AN EVIDENCE-BASED ANDROID CACHE FORENSICS MODEL
Felix Jeyareuben Chandrakumar
Supervisor: Dr Kim-Kwang Raymond Choo
Associate Supervisor: Ben Martini

Dec 22, 2015
Page 1:

AN EVIDENCE-BASED ANDROID CACHE FORENSICS MODEL

Felix Jeyareuben Chandrakumar

Supervisor: Dr Kim-Kwang Raymond Choo

Associate Supervisor: Ben Martini

Page 2:

INTRODUCTION

Page 3:

ANDROID

Android is the most popular and most widely used mobile operating system, with more than 1.2 million Android apps (AppBrain 2014).

Android caches are an understudied research topic and the focus of this thesis.

Research questions:

1. What is the process or methodology that must be followed to forensically analyze Android caches?

2. How can we make use of a forensically sound process to build new tools and utilities to analyze unknown and undocumented cache file formats?

Page 4:

LITERATURE REVIEW

Page 5:

ANDROID ARCHITECTURE

Android Architecture (Adapted from Gandhewar and Sheikh 2011)

Page 6:

ANDROID PARTITIONS

/boot - enables the device to boot

/system - contains the Android operating system

/recovery - the recovery console

/data - contains the user data

/cache - where frequently used data and app components are stored

/misc - where miscellaneous system settings are stored

Page 7:

FORENSIC MODELS – POLLITT'S MODEL

Acquisition

Identification

Evaluation

Admission as evidence

It is one of the earliest digital forensic models.

Page 8:

FORENSIC MODELS - MCKEMMISH

Model of Forensic Computing (Adapted from McKemmish 1999)

Page 9:

FORENSIC MODELS – PALMER

Palmer's Model (Adapted from Palmer 2001)

Page 10:

FORENSIC MODELS – BARYAMUREEBA & TUSHABE’S MODEL

Enhanced Digital Investigation Process (Adapted from Baryamureeba & Tushabe 2004)

Page 11:

LITERATURE GAPS

Cache diversity, e.g. Volley, Android Cache Library, Ignition, FileCache, Picasso, etc.

Undocumented Caches.

Lack of Analysis Tools

Rapid Changes. Roughly every 4 months, the Android API level increases

Page 12:

CONCEPTUAL ANDROID CACHE FORENSIC PROCESS

Page 13:

PROPOSED ANDROID CACHE TAXONOMY

Page 14:

CONCEPTUAL ANDROID CACHE FORENSIC PROCESS

Extending McKemmish's (1999) Model

Page 15:

WHY EXTEND MCKEMMISH'S MODEL?

Most of the gaps noted above are technical barriers.

McKemmish's model remains broadly applicable to Android cache forensics, but the technologies involved in its individual elements vary greatly.

As a result, the four elements of McKemmish's model are no longer balanced in effort and volume: technological change has shifted the weight between them.

Page 16:

A CASE STUDY

The Experiment

Page 17:

EXPERIMENT

Applications that are widely used, i.e. with at least 1 million downloads, or applications from a significant brand or company, were considered.

Nearly 100 apps were identified and analysed for caches. Of these, 11 apps were selected and studied in detail, based on their use of caches that are common across other apps.

Page 18:

LIST OF APPS STUDIED IN DETAIL

 

Cache types in the table: Web View Cache, SQLite DB Cache, Volley Serialized Java Objects, Network File Caches, Custom Cache.

App Name | Different caches used by the same app
Adobe Reader | 2 cache types
Amazon Kindle | 1 cache type
Carsales | 2 cache types
Domain Real Estate | 2 cache types, incl. Custom Cache: JSON Cache
eBay | 3 cache types, incl. Custom Cache: Image Cache, Gzipped XML Cache
Facebook | 2 cache types, incl. Custom Cache: Image, Audio and Upload Caches
LinkedIn | 1 cache type
NAB | 1 cache type
Realestate.com.au | 3 cache types, incl. Custom Cache: JSON Cache
Skype | 2 cache types
YouTube | 1 cache type

Page 19:

ASSUMPTIONS

Android mobile phone is rooted

Developer mode enabled

USB debugging is enabled

Internal storage is not encrypted

Page 20:

HARDWARE USED

Mobile: Samsung Galaxy Note N7000

Android Version: 4.1.2 Jelly Bean

Chipset: Exynos

CPU: Dual-core 1.4 GHz ARM Cortex-A9

GPU: Mali-400

Memory Internal: 16 GB storage, 1 GB RAM

Memory Card: microSD, up to 64 GB, 2 GB included

Page 21:

ACQUISITION USING DD

Connect the Android device to the computer using ADB (Android Debug Bridge)

D:\ADT\sdk\platform-tools>adb devices

* daemon not running. starting it now on port 5037 *

* daemon started successfully *

List of devices attached

xxxxxxxxxxxxxx device

Page 22:

ACQUISITION USING DD

Switch to the superuser shell

shell@Android:/ $ su

root@Android:/ #

Page 23:

ACQUISITION USING DD

List the mounted partitions

root@Android:/ # mount

rootfs / rootfs ro,relatime 0 0

:

/dev/block/mmcblk0p7 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0

/dev/block/mmcblk0p10 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0

:

Page 24:

ACQUISITION USING DD

Unmount the partitions

root@Android:/ # umount /cache

root@Android:/ # umount /data

failed: Device or resource busy

Note: /data could not be unmounted because running system processes keep it open, so it is imaged while still mounted read-write. This is a live acquisition: the image can contain writes that were in flight and may not be filesystem-consistent, so the failed unmount and the mount state at the time of imaging are recorded with the evidence. /cache was unmounted and is imaged in a consistent state.

Page 25:

ACQUISITION USING DD

Take an image of the partitions

root@Android:/ # dd if=/dev/block/mmcblk0p7 bs=64K | gzip -c > /sdcard/cache.img.gz

3276800+0 records in

3276800+0 records out

209715200 bytes transferred in 60.809 secs (3448752 bytes/sec)

root@Android:/ # dd if=/dev/block/mmcblk0p10 bs=64K | gzip -c > /sdcard/data.img.gz

33554432+0 records in

33554432+0 records out

2147483648 bytes transferred in 821.632 secs (2613680 bytes/sec)

Note: the record counts imply 64-byte blocks (3276800 x 64 = 209715200 and 33554432 x 64 = 2147483648), so this dd binary did not honour the K suffix in bs=64K; the slow transfer rates follow from that. The byte totals (200 MiB for /cache, 2 GiB for /data) are what should be recorded and compared against the partition sizes, and the compressed images should be hashed as soon as they are written.
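A check an examiner would run once the images are copied to the workstation, added here as an example and not part of the thesis or the Android Cache Viewer code: it parses the dd summary above (deriving the block size dd actually used and rejecting partial records), reads the ext4 primary superblock out of the gzipped image, compares the filesystem size the superblock declares with the byte count dd reported, and hashes the acquired file for the evidence record. The function names, the 2048-byte image head and its superblock values are constructed for the example; the ext4 field offsets are those of the on-disk format.

```python
import gzip
import hashlib
import io
import re
import struct

EXT4_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the primary superblock starts 1 KiB into the partition
INCOMPAT_64BIT = 0x80      # s_feature_incompat flag: block counts also use the _hi words

DD_SUMMARY_RE = re.compile(
    r"(\d+)\+(\d+) records in\s+(\d+)\+(\d+) records out\s+"
    r"(\d+) bytes transferred in ([\d.]+) secs")

def parse_dd_summary(text):
    """Turn dd's summary into numbers and derive the block size dd actually used."""
    m = DD_SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no dd summary found")
    rec_in, part_in, rec_out, part_out, nbytes, secs = m.groups()
    if rec_in != rec_out or part_in != "0" or part_out != "0":
        raise ValueError("dd reported partial or short records; the image is incomplete")
    records, nbytes = int(rec_out), int(nbytes)
    if nbytes % records:
        raise ValueError("byte total is not a whole number of records")
    return {"records": records, "bytes": nbytes,
            "block_size": nbytes // records, "seconds": float(secs)}

def parse_ext4_superblock(head):
    """Read the primary-superblock fields needed to sanity-check an image."""
    sb = head[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("need at least 2048 bytes of image")
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic 0x%04X)" % magic)
    blocks_lo = struct.unpack_from("<I", sb, 0x04)[0]
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    incompat = struct.unpack_from("<I", sb, 0x60)[0]
    blocks_hi = struct.unpack_from("<I", sb, 0x150)[0] if incompat & INCOMPAT_64BIT else 0
    blocks = blocks_lo | (blocks_hi << 32)
    block_size = 1024 << log_block_size
    return {
        "block_size": block_size,
        "blocks": blocks,
        "fs_bytes": blocks * block_size,
        "volume_name": sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace"),
        "last_mounted": sb[0x88:0xC8].split(b"\0", 1)[0].decode("ascii", "replace"),
    }

def check_image(gz_bytes, dd_text):
    """Cross-check a gzipped dd image against the dd summary and hash it."""
    dd = parse_dd_summary(dd_text)
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as f:
        head = f.read(2048)              # boot block + primary superblock
    sb = parse_ext4_superblock(head)
    return {
        "dd": dd,
        "superblock": sb,
        "size_matches": sb["fs_bytes"] == dd["bytes"],
        "sha256_gz": hashlib.sha256(gz_bytes).hexdigest(),
    }

# Constructed inputs: the dd summary is the one from the slide; the image head is a
# 2048-byte stand-in with a minimal ext4 superblock (51200 x 4 KiB = 200 MiB), not a real dump.
CACHE_DD_OUTPUT = """3276800+0 records in
3276800+0 records out
209715200 bytes transferred in 60.809 secs (3448752 bytes/sec)"""

def build_sample_image_head(blocks, log_block_size, last_mounted):
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, blocks)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, EXT4_SUPER_MAGIC)
    sb[0x88:0x88 + len(last_mounted)] = last_mounted
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)

SAMPLE_CACHE_GZ = gzip.compress(build_sample_image_head(51200, 2, b"/cache"))

if __name__ == "__main__":
    result = check_image(SAMPLE_CACHE_GZ, CACHE_DD_OUTPUT)
    print("dd block size:", result["dd"]["block_size"], "bytes")
    print("superblock says:", result["superblock"]["fs_bytes"], "bytes, last mounted at",
          result["superblock"]["last_mounted"])
    print("sizes match:", result["size_matches"], "sha256:", result["sha256_gz"])
```

Run against a real acquisition by replacing SAMPLE_CACHE_GZ with the contents of cache.img.gz and CACHE_DD_OUTPUT with the console transcript; a size mismatch or a missing ext4 magic means the wrong block device was imaged or the copy was cut short. Hash the decompressed image too before analysis, since that is the file the cache viewer will read.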

Page 26:

FINDINGS – CACHE ANALYSIS

Several cache structures were decoded:

cache_r.0 and cache_bd.0 (generic caches)

WebView component caches

SQLite DB caches

Image caches

Android Gallery caches

YouTube caches

Least Recently Used (LRU) disk cache

etc.

Page 27:

EXAMPLE – YOUTUBE CACHE

In the example shown on the slide, the 8-byte value 0x000001442571F983 read from the cache entry is a timestamp in milliseconds since the Unix epoch (Java's System.currentTimeMillis() convention): 1392197630339 ms, which corresponds to Wed, 12 Feb 2014 09:33:50 GMT.
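As an added example (not code from the thesis or from Android Cache Viewer), a Python decoder for this kind of field. Beyond the single value on the slide, it also carves an undocumented cache record for every 8-byte integer that decodes to a plausible date, which is the first thing to try when a new cache format has to be reverse engineered. The byte order, the plausible-date window and the sample record are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def java_millis_to_http_date(millis):
    """Render milliseconds since the Unix epoch as an RFC 1123 date,
    e.g. 'Wed, 12 Feb 2014 09:33:50 GMT'."""
    return format_datetime(EPOCH + timedelta(milliseconds=millis), usegmt=True)

def decode_timestamp_field(raw, offset=0, byteorder="big"):
    """Read the 8-byte integer at `offset` and return (millis, human-readable date).
    Big-endian is Java's DataOutputStream/ObjectOutputStream default; pass
    byteorder='little' for caches written with native byte order."""
    millis = int.from_bytes(raw[offset:offset + 8], byteorder, signed=False)
    return millis, java_millis_to_http_date(millis)

def carve_timestamps(blob, start=datetime(2008, 9, 23, tzinfo=timezone.utc),
                     end=datetime(2020, 1, 1, tzinfo=timezone.utc), byteorder="big"):
    """Slide an 8-byte window over a record of unknown layout and report every
    integer that decodes to a date inside [start, end]. The window keeps ASCII
    runs, lengths and counters from producing false hits. The default range
    (Android 1.0 release to 2020) is an assumption to tune per case."""
    lo = int((start - EPOCH).total_seconds() * 1000)
    hi = int((end - EPOCH).total_seconds() * 1000)
    hits = []
    for off in range(len(blob) - 7):
        value = int.from_bytes(blob[off:off + 8], byteorder, signed=False)
        if lo <= value <= hi:
            hits.append((off, value, java_millis_to_http_date(value)))
    return hits

# Constructed sample record (not a real YouTube cache entry): an 8-byte tag,
# a 4-byte entry count, the timestamp from the slide, a 4-byte length and a string.
SAMPLE_RECORD = (b"YTCACHE\x00" + (1).to_bytes(4, "big")
                 + bytes.fromhex("000001442571F983")
                 + (12).to_bytes(4, "big") + b"video-id-xyz")

if __name__ == "__main__":
    for off, value, when in carve_timestamps(SAMPLE_RECORD):
        print(f"offset {off}: 0x{value:016X} -> {when}")
```

When a record yields no hits in big-endian order, rerun carve_timestamps with byteorder="little"; when it yields hits one byte apart, the record probably holds 4-byte seconds rather than 8-byte milliseconds and the window size should be changed accordingly.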

Page 28:

EXAMPLE – ANDROID GALLERY

Offset | Length | Description
0 | 4 | Magic number: 0xB3273030
4 | 4 | Max number of hash entries per region
8 | 4 | Max number of data bytes per region (including header)
12 | 4 | The active growing region: 0 or 1
16 | 4 | The number of hash entries used in the active region
20 | 4 | The number of data bytes used in the active region
24 | 4 | Version number
28 | 4 | Checksum of bytes from 0 to 28
32 | u | Hash entries for region 0, where u = 12 * (max number of hash entries) bytes
32+u | u | Hash entries for region 1

Index file of Android Gallery

Page 29:

EXAMPLE – ANDROID GALLERY (CONT..)

Data file of Android Gallery

Offset | Length | Description
0 | 4 | Magic number (header): 0xBD248510
4 | to end of file | Data, present as blobs concatenated one after another

Each blob (offsets relative to the start of the blob):

Offset | Length | Description
0 | 8 | Key
8 | 4 | Checksum
12 | 4 | Offset
16 | 4 | Length (u)
20 | u | Actual data (blob)
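As an added example (not code from the thesis or from Android Cache Viewer), a Python parser for the index and data files described on this slide and the previous one. It checks the index magic and header checksum, walks both hash-entry regions, follows each non-empty entry into the data file, and verifies a blob's stored offset, key and checksum before trusting its payload, which is what a forensic tool must do before presenting cache contents as evidence. Little-endian integers and Adler-32 as the checksum follow the AOSP Gallery BlobCache implementation; the slide states neither, so treat them as assumptions, as is the one-data-file-per-region layout (the parser takes the data file of the active region). The sample cache is built by the script itself and is not data from a device.

```python
import struct
import zlib

INDEX_MAGIC = 0xB3273030
DATA_MAGIC = 0xBD248510
INDEX_HEADER_SIZE = 32
HASH_ENTRY_SIZE = 12    # 8-byte key + 4-byte offset into the region's data file
BLOB_HEADER_SIZE = 20   # key(8) + checksum(4) + offset(4) + length(4)

def adler32(data):
    # Assumption: Adler-32, as used by the AOSP BlobCache; the slide only says "checksum".
    return zlib.adler32(data) & 0xFFFFFFFF

def parse_index(index):
    """Parse the index file: 32-byte header followed by two hash-entry regions."""
    if len(index) < INDEX_HEADER_SIZE:
        raise ValueError("index file too short")
    names = ("magic", "max_entries", "max_bytes", "active_region",
             "active_entries", "active_bytes", "version", "checksum")
    header = dict(zip(names, struct.unpack_from("<8I", index, 0)))
    if header["magic"] != INDEX_MAGIC:
        raise ValueError("bad index magic 0x%08X" % header["magic"])
    if header["checksum"] != adler32(index[:28]):
        raise ValueError("index header checksum mismatch")
    if header["active_region"] not in (0, 1):
        raise ValueError("active region must be 0 or 1")
    region_size = HASH_ENTRY_SIZE * header["max_entries"]
    if len(index) < INDEX_HEADER_SIZE + 2 * region_size:
        raise ValueError("index file truncated")
    regions = []
    for r in range(2):
        base = INDEX_HEADER_SIZE + r * region_size
        slots = []
        for i in range(header["max_entries"]):
            key, offset = struct.unpack_from("<qI", index, base + i * HASH_ENTRY_SIZE)
            if offset != 0:   # offset 0 holds the data-file magic, so 0 marks an empty slot
                slots.append((key, offset))
        regions.append(slots)
    return header, regions

def read_blob(data, offset):
    """Read one blob header and payload; the third value reports whether the
    stored offset and checksum agree with what was actually read."""
    if offset + BLOB_HEADER_SIZE > len(data):
        return None, b"", False
    key, checksum, stored_offset, length = struct.unpack_from("<qIII", data, offset)
    start = offset + BLOB_HEADER_SIZE
    payload = bytes(data[start:start + length])
    ok = (stored_offset == offset and len(payload) == length
          and adler32(payload) == checksum)
    return key, payload, ok

def parse_gallery_cache(index, data):
    """Return (header, {key: (payload, verified)}) for the active region's data file."""
    if len(data) < 4 or struct.unpack_from("<I", data, 0)[0] != DATA_MAGIC:
        raise ValueError("bad data-file magic")
    header, regions = parse_index(index)
    blobs = {}
    for key, offset in regions[header["active_region"]]:
        blob_key, payload, ok = read_blob(data, offset)
        blobs[key] = (payload, ok and blob_key == key)
    return header, blobs

def build_sample_cache(entries, max_entries=16):
    """Constructed sample (index, data) pair in the layout above, not a dump from a
    device. Slots are filled in insertion order; the parser does not rely on slot position."""
    data = bytearray(struct.pack("<I", DATA_MAGIC))
    slots = []
    for key, payload in entries:
        offset = len(data)
        data += struct.pack("<qIII", key, adler32(payload), offset, len(payload)) + payload
        slots.append(struct.pack("<qI", key, offset))
    region0 = b"".join(slots).ljust(HASH_ENTRY_SIZE * max_entries, b"\x00")
    region1 = bytes(HASH_ENTRY_SIZE * max_entries)
    header = struct.pack("<7I", INDEX_MAGIC, max_entries, 64 * 1024, 0,
                         len(entries), len(data), 1)
    header += struct.pack("<I", adler32(header))
    return header + region0 + region1, bytes(data)

if __name__ == "__main__":
    idx, dat = build_sample_cache([(0x1122334455667788, b"thumb-one"), (-5, b"thumb-two-bytes")])
    hdr, blobs = parse_gallery_cache(idx, dat)
    for key, (payload, verified) in blobs.items():
        print(f"key {key:#x}: {payload!r} verified={verified}")
```

On a real cache, entries whose verification flag is False are still worth reporting (they may be stale blobs left by an earlier region switch), but they must be labelled as unverified rather than shown alongside intact ones.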

Page 30:

ANDROID CACHE VIEWER PROTOTYPE

Built using C# and requires Microsoft .NET 4.0

Supported formats:

Generic cache (cache_r.0, cache_bd.0)

WebView component cache

SQLite DB cache

Image gallery cache

Serialized object cache

DiskLruCache format

It runs on, and has been tested on, Windows XP, Vista/7 and Windows 8/8.1.

Page 31:

SCREENSHOTS - CACHE_R.0

Page 32:

SCREENSHOTS - CACHE_R.0 DATA

Page 33:

SCREENSHOTS - WEBVIEW CACHE INDEX

Page 34:

SCREENSHOTS - WEBVIEW CACHE DATA

Page 35:

SCREENSHOTS - WEBVIEW CACHE EXTERNAL DATA

Page 36:

SCREENSHOTS - YOUTUBE CACHE

Page 37:

SCREENSHOTS - ANDROID IMAGE GALLERY

Page 38:

SCREENSHOTS - SQLITE DB CACHE

Page 39:

SCREENSHOTS - UNKNOWN CACHE

Page 40:

OPEN SOURCE

The source code for Android Cache Viewer is uploaded to GitHub (https://github.com/fcidau/Android-Cache-Viewer)

Released under MIT License

Page 41:

CONCLUSION & FUTURE WORK

Page 42:

CONCLUSION

In the thesis, we identified literature gaps and limitations in using existing forensic models when examining Android caches.

To assist forensic researchers and practitioners in examining the wide range of caches used by various Android apps, a taxonomy for Android caches and the conceptual Android Cache Forensics Model were proposed.

More than 100 popular apps were tested. 11 apps appear to use some form of cache, and these were studied in detail.

Previously unknown cache formats were decoded, and several undocumented cache formats commonly used by Android apps were documented.

Based on the findings, Android Cache Viewer, an open source prototype tool, was developed to decode Android cache formats.

Page 43:

FUTURE WORK

Much work in this area remains to be done. Potential extensions of this thesis are as follows:

Adding plugins for other undocumented cache file structures.

Adding new cache formats as they are introduced.

Making each plugin an independently loadable module.

Page 44:

REFERENCE LIST

Gandhewar, N & Sheikh, R 2011, 'Google Android: An Emerging Software Platform For Mobile Devices', International Journal on Computer Science & Engineering.

Pollitt, M 1995, 'Computer forensics: An approach to evidence in cyberspace', Proceedings of the National Information Systems Security Conference, pp. 487-491.

McKemmish, R 1999, What is forensic computing?, Australian Institute of Criminology.

Palmer, G 2001, 'A road map for digital forensic research', First Digital Forensic Research Workshop, Utica, New York, pp. 27-30.

Baryamureeba, V & Tushabe, F 2004, 'The enhanced digital investigation process model', Proceedings of the Fourth Digital Forensic Research Workshop, Citeseer.

Page 45:

REFERENCE LIST (CONT..)

AppBrain 2014, Number of Android applications, appbrain.com, viewed 16-May-2014, <http://www.appbrain.com/stats/number-of-android-apps>.

Page 46:

QUESTIONS & ANSWERS