Nowadays, android smartphones are becoming more popular and the greatest platform for mobile devices which has capability to run millions of mobile phones in about more than 200 countries. It may bring not only convenience for people but also crimes or security issues. Some people are committed the crimes by using the technology and mobile devices. So, android forensics is very important and necessary in cyber-crime investigation. With no doubt, this proposed process flow and framework will definitely support for android forensics in developing countries’ cyber-crime investigation. Because it provides to solve the crimes with applicable guidelines and includes Open Source Tools, Linux command-line utility, Android Debug Bridge (ADB) commands, Freeware tools and Proposed tools. Although forensics tools are non-commercial in this framework, they can cover and support for android forensics process.
Android is an extensively used mobile platform and with evolution it has also witnessed an increased influx of malicious applications in its market place. The availability of multiple sources for downloading applications has also contributed to users falling prey to malicious applications. A major hindrance in blocking the entry of malicious applications into the Android market place is scarcity of effective mechanisms to identify malicious applications. This paper presents AndroInspector, a system for comprehensive analysis of an Android application using both static and dynamic analysis techniques. And roInspector derives, extracts and analyses crucial features of Android applications using static analysis and subsequently classifies the application using machine learning techniques. Dynamic analysis includes automated execution of Android application to identify a set of pre-defined malicious actions performed by application at run-time.
On the Availability of Anti-Forensic Tools for SmartphonesCSCJournals
The existence of anti-forensic tools in the context of computing systems is one of the main challenges for forensics investigators in achieving reliable evidence recovery and consequently uncovering crime facts. This is in particular more challenging in emerging smartphone technologies, since data is of highly mobile and volatile nature. In the current paper, we present a brief study of several anti-forensic applications available for smartphones. The applications are ready to use, most of them free, and require no expert technical knowledge. Moreover, these have been proved to be very effective when tested with two commercial forensic tools.
SOK:An overview of data extraction techniques from mobile phonesAshish Sutar
The article gives an overview of data extraction techniques from Mobile phones. This will help to new forensic investigators as well as forensic analysts to learn these techniques in detail subsequently.
Taint analysis is the trending approach of analysing software for security purposes. By using the taint analysis technique, tainted tags are added to the data entering from the sensitive sources into the applications, then the propagations of the tainted data are monitored carefully. Taint analysis can be done in two ways including static taint analysis where analysis is conducted without executing the program, and dynamic taint analysis where the tainted data is monitored during the program execution. This paper reviews the taint analysis technique, with a focus on dynamic taint analysis. In addition, some of the existing taint analysis tools and their application areas are reviewed. In the end, the paper summarises the defects associated with each of the tools and presents some of them.
Improvement of Software Maintenance and Reliability using Data Mining Techniquesijdmtaiir
Software is ubiquitous in our daily life. It brings us
great convenience and a big headache about software reliability
as well: Software is never bug-free, and software bugs keep
incurring monetary loss of even catastrophes. In the pursuit of
better reliability, software engineering researchers found that
huge amount of data in various forms can be collected from
software systems, and these data, when properly analyzed, can
help improve software reliability. Unfortunately, the huge
volume of complex data renders the analysis of simple
techniques incompetent; consequently, studies have been
resorting to data mining for more effective analysis. In the past
few years, we have witnessed many studies on mining for
software reliability reported in data mining as well as software
engineering forums. These studies either develop new or apply
existing data mining techniques to tackle reliability problems
from different angles. In order to keep data mining researchers
abreast of the latest development in this growing research area,
we propose this paper on data mining for software reliability.
In this paper, we will present a comprehensive overview of this
area, examine representative studies, and lay out challenges to
data mining researchers
New research directions in the area ofIJCNCJournal
The proliferation of smart mobile phones with diverse features makes it possible to increase their use in
criminal activities. The fast technological evolution and presence of different smart phones and their
proprietary operating systems pose great difficulties for investigators and law enforcement officials to
choose the best tool for forensics examination, accurate recovery and speedy analysis of data present on
smart phones. This paper presents a literature review on smart phone forensic techniques for different
platform. As a result of comprehensive analysis of these techniques, it has been found that there is no
generic forensic technique or tool available which can perform the forensic analysis of all currently
available different smart phones. Further, there is a need to develop a generic technique for forensic
analysis of a variety of different smart phones. This generic technique should perform the forensic of
currently available different smart phones on the crime scene without need to attach the smart phone with
computer. Further, it will help the investigators to do their jobs easily and more efficiently. The proposed
technique need to be implemented and tested on different smart phones to validate its performance and
accuracy.
Android is an extensively used mobile platform and with evolution it has also witnessed an increased influx of malicious applications in its market place. The availability of multiple sources for downloading applications has also contributed to users falling prey to malicious applications. A major hindrance in blocking the entry of malicious applications into the Android market place is scarcity of effective mechanisms to identify malicious applications. This paper presents AndroInspector, a system for comprehensive analysis of an Android application using both static and dynamic analysis techniques. And roInspector derives, extracts and analyses crucial features of Android applications using static analysis and subsequently classifies the application using machine learning techniques. Dynamic analysis includes automated execution of Android application to identify a set of pre-defined malicious actions performed by application at run-time.
On the Availability of Anti-Forensic Tools for SmartphonesCSCJournals
The existence of anti-forensic tools in the context of computing systems is one of the main challenges for forensics investigators in achieving reliable evidence recovery and consequently uncovering crime facts. This is in particular more challenging in emerging smartphone technologies, since data is of highly mobile and volatile nature. In the current paper, we present a brief study of several anti-forensic applications available for smartphones. The applications are ready to use, most of them free, and require no expert technical knowledge. Moreover, these have been proved to be very effective when tested with two commercial forensic tools.
SOK:An overview of data extraction techniques from mobile phonesAshish Sutar
The article gives an overview of data extraction techniques from Mobile phones. This will help to new forensic investigators as well as forensic analysts to learn these techniques in detail subsequently.
Taint analysis is the trending approach of analysing software for security purposes. By using the taint analysis technique, tainted tags are added to the data entering from the sensitive sources into the applications, then the propagations of the tainted data are monitored carefully. Taint analysis can be done in two ways including static taint analysis where analysis is conducted without executing the program, and dynamic taint analysis where the tainted data is monitored during the program execution. This paper reviews the taint analysis technique, with a focus on dynamic taint analysis. In addition, some of the existing taint analysis tools and their application areas are reviewed. In the end, the paper summarises the defects associated with each of the tools and presents some of them.
Improvement of Software Maintenance and Reliability using Data Mining Techniquesijdmtaiir
Software is ubiquitous in our daily life. It brings us
great convenience and a big headache about software reliability
as well: Software is never bug-free, and software bugs keep
incurring monetary loss of even catastrophes. In the pursuit of
better reliability, software engineering researchers found that
huge amount of data in various forms can be collected from
software systems, and these data, when properly analyzed, can
help improve software reliability. Unfortunately, the huge
volume of complex data renders the analysis of simple
techniques incompetent; consequently, studies have been
resorting to data mining for more effective analysis. In the past
few years, we have witnessed many studies on mining for
software reliability reported in data mining as well as software
engineering forums. These studies either develop new or apply
existing data mining techniques to tackle reliability problems
from different angles. In order to keep data mining researchers
abreast of the latest development in this growing research area,
we propose this paper on data mining for software reliability.
In this paper, we will present a comprehensive overview of this
area, examine representative studies, and lay out challenges to
data mining researchers
New research directions in the area ofIJCNCJournal
The proliferation of smart mobile phones with diverse features makes it possible to increase their use in
criminal activities. The fast technological evolution and presence of different smart phones and their
proprietary operating systems pose great difficulties for investigators and law enforcement officials to
choose the best tool for forensics examination, accurate recovery and speedy analysis of data present on
smart phones. This paper presents a literature review on smart phone forensic techniques for different
platform. As a result of comprehensive analysis of these techniques, it has been found that there is no
generic forensic technique or tool available which can perform the forensic analysis of all currently
available different smart phones. Further, there is a need to develop a generic technique for forensic
analysis of a variety of different smart phones. This generic technique should perform the forensic of
currently available different smart phones on the crime scene without need to attach the smart phone with
computer. Further, it will help the investigators to do their jobs easily and more efficiently. The proposed
technique need to be implemented and tested on different smart phones to validate its performance and
accuracy.
Preparing Testimony about Cellebrite UFED In a Daubert or Frye HearingCellebrite
The Cellebrite UFED is among the best known and most used mobile forensic extraction and analysis tools in the digital forensics industry. However, its complex technical processes are not as well understood outside of training. The following information is presented in an effort to help U.S.-based attorneys prepare themselves and their witnesses for Daubert, Frye, or related challenges to the admissibility of UFED-extracted mobile device evidence.
Project Report on Intrusion Detection SystemVishal Polley
This project is aimed to design an intelligent intrusion detection system that will be able to recognize and identify any person and give prompt alerts if the face is not recognised.
Android Malware Detection in Official and Third Party Application StoresEswar Publications
Android is one of the most popular operating system for mobile devices and tablets. The growing number of Android users and open source nature of this platform has also attracted attackers to target Android devices. This paper presents the static and dynamic analysis of the Android applications in order to detect malware. In this work, we have performed permission based and behavioural based filtering of Android applications with the help of malware analysis tools. Our results revel that 80% of the applications request for dangerous permissions.
13% applications consist of malicious activities. Most of the applications are interested in the device data like contact lists, IMEI, IMSI, SMS etc. These results clearly indicate the need for better security measures for Android apps.
Comparative Study on Intrusion Detection Systems for Smartphonesiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM ijwmn
Communication networks are essential and it will create many crucial issues today. Nowadays, we
consider that the firewalls are the first line of defense but that policies cannot meet the particular
requirements of needed process to achieve security. Most of the research has been done in this area but
we are lagging to achieve security needs. Already many models such as ADAM, DHP, LERAD and
ENTROPHY are proposed to resolve security problems but we need an efficient model to detect new types
of various intrusions within the entire network. In this paper, we proposed to design a modernized
intrusion detection system which consist of two methods such as anomaly and misuse detection. Both are
integrated and also used to detect novel attacks. Our system proposed to discover temporal pattern of
attacker behaviors, which is profiled using an algorithm EAA (Enhanced Apriori Algorithm). This is
experimented with a simple interface to display the behaviors of attacks effectively
AndRadar: Fast Discovery of Android Applications in Alternative MarketsFACE
Compared to traditional desktop software, Android applica- tions are delivered through software repositories, commonly known as application markets. Other mobile platforms, such as Apple iOS and BlackBerry OS also use the marketplace model, but what is unique to Android is the existence of a plethora of alternative application markets. This complicates the task of detecting and tracking Android malware. Identifying a malicious application in one particular market is simply not enough, as many instances of this application may exist in other markets. To quantify this phenomenon, we exhaustively crawled 8 markets between June and November 2013. Our findings indicate that alternative markets host a large number of ad-aggressive apps, a non-negligible amount of mal- ware, and some markets even allow authors to publish known malicious apps without prompt action.
Motivated by these findings, we present AndRadar, a framework for dis- covering multiple instances of a malicious Android application in a set of alternative application markets. AndRadar scans a set of markets in parallel to discover similar applications. Each lookup takes no more than a few seconds, regardless of the size of the marketplace. Moreover, it is modular, and new markets can be transparently added once the search and download URLs are known.
Using AndRadar we are able to achieve three goals. First, we can discover malicious applications in alternative markets, second, we can expose app distribution strategies used by malware developers, and third, we can moni- tor how different markets react to new malware. During a three-month eval- uation period, AndRadar tracked over 20,000 apps and recorded more than 1,500 app deletions in 16 markets. Nearly 8% of those deletions were related to apps that were hopping from market to market. The most established markets were able to react and delete new malware within tens of days from the malicious app publication date while other markets did not react at all.
Features for Detecting Malware on Computing EnvironmentsIJEACS
Malware is the main threat for all computing environments. It also acts as launching platform for many other cyber threats. Traditional malware detection system is not able to detect “modern”, “unknown” and “zero-day” malware. Recent developments in computing hardware and machine learning techniques have emerged as alternative solution for malware detection. The efficiency of any machine learning algorithm depends on the features extracted from the dataset. Various types of features are extracted and being researched with machine learning approach to detect malware that are targeted towards computing environments. In this work we have organized and summarized different feature types used to detect malware. This work will direct future researchers and industry to make decision on feature type selection regarding chosen computing environment for building an accurate malware classifier.
Keyloggers are a invasive software often used to harvest secret information. One of the main reasons for
this fast growth is the possibility for unprivileged programs running in the user space to secretly steal and record all the
keystrokes typed by the users on a system. The ability to run in unprivileged mode makes possible their implementation
and distribution. but, at the same time, allows one to understand and imitate their behavior in detail.
CRIMINAL IDENTIFICATION FOR LOW RESOLUTION SURVEILLANCEvivatechijri
Criminal Identification System allows the user to identify a certain criminal based on their biometrics. With advancements in security technology, CCTV cameras have been installed in many public and private areas to provide surveillance activities. The CCTV footage becomes crucial for understanding of the criminal activities that take place and to detect suspects. Additionallywhen a criminal is found it is difficult to locate and track him with just his image if he is on the run. Currently this procedure consists of finding such people in CCTV surveillance footage manually which is time consuming. It is also a tedious process as the resolution for such CCTV cameras is quite low. As a solution to these issues, the proposed system is developed to go through real time surveillance footage, detect and recognize the criminals based on reference datasets of criminals. The use of facial recognition for identifying criminals proves to bebeneficial. Once the best match is found the real time cropped image of the recognized criminal is saved which can be accessed by authorized officials for locating and tracking criminals or for further investigative use.
Data validation using CDR (Call Detail Records) and real cell tower coverageNicola Chemello
digital forensics acquisition is one of the most important part of any investigation. Granting the results comparing the obtained data with third party information is something the investigator should consider. Fake SMS, wrong parsing of the data, and other issues can be prevented if multiple sources are analysed. In this briefly presentation the results of a correlation with SecurCube Phonelog for the CDR analysis and SecurCube BTS tracker for the real cell towers coverage are highlighted.
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...csandit
Android being a widely used mobile platform has witnessed an increase in the number of malicious samples on its market place. The availability of multiple sources for downloading
applications has also contributed to users falling prey to malicious applications. Classification of an Android application as malicious or benign remains a challenge as malicious applications maneuver to pose themselves as benign. This paper presents an approach which extracts various features from Android Application Package file (APK) using static analysis and subsequently classifies using machine learning techniques. The contribution of this work includes deriving, extracting and analyzing crucial features of Android applications that aid in efficient classification. The analysis is carried out using various machine learning algorithms
with both weighted and non-weighted approaches. It was observed that weighted approach depicts higher detection rates using fewer features. Random Forest algorithm exhibited high detection rate and shows the least false positive rate.
Preparing Testimony about Cellebrite UFED In a Daubert or Frye HearingCellebrite
The Cellebrite UFED is among the best known and most used mobile forensic extraction and analysis tools in the digital forensics industry. However, its complex technical processes are not as well understood outside of training. The following information is presented in an effort to help U.S.-based attorneys prepare themselves and their witnesses for Daubert, Frye, or related challenges to the admissibility of UFED-extracted mobile device evidence.
Project Report on Intrusion Detection SystemVishal Polley
This project is aimed to design an intelligent intrusion detection system that will be able to recognize and identify any person and give prompt alerts if the face is not recognised.
Android Malware Detection in Official and Third Party Application StoresEswar Publications
Android is one of the most popular operating system for mobile devices and tablets. The growing number of Android users and open source nature of this platform has also attracted attackers to target Android devices. This paper presents the static and dynamic analysis of the Android applications in order to detect malware. In this work, we have performed permission based and behavioural based filtering of Android applications with the help of malware analysis tools. Our results revel that 80% of the applications request for dangerous permissions.
13% applications consist of malicious activities. Most of the applications are interested in the device data like contact lists, IMEI, IMSI, SMS etc. These results clearly indicate the need for better security measures for Android apps.
Comparative Study on Intrusion Detection Systems for Smartphonesiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM ijwmn
Communication networks are essential and it will create many crucial issues today. Nowadays, we
consider that the firewalls are the first line of defense but that policies cannot meet the particular
requirements of needed process to achieve security. Most of the research has been done in this area but
we are lagging to achieve security needs. Already many models such as ADAM, DHP, LERAD and
ENTROPHY are proposed to resolve security problems but we need an efficient model to detect new types
of various intrusions within the entire network. In this paper, we proposed to design a modernized
intrusion detection system which consist of two methods such as anomaly and misuse detection. Both are
integrated and also used to detect novel attacks. Our system proposed to discover temporal pattern of
attacker behaviors, which is profiled using an algorithm EAA (Enhanced Apriori Algorithm). This is
experimented with a simple interface to display the behaviors of attacks effectively
AndRadar: Fast Discovery of Android Applications in Alternative MarketsFACE
Compared to traditional desktop software, Android applica- tions are delivered through software repositories, commonly known as application markets. Other mobile platforms, such as Apple iOS and BlackBerry OS also use the marketplace model, but what is unique to Android is the existence of a plethora of alternative application markets. This complicates the task of detecting and tracking Android malware. Identifying a malicious application in one particular market is simply not enough, as many instances of this application may exist in other markets. To quantify this phenomenon, we exhaustively crawled 8 markets between June and November 2013. Our findings indicate that alternative markets host a large number of ad-aggressive apps, a non-negligible amount of mal- ware, and some markets even allow authors to publish known malicious apps without prompt action.
Motivated by these findings, we present AndRadar, a framework for dis- covering multiple instances of a malicious Android application in a set of alternative application markets. AndRadar scans a set of markets in parallel to discover similar applications. Each lookup takes no more than a few seconds, regardless of the size of the marketplace. Moreover, it is modular, and new markets can be transparently added once the search and download URLs are known.
Using AndRadar we are able to achieve three goals. First, we can discover malicious applications in alternative markets, second, we can expose app distribution strategies used by malware developers, and third, we can moni- tor how different markets react to new malware. During a three-month eval- uation period, AndRadar tracked over 20,000 apps and recorded more than 1,500 app deletions in 16 markets. Nearly 8% of those deletions were related to apps that were hopping from market to market. The most established markets were able to react and delete new malware within tens of days from the malicious app publication date while other markets did not react at all.
Features for Detecting Malware on Computing EnvironmentsIJEACS
Malware is the main threat for all computing environments. It also acts as launching platform for many other cyber threats. Traditional malware detection system is not able to detect “modern”, “unknown” and “zero-day” malware. Recent developments in computing hardware and machine learning techniques have emerged as alternative solution for malware detection. The efficiency of any machine learning algorithm depends on the features extracted from the dataset. Various types of features are extracted and being researched with machine learning approach to detect malware that are targeted towards computing environments. In this work we have organized and summarized different feature types used to detect malware. This work will direct future researchers and industry to make decision on feature type selection regarding chosen computing environment for building an accurate malware classifier.
Keyloggers are a invasive software often used to harvest secret information. One of the main reasons for
this fast growth is the possibility for unprivileged programs running in the user space to secretly steal and record all the
keystrokes typed by the users on a system. The ability to run in unprivileged mode makes possible their implementation
and distribution. but, at the same time, allows one to understand and imitate their behavior in detail.
CRIMINAL IDENTIFICATION FOR LOW RESOLUTION SURVEILLANCEvivatechijri
Criminal Identification System allows the user to identify a certain criminal based on their biometrics. With advancements in security technology, CCTV cameras have been installed in many public and private areas to provide surveillance activities. The CCTV footage becomes crucial for understanding of the criminal activities that take place and to detect suspects. Additionallywhen a criminal is found it is difficult to locate and track him with just his image if he is on the run. Currently this procedure consists of finding such people in CCTV surveillance footage manually which is time consuming. It is also a tedious process as the resolution for such CCTV cameras is quite low. As a solution to these issues, the proposed system is developed to go through real time surveillance footage, detect and recognize the criminals based on reference datasets of criminals. The use of facial recognition for identifying criminals proves to bebeneficial. Once the best match is found the real time cropped image of the recognized criminal is saved which can be accessed by authorized officials for locating and tracking criminals or for further investigative use.
Data validation using CDR (Call Detail Records) and real cell tower coverageNicola Chemello
digital forensics acquisition is one of the most important part of any investigation. Granting the results comparing the obtained data with third party information is something the investigator should consider. Fake SMS, wrong parsing of the data, and other issues can be prevented if multiple sources are analysed. In this briefly presentation the results of a correlation with SecurCube Phonelog for the CDR analysis and SecurCube BTS tracker for the real cell towers coverage are highlighted.
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...csandit
Android being a widely used mobile platform has witnessed an increase in the number of malicious samples on its market place. The availability of multiple sources for downloading
applications has also contributed to users falling prey to malicious applications. Classification of an Android application as malicious or benign remains a challenge as malicious applications maneuver to pose themselves as benign. This paper presents an approach which extracts various features from Android Application Package file (APK) using static analysis and subsequently classifies using machine learning techniques. The contribution of this work includes deriving, extracting and analyzing crucial features of Android applications that aid in efficient classification. The analysis is carried out using various machine learning algorithms
with both weighted and non-weighted approaches. It was observed that weighted approach depicts higher detection rates using fewer features. Random Forest algorithm exhibited high detection rate and shows the least false positive rate.
A Comparison Study of Android Mobile Forensics for Retrieving Files SystemCSCJournals
A comparison study of the Android forensic field in terms of Android forensic process for acquiring and analysing an Android disk image is presented. The challenges of Android forensics, including the complexity of the Android application, different procedures and tools for obtaining data, difficulties with hardware set up, using expensive commercial tools for acquiring logical data that fail to retrieve physical data acquisition are described in this paper. To solve these challenges and achieve high accuracy and integrity in Android forensic processes, a new open source technique is investigated. Manual, Logical and physical acquisition techniques are used to acquire data from an Android mobile device (Samsung Android 4.2.2). The mobile phone is identified by taking photos of the device and its individual components, including the memory expansion card, and labelling them with identifying information. Following the manual acquisition, logical acquisition is conducted using the AFLogical application in the ViaExtract tool (by Now secure) installed on a Santoku Linux Virtual Machine. The image file is then created using the AccessData FTK imager tool for physical acquisition. Four tools are utilized to analyse recovered data: one using ViaExtract on a Santoku Linux Virtual Machine, two using the AccessData FTK Imager, and one using file carving in Autopsy on a Kali Linux Virtual Machine. The results of the analysis demonstrate that the technique can retrieve Contacts, photos, Videos, Call Logs, and SMSs. Also, the EaseUS Data Recovery Wizard Free tool is used for the recovery of files from the LOST.DIRon external memory.
Technology has reshaped the way we interact with the world and access information
with the advent of smartphones. Accordingly, the needs we have and the solutions for our
needs have also changed along with the evolving technology. One of the most affected
matters from technology is communication. With the various options and capabilities,
instant messaging applications have been started to use for communication purpose
which is one of the biggest needs of human being. We can send text messages, video
messages, voice recordings and share locations using these applications. Even further,
we no longer need cell phone calls by GSM operators, and instead prefer these
applications for instant calls, as well as sharing private information with these
applications, not only for personal daily life, also for business need. On the other hand,
these applications bring risks with many benefits. One of them is privacy. We do not want
that these applications can store our personal data as its user. How do our best practices
keep our data? Do they give the necessary attention for privacy? Another fact is that these
applications can be used by criminals to communicate and execute a secret plan. If a
criminal gets caught, what can be obtained as evidence from these messaging
applications? This time we need to know what can be extracted from the mobile device.
This research focuses on forensics analysis of the instant messaging applications on the
Android platform
IJWMN -Malware Detection in IoT Systems using Machine Learning Techniquesijwmn
Malware detection in IoT environments necessitates robust methodologies. This study introduces a CNN-LSTM hybrid model for IoT malware identification and evaluates its performance against established methods. Leveraging K-fold cross-validation, the proposed approach achieved 95.5% accuracy, surpassing existing methods. The CNN algorithm enabled superior learning model construction, and the LSTM classifier exhibited heightened accuracy in classification. Comparative analysis against prevalent techniques demonstrated the efficacy of the proposed model, highlighting its potential for enhancing IoT security. The study advocates for future exploration of SVMs as alternatives, emphasizes the need for distributed detection strategies, and underscores the importance of predictive analyses for a more powerful IOT security. This research serves as a platform for developing more resilient security measures in IoT ecosystems.
MALWARE DETECTION IN IOT SYSTEMS USING MACHINE LEARNING TECHNIQUESijwmn
Malware detection in IoT environments necessitates robust methodologies. This study introduces
a CNN-LSTM hybrid model for IoT malware identification and evaluates its performance against
established methods. Leveraging K-fold cross-validation, the proposed approach achieved 95.5%
accuracy, surpassing existing methods. The CNN algorithm enabled superior learning model
construction, and the LSTM classifier exhibited heightened accuracy in classification.
Comparative analysis against prevalent techniques demonstrated the efficacy of the proposed
model, highlighting its potential for enhancing IoT security. The study advocates for future
exploration of SVMs as alternatives, emphasizes the need for distributed detection strategies, and
underscores the importance of predictive analyses for a more powerful IOT security. This
research serves as a platform for developing more resilient security measures in IoT ecosystems.
ANDROINSPECTOR: A SYSTEM FOR COMPREHENSIVE ANALYSIS OF ANDROID APPLICATIONSIJNSA Journal
Android is an extensively used mobile platform and with evolution it has also witnessed an increased influx of malicious applications in its market place. The availability of multiple sources for downloading applications has also contributed to users falling prey to malicious applications. A major hindrance in blocking the entry of malicious applications into the Android market place is scarcity of effective mechanisms to identify malicious applications. This paper presents AndroInspector, a system for comprehensive analysis of an Android application using both static and dynamic analysis techniques. AndroInspector derives, extracts and analyses crucial features of Android applications using static analysis and subsequently classifies the application using machine learning techniques. Dynamic analysis includes automated execution of Android application to identify a set of pre-defined malicious actions performed by application at run-time.
BEHAVIOR-BASED SECURITY FOR MOBILE DEVICES USING MACHINE LEARNING TECHNIQUESijaia
The goal of this research project is to design and implement a mobile application and machine learning techniques to solve problems related to the security of mobile devices. We introduce in this paper a behavior-based approach that can be applied in a mobile environment to capture and learn the behavior of
mobile users. The proposed system was tested using Android OS and the initial experimental results show that the proposed technique is promising, and it can be used effectively to solve the problem of anomaly detection in mobile devices.
Android is a Linux based operating system used for smart phone devices. Since 2008, Android devices gained huge market share due to its open architecture and popularity. Increased popularity of the Android devices and associated primary benefits attracted the malware developers. Rate of Android malware applications increased between 2008 and 2016. In this paper, we proposed dynamic malware detection approach for Android applications. In dynamic analysis, system calls are recorded to calculate the density of the system calls. For density calculation, we used two different lengths of system calls that are 3 gram and 5 gram. Furthermore, Naive Bayes algorithm is applied to classify applications as benign or malicious. The proposed algorithm detects malware using 100 real world samples of benign and malware applications. We observe that proposed method gives effective and accurate results. The 3 gram Naive Bayes algorithm detects 84 malware application correctly and 14 benign application incorrectly. The 5 gram Naive Bayes algorithm detects 88 malware application correctly and 10 benign application incorrectly. Mr. Tushar Patil | Prof. Bharti Dhote "Malware Detection in Android Applications" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5 , August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd26449.pdfPaper URL: https://www.ijtsrd.com/engineering/computer-engineering/26449/malware-detection-in-android-applications/mr-tushar-patil
6th International Conference on Machine Learning & Applications (CMLA 2024)ClaraZara1
6th International Conference on Machine Learning & Applications (CMLA 2024) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of on Machine Learning & Applications.
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
Online aptitude test management system project report.pdfKamal Acharya
The purpose of on-line aptitude test system is to take online test in an efficient manner and no time wasting for checking the paper. The main objective of on-line aptitude test system is to efficiently evaluate the candidate thoroughly through a fully automated system that not only saves lot of time but also gives fast results. For students they give papers according to their convenience and time and there is no need of using extra thing like paper, pen etc. This can be used in educational institutions as well as in corporate world. Can be used anywhere any time as it is a web based application (user Location doesn’t matter). No restriction that examiner has to be present when the candidate takes the test.
Every time when lecturers/professors need to conduct examinations they have to sit down think about the questions and then create a whole new set of questions for each and every exam. In some cases the professor may want to give an open book online exam that is the student can take the exam any time anywhere, but the student might have to answer the questions in a limited time period. The professor may want to change the sequence of questions for every student. The problem that a student has is whenever a date for the exam is declared the student has to take it and there is no way he can take it at some other time. This project will create an interface for the examiner to create and store questions in a repository. It will also create an interface for the student to take examinations at his convenience and the questions and/or exams may be timed. Thereby creating an application which can be used by examiners and examinee’s simultaneously.
Examination System is very useful for Teachers/Professors. As in the teaching profession, you are responsible for writing question papers. In the conventional method, you write the question paper on paper, keep question papers separate from answers and all this information you have to keep in a locker to avoid unauthorized access. Using the Examination System you can create a question paper and everything will be written to a single exam file in encrypted format. You can set the General and Administrator password to avoid unauthorized access to your question paper. Every time you start the examination, the program shuffles all the questions and selects them randomly from the database, which reduces the chances of memorizing the questions.
Proposed Workable Process Flow with Analysis Framework for Android Forensics in Cyber-Crime Investigation
1. The International Journal Of Engineering And Science (IJES)
|| Volume || 6 || Issue || 1 || Pages || PP 82-92|| 2017 ||
ISSN (e): 2319 – 1813 ISSN (p): 2319 – 1805
www.theijes.com The IJES Page 82
Proposed Workable Process Flow with Analysis Framework for
Android Forensics in Cyber-Crime Investigation
Naing Linn Htun1
, Mie Mie Su Thwin2
1
Cyber Security Lab, University of Computer Studies, Yangon, Myanmar
2
Associate Professor, University of Computer Studies, Yangon, Myanmar
--------------------------------------------------------ABSTRACT-----------------------------------------------------------
Nowadays, android smartphones are becoming more popular and the greatest platform for mobile devices
which has capability to run millions of mobile phones in about more than 200 countries. It may bring not only
convenience for people but also crimes or security issues. Some people are committed the crimes by using the
technology and mobile devices. So, android forensics is very important and necessary in cyber-crime
investigation. With no doubt, this proposed process flow and framework will definitely support for android
forensics in developing countries’ cyber-crime investigation. Because it provides to solve the crimes with
applicable guidelines and includes Open Source Tools, Linux command-line utility, Android Debug Bridge
(ADB) commands, Freeware tools and Proposed tools. Although forensics tools are non-commercial in this
framework, they can cover and support for android forensics process.
Keywords: Android Live Forensics, Static Forensics, Evidences Data Collection, Linux Command-Line Utility,
Forensics Process Flow.
------------------------------------------------------------------------------------------------------------------------------------------
Date of Submission: 10 January 2017 Date of Accepted: 26 January 2017
------------------------------------------------------------------------------------------------------------------------------------------
I. INTRODUCTION
Android smartphones are rapidly developed than any other consumer technology in the world. They involve
confidential and differences of data; from normal to professional life. Most people use the smartphones for their
business or personalities but some people use for their profits by illegally. So, some researchers and forensic
organizations have been searching the different ways to solve the crimes and they proposed the guidelines and
frameworks for android forensics in cyber-crime investigation.
In 2006, National Institute Standards and Technology (NIST) pointed out that its proposed Forensic guidelines
and procedures should be consistent with the organizations policies and all applicable laws. Organizations
should include investigators, technical experts and legal advisors in the development of guidelines and
procedures as a quality assurance measure [1]. In 2014, NIST provides basic information on mobile forensics
tools and five stages for investigation process that are preservation, acquisition, examination, analysis, and
reporting [2]. And then most of the researchers proposed only process flow or framework for android forensics.
This proposed process flow with framework based on standard forensics guidelines and procedures. In this
process flow, it has seven stages and framework will performing to Examination and Analysis stage. Preparation,
Examination and Analysis, Review – These three stages are working in forensics lab. Determine Scope of Crime
Scene and Secure Evidence Devices Collection – These two stages are working in crime location. Presentation
stage is for court and Documentation and Preservation stage is need from start to end. In this framework, it
divided two sections are Live and Static forensics which include bypass lock screen, evidence data collection
(volatile and non-volatile) and data acquisition.
This proposed work aimed to develop the android investigation processes for forensic organizations in
developing countries. Some of the developing countries cannot afford the expensive tools for android
investigation. In this framework, it used Linux command-line utility, ADB commands, Open Source Tools and
Proposed tools. So, it is very sensible for forensics organizations in developing countries. And it is very
extensible and they can improve it with their new tools or new processes.
II. BACKGROUND
Android is a mobile operating system that is based on a modified version of Linux. The main components of
Android are Linux kernel, Android Libraries, Application framework and Applications. Linux kernel contains all
the low-level device drivers for the various hardware components of an Android device. Android Libraries
contain all the code that provides the main features of an Android OS. Android runtime provides a set of core
libraries that it includes Dalvik virtual machine or ART Android Runtime [3].
2. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 83
Fig 1 Android Software Stack
Android flash storage is split into several partitions, such as /system for the operating system itself, and /data for
user data and application installations [4]. It need to know about following partitions for android investigation.
Fig 2 Android partition details
III. RELATED WORK
For our proposed work, Forensics process flow and framework developed in each digital forensics field are
learned through the following research papers.
In [6], they proposed smartphone forensics model for window mobile device. It includes twelve stages and
compare with some investigation models. But they emphasize on the specific information flow associated with
the forensic investigation of Windows mobile devices. In ANDROPHSY forensic framework system [7], the first
step is to create a case for the incident. Every user is assigned a role. The user roles defined in the framework are
analyst, investigator and administrator. The system considered the forensics investigation process like as NIST.
It includes Data Collection, Examination, Analysis and Reporting. It used low level Linux and Android built-in
forensic functionalities such as dd and adb commands. ANDROPHSY compared evaluation result with other
tools.
ISAK MRKAIĆ [5] presents open source-free tools and to illustrate how to forensically recover data from
Android based devices. In this paper, demonstrate the Andriller tool for unlock pattern, NowSecure Forensics
tool for logical acquisition of data and some tools for other processes. In [8], they purposed to demonstrate the
process of digitally investigating on android mobile devices and then build up a digital forensic framework for
investigating Android smartphones. In this framework, it includes nine steps of evidence extraction process for
mobile forensics. And this paper recommends the ADB tool for forensics case and the Lowmanio Foreman tool
for other management case. In [9], they showed the rooting process with SRS tool on Samsung S3 phone. And
then they created an image of phone partition with .dd file. Finally, they extracted the messages for Viber on trial
version of UFED Physical analyzer.
3. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 84
In [10], they proposed evidence collection and analysis methodology for android devices. In this paper, the
major contribution is an in-depth evidence collection and analysis methodology for forensic practitioners.
Proposed methodology based on four phases of Cloud Forensic Framework (Martini & Choo 2012). The first
phase is Identification and Preservation. Second phase is setup Bootloader for Live OS and setup Live OS in
Memory to collect physical image of device partitions. Third phase is Examination and Analysis, it examines
App files in private and external storage, App databases, Account data and analyze App. The last phase is
Reporting and Presentation.
Andri P. Heriyanto [11] revealed the proper procedure for acquiring the volatile memory in the Android
smartphone. This paper describes briefly workflow of L.Simao et al., 2011 and discusses the use of Linux
Memory Extraction (LiME) for dumping the volatile memory. It also discusses the analysis process of the
memory image with Volatility 2.3.
IV. PROPOSED WORKABLE PROCESS FLOW FOR ANDROID FORENSICS
INVESTIGATION
In cyber-crime investigation, many process flows or models already proposed for digital forensics and analysis.
But anyone has not proposed process flow with framework for android forensics investigation yet. This process
flow based on standard forensics process models and their main four stages are Collection, Examination,
Analysis and Reporting. But this process flow has seven stages and update action and it can trace or loop to
completed. Although this process flow emphasizes the android forensics investigation, it may be flexible for
other digital forensics investigation.
Preparation: In the first Stage, it need to prepare Techniques and Tools, Knowledge, Plans and etc. before
going to crime scenes. Knowledge that is understanding and knowing the nature of crimes and activities. And
android mobile technology is rapidly changing and growing every year with various mobile device models,
firmware versions, features, accessories and so on. So, forensics team will train to their members based on
previous crime reviews, sharing experiences and new technologies with discussion seminars. And then they will
be planning to minimize the risk for future investigation. And they also need to prepare tools that not only
forensics hardware/software tools but also packing materials for evidence devices.
Determine Scope of Crime Scene: This stage is preventing the unauthorize person to access of the crime scene.
If anyone can pass in crime scene, the evidence things can be lost or destroyed. And mobile devices are more
easy to take and hide because they are very portable and smaller than other digital devices. Otherwise, anyone
can make at least switch off power or factory rest. It may be lost evidences data on mobile devices.
Secure Evidence Devices Collection: This stages is especially to get volatile data when investigator collects the
evidence devices. Because volatile data easy to lose and difficult to keep. If mobile devices power is on, (i)
Check the battery percentage and if it is very low, recharging the evidence devices. (ii) If mobile device is
connected with computer, check the any process is running and kill/close all it (or) wait to finish. And then
remove the USB cable. (iii) Criminal can control the evidence devices via Phone Call, Message, Bluetooth,
Wireless or Mobile Data Network. So, it need to prevent any external control to the evidence devices (eg.
Faraday Bag). Otherwise, Airplane Mode can disconnect the devices from any communications.
Documentation and Preservation: This stage is recording all stages and labelling all evidence devices to
transfer to forensics workshop. For recording, all of investigation activities are recorded from crime scene to
done. It includes photos, circumstances surrounding the incident, locations and crime scene mapping, existing
states of evidence devices, people lists and etc. After collecting the evidence devices, it can be identification and
labeling to them. And then need to check again each evidence devices for safety in packing and transportation to
forensics department.
4. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 85
PreparationPreparation
Determine Scope of
Crime Scene
Determine Scope of
Crime Scene
Secure Evidence
Devices Collection
Secure Evidence
Devices Collection
Documentation and
Preservation
Documentation and
Preservation
Examination and
Analysis
Examination and
Analysis
PresentationPresentation
ReviewReview
Update
Trace
(or)
Loop
Fig 3 Proposed workable process flow for android forensics investigation
Examination and Analysis: This stage is extract the data on evidence devices, and then separate data types and
levels of data such as volatile data, active data, recovery data, hidden data, data with password, mobile profile
data, non-ASCII and etc. And then analyzing the all of data types and identifying relationships between their
types.
Presentation: This stage is reporting and presenting to court of law. So, it needs to build a chain of custody
documents after the whole analysis. It includes all of evidences data, photos, materials and etc. to present in
court.
Review: In the last stage is completely review on entire forensics process such as all of activities, stages and etc.
And this review will be useful and support for preparation of future investigations. Forensics Team can be
tracing, studying, preparing, training, discussing and etc.
V. PROPOSED ANALYSIS FRAMEWORK FOR ANDROID FORENSICS INVESTIGATION
This framework is performing the Examine and Analysis stage in proposed process flow. And update of
Preparation stage is one of the process to support for proposed framework. This framework involves Live
forensics and Static forensics as digital forensics nature. But it needs to consider the Lock Screen Mode for
android forensics investigation. Criminals may be locked by pattern or pin code or password their android
smartphone. So, investigator needs to get fully access to investigate on evidence devices. After examination and
analysis, their result data can be supported to build chain of custody and reported to court for prosecute.
5. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 86
Start
Power
On / Off
Live
Forensics
Device Information
(SD imaging &
SIM Card analysis)
On Off
Locked?
USB
debugging?
RSA key
Access?
Root
Access?
Yes Yes
No
Yes
No
Unlock with
ADB or Tool
Root
Access?
No No
Current Status,
Process and
backup
Extract Volatile
Data on Memory
Phone Imaging
(include SD card)
Power On Locked? Recovery
or fastboot
Mode
USB
debugging?
RSA key
Access?
Root
Access?
Unlock with
ADB or Tool
ADB
Root
(Airplane off )
Examine and Analysis
End
Yes
Yes
No
No
Yes
Yes
Yes
No
Yes
Static
Forensics
Current
Status
(Airplane mode)
Phone Imaging
(Airplane off)
Examine and
AnalysisCurrent Status,
Process and
backup
Yes
No
Rooting
Related
Application
Current
Status
Root
Access?
CWM
Recovery
Unlock Zip
and Root
No
Rooting
No
No
Yes
Fig 4 Proposed analysis framework for android forensics investigation
Lock Screen Mode on Live Forensics: It has three challenges to unlock the evidence devices on Live
Forensics. They are (i) USB Debugging Mode (ii) Authentication Access with RSA key (iii) Root Access.
USB Debugging Mode – If this mode is enabled, it can run ADB commands and detect the android devices.
ADB is a command line software interface between an android device and a host computer. If this mode is
disabled, it may be difficult to continue next step.
Authentication Access with RSA key - In the jelly bean (v4.2.2) update, designers introduced the new security
policy on ADB called “secure USB debugging”. So, even if USB debugging mode is enabled, it need
authentication access to run ADB command. When the device is connected to a host, the device sends a 20-byte
random message to the host. The host encrypts the message’s SHA1 with RSA signature using its private key
and sends this encrypted signature back. If investigator will get related laptop/PC that not only already
accepted RSA key of evidence device but also didn’t revoke, it can run next step for root check.
Root Access – It is a very important thing in forensics workflow because some process of android forensics need
root access. But android restricts the user levels and modify system processes. If evidence devices are not
already rooted, it may be difficult to unlock the evidence devices on Live Forensics. Because most of the
techniques of rooting process need to reboot the device and it will be lost volatile data on memory. In proposed
framework, it collected the different safe root tools to provide for rooting process depend on each device.
Lock Screen Mode on Static Forensics: In static process, it has more chance than live process to unlock the
evidence devices. Because it doesn’t need to keep volatile data. So, it can install custom recovery via fastboot
mode or downloading mode depend on device brands. And then unlock script file update on custom recovery
mode for unlock evidence devices.
6. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 87
Extract volatile data on Android Device: It needs to check and record current process and status before
memory imaging. (i) Notification Bar – if airplane mode is on, back off in communication shield and make a
note which services is on or off. They are Mobile Data, Wireless, Bluetooth, GPS, Alarm and etc. Otherwise, it
can check after memory imaging. (ii) Instant Message – social media application (online) and mobile SMS
(offline) (iii) Recent Applications and Files (example. Long press Home Key).
Memory imaging is very important process of Live Forensics. Memory stores and keeps a lot of raw volatile
data. In Dalvik Virtual Machine, [12] Eclipse (Memory Analyzer Tool) and [13] Android Studio tool (Memory
Monitoring) can capture memory process on each application with HPROF binary heap dumps file. Many
researchers already proposed [14] LiME (Linux Memory Extractor) and [15] Volatility tool for memory
imaging. In this proposed framework, it used these freeware or open source tools for extract volatile data on
memory, besides Linux command-line. Example, “cat /dev/mem > /storage/sdcard0/mem.txt” – it produces a lot
of raw data from memory to sdcard with text file. Additionally, “cat /dev/log/ “__””, “cat /dev/kmsg”, adb
logcat, adb shell dumpsys are also produce a lot of information.
Android Storage Imaging: Android has two types of partition that are Physical partition and Logical partition.
Android forensics need to investigate both partitions and ext-sd card partition. Physical partition imaging, it
creates entire copy of internal memory and it includes unallocated space. Logical partition has various types of
file system partitions. They are boot, system, recovery, data, cache, misc and etc. This framework used “dd”
command for android storage imaging. This command is a Linux command-line utility and it can create bit-by-
bit images both of Physical and Logical partition. Otherwise, android internal storage divided various block
types and dd command can create an image of each block.
VI. EXPERIMENTAL RESULTS
In this paper, we already tested on two android versions Jelly Bean 4.1.1 (no RSA key feature) and KitKat 4.4.2.
Samsung and Huawei are very popular in smartphone market of developing countries. Therefore, Samsung and
Huawei were chosen as the test case and profile detail shown in Table 1.
Table 1. Test devices profile
Property Samsung Huawei
Name Galaxy Tab 4 Ascend
Model SM-T231 G510-0200
Android Version 4.4.2 4.1.1
Build Number KOT49H.T231 XXU0AOL2 G510-0200V100R 001 C00B173
In this framework, we have tested various tools and commands on 64-bits OS based Ubuntu 16.04 LTS and
Window 10. The following are some practical processes on the android devices with power on state and lock
screen mode (already root):
Testing 1: Why need to disconnect the communication of Android smartphone?
Criminals may be installed some application to control the device. For example, Power off Root Req_v1.0
application can restart or power off to the device via phone SMS. So, volatile data can be lost when investigator
collects the evidence devices. So, it need to airplane mode ON before backup and data collection.
Fig 5 Remote control application
7. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 88
Testing 2: Check USB debugging mode, RSA key authentication and Root access for unlock process.
Fig 6 Fully access state (USB debugging, RSA key and Root)
If investigator got fully access to evidence device as Fig 6, ADB commands can remove or copy/paste key of
screen lock for unlock the device. For examples, adb pull, adb push, adb remove to key directory: (/data/system/
gesture.key for pattern lock and /data/system/password.key for pin or password. But KitKat to latest versions
have challenges to get RSA authentication access on android devices. It may be losing live forensics process to
unlock evidence devices.
Fig 7 TWRP Custom recovery on Samsung Galaxy Tab 4
If investigator cannot get fully access to evidence devices, it is needed to install custom recovery for unlock.
Custom recovery has useful features and it can unlock or root process evidence devices by update zip files as Fig
7. But it is also needed to reboot and downloading mode during installation process and it may be losing volatile
data.
Testing 3: It can be recorded manually or adb commands for current process and status. And then it also needs
to backup by adb command without root access. For example, backup command is adb backup -apk -shared -all
-f /backup/backup.ab and restore command is adb restore /backup/backup.ab.
Testing 4: In extract volatile data on memory, it can use Eclipse, Android Studio, LiME and dd commands.
Additionally, following some adb commands are already tested for extract volatile data and logs: cat /dev/mem >
/storage/sdcard0/ mem.txt, adb dumpsys and adb dumpsys meminfo, adb logcat. These commands can get rich
amount of raw volatile data.
8. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 89
Fig 8 Raw data in output text file (adb command - cat)
Fig 9 Memory information (dumpsys meminfo)
Testing 5: To investigate the related application, it need to extract the data of application. Directory is
/data/data/”app_name” and most of the evidences data are stored in shared_prefs, cache and databases files.
9. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 90
Fig 10 Data directories of Applications
Testing 6: Imaging the storage devices, dd command can create an image of partitions and blocks. Example of
dd command: “dd if=/dev/block/ mmcblk0 of=/sdcard/blk0.img bs=4096” (if: the directory of input file, of: the
directory of output file, bs: block size, defaults to 512 bytes). Additionally, netcat command (nc) can create an
image to hosted computer without SD card. And then mount to dd image file: sudo mount blk0.img /mnt (or)
[15] FTK imager tool.
Fig 11 Detail blocks for storage imaging
Testing 7: Examination and Analysis, it contains device profiles, installed app, current process, contacts,
message and etc. The getprop command is useful for that. And this framework already tested some freeware
tools are [16] AFLogical OSE [17] Hex Editor tool, [18] SQLite DB Browser and Proposed tool for decode and
analysis. Proposed tool in framework, it provides to decode the pattern lock for unlock devices. This tool is very
easy to use and understand.
10. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 91
Fig 12 Device properties (getprop command)
Fig 13 Proposed tool (decode the pattern lock)
VII.CONCLUSION
Forensics organizations in developing countries, they always need to improve their process, framework and
tools. Especially, our country (Myanmar) is very new experience for android forensics in cyber-crime
investigation. This proposed work is application for Myanmar that process flow provides applicable guidelines
and analysis framework can extensible when a new tool or module develops in it. And it could be plugged in to
the framework easily for forensics organizations. But this proposed framework cannot analyze some specific
fields as Malware Analysis. However, we are preparing to deeply analysis for some android forensics fields
based on proposed framework for future work:
Anti-forensics
Steganography
Ransomware
Social Media Application
Now above specific fields are very hot topics in research fields. And more tools are going to develop for further
forensics analysis. So, our research work is definitely applicable in cyber-crime investigation.
REFERENCES
[1]. Karen Kent, Suzanne Chevalier, Tim Grance and Hung Dang, Guide to integrating forensic techniques into incident response, (NIST
Special Publication 800-86, August 2006).
[2]. Rick Ayers, Sam Brothers and Wayne Jansen, Guidelines on mobile device forensics, (NIST Special Publication 800-101, May 2014).
[3]. 2016 Android Operating System [online] Available: https://en.wikipedia.org/wiki/Android_(operating_system)#Software_stack.
[4]. Haroon Q Raja, Android Partitions Explained: boot, system, recovery, data, cache & misc,
http://www.addictivetips.com/mobile/androidpartitions-explained-boot-system-recovery-data-cache-misc/, May 19, 2011.
[5]. ISAK MRKAIĆ, Android forensic using some open source tools, The Eighth International Conference on Business Information
Security (BISEC-2016), Belgrade, Serbia, , 15th October 2016.
[6]. Archit Goel, Anurag Tyagi and Ankit Agarwal, Smartphone Forensic Investigation Process Model, International Journal of Computer
Science & Security (IJCSS), (Northern India Engineering College, 2012).
11. Proposed Workable Process Flow With Analysis Framework For Android Forensics In…
www.theijes.com The IJES Page 92
[7]. Indeewari U. Akarawita, Amila B. Perera and Ajantha Atukorale, ANDROPHSY – Forensic Framework for Android, International
Conference on Advances in ICT for Emerging Regions (ICTer): 250-258, (University of Colombo School of Computing, Sri Lanka,
August 2015).
[8]. Abdalazim Abdallah Mohammed Alamin and Dr. Amin Babiker A/Nabi Mustafa, Implementing Digital Forensic Framework for
Android Smart Phones, International Journal of Engineering, Applied and Management Sciences Paradigms, Vol. 21, Issue 01, Al-
Neelain University, Sudan, February 2015.
[9]. Muhammad Faheem, N.-A. Le-Khac and Tahar Kechadi, Smartphone Forensic Analysis: A Case Study for Obtaining Root Access of
an Android Samsung S3 Device and Analyse the Image without an Expensive Commercial Tool, Journal of Information Security, 5,
83-90, University College Dublin, Dublin, Ireland, July 2015.
[10]. Ben Martini, Quang Do and Kim-Kwang Raymond Choo, Conceptual Evidence Collection and Analysis Methodology for Android
Devices, http://dx.doi.org/10.1016/B978-0-12-801595-7.00014-8, Information Assurance Research Group, (University of South
Australia, 2015, pp. 285-307, Syngress, an Imprint of Elsevier).
[11]. Andri P. Heriyanto, Procedures and Tools For Acquisition And Analysis Of Volatile Memory On Android Smartphones, Australian
Digital Forensics Conference, (Edith Cowan University, December 2013.)
[12]. http://www.eclipse.org/mat/
[13]. https://developer.android.com/studio/profile/am-memory.html
[14]. http://www.volatilityfoundation.org/
[15]. https://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.2.0
[16]. https://github.com/nowsecure/android-forensics/ downloads
[17]. http://www.hhdsoftware.com/Downloads/free-he x-editor
[18]. http://sqlitebrowser.org/
Biographies and Photographs
Name – Mr. Naing Linn Htun
Age – 30
Material Status - Single
Graduated – M.I.Sc, Computer University, Maubin
Current Education –
Ph.D. Research Candidate (10th
Batch), Cyber Security Research Lab, University of
Computer Studies, Yangon (UCSY)
Nationality – Myanmar
Working Experiences
– Mobile Services Technician, Lucky Century Company Limited (IT services and shop) (2 years and 6 months)
- IT specialist (Computer, Mobile, Hotel Management Software (Optima), HP Graphic Solution Printer), Lucky
Bird Group of Companies (IT services and shop) (2 years)
Name – Dr. Mie Mie Su Thwin
Age – 45
Material Status – Single
Graduated – Ph.D Computer Science, University of Computer Studies, Yangon
Working Experiences – Associate Professor (20 years), mmCERT (6 years)