://www.linux-mtd.infradead.org/faq/general.html
  • 12. Android Mass Storage – MTD, FTL, MMC, eMMC: more recent Android devices use eMMC, which is a block device and does not require a software FTL, hence no MTD. Storage stack on earlier Android devices: Applications → file system (e.g. YAFFS2) → MTD (software FTL) → raw flash (hardware). Storage stack on more recent Android devices: Applications → file system (e.g. ext4) → FTL built into the eMMC (hardware) → raw flash (hardware).
  • 13. Android Mass Storage – MTD, FTL, MMC, eMMC: MTD (Memory Technology Device) provides a very simple FTL: a block interface, ECC, wear leveling and a few other functions. Android devices that still use raw flash rely on the FTL that comes with MTD (mtdblock). Wear leveling maps rewritten logical blocks onto different physical blocks, so that no physical block is rewritten repeatedly before all blocks have been used. For forensics this matters: an image taken through the block interface (mtdblock) does not contain the stale physical blocks that wear leveling leaves behind, which may still hold deleted data; only a raw NAND dump (e.g. with nanddump, including OOB data) captures them. (Figure: wear leveling in the FTL, stage 1 and stage 2.) Source: http://lwn.net/Articles/428793/
  • 14. Android Mass Storage – SD and eMMC: Android's partitions appear under /dev/block, /dev/mtd, etc.
        # cat /proc/mtd
        dev:    size   erasesize  name
        mtd0: 00100000 00001000 "w25q80"
        # ls -l /dev/mtd
        crw-rw---- media    media     90,   0 2012-05-10 02:54 mtd0
        crw------- root     root      90,   1 2012-05-10 02:54 mtd0ro
  • 15. Physical data extraction – Write blockers: when performing physical extraction, use a write blocker to protect the data on the device against accidental writes or writes caused by a malfunction. The last option, which is often destructive to the device, is to unsolder the flash chip and use special tools to read its content. (Figure: USB write blocker.)
  • 16. Android Mass Storage – dd, dc3dd: first find out which block device is mounted where:
        # mount
        rootfs / rootfs rw,relatime 0 0
        tmpfs /dev tmpfs rw,relatime,mode=755 0 0
        devpts /dev/pts devpts rw,relatime,mode=600 0 0
        proc /proc proc rw,relatime 0 0
        sysfs /sys sysfs rw,relatime 0 0
        /dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
        /dev/block/mmcblk0p26 /data ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
        /dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
        /dev/block/mmcblk0p29 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
        ....
  • 17. Physical data extraction – dd, dc3dd: on the device, image a partition by name (the by-name path shown is from an OMAP-based device such as the Galaxy Nexus):
        # dd if=/dev/block/platform/omap/omap_hsmmc.0/by-name/cache of=/sdcard/cache.imgdd
    On the host:
        $ adb pull /sdcard/userdata.imgdd ./userdata.imgdd
        $ od -x userdata.imgdd
        $ strings userdata.imgdd | grep <desired pattern regex>
    Caveat: on devices where /sdcard is emulated storage living inside the userdata partition (the Galaxy Nexus is one), writing an image of userdata to /sdcard writes into the very partition being imaged; stream the image off the device instead (e.g. through adb or netcat), and record a hash of the image (e.g. with md5sum from BusyBox) on the device and again on the host so the copy can be verified.
  • 18. JTAG, Chip-off – The last resorts: if all other access methods fail, JTAG access or chip-off (de-soldering the flash chip) can provide access to the device's internal flash. With JTAG (using a tool such as the Riff-Box) it is possible to put the CPU into debug mode and dump the content of the internal flash. The last option, which is often destructive to the device, is to unsolder the flash chip and use special tools to read its content. (Figures: Samsung Galaxy S JTAG pin-outs; connecting a Galaxy S to the Riff-Box.) Source: http://www.bongozone.com/jtag-service-i9000-unbrick-others/
  • 19. Logical Extraction (3). Source: xxxxxxxx
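The `strings | grep` step on the slide above, carried a little further as an added Python example (this is not code from the original slides): hash the image so every later copy can be checked against the acquisition hash, then carve printable strings from it with their offsets (like `strings -t`) and bucket them into the artefact types a practitioner greps for. The image bytes are a constructed stand-in for a pulled userdata.imgdd, and the artefact regexes are assumptions of this example, not anything the presentation prescribes.

```python
import hashlib
import re

# Constructed stand-in for a pulled partition image (e.g. userdata.imgdd):
# mostly non-printable filler with a few artefacts embedded. Not real device data.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\xffSQLite format 3\x00"            # header of an embedded SQLite database
    + b"\x01\x02\x03" * 8
    + b"\x00john.ford@myemail.com\x00\x00"  # an e-mail address (fictional)
    + b"\x00\x01\x02\x03" * 10
    + b"+13105551876\x00"                   # a phone number (fictional)
    + b"\xde\xad\xbe\xef" * 6
    + b"Hike sounds good:) kahuna beach canyon?\x00"
    + b"\x00" * 32
)


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-256 of an image. Record these at acquisition time and again
    after every copy so the copies can be shown to be identical."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def carve_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -t d`: (offset, text) for every run of at least
    min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


# Patterns worth grepping for in a raw image (assumed for this example).
ARTEFACT_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d\-\s]{7,}\d"),
    "sqlite_header": re.compile(r"SQLite format 3"),
}


def find_artefacts(data: bytes, min_len: int = 4) -> dict:
    """Carve strings and bucket regex hits by artefact type, keeping the byte
    offset of each hit so it can be located in the image again."""
    found = {name: [] for name in ARTEFACT_PATTERNS}
    for offset, text in carve_strings(data, min_len):
        for name, pat in ARTEFACT_PATTERNS.items():
            for hit in pat.finditer(text):
                found[name].append((offset + hit.start(), hit.group()))
    return found


if __name__ == "__main__":
    print(hash_image(SAMPLE_IMAGE))
    for kind, hits in find_artefacts(SAMPLE_IMAGE).items():
        for offset, value in hits:
            print(f"{kind:14s} @ 0x{offset:06x}: {value}")
```

To use it on a pulled image, replace SAMPLE_IMAGE with the file contents (read in binary mode) and compare hash_image() against the hash recorded on the device.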
  • 20. Getting ready for logical extraction: to root or not to root – Rooting can change the state of the data on the device and destroy information. Nonetheless, a rooted device provides full access, and most of the techniques here require root. A ROM is the collection of everything that makes the device work: the kernel, the rest of the OS, drivers, configuration files and system apps. ROMs are usually provided by the manufacturer and customized by the mobile operator. There are also custom ROMs (e.g. CyanogenMod) that enhance some functions of the stock ROM and remove some of its limitations. Before you can run a custom ROM, you need to boot into recovery mode and flash the ROM file.
  • 21. Three different ways to perform logical extraction on an Android device: (1) adb pull: can be done recursively; use tar to create an archive and gzip to compress it. (2) sqlite3: access to the SQLite databases on the device, including those of the Android system apps; no programming needed; familiar SQL statements. (3) Content Providers: can be queried programmatically and used to build forensic data-collection tools; 45+ content providers are available on the device.
  • 22. Getting ready for logical extraction – BusyBox: get and install BusyBox on the device. BusyBox provides the most common Unix commands in the Android shell.
  • 23. Getting ready for logical extraction – BusyBox:
        # busybox
        BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a
        link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as.

        Currently defined functions:
            [, [[, ash, awk, base64, basename, blkid, bunzip2, bzcat, bzip2, cal,
            cat, chat, chattr, chgrp, chmod, chown, chroot, chrt, cksum, clear,
            comm, cp, crond, crontab, cut, date, dd, depmod, devmem, df, diff,
            dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, echo, egrep, env,
            ether-wake, expand, expr, fakeidentd, fdflush, fdformat, fdisk, fgrep,
            find, fold, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput,
            getopt, grep, groups, gunzip, gzip, hd, head, hexdump, hostid,
            hostname, httpd, hwclock, id, ifconfig, ifenslave, inetd, inotifyd,
            insmod, install, ionice, iostat, ip, ipaddr, ipcalc, iplink, iproute,
            iprule, iptunnel, kill, killall, killall5, less, ln, logname, losetup,
            ls, lsattr, lsmod, lsof, lsusb, lzop, lzopcat, md5sum, microcom, mkdir,
            mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, modinfo,
            modprobe, more, mount, mountpoint, mt, mv, nameif, nanddump, nandwrite,
            nc, netstat, nice, nmeter, nslookup, ntpd, od, patch, pgrep, pidof,
            ping, ping6, pkill, pmap, powertop, printenv, printf, ps, pscan, pwd,
            rdate, rdev, readahead, realpath, renice, reset, rev, rfkill, rm,
            rmdir, rmmod, route, run-parts, script, scriptreplay, sed, seq,
            ...
            test, tftp, tftpd, time, timeout, top, touch, tr, traceroute,
            traceroute6, tty, ttysize, tunctl, umount, uname, uncompress, unexpand,
            uniq, unix2dos, unlzop, unzip, uptime, usleep, uudecode, uuencode,
            vconfig, vi, watch, wc, wget, which, who, whoami, whois, xargs, zcat
  • 24. Getting ready for logical extraction – sqlite3: get and install sqlite3. (1) It is only present on some development devices, e.g. the Google Nexus series. (2) You can get the source code from sqlite.org and cross-compile it. (3) The easiest way is to take the binary from your emulator installation:
        $ cd /Applications/android-sdk-macosx/tools
        $ adb push ./sqlite3 /system/xbin/sqlite3
        $ adb shell
        $ su
        # cd /system/xbin
        # chmod 755 sqlite3
    Two checks before doing this: the binary you push must be built for the device's CPU (ARM on these devices), e.g. taken from /system/xbin/sqlite3 of a running ARM emulator image, since a host-platform build will not run on the phone; and on most devices /system must first be remounted read-write (mount -o remount,rw /system) or the push fails.
  • 25. Logical extraction – important directories: notable directories of the Android file system:
        /system/bin/
        /system/xbin/
        /data/data/
        /data/app/
        /mnt/sdcard/
        /dev/mtd/
        /dev/block/
  • 26. Logical extraction: adb pull with tar – adb supports recursive pull:
        $ adb pull <remote> <local>
    Example (collect all installed apks in one archive):
        $ adb shell
        $ su
        # cd /data/app
        # tar -cvf /sdcard/all-apps.tar ./*.apk
        # gzip /sdcard/all-apps.tar
        # exit
        $ adb pull /sdcard/all-apps.tar.gz ./
        $ tar -xzvf all-apps.tar.gz
  • 27. Logical extraction: logs – Example with logcat:
        $ adb logcat > logs
        $ cat logs
        I/SystemServer(  197): Wi-Fi P2pService
        I/SystemServer(  197): Wi-Fi Service
        I/SystemServer(  197): Connectivity Service
        D/ConnectivityService(  197): ConnectivityService starting up
        I/ActivityManager(  197): Config changed: {1.0 0mcc0mnc en_US layoutdir=0 sw360dp w360dp h592dp nrml port ?uimode ?night finger -keyb/v/h -nav/h s.3}
        E/ConnectivityService(  197): Ignoring protectedNetwork 10
        E/ConnectivityService(  197): Ignoring protectedNetwork 11
        E/ConnectivityService(  197): Ignoring protectedNetwork 12
        E/MobileDataStateTracker(  197): default: Ignoring feature request because could not acquire PhoneService
        E/MobileDataStateTracker(  197): default: Could not enable APN type "default"
        D/NetworkManagementService(  197): Registering observer
        D/NetworkManagementService(  197): Registering observer
        I/WifiService(  197): WifiService starting up with Wi-Fi enabled
        D/NetworkManagementService(  197): rsp <213 00:90:4c:11:22:33 0.0.0.0 0 [down broadcast multicast]>
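Raw logcat output is easier to triage once it is parsed. The following Python is an added example (not code from the slides) that parses brief-format logcat lines (PRIORITY/TAG( PID): message) into fields, filters them by priority and tag, tallies tags and pulls MAC addresses out of the messages. The sample lines are constructed for this example, modelled on the ones shown above.

```python
import re
from collections import Counter

# Constructed logcat excerpt in the default "brief" format; not a capture from a real device.
SAMPLE_LOGCAT = """\
I/SystemServer(  197): Wi-Fi Service
D/ConnectivityService(  197): ConnectivityService starting up
E/ConnectivityService(  197): Ignoring protectedNetwork 10
E/MobileDataStateTracker(  197): default: Could not enable APN type "default"
I/WifiService(  197): WifiService starting up with Wi-Fi enabled
D/NetworkManagementService(  197): rsp <213 00:90:4c:11:22:33 0.0.0.0 0 [down broadcast multicast]>
--------- beginning of /dev/log/main
W/PackageManager( 197): Not granting permission android.permission.INSTALL_PACKAGES to package com.example.evil
"""

# Brief format: one-letter priority, tag, process id in parentheses, message.
LINE_RE = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")
PRIORITY_ORDER = "VDIWEF"   # verbose < debug < info < warning < error < fatal


def parse_logcat(text: str) -> list:
    """Parse brief-format lines into dicts; buffer headers and other
    non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"prio": m["prio"], "tag": m["tag"].strip(),
                            "pid": int(m["pid"]), "msg": m["msg"]})
    return entries


def filter_entries(entries: list, min_prio: str = "W", tag: str = None) -> list:
    """Keep entries at or above min_prio, optionally restricted to one tag."""
    floor = PRIORITY_ORDER.index(min_prio)
    return [e for e in entries
            if PRIORITY_ORDER.index(e["prio"]) >= floor
            and (tag is None or e["tag"] == tag)]


def tag_histogram(entries: list) -> Counter:
    """How chatty each component is; useful for spotting an unexpected tag."""
    return Counter(e["tag"] for e in entries)


def find_mac_addresses(entries: list) -> list:
    """(tag, mac) for every MAC address that appears in a message."""
    mac = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
    return [(e["tag"], m.group()) for e in entries for m in mac.finditer(e["msg"])]


if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    for e in filter_entries(entries, "W"):
        print(f'{e["prio"]} {e["tag"]}[{e["pid"]}]: {e["msg"]}')
    print(tag_histogram(entries).most_common(3))
    print(find_mac_addresses(entries))
```

Feed it the file written by `adb logcat > logs` (read as text) in place of SAMPLE_LOGCAT; lines in the threadtime or time formats carry a timestamp prefix and need a different regex.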
  • 28. Logical extraction: snooping around with sqlite3 – how many databases are there?
        shell@android:/ # find data -name "*.db" -print | wc -l
        74     (on this particular device)
        # find data -name "*.db" -print
        data/data/com.google.android.browser/app_appcache/ApplicationCache.db
        data/data/com.google.android.browser/app_databases/Databases.db
        data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
        data/data/com.android.providers.calendar/databases/calendar.db
        data/data/com.android.providers.contacts/databases/profile.db
        data/data/com.android.providers.contacts/databases/contacts2.db
        data/data/com.android.providers.downloads/databases/downloads.db
        data/data/com.google.android.email/databases/EmailProvider.db
        data/data/com.google.android.gm/databases/internal.mometan@gmail.com.db
        data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db
        data/data/com.google.android.gm/databases/webviewCookiesChromium.db
        data/data/com.google.android.music/databases/music.db
        data/data/com.android.providers.telephony/databases/telephony.db
        data/data/com.android.providers.telephony/databases/mmssms.db
        data/system/accounts.db
    DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
  • 29. Logical extraction: sqlite3 – Useful sqlite3 commands:
        # find data -name "*.db" -print
        sqlite> .help
        sqlite> .databases
        sqlite> .tables
        sqlite> .schema <TABLE>
        sqlite> .header on
        sqlite> .mode <column | line>
        sqlite> .output <FILE NAME>
    Example:
        sqlite> select * from accounts;
        sqlite> select * from sms where rowid < 5;
  • 30. Logical extraction: snooping around with sqlite3 – the contacts database:
        # sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db
        sqlite> .schema accounts
        CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
        sqlite> select * from accounts;
        ||tanabianmoe@gmail.com|
        sqlite> .mode line
        sqlite> select data1 from data;
        ||tanabianmoe@gmail.com|
        sqlite> select * from data;
        8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/595d6cef09539135|||0
        8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10
        8450||11|1154|0|0|0|0|||||||||||||||||||10
        8451||3|1154|0|0|0|0|||||||||||||||||||10
        8452||12|1154|0|0|0|0||||||||4|5||||||||||10
        8453||1|1154|0|1|0|1|john.ford@myemail.com|1|||||||||||||||||10
        8454||8|1154|0|0|0|0|123 Spring Dale st. Beverly Hills, CA 90210 USA|1||123 Spring Dale st.|||Beverly Hills|CA|90210|USA|||||||||10
        8455||10|1154|0|0|0|0|8||||||||||||||||||10
        8456||5|1154|0|0|0|0|+1-310-555-1876|2||+13105551876|||||||||||||||10
        8457||15|1154|0|0|0|0|www.johnfordontheweb.com|3|||||||||||||||||10
        8458||9|1155|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/795ec48099e213e|||0
        8459||7|1155|0|0|0|0|Jenny Hackson|Jenny|Hackson|||||||1|3||||||||10
        ...
    Each row of the data table holds one piece of contact information: the third column (mimetype_id) says whether the row is a name, e-mail address, postal address, phone number, etc., and the fourth column (raw_contact_id, 1154 above) groups the rows that belong to one contact.
    DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
  • 31. Logical extraction: snooping around with sqlite3 – the SMS/MMS database:
        # sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db
        sqlite> .mode column
        sqlite> .header on
        sqlite> select address, date, body from sms;
        address       date           body
        ------------  -------------  -----------------------------------------------------
        +11113272608  1336592918275  AT&T Free Msg: Welcome to GoPhone! To learn more ...
        310498xxxx    1336720180796  Hey, nice day today. Up for a hike?:-)
        +1310498xxxx  1336720230196  Hike sounds good:) kahuna beach canyon?
        310498xxxx    1336720272373  Laguna is good. See you at 5:30.
    The date column is milliseconds since 1/1/1970 (Unix epoch); e.g. 1336720230196 is Fri, 11 May 2012 07:10:30 GMT.
    DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
  • 32. Logical extraction: snooping around with sqlite3 – the Gmail mail store:
        # sqlite3 /data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db
        sqlite> .schema messages
        CREATE TABLE messages (_id INTEGER PRIMARY KEY,messageId INTEGER,conversation INTEGER,fromAddress TEXT,toAddresses TEXT,ccAddresses TEXT,bccAddresses TEXT,replyToAddresses TEXT,dateSentMs INTEGER,dateReceivedMs INTEGER,subject TEXT,snippet TEXT,listInfo TEXT,personalLevel INTEGER,body TEXT,bodyEmbedsExternalResources INTEGER,joinedAttachmentInfos STRING,synced INTEGER,error TEXT, clientCreated INTEGER, refMessageId INTEGER DEFAULT 0, forward INTEGER DEFAULT 0, includeQuotedText INTEGER DEFAULT 0, quoteStartPos INTEGER DEFAULT 0, bodyCompressed BLOB DEFAULT NULL, customFromAddress TEXT DEFAULT NULL, queryId INTEGER DEFAULT 1, UNIQUE(messageId));
        sqlite> select fromAddress, toAddresses, dateSentMs, subject from messages;
        fromAddress                                        toAddresses                 dateSentMs     subject
        -------------------------------------------------  --------------------------  -------------  --------------------------
        "Google+ team" <noreply-daa26fef@plus.google.com>  "" <tanabianmoe@gmail.com>  1336438677000  Getting started on Google+
        "Gmail Team" <mail-noreply@google.com>             "Moe Tanabian" <tanabianmo  1336438616000  Customize Gmail with color
        "Gmail Team" <mail-noreply@google.com>             "Moe Tanabian" <tanabianmo  1336438616000  Import your contacts and o
        "Gmail Team" <mail-noreply@google.com>             "Moe Tanabian" <tanabianmo  1336438613000  Get Gmail on your mobile p
    The dateSentMs column is milliseconds since 1/1/1970 (Unix epoch); e.g. 1336438613000 is Tue, 08 May 2012 00:56:53 GMT.
    DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.
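Working the sms and messages tables from the two slides above by script, as an added Python example (not code from the presentation): it builds a constructed database with only the columns used here, reopens it read-only, which is how a pulled copy should be opened so that examination cannot modify it (sqlite3 otherwise creates journal files and can change the database), lists the tables, dumps the rows and converts the millisecond epoch timestamps to GMT. The rows are the fictional records from the slides plus one constructed mail row; the reduced schema is an assumption of this example.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone

# Fictional sample rows from the slides plus one constructed mail row (constructed data).
SMS_ROWS = [
    ("+11113272608", 1336592918275, "AT&T Free Msg: Welcome to GoPhone! To learn more ..."),
    ("310498xxxx", 1336720180796, "Hey, nice day today. Up for a hike?:-)"),
    ("+1310498xxxx", 1336720230196, "Hike sounds good:) kahuna beach canyon?"),
    ("310498xxxx", 1336720272373, "Laguna is good. See you at 5:30."),
]
MAIL_ROWS = [
    ('"Google+ team" <noreply-daa26fef@plus.google.com>', '"" <tanabianmoe@gmail.com>',
     1336438677000, "Getting started on Google+"),
    ('"Example Sender" <sender@example.invalid>', '"" <tanabianmoe@gmail.com>',
     1336438800000, "Constructed test message"),
]


def build_sample_db(path: str) -> None:
    """Create a database with the subset of the mmssms.db 'sms' and mailstore
    'messages' columns used here (the real schemas carry many more columns)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT);
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, fromAddress TEXT, toAddresses TEXT,
                               dateSentMs INTEGER, subject TEXT);
    """)
    conn.executemany("INSERT INTO sms (address, date, body) VALUES (?, ?, ?)", SMS_ROWS)
    conn.executemany("INSERT INTO messages (fromAddress, toAddresses, dateSentMs, subject) "
                     "VALUES (?, ?, ?, ?)", MAIL_ROWS)
    conn.commit()
    conn.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a pulled database read-only so examination cannot alter the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def ms_to_utc(ms: int) -> str:
    """Android stores these timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def list_tables(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def dump_sms(conn: sqlite3.Connection) -> list:
    return [(addr, ms_to_utc(date), body) for addr, date, body in
            conn.execute("SELECT address, date, body FROM sms ORDER BY date")]


def dump_mail(conn: sqlite3.Connection) -> list:
    return [(frm, to, ms_to_utc(sent), subj) for frm, to, sent, subj in conn.execute(
        "SELECT fromAddress, toAddresses, dateSentMs, subject FROM messages ORDER BY dateSentMs")]


def readonly_blocks_writes(path: str) -> bool:
    """Sanity check: a write through the read-only connection must fail."""
    conn = open_readonly(path)
    try:
        conn.execute("DELETE FROM sms")
        return False
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return True
    finally:
        conn.close()


def examine(path: str) -> dict:
    conn = open_readonly(path)
    try:
        return {"tables": list_tables(conn), "sms": dump_sms(conn), "mail": dump_mail(conn),
                "write_blocked": readonly_blocks_writes(path)}
    finally:
        conn.close()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/mmssms.db"
        build_sample_db(path)
        return examine(path)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

On a real pulled database call examine() with the path of the copy; the schema on the device has more columns than the constructed one, but the queries above only name columns that exist in both.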
  • 33. Logical extraction: Content Providers – build a forensics data-collection tool. Content Providers are a specialized type of data store in Android that standardizes access to and manipulation of stored data. Some content providers that are useful for forensic purposes: Browser (bookmarks, browsing history, etc.); CallLog (missed calls, call details, etc.); Contacts (contact details); MediaStore (media files: audio, video, images, etc.). Source: http://ofps.oreilly.com/titles/9781449390501/Main_Building_Blocks.html
  • 34. Logical extraction: Content Providers – build a forensics data-collection tool. The data behind a content provider is always addressed via a URI, which encapsulates how the data is exposed. General URI format: <standard_prefix>://<authority>/<data_path>/<id>, e.g. content://com.android.contacts/data/phones/2. Content providers allow CRUD operations (Create, Read, Update, Delete) on the underlying databases. Queries are SQL-like and return a Cursor object, obtained through managedQuery() (deprecated, but still usable).
  • 35. Logical extraction: Content Providers – build a forensics data-collection tool. Steps to query a content provider: 1. identify the URI of the desired content provider; 2. create a projection (a String array holding the names of the columns to query); 3. use managedQuery() to query the content provider into a Cursor object; 4. add the needed permissions to AndroidManifest.xml.
  • 36. Logical extraction: Content Providers – build a forensics data-collection tool (steps 1 to 3 in code):
        package com.example.ContentProvider;

        import com.example.ContentProvider.R;
        import android.app.ListActivity;
        import android.database.Cursor;
        import android.net.Uri;
        import android.os.Bundle;
        import android.provider.ContactsContract;
        import android.widget.SimpleCursorAdapter;

        public class ContentProviderActivity extends ListActivity {
            /** Called when the activity is first created. */
            @Override
            public void onCreate(Bundle savedInstanceState) {
                super.onCreate(savedInstanceState);
                setContentView(R.layout.main);
                // 1. URI of the content provider
                Uri allContacts = Uri.parse("content://contacts/people");
                // 3. managedQuery(uri, projection, selection (WHERE), selectionArgs, sortOrder (ORDER BY));
                //    null projection/selection/sort order means all columns, all rows, default order
                Cursor c = managedQuery(allContacts, null, null, null, null);
                // 2. Projection: the columns to show (here used to bind cursor columns to views)
                String[] columns = new String[] {
                    ContactsContract.Contacts.DISPLAY_NAME,
                    ContactsContract.Contacts._ID };
                int[] views = new int[] { R.id.contactName, R.id.contactID };
                SimpleCursorAdapter adapter =
                    new SimpleCursorAdapter(this, R.layout.main, c, columns, views);
                this.setListAdapter(adapter);
            }
        }
  • 37. Logical extraction: Content Providers – build a forensics data-collection tool (step 4, permissions in AndroidManifest.xml):
        <?xml version="1.0" encoding="utf-8"?>
        <manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.ContentProvider"
            android:versionCode="1"
            android:versionName="1.0" >
            <uses-sdk android:minSdkVersion="7" />
            <!-- 4. Permissions: reading the contacts provider requires READ_CONTACTS -->
            <uses-permission android:name="android.permission.READ_CONTACTS" />
            <application
                android:icon="@drawable/ic_launcher"
                android:label="@string/app_name" >
                <activity
                    android:name="com.example.ContentProvider.ContentProviderActivity"
                    android:label="@string/app_name" >
                    <intent-filter>
                        <action android:name="android.intent.action.MAIN" />
                        <category android:name="android.intent.category.LAUNCHER" />
                    </intent-filter>
                </activity>
            </application>
        </manifest>
  • 38. Logical extraction: Content Providers – Let's put it all together (demo).
  • 39. Outline – Android System Acquisition and Analysis; Analyzing Android Applications; Other tools and references.
  • 40. Android Applications – The development flow: the manifest, resources and assets go through aapt (Android Asset Packaging Tool) to produce the packaged resources; the source code is compiled by javac into Java classes, which together with the libraries are converted by dx into Dalvik bytecode (classes.dex); apkbuilder -u combines the packaged resources, classes.dex and libraries into an unsigned apk; jarsigner signs the apk with a key; the signed apk is then published or pushed to a device with adb for testing.
  • 41. Android Applications – Java bytecode versus Dalvik bytecode. The source:
        public int method(int i1, int i2) {
            int i3 = i1 * i2;
            return i3 * 2;
        }
    Java bytecode (stack-based VM; local var 0 is "this", var 1 is argument #1, var 2 is argument #2):
        .method public method(II)I
            iload_1
            iload_2
            imul
            istore_3
            iload_3
            iconst_2
            imul
            ireturn
        .end method
    Dalvik bytecode (register-based VM; this: v1 (Ltest2;), parameter[0]: v2 (I), parameter[1]: v3 (I)):
        .method public method(II)I
            mul-int v0, v2, v3
            mul-int/lit8 v0, v0, 2
            return v0
        .end method
    Source: Practice of Android Reverse Engineering, Jim Huang
  • 42. Android Applications – apktool. Getting apktool: from http://code.google.com/p/android-apktool/ download the apktool-install-macos-* file and the apktool-* file, and unpack both into the /usr/local/bin directory (you need root permissions).
  • 43. Android Applications – Unpacking an apk using apktool. To unpack and decode an apk:
        $ adb pull <the apk you want>        (from /data/app)
        $ apktool d com.example.ContentProvider-1.apk ./
        $ ls -l
        -rw-r--r--  1 moetan  ANTDomain Users   801 May 13 12:41 AndroidManifest.xml
        -rw-r--r--  1 moetan  ANTDomain Users   112 May 13 12:41 apktool.yml
        drwxr-xr-x  8 moetan  ANTDomain Users   272 May 13 12:41 res
        drwxr-xr-x  4 moetan  ANTDomain Users   136 May 13 12:41 smali
  • 44. Android Applications – Decompiled code from smali (apktool):
        $ cd smali/com/example/ContentProvider
        $ ls -l
        -rw-r--r--  1 moetan  ANTDomain Users   355 May 13 12:41 BuildConfig.smali
        -rw-r--r--  1 moetan  ANTDomain Users  2400 May 13 12:41 ContentProviderActivity.smali
        -rw-r--r--  1 moetan  ANTDomain Users   519 May 13 12:41 R$attr.smali
        -rw-r--r--  1 moetan  ANTDomain Users   599 May 13 12:41 R$drawable.smali
        -rw-r--r--  1 moetan  ANTDomain Users   640 May 13 12:41 R$id.smali
        -rw-r--r--  1 moetan  ANTDomain Users   588 May 13 12:41 R$layout.smali
        -rw-r--r--  1 moetan  ANTDomain Users   641 May 13 12:41 R$string.smali
        -rw-r--r--  1 moetan  ANTDomain Users   616 May 13 12:41 R.smali
        $ vim ContentProviderActivity.smali
  • 45. Android Applications – Decompiled code from smali (apktool):
        .class public Lcom/example/ContentProvider/ContentProviderActivity;
        .super Landroid/app/ListActivity;
        .source "ContentProviderActivity.java"
        ....
        # virtual methods
        .method public onCreate(Landroid/os/Bundle;)V
            .locals 10
            .parameter "savedInstanceState"
            .prologue
            const/high16 v9, 0x7f03
            const/4 v8, 0x2
            const/4 v2, 0x0
            .line 16
            invoke-super {p0, p1}, Landroid/app/ListActivity;->onCreate(Landroid/os/Bundle;)V
            .line 17
            invoke-virtual {p0, v9}, Lcom/example/ContentProvider/ContentProviderActivity;->setContentView(I)V
            .line 18
            const-string v0, "content://contacts/people"
            ....
    Total: 100+ lines of smali for this one method.
  • 46. Android Applications – Decompiling an apk using dex2jar and jd-gui. Getting dex2jar and jd-gui: (1) from http://code.google.com/p/dex2jar/ download the dex2jar-x.x.x.x.tar.gz file (x: version digits); (2) from http://java.decompiler.free.fr/?q=jdgui download and install the .dmg file. To convert the apk's Dalvik bytecode to a jar and decompile it:
        $ dex2jar.sh com.example.ContentProvider-1.apk
        $ ls -l *jar
        -rw-r--r--  1 moetan  ANTDomain Users  4278 May 13 15:20 com.example.ContentProvider-1_dex2jar.jar
        $ jd-gui com.example.ContentProvider-1_dex2jar.jar &
  • 47. Android Applications – jd-gui .jar decompiler (screenshot of the decompiled source).
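Before handing an apk to apktool or dex2jar it is worth checking what is inside the package and whether classes.dex is intact. This added Python example (not tooling from the presentation) builds a constructed apk containing a minimal, header-only classes.dex, lists the package entries, notes whether a signature block is present, and parses the dex header: magic and version, the adler32 checksum and SHA-1 signature as the Dalvik file format defines them, and the table sizes. The placeholder manifest and certificate entries are constructed and carry no real data; the header-only dex is an assumption of this example and would not load on a device.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Layout of the 0x70-byte dex header (little-endian) as defined by the Dalvik format:
# magic[8], checksum (uint), signature[20], then twenty uint fields.
DEX_HEADER = struct.Struct("<8sI20s20I")
DEX_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_minimal_dex() -> bytes:
    """Constructed, header-only classes.dex (no string/type/class tables, no map):
    just enough to exercise the header checks. Not a dex produced by dx."""
    counts = [0x70, 0x70, 0x12345678, 0, 0, 0] + [0] * 14
    body = DEX_HEADER.pack(b"dex\n035\0", 0, b"\0" * 20, *counts)
    # signature: SHA-1 over everything after the signature field (offset 32)
    sig = hashlib.sha1(body[32:]).digest()
    body = body[:12] + sig + body[32:]
    # checksum: adler32 over everything after the checksum field (offset 12)
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", chk) + body[12:]


def parse_dex_header(dex: bytes) -> dict:
    """Decode the header and recompute checksum and signature; a mismatch means
    the file was truncated or modified after it was built."""
    if len(dex) < DEX_HEADER.size:
        raise ValueError("file shorter than a dex header")
    magic, checksum, signature, *rest = DEX_HEADER.unpack_from(dex, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("not a dex file")
    hdr = dict(zip(DEX_HEADER_FIELDS, rest))
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum"] = checksum
    hdr["signature"] = signature.hex()
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(dex)
    return hdr


def build_sample_apk() -> bytes:
    """Constructed apk: a zip with the entries a real package carries. Apart from
    classes.dex the contents are placeholders, not real manifest or certificate data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary AXML placeholder>")
        z.writestr("classes.dex", build_minimal_dex())
        z.writestr("res/layout/main.xml", b"<binary layout placeholder>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"<PKCS#7 signature block placeholder>")
    return buf.getvalue()


def inspect_apk(apk: bytes) -> dict:
    """List the package entries, note whether a signature block is present and
    check the embedded classes.dex header."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        dex = z.read("classes.dex")
    hdr = parse_dex_header(dex)
    return {
        "entries": sorted(names),
        "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA")) for n in names),
        "dex_version": hdr["version"],
        "dex_intact": hdr["checksum_ok"] and hdr["signature_ok"] and hdr["size_ok"],
        "class_defs": hdr["class_defs_size"],
        "method_ids": hdr["method_ids_size"],
    }


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key:12s} {value}")
```

For a pulled package call inspect_apk() with the file contents read in binary mode. The presence of META-INF/CERT.RSA only shows that a signature block exists; checking who signed the package needs the certificate itself, which this example does not parse.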
  • 48. Outline – Android System Acquisition and Analysis; Analyzing Android Applications; Other tools and references.
  • 49. Commercial tools – Cellebrite UFED: a standalone device; can extract data from 1600+ devices; covers Android devices; built-in SIM reader and cloner; can store output on SD, flash or PC; http://www.cellebrite.com/mobile-forensics-products. EnCase Forensic: a software solution; Android, BlackBerry, iOS and Windows Mobile; recovers device settings, contacts, call logs, e-mail, images, SMS/MMS and calendars.
  • 50. Commercial tools – Micro Systemation XRY: a software and hardware bundle; comes in different packaging for lab, field, etc.; built-in SIM reader and cloner; runs on Windows; supports physical and logical extractions; http://www.msab.com/xry. viaForensics viaExtract: a software solution; logical extraction and recovery of call logs, contacts, browser history and SMS/MMS; https://viaforensics.com/products/viaextract/
  • 52. Thank You! Moe Tanabian, @motanabian