
Manish Chasta - Android forensics

Transcript of "Manish Chasta - Android forensics"

  1. Presented by Manish Chasta, Principal Consultant, Indusface. Android Forensics. Manish Chasta, CISSP | CHFI
  2. Agenda
     • Introduction to Android
     • Rooting Android
     • Seizing Android Device
     • Forensic Steps
     • Chain of Custody
     • Indian Cyber Laws
  3. Introduction to Android
     • Most widely used mobile OS
     • Developed by Google
     • OS + Middleware + Applications
     • The Android Open Source Project (AOSP) is responsible for maintenance and further development
  4. Presence in the Market
     • According to a Gartner report, Android captured 36% market share in Q1 of 2011.
     • Listed as the best-selling smartphone OS worldwide by Canalys.
  5. Android Architecture
  6. Android Architecture: Linux Kernel
     • Linux kernel with system services:
       – Security
       – Memory and process management
       – Network stack
     • Provides drivers to access hardware:
       – Camera
       – Display and audio
       – Wi-Fi
       – …
  7. Android Architecture: Android Runtime
     • Core Libraries:
       – Written in Java
       – Provide the functionality of the Java programming language
       – Interpreted by the Dalvik VM
     • Dalvik VM:
       – Java-based VM, a lightweight substitute for the JVM
       – Unlike the JVM, the DVM is a register-based virtual machine
       – The DVM is optimized to run with limited main memory and low CPU usage
       – Java code (.class files) is converted into .dex format to be able to run on the Android platform
  8. SQLite Database
     • SQLite Database:
       – SQLite is a widely used, lightweight database
       – Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
       – SQLite is a free-to-use, open source database
       – Zero configuration: no setup or administration needed
       – A complete database is stored in a single cross-platform disk file
  9. How can Android be used in Cyber Crime?
     • Software Theft
     • Terrorism Activity
     • Pornography / Child Pornography
     • Financial Crime
     • Sexual Harassment Cases
     • Murder or other Criminal Activities
  10. Forensic Process: An Open Source Approach
     • Seizing the device
     • Creating a 1:1 image
     • Recovering the useful data
     • Analyzing the image to discover evidence
     • Maintaining Chain of Custody
  11. Seizing Android Device
     • If the device is off, do not turn it on
     • If the device is on, leave it on and keep the device charging
     • Take photos of the device and its display
     • Seize all other accessories available, e.g. memory card, cables etc.
     • Label all evidence and document everything
  12. Creating 1:1 Image
     • Creating Image of Memory Card
     • Creating Image of Device
  13. Creating Image of Memory Card
     • FAT32 file system
     • Easy to create an image
     • In most cases, applications won't store any sensitive data on the memory card
     • A number of commercial and open source tools are available
  14. Creating Image of Memory Card
     • Using WinHex
  15. Creating Image of the Device
     • Android's file systems
     • Importance of rooting
     • Rooting a Samsung Galaxy device
  16. Rooting Android Device
     • Step 1: Download the CF-Root kernel files and the Odin3 software
  17. Rooting Android Device
     • Step 2: Keep the handset in debugging mode
  18. Rooting Android Device
     • Step 3: Run Odin3
  19. Rooting Android Device
     • Step 4: Reboot the phone in download mode
     • Step 5: Connect to the PC
  20. Rooting Android Device
     • Step 6: Select the required files, i.e. PDA, Phone and CSC files
     • Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
  21. Rooting Android Device
     • If your phone is rooted, you will see PASS!! in Odin3
  22. Creating Image of the Device
     • Taking backup with dd
       – Low-level copying and conversion of raw data
       – Creates a bit-by-bit image of the disk
       – Output can be read by any forensic tool
       – Typical syntax: dd if=/dev/SDA of=/sdcard/SDA.dd
       – Interesting locations:
         • /data/data
         • /data/system
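The dd acquisition of slide 22, worked through as an added example that is not from the slides: a block-by-block copy with the behaviour of dd conv=noerror,sync, the image hash computed while it is written, and a chain-of-custody record per acquisition that can be checked again before analysis. The paths, the block size and the record layout are assumptions; on a handset the source would be a block device under /dev.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 4096  # assumed flash block size, the equivalent of dd's bs=4096

def acquire(source, image, log, who):
    """Copy `source` into `image` one block at a time, like dd conv=noerror,sync:
    an unreadable block is zero-filled so later offsets in the image still match
    the device. Returns the custody record that was appended to `log`."""
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(BLOCK)
            except OSError:  # bad flash block: substitute zeros and skip past it
                bad_blocks.append(offset // BLOCK)
                chunk = b"\x00" * BLOCK
                src.seek(offset + BLOCK)
            if not chunk:
                break
            chunk = chunk.ljust(BLOCK, b"\x00")  # dd's sync: pad a short read
            dst.write(chunk)
            digest.update(chunk)
            offset += BLOCK
    # Custody record: what, from where, when, by whom, and the verifying hash.
    record = {"image": image, "source": source, "who": who, "bytes": offset,
              "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "bad_blocks": bad_blocks, "sha256": digest.hexdigest()}
    with open(log, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record

def verify(image, log):
    """Re-hash `image` (e.g. before analysis) and compare it with the last
    custody record for it; True only if a record exists and the hash matches."""
    recorded = None
    with open(log, encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            if rec["image"] == image:
                recorded = rec["sha256"]
    if recorded is None:
        return False
    h = hashlib.sha256()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return recorded == h.hexdigest()
```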
  23. Creating Image of the Device
  24. Creating Image of the Device
     • Taking an image with the viaExtract tool
  25. Recovering Data
     • Using WinHex
  26. Analysing Image
     • Reading the image
     • Looking for key data
     • Searching techniques (dtSearch)
  27. Analysing Image
     • WinHex
     • Manual intelligence
     • viaExtract
  28. Analyzing SQLite
     • SQLite stores the most critical information
     • An interesting place for investigators
     • Tools
       – Epilog
       – SQLite Database Browser
       – sqlite_analyzer
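An added example for slide 28, not from the slides nor from Epilog or the other tools named: a first pass over a SQLite file carved from an image. It reads the file header directly for the page size and the freelist count (freed pages are where deleted rows may still sit, which is what Epilog-style recovery targets), then opens the database read-only to list tables and row counts. File and table names used in the test are constructed.

```python
import sqlite3
import struct
from pathlib import Path

def sqlite_header(path):
    """Parse the 100-byte SQLite file header (big-endian fields, offsets as in the
    SQLite file-format spec). Returns None if the magic string is absent."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    # offsets 24..39: change counter, page count, first freelist trunk, freelist pages
    change_counter, page_count, trunk, free = struct.unpack(">IIII", hdr[24:40])
    return {"page_size": page_size, "page_count": page_count,
            "file_change_counter": change_counter,
            "freelist_trunk": trunk, "freelist_pages": free}

def survey(path):
    """Header facts plus user tables with row counts. The database is opened
    read-only so the evidence file is never modified."""
    info = sqlite_header(path)
    if info is None:
        return None
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        info["tables"] = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'  # identifier quoting
            info["tables"][name] = conn.execute(
                f"SELECT count(*) FROM {quoted}").fetchone()[0]
    finally:
        conn.close()
    # Upper bound on the space that may still hold deleted records.
    info["freelist_bytes"] = info["freelist_pages"] * info["page_size"]
    return info
```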
  29. Analyzing SQLite
     • Epilog
  30. Maintaining ‘Chain of Custody’
     • What is Chain of Custody?
     • CoC can have the following information:
       – What is the evidence?
       – How did you get it?
       – When was it collected?
       – Who has handled it?
       – Why did that person handle it?
       – Where has it travelled, and where was it ultimately stored?
  31. Indian Laws covering Digital Crimes
     • We can categorize cyber crimes in two ways:
       – The computer as a target
       – The computer as a weapon
     • Indian Laws:
       – IT Act 2000
       – IT (Amendment) Act, 2008
       – Rules under sections 6A, 43A and 79
     • MIT site: http://mit.gov.in/content/cyber-laws
  32. Manish Chasta, manish.chasta@owasp.org, chasta.manish@gmail.com