Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
44 Montgomery Street, Suite 700 San Francisco, CA 94104 415.524.7320
Combining technical and legal expertise
to deliver in...
continued on next page
GALAXY, continued
whether the acquisition of the camera was similar or
different from the same proc...
GALAXY, continued
continued on next page
access to AFLogical Law Enforcement software has a
possibility of extracting more...
GALAXY, continued
continued on next page
Cellebrite UFED Physicasl Pro.
Cellebrite’s UFED Physical Pro is a well-known mob...
GALAXY, continued
continued on next page
Once the imaging process was complete, hashing
and verification was done using th...
GALAXY, continued
continued on next page
Figure 10.
	 That string converted to March 4, 2013 at 6:16:33
PM, which is the t...
GALAXY, continued
continued on next page
Chrome.
Along with social media and email applications,
probably one the largest ...
GALAXY, continued
continued on next page
The 1 in the deleted column also indicates that these
contacts have been deleted....
GALAXY, continued
continued on next page
Appendix A states that five pictures were downloaded
from the internet on March 1...
GALAXY, continued
continued on next page
Figure 25.
Dropbox.
From the moment the camera was received, a Dropbox
account wa...
GALAXY, continued
continued on next page
not found, there are entries with zeros in them that may
indicate messages were d...
GALAXY, continued
continued on next page
of the project. Photos were automatically uploaded to
Dropbox once they were take...
GALAXY, continued
continued on next page
sending what, when emails were sent or received, or
what emails were deleted (Fig...
GALAXY, continued
continued on next page
artifacts found. Data for Google Voice gets stored in 
datadatacom.google.android...
GALAXY, continued
continued on next page
Figure 41.
Figure 42.
Remote View Finder.
Probably the most noteworthy feature of...
GALAXY, continued
continued on next page
Figure 47.
*Please note: The content highlighted in green in Figure 46 is
incorre...
GALAXY, continued
continued on next page
Figure 49.
Twitter.
The second largest social media site, next to Facebook,
is Tw...
GALAXY, continued
continued on next page
Figure 53.
the folder Share via Wifi (datamedia). By looking at
this picture in t...
GALAXY, continued
continued on next page
7:18 PM Google Voice – Received text from Chloe
“Sammy my boy”
7:23 PM Google Voi...
GALAXY, continued
continued on next page
6:09 PM Bluetooth – Galaxy camera and Droid Bionic
are paired
6:10 PM Bluetooth –...
GALAXY, continued
continued on next page
3:12 PM Remote View Finder – take picture of Alex’s
research paper, take a pictur...
GALAXY, continued
kivuconsulting.com
info@kivuconsulting.com
415.524.7320
Kivu Consulting, combines technical and
legal ex...
Upcoming SlideShare
Loading in …5
×

SamsungGalaxyCamera_CStamm

393 views

Published on

  • Be the first to comment

  • Be the first to like this

SamsungGalaxyCamera_CStamm

  1. 1. 44 Montgomery Street, Suite 700 San Francisco, CA 94104 415.524.7320 Combining technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Introduction. The Samsung Galaxy camera was released on November 16, 2012. This device has the potential to replace mobile phones, as it has the same functionality of a smartphone, with the additional perk of a high quality camera. This creates an attractive incentive to buy the camera, which could lead to the possibility of it becoming more popular. As the camera’s popularity rises in the market, and more users purchase the device, the risk of the camera being used in an illicit manner rises as well. As the Samsung Galaxy camera is now a part of an investigator’s scope, understanding where any evidence can be retrieved is crucial. Using several different forensic tools, any data that could be of evidentiary value is detailed in this paper. By providing a guide to finding crucial data from the Samsung Galaxy camera, examiners analyzing this device in the future will be saving valuable time. Samsung Galaxy Camera. As aforementioned, the camera was released on November 16, only two months before it was received for this project. The specifications of the camera are provided in Table 1. A more detailed chart can be found on gsmarena. com. When this project first started, no SIM card or data plan was provided, although the camera does have these options available. The camera is meant to be used as a camera with networking capabilities and is not built to be a mobile phone. Since the camera mostly functions off WiFi, applications can be downloaded to allow the camera to act as a cell phone. Abstract Samsung Galaxy Camera Forensics The purpose of this project was to determine whether or not forensics on the Samsung Galaxy camera was possible. Although the camera runs an Android operating system, there was still a chance that no data could be extracted, as forensics on this device had never been done before. To begin the process of this project, as much data as possible had to be created on the camera by utilizing all of the applications and features that were offered. The next step was to find a forensic tool(s) capable of providing data that would constitute as forensic artifacts. The major goal of this project was to find any artifacts and determine their locations on the camera, in case the device is ever a part of an investigation. By explor- ing the way data is stored on the Samsung Galaxy camera, computer forensic examiners now have an idea of what tools will work and what information can be extracted. continued on next page Table 1. Goals. The goal for this project was to develop an informational guide for the Samsung Galaxy camera. Due to the novelty of the product, it was crucial fora preliminary source to be created in order to aid forensic examiners in working with this device. In order to develop a forensic guide, the Samsung Galaxy camera had to be used as a normal user would. All user data artifactshad to be found in a forensic manner in order to simulate a case in reality. The findings from this device make up the content of this paper, and are placed in order for investigators to navigate both the guide and the camera with ease. The locations of possible evidence are all available and easily referenced for any professional analyzing the camera in search of data. Additionally, even with its well-known, Android operating system, therewas possibility of the camera storing information differently than other devices. A secondary goal was to discover April 11, 2013SAMSUNG GALAXY Operating System: Android 4.1 (Jellybean) Network:2G, 3G or 4G (LTE) GSM, HSPA+ Processor:1.4 GHz Quad Core Memory:microSD, 4GB on board, 1GB RAM Connectivity: WiFI 802.11a/b/g/n, WiFi hotspot Bluetooth:Yes GPS:Yes Operating System: Android 4.1 (Jellybean) Network:2G, 3G or 4G (LTE) GSM, HSPA+ Processor:1.4 GHz Quad Core Memory:microSD, 4GB on board, 1GB RAM Connectivity: WiFI 802.11a/b/g/n, WiFi hotspot Bluetooth:Yes GPS:Yes
  2. 2. continued on next page GALAXY, continued whether the acquisition of the camera was similar or different from the same process on other Android devices. Methodology. The Samsung Galaxy camera was received on January 31, 2013 for the means of facilitating this project. In order to get the most accurate results possible, an average user identity needed to be created. Use of the camera had to be simulated as though an everyday person had purchased it and constantly utilized it. The name Sammy Sung was given to the camera and this avatar acted as a normal Galaxy camera user who frequently visited Facebook, Twitter, Gmail, Google Voice, and various other applications that came with the camera. Once Sammy’s identity was created, six accounts were associated with this name; Facebook, Samsung, Google, Twitter, Dropbox and Chaton. A full timeline of all the data created and deleted can be found in Appendix A. After the accounts were created and synced with the camera, the next step was to begin using the applications. Twenty applications and features were used and will be discussed more extensively further on in this paper. Allapplications were used a multitude of times in order to generate enough data. Once enough was created, portions of data were deleted to understand where the Galaxy camera stored information and to determine if data could be recovered. Having a plentiful amount of data from social media networks, emails, text messages, pictures, and other applications, the next step was acquiring the camera. Considering that the Samsung Galaxy camera was new and no forensics had been done on it yet, deciding on a starting point for acquisition was a point of difficulty. At first, an attempt was made to image the device using FTK Imager and EnCase 6.19, to decide if it was possible. As expected, the camera was not recognized by either software and was showing in Windows Explorer as a portable media device. The next step was Oxygen Forensic Suite 2012. This software has a good track record of imaging mobile devices and it seemed like the best tool to use for the project as it is available at the Leahy Center for Digital Investigation (LCDI). Unfortunately, Oxygen1 did not recognize the camera. The Linux forensic platform Santoku was then used in a virtual machine to test whether or not it would detect the camera. Android is an operating system based on Linux, so there was a high possibility Santoku would recognize the camera as something more than just a media device. 1. As research continued, it was found that Oxygen Forensic Suite 2013 could acquire the camera The findings were the same as those provided by EnCase 7 and are not discussed in this paper. It is just another option for examiners to use if Oxygen is their tool of preference. Santoku. Santoku worked successfully and once the camera was connected to the guest machine, AFLogical was used. AFLogical is a tool provided by viaForensics 8(viaForensics) and comes built into Santoku. This tool is open source and is used for mobile phones; it extracts call logs, contacts, SMS, and MMS. Although the camera is not considered a mobile phone, it runs Android, which provided a chance that some data could be pulled. Before extracting any data, AFLogical needed to be put onto the camera. To install AFLogical, Santoku tutorials were referenced (Kswartz). The command “adb devices”2 was first used to ensure the camera showed up in Santoku. Next, “adb install AFLogical-OSE_1.5.2.apk” was used to push the AFLogical software to the camera. This resulted in the creation of an AFLogical application on the camera itself. Upon clicking it via the camera, the “Extract All” option was selected. Within Santoku, a new directory was made for any output that was extracted from the camera. To pull data from the camera, the command “adb pull /sdcard/forensics” was executed (Figure 1). Figure 1. Once the extraction was complete, any files that were pulled were found in the aforementioned directory. In this case, only one picture was extracted. This picture was attempted to be sent to a contact via the Messaging application preinstalled on the camera. Since a data plan was not present, the picture was pending and never sent. No other data was pulled from the camera.Different results may occur depending on where data is stored on the camera by the user. Also, for any examiner who has 2. Commands are executed without quotations. The commands mentioned throughout this paper are in quotations fordistinguishability.
  3. 3. GALAXY, continued continued on next page access to AFLogical Law Enforcement software has a possibility of extracting more data. Concluding AFLogical was not the correct tool to use for this project, the next step was to see what other options Santoku offered. Santoku comes preinstalled with Android SDK. Android SDK is a software developer kit that comes with various tools for debugging and developing Android applications (Developer). Within this developer kit is Android Debug Bridge (ADB). This is a command line tool that enables a user to communicate with a connected Android device via computer (Developer). Using ADB allows for data to be pushed or pulled to or from an Android device. With the right ADB commands, information from logged data, system data, and port connectionscan be outputted. For the purpose of this project, the command ‘dumpsys’ was used. “Dumpsys provides information on services, memory, and other system details...” (Hoog 119). Running applications, process IDs and current system activities are just some of the types of data that can be displayed. This command was executed using “adb shell dumpsys dump.txt” Dump.txt is where the data from dumpsys was output to for an easier viewing. Once the dump was complete, pages worth of information were presented, but two important pieces of data provided by dumpsys were “accounts” and “last known locations”. “Accounts” revealed the number of accounts associated with the device, as well as the usernames they were connected to (Figure 2). Here the 7 accounts on the Samsung Galaxy camera that were originally created are displayed. Figure 2. “Last known locations” showed the last time, date, and location the camera connected to a cell tower (Figure 3). This could be extremely useful to know during an investigation, as timestamps are crucial and could determine a suspect’s whereabouts at a given time. In this case, Provider=network time showed the string 1364420491146. By converting that to a human readable time using a Unix timestamp converter, the number turned into March 27, 2013 at 5:41:31 PM. Figure 3. Below the Unix timestamp was the latitude (44.4609067) and the longitude (-73.2159816) of the device on March 27 at 5:41 PM. Putting the two numbers into a plotter (Figure 4) showed that the camera was located at the LCDI during the given date and time. Figure 4. Although Santoku provided interesting and useful data, much more about the Samsung Galaxy camera needed to be explored. The next option to entertain was using the Cellebrite UFED Physical Pro located at the LCDI.
  4. 4. GALAXY, continued continued on next page Cellebrite UFED Physicasl Pro. Cellebrite’s UFED Physical Pro is a well-known mobile forensics tool. It supports thousands of different cell phones (Cellebrite) running different operating systems and allows for logical and physical extractions, as well as SIM card and password extraction. This was the next tool used in an attempt to get the acquisition process moving forward. The Galaxy camera was plugged into the Cellebrite UFED and a physical extraction was attempted. Physical Extraction. A physical extraction means all data from a device, even deleted data found in unallocated space, is pulled. During a physical extraction, a physical image is created. This is an exact, full copy of a device and typically provides an abundance of data. It is ideal to do this type of extraction because it outputs all of the zeros and ones contained on a system. The first time the Cellebrite UFED was used, there was no Samsung Galaxy camera option. Out of curiosity to determine if physical data could be pulled anyway, the Samsung Galaxy Appeal mobile phone option was selected instead. Unfortunately, a physical extraction was not possible after multiple attempts were made. File System Dump. Thinking that a physical extraction was unsuccessful because the camera was not rooted, a logical acquisition was then attempted. A file system dump is a logical extraction of a device and does not typically grab as much data as a physical extraction would. Again, at this point there was no option for the Galaxy Camera, so the Galaxy Appeal was used once more. This process worked and after about 5 hours, a file system dump of the camera was provided. The results seemed accurate when looked at with Cellebrite’s Physical Analyzer software, but it was impossible to tell just how accurate they really were. There was no way to ensure the Galaxy Appeal option extracted all of the camera’s logical data, or if it bypassed certain parts because the Appeal may not be set up in the same way the camera is. Although they are both Android and Samsung devices, there was no forensically sound way to determine the data extracted was complete. Because of this, the data found from the extraction was only looked at for learning purposes and will not be discussed in this report. The next step was to root the camera, as it was the last option in getting other forensic tools to fully acquire the device. This process can be found in Appendix B. Once the camera was rooted successfully, the Cellebrite UFED was used again just to see if the file system dump was any different from the first one. While scrolling through the list of Samsung mobile phones, the option for the Samsung Galaxy Camera appeared. Cellebrite had updated their software to support the camera after the initial file system dump. A physical extraction was attempted, this time using the Samsung Galaxy camera option, but it did not provide any data at all when it was complete. Knowing the file system dump worked the first time, this option was then exercised. The data provided by this dump will be discussed later in the Results section. Encase 7.04. With over 35,000 copies of EnCase Forensic software sold (SC Magazine) to clients all over the world, it is undeniable that EnCase is amongst the most commonly used forensic tools in the industry. Because of its notoriety, it is the go-to tool and makes perfect sense that the newest version of EnCase comes equipped with an acquire smartphone feature. Although the camera is not considered a smartphone, it still runs a smartphone operating system; attempting to acquire the camera using EnCase 7 was the last reliable option left. Acquire Smartphone Feature. With the camera plugged into the workstation, EnCase 7 immediately recognized it as a Google Android device. The “Perform Physical Acquisition” box was checked and an output path was created (Figure 5). This was the first time throughout the project that there was a successful way to physically extract data from the camera. Figure 5.
  5. 5. GALAXY, continued continued on next page Once the imaging process was complete, hashing and verification was done using the Process Evidence function. This was to ensure the data didn’t change during imaging. Since both MD5 hashes matched, it was finally time to start analysis. At the end of analysis, the image was hashed and verified again to determine nothing changed by the end of the project. The hashes matched again, ensuring the data was not contaminated in any way (Figure 6). Figure 6. Results. The applications discussed in this section were chosen based on the amount of data created and found. Only the results of applications that were thought to be of most evidentiary value are presented. Please note that in a real investigation, it is advised to look at all evidence provided. Bluetooth. According to the timeline in Appendix A, the Samsung Galaxy camera was paired with an Android Bionic mobile phone on March 4, 2013 at 6:09 PM. This can be proved by navigating to the directory datamisc bluetooth and looking at the incomingconnection.conf file (Figure 7). The timestamp 1362438593661 was given, which converted to March 4, 2013 6:09:53 PM. A picture was sent with the name 20130304_173931. jpg from the camera to the Droid Bionic. There was no indication of what data was sent from the Samsung Galaxy camera. Only artifacts of received Bluetooth media could be found in the path datadatacom. droid.bluetoothdatabasesbtopp.db. Figure 7. Taking a closer look at the database file btopp.db, using the software SQLite Spy3 , the Bluetooth MAC address of the Droid Bionic is 40:98:4E:CC:84:4C. In Figure 8, the Droid Bionic’s MAC address can be found under “destination”. This means the Droid Bionic was sending a word document and a picture to the camera. The document named GSR.docx was sent to the camera on March 4, 2013 at 6:16 PM, which is what the number under ‘timestamp’ (1362438992767) converted to. Although the file GSR.docx was deleted on March 14 from the camera, it still appeared in the database file. Figure 8. Bluetooth artifacts are also found in the external. db database, located in datadatacom.android. providers.mediadatabases. When the document GSR. docx was deleted from the camera, the date modified of an entry called /storage/sdcard0/Bluetooth (Figure 9) was updated in external.db. The timestamp 1363297819 converts to March 14, 2013 at 5:50 PM. According to Appendix A, that was the time the GSR.docx document was deleted. There is no indication, though, in external.db that this timestamp is associated to GSR.docx, so it could be anything. To better determine what was being modified the database’s hex needed to be examined. Figure 9. Before beginning a search, the timestamp of ‘date modified’ had to be converted into hexadecimal. 1363297819 converted to hex 5142461B. That string of hex was then searched for within external.db. It is highlighted in red (Figure 10). Above that entry, is GSR. docx (highlighted in yellow). In blue, the hex 51352b51 is found. 3 SQLite Spy is a SQlite database browser. It takes the contents of a .db file and presents it in organized tables. This tool was used to preview all SQlite databases mentioned in this report.
  6. 6. GALAXY, continued continued on next page Figure 10. That string converted to March 4, 2013 at 6:16:33 PM, which is the time and dates the document GSR.docx was sent to the camera. While that is a longer method of figuring out timestamps, it works and proves to be another option if for some reason the database btopp.db is inaccessible. Clipboard. An interesting feature to the newer Android devices is Clipboard. The option to copy pictures and paste them later in another application is quite useful. In computers, clipboard data is considered volatile, which means it is lost once a system is powered down. For the camera, though, clipboard data is stored directly onto the device. Every time pictures or text were copied, they were written to the dataclipboard directory. Even all screenshots were found in this directory, although the camera stores those in a separate location as well. It was ensured the screenshots found in the Clipboard directory were the same as those in the Screenshot directory (datamedia PicturesScreenshots) by comparing the hashes (Figure 11 and 12). All of the hashes matched and it was noted that the last written times for the screenshots found in the Screenshot directory were a tenth of second sooner than the last written times in the clipboard directory. Because of this, it has been concluded that when a screenshot is taken, it is first stored to the Screenshot directory and then held in the camera’s clipboard less than a second later, most likely for easy sharing purposes. The picture 20130228_192931.JPG (Figure 13) was copied to the clipboard and then the original picture was Figure 11: Screenshots from Clipboard directory Figure 12: Screenshots from Screenshots directory deleted. This picture was not pasted anywhere and then the camera was shut off. The picture was still found in the clipboard directory in full tact. Figure 13.
  7. 7. GALAXY, continued continued on next page Chrome. Along with social media and email applications, probably one the largest used mobile features is the internet. The Samsung Galaxy camera comes equipped with both Chrome and its own default internet browser. To get the full effect of what a user can do with Chrome, numerous Google searches were conducted, bookmarks were made, and incognito windows were used. At 10:08 AM, a new incognito tab was open in Google Chrome and a search was made for “best hiding places”. The URL www.wikihow.com/Find-Good-Hiding- Spots was clicked on. Five minutes later, a search was made for “parks in Burlington”. Upon doing a keyword search in EnCase for “hiding places” and “parks in Burlington”, nothing significant was found. The only data associated with these two searches was found in xT9CdbData.dat, which is located in datadatacom. sec.android.inputmethodapp_xT9DB. Within the .dat file was a list of words typed by the user (Figure 14) in various applications. Some words correspond to Tweets, Facebook statuses, emails, Google Searches and calendar events. Although the words “hiding places” and “parks in Burlington” were found in this location, there is no evidence linking these words to a Google Chrome incognito page. No other data pertaining to incognito windows was found on the camera. Figure 14. As for data created in a normal Chrome window, Google searches and bookmarks were found in the path data/data/com.android.chrome/app_chrome/ Default/Favicons-journal. Although the history had been cleared on the camera, Google searches for “champlain. edu”, “dogs”, “how many people are in the world”, “jobs in Burlington”, “long island rail road”, and “heady topper” were all found. Even the deleted bookmark for “jobs in Burlington” was present in the file (Figure 15). Unfortunately, this journal file can only be viewed within EnCase and is not very pretty to look at. Figure 15. Contacts. Although the Samsung Galaxy camera is not meant to be a phone, there is still a built in option for contacts. This feature is mostly for storing Facebook, Twitter and email contacts. Contacts from other applications like Talkatone or Google Voice can also be stored here. A full list of all contacts on the camera was found in contacts2. db located under datadatacom.android.providers. contactsdatabases. When this file was opened in a database viewer, the list of contacts was found under View Raw Contacts. Two contacts, Sarah and Chloe, were deleted from the camera but their names still showed up in the database (Figure 16). Figure 16.
  8. 8. GALAXY, continued continued on next page The 1 in the deleted column also indicates that these contacts have been deleted. Default Browser. Since the Samsung Galaxy camera comes with two different web browsers, it was pertinent to analyze both, as different users will have different web browser preferences. Like the artifacts found with Google Chrome, the default browser stores a lot of data in its own database file called browser2.db. This file was found at datadatacom.android.browserdatabases. While looking through the database file, bookmarks from both Google Chrome and the default browser were found along with their created timestamps. Although the database showed bookmarks from Google Chrome, it only showed deleted bookmarks coming from the default browser (Figure 17 highlighted) and not the deleted ones coming from Chrome. Figure 17. Referring again to Appendix A, there were Google searches made for “dinner recipes”, “tattoo Burlington”, “how big is the earth”, “New York Islanders”, “what movies are playing”, “android phones”, “teddy bear” and “Barack Obama”. The URL “baseball.com” was also typed into the default browser. After those words were searched for and links were clicked for them, the default browser’s history and cache was cleared. Much like the database file found for Chrome, browser2.db did not show the complete web history in a database browser. Instead, taking a look at browser2. db-wal provided all internet searches (Figure 18). Incognito pages were used in this browser as well. The only incognito Google search that was found was “fish tank”. This piece of data was found in the directory datadatacom.google.android. googlequicksearchboxcachehttp. The file name for this search is c0f4d2b80c1a2e84bfc574014997b7d9.0 (Figure 19). While the file does not directly state it’s from an incognito page, the URL “google.com/proxy” may suggest that it is. The Google search for “how long do fish live” was not found anywhere relating to Google. It was only found in the previously mentioned Figure 18. Figure 19. xT9CdbData dat file. Downloads. Data downloaded to the downloads application was found in the sisodownloads.db file located at data datacom.sec.android.providers.downloadsdatabases.
  9. 9. GALAXY, continued continued on next page Appendix A states that five pictures were downloaded from the internet on March 14, 2013. They were of a white android phone, an android phone chart, two bears together, a bear with a heart, and the bear from Ted. In Figure 20, the names of three downloads can be found. Figure 20. To determine what these pictures actually are, a search in EnCase was conducted (Figure 21). Only three downloads were found because the other two were deleted. The picture of Ted (Figure 22) was eventually found in datamediaAndroiddatacom.sec.android. gallery3dcachenearby_cache, but the picture of the white android phone was nowhere in EnCase. Figure 21. Figure 22. Since the deleted Ted picture was found, it was likely that the picture of the white android phone was somewhere on the device. Because EnCase did not seem to find it, the file system dump done with the Cellebrite UFED Pro was analyzed to understand where the deleted file was stored. While scrolling through the pictures Cellebrite found, the white phone was present. Its file name is .thumbdata3—1967290299_embedded_105.jpg. The full path to the deleted picture is shown in Figure 23. Figure 23. The path was followed within EnCase and the file name was found. The only problem was the picture itself did not show up in EnCase’s picture viewer because it was embedded. That means the file has more than one image stored in it. The file was copied out of EnCase and then edited with the software Hex Workshop in order to restore the picture back to its original structure. This was done by finding the hex header, FF D8 and hex trailer, FF D9. All JPEG images have these same hex headers and trailers. By copying the contents within these hex values and saving them as their own file, the image can be recreated. This was done so successfully and the image of the deleted white android phone was officially found. While analyzing the contents of the file system dump from Cellebrite, the directory “tdata” (Figure 24) was spotted. This directory did not show up in EnCase and in it were hundreds of embedded pictures separated into three folders: imgcache.0.EMBEDDED, imgcacheMicro.0.EMBEDDED, and imgcacheMini.0.EMBEDDED. Both the picture of Ted and the picture of the white android phone were found in the folder imgcacheMicro.0.EMBEDDED (Figure 25). Figure 24.
  10. 10. GALAXY, continued continued on next page Figure 25. Dropbox. From the moment the camera was received, a Dropbox account was created and was set to sync every time a picture was taken. Dropbox artifacts are found in the directory datadatacom.dropbox.android and a database file called, db.db has a list of all uploaded pictures and documents. Nothing was really done with the Dropbox application. No data associated with Dropbox was deleted, so there was not much to find. Email. On February 21, a Hotmail account was made using the camera’s Email application. An email was created from the camera with the subject “Hi” and the body “look at this!”. Attached to the email was the picture, 20130201_130354_resized.jpg. The email failed to send and the email account was then removed from the camera. Although the Hotmail account created was removed, the data from the failed email was found in several locations. A notification of the failed email is found in the file SendingFailNotification.xml, located in the path datadatacom.android.emailshared_prefs (Figure 26). Figure 26. Unfortunately, the notification does not detail who the email was being sent to or what the body of the email consisted of. Green plating the parent directory, com. android.email, in EnCase allows all the files within that directory to be previewed. By doing this the file 20130201_130354_resized.jpg was found (Figure 27). The last piece of evidence that connects the picture and failed email notification to a Hotmail account is found in the emailprovider.db file, which is in datadatacom.android.emaildatabases. When this database was exported, it showed up empty in the database browser. Viewing it in EnCase provided Figure 27. more information. The receiver’s email address, the email’s timestamp, the email’s body and subject text were all found there (Figure 28). The timestamp found, 1361460813811, converted to February 21, 2013 at 10:33 AM which was when the email attempted to send. While the picture in Figure 27 is found in this document, it is not directly linked to any email account. Since it is in the email database, it can be assumed that this picture was sent or received as an attachment, but there is no way to definitively know. Figure 28. Facebook. Facebook is the number one social networking site in the world (AlexaRank). With over one billion users, it is at the top of list for retrieving data. Artifacts from Facebook are stored in datadatacom.facebook.katana. Over 1,000 files were found in this directory. Of these files, the database users_db2 is where to find all Facebook friends, even the deleted ones (Figure 29). Figure 29 The names highlighted in yellow are the users that were deleted. In the threads_db2 database, Facebook chats and messages were found. While deleted chats were
  11. 11. GALAXY, continued continued on next page not found, there are entries with zeros in them that may indicate messages were deleted Figure 29. Figure 30. Within datadatacom.facebook.katanafiles, two images starting with the file name temp-compose-photo were found. These two images were the only images sent via Facebook Messenger. While there is nothing associating these pictures with a Facebook user or with any timestamps, they are still found in a Facebook directory. It is odd that the only two pictures sent through Facebook chat are the only two pictures found in that directory (Figure 31). That indicated that files stored in the com.facebook.katanafiles directory came from Facebook chats, as all other pictures uploaded to Facebook by the camera were not found there. As for deleted status’, there were no artifacts found within EnCase or Cellebrite. Figure 31. Gallery. Since the Samsung Galaxy camera is firstly a camera, it is crucial to examine any and all picture data provided. The camera comes with impressive WiFi sharing features, so determining where a picture came from is key to an investigation. When pictures are taken on the camera they are stored under numerous folders within the Gallery. These folders are created according to use. If an Instagram account is created, photos uploaded to Instagram are found in the Instagram folder in the Gallery. For this project, the folders on the camera are Camera, Download, Bluetooth, Instagram, Paper Pictures, Photo Wizard, Screenshots, Share via WiFi, Facebook Mobile Uploads and Facebook Profile Pictures. EnCase successfully found all of the pictures that were currently present on the camera, but did not find any pictures that were deleted. False positives were found, as the camera was synced with Dropbox from the beginning
  12. 12. GALAXY, continued continued on next page of the project. Photos were automatically uploaded to Dropbox once they were taken and were stored there. When pictures were deleted from the Gallery, they were still found by EnCase in the Camera Uploads folder for Dropbox. Manually navigating through the photos on the camera with EnCase, three pictures were found in datamedia DCIM.thumbnails. The pictures were taken on January 1, 2012 before the camera was received for this project. It was later found out that these pictures came from a user who had the camera first and then reset it for this project. Aside from those three pictures, no other deleted pictures taken by the camera were found in the thumbnails folder. Delving back into the file system dump provided by Cellebrite, the previously mentioned directory “tdata” (Figure 32) was looked into more thoroughly. That was the location of the deleted downloaded picture of the bear Ted, so it was the next logical place to look. Figure 32. The file within this directory that was most prominent in finding deleted pictures was imgcacheMicro.0. It was here that all pictures ever taken with the camera were found. This included deleted pictures, S Memo notes, screenshots, downloaded pictures and pictures shared over WiFi. The imgcacheMicro.0 folder was embedded, so numerous pictures were found in one file. To have a better viewing of all the pictures in this location, the imgcaceMicro.0 folder was exported from Cellebrite’s Physical Analyzer and was saved to an external drive. The folder imgcacheMirco.0.EMBEDDED was created and the pictures were easily accessible. By looking through the contents of the imgcacheMicro.0.EMBEEDED folder, the deleted pictures mentioned in Appendix A were available for viewing (Figure 33). Figure 33. Gmail. Like most Android devices, the camera comes with two email applications; Email and Gmail. It is crucial to investigate artifacts from both applications, as it is typical for people to have more than one email address. Navigating to the path datadatacom.google.android. gmdatabases resulted in finding of the database mailstore.sammysung131@gmail.com.db. By exporting and viewing this file in SQLite Spy, only one deleted email was found (Figure 34). Looking at the database’s contents within EnCase provided the rest of the deleted emails. The only problem with that was there was no indication of who was
  13. 13. GALAXY, continued continued on next page sending what, when emails were sent or received, or what emails were deleted (Figure 35). Figure 34. Figure 35. Google Search Bar using Voice. The Google search bar installed on the camera automatically uses the Chrome browser and there is no option to use the default browser. The voice feature was looked into to see if any artifacts left from the voice commands could be found. It was clear from the analysis of Chrome that Google searches in general could be retrieved, but evidence coming from voice searches was an unknown. Referring back to Appendix A, a Google search using the search bar and voice feature was made on March 14 at 5:28 PM for “turtles”. Other searches were made that day for “windex”, “North Babylon High School”, and “Toyota Prius”. The search for “windex” was not found anywhere on the camera. This was the only voice search that a link wasn’t clicked on afterward. Even so, the Google search itself should have been present. The searches for “turtles” and “North Babylon High School” were found through the path datadatacom. google.android.googlequicksearchboxshared_prefs SearchSettings.xml (Figure 36). Figure 36. That information was not too useful at all, as no timestamps were provided for the individual searches and the rest of the searches made were not found in the XML file. In fact, the other searches weren’t found anywhere in the com.google.android.googlequicksearchbox directory at all. The search for “Toyota Prius” was found in Chrome’s Favicons-journal file, which was also where Chrome’s internet history was located (Figure 37). The search for “turtles” was found there too, but as aforementioned, there was no indication that these came from Google searches and no timestamps were associated with them. In short, the data found here is useless from an investigators point of view. Figure 37. Google Voice. Since this camera in particular did not come with a SIM card or data plan, the only way to make calls or send text messages was to use WiFi. Because of that, the applications enabling call and text options needed to be closely looked at. Google Voice is a great application that provides a user with their own phone number and the ability to make calls, send text messages, and receive voicemails. In this case, the camera’s phone number was 802-448-0816. Multiple text messages were sent and received using Google Voice. While no conversations were deleted from the application, there were no
  14. 14. GALAXY, continued continued on next page artifacts found. Data for Google Voice gets stored in datadatacom.google.android.apps.googlevoice. In this directory, a number of different databases are found. The SMS outbox database is empty, along with conversationsDatabase and model.db. It is unknown as to why data wasn’t present in the com.google.android.apps. googlevoice directory. A keyword search in EnCase was done for known sent text message content, but the search resulted in nothing. Talkatone. Talkatone is an application with the same functionality as Google Voice, except it does not provide the user with a phone number. Unlike Google Voice, artifacts from conversations created on the camera were found. The conversations are stored as .map files, which get recognized by EnCase as picture files. These files were found in data/data/com.talkatone.androidfilessms- messages. The .map files are categorized by phone number (Figure 38). By looking at the files in EnCase’s Transcript viewer, the contents of the conversations currently on the camera were found in plaintext (Figure 39). Figure 38. Highlighted in blue is number of the person who sent the text message “I’m gonna catfish you” to the camera. Figure 40 shows the response “Do it” coming from the camera. Unfortunately, the Last Written times for the .map files are not accurate (only the dates are) and there was no other way of telling when these text messages were sent. Furthermore, the deleted conversation from the user “Alyse” was not found. Figure 39. Figure 40. In the History folder in the directory data/data/com. talkatone.androidfiles, all phone calls with accurate timestamps were present. None of the calls were deleted from the logs, but since no deleted text messages were found it was likely that deleted call logs would not have been found either. Maps/Navigation. Multiple searches were made using Google Maps and the built in navigation application. Nothing from these applications was deleted, but search queries, along with accurate timestamps, were found in two database files located in datadatacom.google.androidappsmaps: search_history.db (Figure 41) and da_destination_history. db (Figure 42). Search_history provides data coming from Google Map searches, while da_destination_history contains data about any directions given by the built in navigation system.
  15. 15. GALAXY, continued continued on next page Figure 41. Figure 42. Remote View Finder. Probably the most noteworthy feature of the Samsung Galaxy camera is Remote View Finder (RVF). It is used when the camera is in camera mode and the Share button is pressed. One of the options provided is Remote View Finder. This allows another device running RVF to connect with the camera via WiFi. The camera can then be taken outside, down the hall, or elsewhere in a building using the same WiFi network. The device running RVF (in this case the Droid Bionic) can see what the camera sees and can control the camera’s functionality (Figures 43 and 44). Once a picture is taken by the camera via another device, the picture gets stored on both devices. Pictures taken using this feature were not deleted. Figure 43: Viewfrom Samsung Galaxy camera Figure 44: View from Droid Bionic The primary concern surrounding this feature was finding anything that connects the camera to the other device taking the pictures. This information was discovered in the directory datamiscdhcp. The file dnsmasq.leases (Figure 45) provides a timestamp of the last time RVF was connected to WiFi (highlighted in blue), the MAC address of the device it connects to (highlighted in yellow), and the IP address of the network being used. Figure 45. The timestamp converted to March 16, 2013 at 3:12 PM which, according to Appendix A, is when numerous pictures were taken using Remote View Finder. Doing a temporal analysis on any pictures at that time resulted in finding all of the pictures taken with Remote View Finder on March 16 at 3:12 PM (Figure 46* and 47). Figure 46.
  16. 16. GALAXY, continued continued on next page Figure 47. *Please note: The content highlighted in green in Figure 46 is incorrect. The filename 20130316_151235.jpg should be highlighted and not dnsmasq.leases S Planner. The calendar application for Samsung devices is known as S Planner. Events stored in the calendar can sometimes provide crucial information during an investigation. A person’s future or even past whereabouts can be found on the S Planner application and could possibly validate or dispute someone’s alibi. Data stored for S Planner was found in the database file calendar.db, located in datadatacom.android. providers.calendardatabases. The contents of the file were viewed with SQLiteSpy and three deleted events were found (highlighted). Accurate timestamps for each of the created events were also present (Figure 48). The 1 in the “deleted” column indicates the event is actually deleted. Figure 48. S Voice. The application S Voice is similar to the iPhone feature, Siri. S Voice allows a user to communicate with their device with the press of a button. S Voice will look up directions, conduct internet searches, browse contacts, or even post a social network update. Various artifacts coming from S Voice are found in the directories data datacom.android.chromeapp_chromeDefault Favicons and DefaultHistory 2013-03 (Figure 49). Unfortunately, these searches are only found because S Voice accessed Google in order to conduct them. There is no evidence to indicate that these found searches did in fact come directly from S Voice. The searches do show the title Google Custom Search, which is what S Voice uses, but that still does not allow for a positive conclusion to be made.
  17. 17. GALAXY, continued continued on next page Figure 49. Twitter. The second largest social media site, next to Facebook, is Twitter (AlexaRank). A ton of unnecessary and unrelated data was found in Twitter’s database. All of “Sammy Sung’s” followers, along with their followers and updates, were provided. Even popular searches conducted by users unassociated with Sammy Sung were present in the database file. This very large chunk of data was found in the database 1138036112.db, located in the directory datadatacom.twitter.androiddatabases. The number title (1138036112) for the database file may change according to dates and devices, but that has not been tested. The number was converted, as it seemed like a timestamp, but it converted to January 23, 2006 at 12:08 PM, which had nothing to do with this project. Aside from a lot of unimportant data within the database file, the deleted direct message from the Twitter account Cat_Stamm to sammysung131 was found with Cellebrite (Figure 50). What’s interesting is that other direct messages were sent between the two users, but they were not found anywhere within EnCase or Cellebrite. Figure 50. Figure 51. This database also contained deleted Tweets coming from the Samsung Galaxy camera (Figure 51), but the data was not presented as concisely as the direct messages. WiFi Direct. The other appealing feature built into the camera is WiFi Direct. This allows two Android devices installed with WiFi Drect to connect over the same WiFi network and share pictures, applications, music, and other media. Unfortunately, this feature was only tested once, as only one other person at the LCDI had an Android phone that was equipped with WiFi Direct. The device used for testing was a Samsung Galaxy Note III and four files were sent to the camera: mylife.mp3, thriftshop.mp3, vavavoom.mp3 and 2013130_154630.jpg. The file mylife.mp3 was then deleted from the camera. The other two music files and the image were located in the external.db database, found in the directory datadatacom.android.providers.mediadatabases (Figure 52). Highlighted in yellow is a potential artifact of the deleted file, mylife.mp3. The timestamp under date modified converts to March 14, 2013 at 5:15 PM. According to Appendix A, that was the time mylife.mp3 was deleted. While it makes sense that this entry would update its modified timestamp once the file was deleted, there is no real evidence that determines the entry is associated with the file mylife.mp3. Figure 52. Since media can so easily be transferred to surrounding devices using WiFi Direct, it was decided that analysis of the picture being sent to the camera was needed. The picture 2013130_154630.jpg was sent to the camera on February 2, 2013 at 9:43 AM and was found in
  18. 18. GALAXY, continued continued on next page Figure 53. the folder Share via Wifi (datamedia). By looking at this picture in the Transcript viewer, data known as EXIF data can be seen (Figure 53). EXIF data is essentially metadata, or data about data. EXIF data is stored in most digital pictures and provides information about the camera which did the picture taking. For example, the camera’s make and model, what time the picture was taken, exposure time, and even possibly a GPS location can all be found within EXIF data. Highlighted in green is the make of the device sending the picture and in yellow is the model number. Knowing that the model number of the Samsung Galaxy camera is EK-GC100, it can be concluded that the picture 20130130_154630.jpg was not originally taken with the Galaxy camera. Conclusion. By the end of this project, it has been undoubtedly concluded that the Samsung Galaxy camera can be forensically acquired. Even with minimal support available for this new device from some of the industry’s leading forensic tools, data extraction is still 100% possible. Following the successful acquisition of the Samsung Galaxy camera, this paper was able to outline a forensics guide for future investigators and be considered a preliminary source when forensics on this device is necessary during a case. Due to simulation of an average user throughout the project, the forensics breakdown of the data is realistic and is able to be compared and utilized in field work. All information about the data found is organized so investigators may find their work on the Galaxy camera easier and more productive. Based on the results of this project, it did not seem that the camera stored data any differently than other Android devices. Due to this, some of the same Android forensic techniques can be used to analyze the camera. This discovery will help investigators decide on a starting place and will hopefully ease their process, as Android forensics is solidly researched. In conclusion, forensically examining the Samsung Galaxy camera proved to be successful and will be useful, as well as applicable, to future forensic investigations for this device. Appendix A. Timeline January 31, 2013 4:25 PM Create Gmail and Samsung accounts (sammysung131@gmail.com) 4:30 PM Create Facebook (used sammysung131@gmail. com) 4:50 PM post “hello everyone!” on Facebook 4:54 PM Email sent from catstamm60@gmail.com to Sammy Sung with attachment of a boy on cell phone (sammysung.jpg) Picture was downloaded 4:57 PM Change profile picture to Sammy Sung 5:05 PM Create Twitter (@sammysung131) 5:06 PM Twitter - post “please follow me i am lonely” 5:15 PM Download Talkatone 5:18 PM Talkatone – Sammy calls 631-291-XXXX for 3 seconds 5:24 PM Talkatone – Sammy calls 631-291-XXXX for 8 seconds 5:20 PM Created Google Voice account (802-448-XXXX) 5:22 PM Received voicemail from Google Voice 5:26 PM Google Voice – received text message from the application Talkatone 5:42 PM Facebook - tagged by cat stamm 6:30 PM Google Voice – received text from Caitlin “it’s Caitlin stamm” 6:32 PM Google Voice – Sammy responds to Caitlin “thanks for helping me out!” 6:35 PM Google Voice – Caitlin replies “if you need any help let me know!” 6:36 PM Facebook – post I’m getting so many friends 6:42 PM Facebook - Pagina posts “wanna be in a relationship” 6:56 PM Facebook - post picture of Alyse and Laura sitting on the couch with the caption “Alyse doesn’t look happy” 7:02 PM Facebook - post from Christine “did you get the camera today” 7:02 PM Facebook – Message Alex “be my friend”
  19. 19. GALAXY, continued continued on next page 7:18 PM Google Voice – Received text from Chloe “Sammy my boy” 7:23 PM Google Voice – Sammy replies to Chloe “haha hey whats up” 7:33 PM Google Voice – Chloe responds “can you get texts off a phone after theyre deleted?” 7:35 PM Google Voice - Sammy texts Chloe “yup usually” 8:08 PM Google Voice – Receive voicemail from Dad “this is mr spam (stamm) from Babylon, give me a call please” 8:21 PM Google Voice – Received text from Sarah “whats up it’s your favorite ginger” 8:38 PM Facebook - post from Alyse “any chance you’re Japanese” 8:43 PM Facebook - post from Alex a picture of a rabbit 9:22 PM Facebook – post from Alyse “look at this girl she might be crazy” picture of Cat making a phone call with the camera 9:56 PM Twitter - post “@catstamm hello~” February 1, 2013 8:59 AM: Google Voice – text from Alyse “hope you and your blazer get on tv today” 9:00 AM: Google Voice – respond to Alyse “thank you!” 9:03 AM Facebook – post status “cat stamm just got 48 GB on dropbox for free” 10:24 AM Twitter – post picture of Kyle cleaning his iPhone 1:03 PM Camera – picture of the Irish flag was taken 1:04 PM Camera – picture of Chobi yogurt was taken 8:15 PM Facebook – post from Trevin “3 sammysung!!!!” February 2, 2013 7:52 PM Camera – Picture of Julie sitting on the couch with a pink blanket is taken 8:03 PM Twitter – post “girl you trippin” 8:21 PM Facebook – “hahahah I can’t be imaged!!” February 5, 2013 1:43 PM Facebook – post from Cat Stamm “whattup brah” February 6, 2013 9:41 AM Facebook – post from Kyle “article on Samsung galaxy camera” February 7, 2013 9:40 AM Twitter – retweet Joe Stamm “blink 182 pandora is on point” 9:49 AM Twitter – post “me so Sammy Sammy” 9:54 AM Twitter – post “my uncle came to visit today!” with picture of Galaxy Camera box 10:05 PM Google Voice – Text Alyse “have fun at the gym” 10:06 AM Google Voice – Text Mommy sung “Sammy sung here.. I see you” 10:07 AM Google Voice – Text from Mommy Sung “do you really see me?” 10:16 AM Facebook – post status “don’t hate me cause I’m beautiful” 10:18 AM Facebook – post picture of text message with Mommy Sung 10:26 AM Maps – search for Japanese restaurant, select koto steak house and get directions 10:31 AM Google Voice – Receive text from Alyse “thanks Sammy” February 10, 2013 4:53 PM Facebook – post from Alyse “happy birthday old man” 4:58 PM Facebook – post from Laura “happy birthday! See you tonight to celebrate?” 5:00 PM Facebook – post from Julie “ahh Sammy sung happy birthday old man!!” 10:37 PM Facebook – post from Pagina “you’ll get your birthday present on valentines day” February 11, 2013 9:42 AM Facebook – post status “thanks for all the birthday wishes!” 9:48 AM Camera – Take picture of TrueCrypt icon 10:39 AM S Planner – Created event “Valentine’s Day” 10:40 AM S Planner – Created event “California” February 14, 2013 10:58 AM Facebook – Change profile picture to Samsung Galaxy Camera February 21, 2013 9:52 AM Default Browser – Search for dinner recipes, click 2nd Google page, click 30 minute dinner recipes – recipes and cooking, foodnetwork.com – upon clicking you get a screen for chrome or internet – CHOSE INTERNET 9:58 AM Default Browser – Type in URL bar “tattoo Burlington” – click Vermont custom tattoo and piercing – click website – bookmark – options to save in sammsung131@gmail.com, Samsung account, or my device – chose my device 10:01 AM Default Browser – Type in URL bar “how big is the earth” – click first link (space.com) – add bookmark – choose sammysung131 10:04 AM Default Browser – Search “New York Islanders” – click first link islanders.nhl.com - bookmark – choose Samsung account 10:12 AM Default Browser – Search “what movies are playing” – click moviefone.com – bookmark to my device – long hold – delete bookmark March 4, 2013
  20. 20. GALAXY, continued continued on next page 6:09 PM Bluetooth – Galaxy camera and Droid Bionic are paired 6:10 PM Bluetooth – Sent picture of Alex waving to Bionic (20130304_173931.jpg) 6:16 PM Bluetooth – Sent GSR.docx paper from Bionic to Samsung camera 6:18 PM Clipboard - Took a picture of the San Fran hotel and copied it to the clipboard. Didn’t put it anywhere, deleted the picture from the gallery, and shut off the camera March 5, 2013 2:14 PM Camera – take picture of a pepsi cup 2:16 PM Camera – take picture of a laptop with a peace sign on it March 6, 2013 2:37 PM Twitter – post “Logs are awesome!!” March 13, 2013 8:33 PM Facebook – tagged by cat stamm “Sammy sung will always remember his facebook friends!” March 14, 2013 1:01 PM Gallery – Delete pictures of truecrypt icon, pepsi cup, Julie on the couch, the irish flag, and Chobi yogurt 1:03 PM Facebook – Post status “It’s almost time to go back in the box :(” 1:04 PM Facebook – Delete mobile upload picture of Alyse and Laura on the couch 1:04 PM Facebook – Delete status “thanks for all the birthday wishes!” 1:05 PM Facebook – Delete message to Alex “be my friend” 1:06 PM Facebook – Message Cat Stamm “Hey!” 1:06 PM Facebook – Receive message from Cat Stamm “hey Sammy what’s up” 1:06 PM Facebook – Respond to Cat “nothing really just working” 1:07 PM Facebook – Cat sends “well that’s cool. Hows your project going” 1:07 PM Facebook – Sammy replies “it’s fine! I’m really close to finishing” 1:10 PM Facebook – Cat Stamm replies “well good luck!” 1:11 PM Facebook – Delete 3 Facebook friends: Sara, Kody and Toni 1:13 PM Facebook – Sammy messages Cat Stamm a picture of Leonardo’s pizza box and then deletes it 1:13 PM Facebook – Cat Stamm responds “that looks good” 1:13 PM Facebook – Sammy replies back “It was!” 1:15 PM Facebook – Message Alex a picture of lay’s chips 1:18 PM Facebook – Alex responds “why?” 1:19 PM Delete voicemail from Google Voice 1:20 PM Delete Google Voice conversation with Alex 1:30 PM Delete email from Groupon “76% off earbuds” 1:30 PM Delete email from Facebook “christine wants to be your friend” 1:31 PM Delete email from talkatone “welcome” 1:31 PM Delete email to jjs2 “Hi Dad” 1:40 PM Delete Talkatone conversation with Alyse 1:41 PM Delete contacts Sarah and Chloe 1:45 PM Maps – Search for North Babylon and click directions, use the navigator 3:50 PM Default Browser – Google search android phones, click images, and download pictures of a white android phone and an android phone comparison chart 3:51 PM Default Browser - Google search teddy bear, click images, download 2 bears together, download 1 bear that says I love you with a heart, and download a picture of Ted 4:20 PM Twitter – post a picture of Alex’s laptop 5:01 PM S Planner – Created event “Kip Moore” 5:01 PM S Planner – Created event “Graduation” 5:01 PM S Planner – Created event “Last day of class” 5:02 PM S Planner – Deleted events “Kip Moore” “Graduation” and “Last day of class” 5:15 PM – Music delete mylife.mp3 5:17 PM Twitter – post “@cat_stamm what am I doing?” 5:20 PM Twitter – Direct message from sammysung131 to cat_stamm “im hungry” sent 5:28 Google Search Bar with Voice – search for turtles click on Wikipedia page 5:29 PM Google Search Bar with Voice – search for windex, click on no links 5:30 PM Google search Bar with voice – search north Babylon high school, click link 5:30 PM Google Search bar with Voice – search Toyota prius and click Toyota.com 5:40 PM Default Browser – Google search Barack Obama – click barackobama.com – click menu, save for offline reading and click back arrow 5:41 PM Default Browser – Click Wikipedia page on Barack Obama, save it for offline reading 5:43 PM Default Browser – Type in URL “baseball.com” and click back arrow 5:43 PM Default Browser – Start a new Incognito page, type in “fish tank” and click petsmart.com 5:45 PM Default Brower – In incognito page: search for “how long do fish live” click on no links Clear all history and cache for Default Browser March 16, 2013
  21. 21. GALAXY, continued continued on next page 3:12 PM Remote View Finder – take picture of Alex’s research paper, take a picture of the LCDI board and of the black expo pen March 20, 2013 3:14 PM Twitter – Direct message from cat_stamm to sammysung131 “hey buddy!” was sent 3:16 PM Twitter – Direct message from sammysung131 to Cat_stamm “hello” was sent 3:17 PM Twitter – Direct message from cat_stamm to sammysung131 “hows it going” sent 3:18 PM Twitter – Delete direct message “hey buddy!” Appendix B. Root As previously mentioned, the Samsung Galaxy camera was rooted. When trying to figure out how to root the camera, an article was found by XDA developer, Adam Outler (McGee). He recently came up with a method to root the camera using Odin3 and CF-Auto- Root. Rooting Android devices allows a user to obtain full access to the operating system. This is typically necessary for forensic examiners, as most mobile forensic tools require root access in order to function. To root the camera, Odin3 and CF-Auto-Root must be downloaded. Once the necessary packages were downloaded, the Volume Down, Camera, and Power buttons were pressed simultaneously (Figure 1). Figure 1. The camera then went into download mode (Figure 2) and the rooting process continued. The next step to gaining full access to the camera was to plug the device into a computer and open Odin3. The ID:COM section needed to turn yellow before beginning root, as it indicated the software had recognized the camera. Once that section was yellow, the PDA section (Figure 3) had to be filled with the path to CF-Auto-Root. The rooting process began once start was pressed and then in a matter of minutes the camera rebooted and started as normal. To validate that the camera was rooted, an application called SuperSU was found on the camera itself. Figure 2. Figure 3.
  22. 22. GALAXY, continued kivuconsulting.com info@kivuconsulting.com 415.524.7320 Kivu Consulting, combines technical and legal expertise to deliver investigative, dis- covery and forensic solutions worldwide. Kivu’s digital forensics professionals are experts in collecting, analyzing and processing computer data. Organizations are storing information on ever-increasing numbers of devices, operating systems and shared platforms. These range from mobile devices to distributed “cloud networks.” The result has been an explosion in vulnerabil- ity to data theft and the potential cost of e-discovery. Kivu is unique in understanding the legal implications and advising on the technical and practical challenges of digital forensics in the modern workplace. Our in-house team has testified as experts and worked on almost every conceivable type of computer media, configuration, and email application. Our expertise and years of experience allow us to avoid the icebergs and offer practical solutions to reduce costs. About the Author Catherine Stamm is a Digital Forensic Analyst at Kivu Consulting. Catherine has worked on cases involving theft of trade secrets, Internet harassment, and workplace investigations. Catherine has extensive experience in the forensic analysis of PC and Mac OS systems, mobile forensics, digital image forensics and RAM analysis. Previously, she was a forensics researcher at the Senator Patrick Leahy Center for Digital Investigation (LCDI). Catherine has also served as a certified Crisis Worker in Vermont. Catherine can be reached by email at cstamm@kivuconsulting.com. Works Cited. “Android ADB.” Developer. Android Developer, n.d. Web. 10 Apr. 2013. http://developer.android.com/tools/help/adb. “Android Forensics Tool: AFLogical.” ViaForensics. ViaForensics, n.d. Web. 8 Apr. 2013. https://viaforensics.com/resources/tools/android-forensics-tool/. “Android SDK.” Developer. Android Developer, n.d. Web. 10 Apr. 2013. http://developer.android.com/ sdk. “Best Computer Forensics Tool.” SC Magazine. SC Magazine, 15 Feb. 2011. Web. 8 Apr. 2013. http://www.scmagazine.com/best-computer-forensics-tool/article/195999/. “Samsung Galaxy Camera GC100 Specs.” Full Phone Specifications. GSM Arena, n.d. Web. 9 Apr. 2013. http://www.gsmarena.com/samsung_galaxy_camera_gc100-4961.php. “Top Sites.” Alexa Top 500 Global Sites. Alexa Rank, n.d. Web. 10 Apr. 2013. http://www.alexa.com/topsites. “UFED Touch Ultimate.” Cellebrite: Mobile Forensics. Cellebrite, n.d. Web. 10 Apr. 2013. http://www.cellebrite.com/mobile-forensic-products/ufed-touch-ultimate.html. Hoog, Andrew. Android Forensics: Investigation, Analysis, and Mobile Security for Google Android. Waltham, MA: Syngress, 2011. 119. Print. McGee. “Hacking The Samsung Galaxy Camera.” XDA-Developers. XDA-Developers, 9 Jan. 2013. Web. 3 Feb. 2013. http://www.xda-developers.com/android/hacking-the- samsung-galaxy-camera-xda-developer-tv/. Kswartz. “Blog.” HOW TO: Forensically Examine an Android Device with AFLogical OSE on Santoku Linux. Santoku-Linux, n.d. Web. 3 Feb. 2013. https://santoku- linux.com/howto/mobile-forensics/howto-forensically-examine-android-aflogical-santoku.

×