“ANDROID ON THE LOOSE; Andrew Hoog unveils Google’s new mobile operating system, showing us exactly what’s important for forensic investigators.”
Digital Forensics Magazine | supporting the professional computer security industry.
There has been a lot of interest in Android Forensics, and one important component is an open source framework to provide such an application. If sufficient interest and development is generated, it will be an extremely valuable tool for forensic investigators. Now, we just need some forensic geeks with Java experience to join. The project is hosted on Google Code.
A sign of things to come…Android is going to be significant. If you need tools and techniques for the forensic analysis of these phones, please visit our Android Forensics page, which has links to training, our mailing list and information on how to subscribe to our AFWiki.
As of December 2009, the research firm's survey shows that 4% of all smartphone owners now use a phone running some version of the Android OS. That's an increase of 200% since the previous survey released in September.
The Nook from B&N runs Android. The folks over at nookDevs have taken the device apart, figured out how to get root (I wish it was that easy on Android phones!) and are deep into it now. We’ve long told folks who listen that Android is much more than a mobile phone OS. From a law enforcement/forensics standpoint, you can’t ignore that illegal information may exist on an Android book reader, set top box or whatever the next device will be. So you have to understand Android from the ground up. Oh, and as for the last sentence in the quote below, I might just fit the bill!
If you tear open a Nook (which the team has done) you’ll find that the Android operating system is contained on a microSD card (separate from the microSD expansion slot). From here, it’s a simple matter of using a card reader to mount this card on your computer and changing a single word in the init.rc file (the file that’s in charge of which services are begun at startup, similar to a Linux boot).
This single hack will let you plug the Nook into your computer (once you have reassembled it) and access the OS, using the freely available Google Android developers kit. Right now you’ll have to be a hardcore nerd to make much use of this…<snip>
via Nook Torn Open, Hacked, Rooted | Gadget Lab | Wired.com.
Made me smile to find the directory /data/dontpanic on Android phones.
I can imagine people reading much into this…could Google/Android be the ultimate guide to our universe? Since we already know The Answer to the Ultimate Question of Life, the Universe, and Everything, maybe it’s simply a place to store dumps from the system:
# Create dump dir and collect dumps.
# Do this before we mount cache so eventually we can use cache for
# storing dumps on platforms which do not have a dedicated dump partition.
mkdir /data/dontpanic
chown root log /data/dontpanic
chmod 0750 /data/dontpanic
# Collect apanic data, free resources and re-arm trigger
copy /proc/apanic_console /data/dontpanic/apanic_console
chown root log /data/dontpanic/apanic_console
chmod 0640 /data/dontpanic/apanic_console
copy /proc/apanic_threads /data/dontpanic/apanic_threads
chown root log /data/dontpanic/apanic_threads
chmod 0640 /data/dontpanic/apanic_threads
write /proc/apanic_console 1
# Collect ramconsole data
copy /proc/last_kmsg /data/dontpanic/last_kmsg
chown root log /data/dontpanic/last_kmsg
chmod 0640 /data/dontpanic/last_kmsg
I played around with Google Goggles today and was quite impressed. Like any good forensic geek, I wanted to understand better what happened behind the scenes. Below are some observations from the data the app persisted on the NAND:
Not quite as revealing as Google Maps Navigation (see my previous post) but still insightful. Oh, and it’s a really, really cool app. I’ll use it more and report back at some point.
lastimage.jpg

I was taking a look at the /data/data/ directory on the Droid and here are some interesting items:
Contact database
Motorola and passwords
Geolocation
Exchange attachments
Who else is tracking you…besides Google?
Bone-head security award goes to /data/data/com.android.email/databases/EmailProvider.db
User Dictionary
Device/User settings
If you made it this far, thanks for bearing with my brain stream. I didn’t have much time to spend on this right now, so I just grabbed a few interesting ones. We’re developing techniques to do more structured analysis of the data, applications, etc., so stay tuned. You can sign up for updates on our Android Forensics page. Also, we offer training, so drop us a line if interested.
I’m pleased to announce the release of our comprehensive Android Forensics training course, which will fully prepare examiners for the Android platform. The course will provide participants with the tools, techniques and analysis methods needed to effectively investigate an Android device.
This training course is for law enforcement or government employees only. Participants must bring a laptop to the training and should have an expert level knowledge of forensics (no prior Android knowledge required). Register now as space is limited.
Also, our Android Forensics white paper is nearly complete. That and other updates (including magazine articles, interviews, mailing list archives, blog postings and more) will be updated soon on our Android Forensic page.
Hope to see you in St. Louis.
Late last week, Lee Whitfield (of Forensic 4Cast) and I spoke for a while about Android Forensics. The whole program is interesting…I believe my interview starts around 45:40. Check it out at Episode 25 – The Little iPhone Worm That Could.
While we continue our R&D on getting a full dd image from a Motorola Droid, I thought it would be interesting to do a quick write up on Google Maps Navigation artifacts. Since we don’t yet have full access to the system, this preliminary analysis focuses on the residual data left on the SD Card.
SD card info
After grabbing an image of the SD card, I took a quick look with mmls (TSK rocks) and saw that the first 4MB of the card are unallocated leaving the FAT32 partition to start at sector 8192:
ahoog@wintermute:/mnt/readonly-fs/google_maps_navigation/cache$ mmls ~/droid/sd/viaforensics/droid/item001-awh123/item001-awh123.dc3dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000008191   0000008192   Unallocated
02:  00:00   0000008192   0031326207   0031318016   Win95 FAT32 (0x0C)
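To turn the mmls output into a read-only mount of the FAT32 volume you need the partition's byte offset (start sector × 512). The following is an added example, not code from the post: it parses the DOS partition table from the first 512 bytes of a raw image and derives that offset; the sample MBR is constructed to match the table above (FAT32, type 0x0C, starting at sector 8192), and the image path and mount point are placeholders.

```python
"""Locate the FAT32 partition in a raw SD-card image and compute the byte
offset for a read-only loop mount. Added example; the MBR entry layout is
the standard one, the sample table below is constructed."""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries, then 0x55AA signature
ENTRY_SIZE = 16
TYPE_NAMES = {0x0B: "Win95 FAT32", 0x0C: "Win95 FAT32 (LBA)", 0x83: "Linux"}

def parse_mbr(mbr):
    """Return the non-empty primary partition entries as dicts (sector units,
    matching mmls), plus the byte offset mount(8) needs."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a DOS partition table (0x55AA signature missing)")
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * ENTRY_SIZE
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, length
        _status, ptype, start, length = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 or length == 0:
            continue                      # empty slot
        parts.append({"slot": slot, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, "unknown"),
                      "start": start, "end": start + length - 1,
                      "length": length, "byte_offset": start * SECTOR})
    return parts

def build_mbr(entries):
    """Construct a minimal MBR from (type, start_lba, length) tuples (test data only)."""
    mbr = bytearray(512)
    for slot, (ptype, start, length) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x00, ptype, start, length)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def mount_command(image_path, part, mount_point="/mnt/readonly-fs"):
    """Read-only, no-exec loop mount at the partition's byte offset."""
    return (f"mount -o ro,noexec,loop,offset={part['byte_offset']} -t vfat "
            f"{image_path} {mount_point}")

# Constructed to mirror the mmls listing: 4 MB unallocated, FAT32 at sector 8192.
SAMPLE_MBR = build_mbr([(0x0C, 8192, 31318016)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
        print(mount_command("item001-awh123.dc3dd", p))
```

In practice feed `parse_mbr` the first 512 bytes of the image file; a GPT-partitioned card would need a different parser.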
Obviously there is various user and application data on the drive, but that will be for later posts. The Navigation app stores data in the directory google_maps_navigation on the root of the SD card. Inside that directory, there are two more directories, cache and debug. I’ll have to figure out how to turn debug on, but for now no data was written to that directory.
.Wav files
The cache folder has 2 SQLite 3 databases, tilecache_ImageTileStore.db and tilecache_VectorTileStore.db. Also, there are hidden .wav files following this naming convention:
._speech_nav_N.wav
where N is an incrementing number starting at 0. There are some great things about these files for a forensic examiner:
Here’s what it looks like after I took a 25 mile trek back from a north Chicago suburb:
ahoog@wintermute:/mnt/readonly-fs/google_maps_navigation/cache$ ls -la
total 1184
dr-xr-xr-x 2 root root  32768 2009-11-16 15:32 .
dr-xr-xr-x 4 root root  32768 2009-11-16 13:31 ..
-r-xr-xr-x 1 root root  66476 2009-11-16 15:20 ._speech_nav_0.wav
-r-xr-xr-x 1 root root 142252 2009-11-16 15:19 ._speech_nav_1.wav
-r-xr-xr-x 1 root root 142380 2009-11-16 15:18 ._speech_nav_2.wav
-r-xr-xr-x 1 root root  73644 2009-11-16 15:15 ._speech_nav_3.wav
-r-xr-xr-x 1 root root  60460 2009-11-16 15:15 ._speech_nav_4.wav
-r-xr-xr-x 1 root root 107948 2009-11-16 15:15 ._speech_nav_5.wav
-r-xr-xr-x 1 root root  96300 2009-11-16 15:20 ._speech_nav_6.wav
-r-xr-xr-x 1 root root   6144 2009-11-16 13:31 tilecache_ImageTileStore.db
-r-xr-xr-x 1 root root 281600 2009-11-16 15:32 tilecache_VectorTileStore.db
So anyone wanting to follow my long drive back to Skokie, IL could see the date and time and even hear the directions.
On a less positive note, the files from my drive *to* Skokie a few hours earlier are not there. So it seems each navigation overwrites the previous one (will experiment and confirm later). That could be interesting if one trip had about 30 directions and another only had 5. Also, I will have to see how many my trip really had so I can determine if there is a fixed number of cached voice directions.
SQLite info
As mentioned earlier, there are two SQLite databases, but my tilecache_ImageTileStore.db is currently empty. So, on to tilecache_VectorTileStore.db, which has plenty of data. Here’s the table schema:
sqlite> .schema
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE cache_table (key INTEGER NOT NULL PRIMARY KEY, data BLOB);
CREATE TABLE last_use_table (key INTEGER NOT NULL PRIMARY KEY, last_use INTEGER NOT NULL);
CREATE TABLE metadata (data_version INTEGER NOT NULL,schema_version INTEGER NOT NULL);
And the two tables with data are cache_table and last_use_table. The blob in the cache is likely a .PNG image cache from the application (like the iPhone), but I have to work on this further. The last_use_table has the same key (which seems to be a simple incrementing integer) and a date/time stamp in Unix epoch. Since both tables have exactly 81 records in my database, I suspect I will be able to correlate the exact date/time the phone was located at a particular GPS coordinate.
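The correlation described above is a join of cache_table and last_use_table on key. The following is an added example, not the post's own code: it builds an in-memory copy of the schema printed above, fills it with constructed rows, joins the two tables ordered by last_use, converts the epoch (Android commonly stores milliseconds, so both second and millisecond values are handled) and checks each blob's magic bytes to test the PNG hypothesis. The timestamps and blob contents are constructed sample data.

```python
"""Join cache_table with last_use_table from tilecache_VectorTileStore.db and
classify the cached blobs. Added example; schema is the one on this page,
rows are constructed."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE cache_table (key INTEGER NOT NULL PRIMARY KEY, data BLOB);
CREATE TABLE last_use_table (key INTEGER NOT NULL PRIMARY KEY, last_use INTEGER NOT NULL);
CREATE TABLE metadata (data_version INTEGER NOT NULL, schema_version INTEGER NOT NULL);
"""
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def epoch_to_utc(value):
    """Epoch seconds or milliseconds -> aware UTC datetime (values > 1e11 are ms)."""
    secs = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def blob_kind(data):
    """Identify the cached blob by its leading bytes instead of trusting a guess."""
    if not data:
        return "empty"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data[:2] == b"\xff\xd8":
        return "jpeg"
    return "unknown"

def correlate(conn):
    """Return (key, last_use as ISO-8601 UTC or None, blob kind, blob size),
    ordered by last_use; LEFT JOIN keeps tiles with no timestamp row."""
    rows = conn.execute("""SELECT c.key, l.last_use, c.data FROM cache_table c
                           LEFT JOIN last_use_table l ON l.key = c.key
                           ORDER BY l.last_use, c.key""").fetchall()
    return [(key, epoch_to_utc(ts).isoformat() if ts is not None else None,
             blob_kind(data), len(data) if data else 0) for key, ts, data in rows]

def build_sample_db():
    """Constructed database: three tiles used a minute apart on 2009-11-16 (UTC)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO metadata VALUES (1, 1)")
    base_ms = 1258406400000                          # 2009-11-16 21:20:00 UTC
    samples = [(1, PNG_MAGIC + b"\x00" * 16), (2, b"\x00\x01vector-tile"), (3, None)]
    for i, (key, data) in enumerate(samples):
        conn.execute("INSERT INTO cache_table VALUES (?, ?)", (key, data))
        conn.execute("INSERT INTO last_use_table VALUES (?, ?)", (key, base_ms + i * 60000))
    return conn

if __name__ == "__main__":
    for row in correlate(build_sample_db()):
        print(row)
```

Against a real copy of the database, replace `build_sample_db()` with `sqlite3.connect("file:tilecache_VectorTileStore.db?mode=ro", uri=True)` so the evidence file is opened read-only.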
Conclusion
Android is going to be an exciting, ever-developing platform which is already widely in use. Since Android is predicted to overtake the iPhone by 2012, the forensics community needs to invest neurons into the platform. Like previous smart phones, the Android platform promises to deliver a wealth of data about its use. This is great news for the forensic analyst…but maybe few others.
If you are interested in Android Forensics, sign up for our forthcoming Android Forensics White Paper. We are currently testing the following products and techniques:
As with our iPhone Forensics white paper, we will test each product and technique and report on the results. Also, we hope to publish a book in the near (or distant) future. If your organization is encountering Android phones or wants to prepare for the inevitable, drop us a line. On supported phones, the Hoog Method will allow for the full recovery of deleted files, data and more. Several training classes are in development and will be ready before the end of the year. If you are interested in an outline of the course or the details about the on-going access to our R&D you will receive, let me know. Exciting times…