Android

25 Feb

FOR IMMEDIATE RELEASE

Contact:
Andrew Hoog
Chief Investigative Officer
viaForensics
Phone: +1 312-283-0551
http://viaforensics.com/contact-us

viaForensics announces release of Open Source Android Forensics application

viaForensics has released a beta version of its Open Source Android Forensics application supporting all Android devices.

Chicago, Feb 25, 2010 – viaForensics, a computer and mobile forensics firm, has released a beta version of its Open Source Android Forensics application, which allows forensics examiners to export data from an Android device for use by law enforcement and forensic investigators.

The beta version of the application, developed under the direction of lead architect Derek Guardiola, can be downloaded to an Android device enabling examiners to then export data, including browser history, call logs, contact methods, organizations, people and short message service (text messages), to a CSV file on an SD Card.

The development of this application on an open source platform, viaForensics believes, will support the further development of an unparalleled Android Forensics application which can be used free of charge. Developers can easily create plug-ins which will extract additional data from Android devices. Developers interested in participating in the application can contact viaForensics. The project source code and apk files can be downloaded from Google Code: http://code.google.com/p/android-forensics/

As the foremost experts in Android Forensics, viaForensics has developed techniques and training programs preparing law enforcement and forensic providers with the resources to successfully investigate Android devices. viaForensics is also developing a complementary reporting application for the extracted data. For more information, visit the viaForensics web page on Android Forensics.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery firm focusing on providing proactive services to corporations, law enforcement and law firms. Andrew Hoog is a computer scientist, computer/forensics researcher and Chief Investigative Officer at viaForensics.

###

Category : Android Forensics | Android | News | Press Releases | Blog

24 Feb

FOR IMMEDIATE RELEASE

The CIO of viaForensics, Andrew Hoog, has been invited to speak at the International Conference on Cyber Security 2010 presented by the Federal Bureau of Investigation and Fordham University in New York City this August.

Chicago, Feb 24, 2010 – viaForensics’ CIO Andrew Hoog will offer a training course on Android forensics at the upcoming International Conference on Cyber Security (ICCS 2010), held August 2-5, 2010, in New York City. The conference, hosted jointly by the Federal Bureau of Investigation and Fordham University, brings together law enforcement officials, industry professionals and academic experts to discuss emerging worldwide cyber threats.

In 2009, the conference hosted more than 500 professionals representing 40 countries. Attendees were an international mix of law enforcement agents and prosecutors, cyber-security researchers, members of academia, and business and government leaders.

This year the conference will feature 50 lectures covering three broad areas: Emerging Technologies, Operations and Enforcement, and Real Life Experiences. In addition to the lectures, panel discussions, sponsors’ presentations, exhibitions and networking opportunities, ICCS will present two unique events – a Law Enforcement Workshop and the Cyber Security Tutorial – featuring experts presenting both technical and non-technical sessions.

viaForensics’ training, presented by CIO Andrew Hoog, provides examiners with six separate techniques to acquire data from an Android device. The course explains the techniques and analysis tools needed to effectively investigate an Android phone. The full course outline is provided on the viaForensics website. The training will be offered on the first day of the conference, August 2nd.

Andrew Hoog has authored a groundbreaking white paper on iPhone forensics and is currently authoring a book on Android forensics. Hoog also maintains the Android Forensics Wiki (AFWiki).

###

Category : Android Forensics | Android | Computer Forensics | News | Press Releases | Blog

23 Feb

This will be a pivotal year for Windows Mobile…the trend is not on their side, but with it still sitting at #4, as the article says, they have a footing. Personally, I think the mindset of trying to adapt the desktop OS/GUI to a handheld phone put Microsoft at a disadvantage for so long that it’s hard to imagine a successful recovery.

The smartphone data comes from Gartner, which measures actual sales to customers rather than to carriers or dealers. By that reckoning, Windows Mobile sales only declined by 1.47 million units to around 15 million units year over year. By comparison, iPhone OS sales more than doubled — to nearly 25 million units — with share rising to 14.4 percent from 8.2 percent year over year. Android made significant gains — and at the expense of other Linux-based smartphone operating systems, too — with share rising from 0.5 percent in 2008 to 3.9 percent in 2009 on 6.8 million units shipped. Android made its biggest gains of the year during fourth quarter.

via Android and iPhone smack down Windows Mobile | Betanews.

Category : Android | Blog

11 Feb

FOR IMMEDIATE RELEASE

CIO of viaForensics speaks on Android Forensics at DoD’s DC3 Conference

CIO of viaForensics, Andrew Hoog, spoke about digital forensics and the Android platform at the U.S. Department of Defense Cyber Crime Conference 2010.

Chicago, Feb 11, 2010 – The CIO of viaForensics, Andrew Hoog, gave a presentation titled “Android Forensics Techniques, File Systems and Analysis” to a group of attendees at the U.S. Department of Defense (DoD) Cyber Crime Conference on January 27, 2010. As the Android mobile device platform is poised to make significant inroads into the market, viaForensics’ presentation provides timely information on the Android platform, significant areas of focus for the forensic examiner and forensic techniques that examiners can use today.

While the release of Android’s open source platform is a welcome change, it presents unique challenges for digital forensics examiners, including its use of the YAFFS2 file system, its non-standard C library (Bionic) and the Dalvik virtual machine. viaForensics has put significant research and development efforts into Android Forensics. They have developed a comprehensive training course outlining six separate techniques used to acquire data from Android devices. viaForensics also maintains the Android Forensics Wiki with the latest information on the topic.

The DoD’s Cyber Crime Conference brings together forensic examiners, prosecutors, law enforcement personnel and Federal investigators to address issues related to cyber crime. The conference is sponsored by the DoD Cyber Crime Center (DC3), the Joint Task Force – Global Network Operations and the Defense Criminal Investigative Service. Historically, the conference draws over 800 participants each year. This year’s theme was “Cyber Professionals: Sentinels of U.S. Security.”

More information on this topic, including information about training sessions and upcoming events, can be found on viaForensics’ website: http://viaforensics.com/android and the Android Forensics Wiki at http://viaforensics.com/afwiki.

###

Category : Android Forensics | Android | News | Press Releases | Blog

4 Feb

“ANDROID ON THE LOOSE; Andrew Hoog unveils Google’s new mobile operating system, showing us exactly what’s important for forensic investigators.”

via Digital Forensics Magazine.

Category : Android Forensics | Android | Blog

19 Jan

A sign of things to come…Android is going to be significant. If you need tools and techniques for the forensic analysis of these phones, please visit our Android Forensics page, which has links to training, our mailing list and information on how to subscribe to our AFWiki.

As of December 2009, the research firm's survey shows that 4% of all smartphone owners now use a phone running some version of the Android OS. That's an increase of 200% since the previous survey released in September.

via Android Usage Increased 200% Over Past 3 Months.

Category : Android Forensics | Android | News | Blog

21 Dec

Gizmodo’s John Herrman has an interesting write-up on the reasons behind fragmentation across Android versions. I thought the parallel to the iPhone model was insightful, and certainly the concern is there. Perhaps the Nexus One is Google’s response to the fragmentation.

The problem is in the model. Android updates seed out through carriers, over the air or with special installers. This is because the updates are their responsibility: once handset manufacturers (and carriers, through handset manufacturers) have built their own version of Android, they’ve effectively taken it out of the development stream. Updating it is their responsibility, which they have to choose to uphold. Or not! Who cares? The phones are already sold. And there's very little to motivate a carrier or handset manufacturer to update their Android phones, because the consequences tend to fall on Google: If Android fragments, the App Market doesn't work. The public sours. Android starts to suck. This is where the Nexus One comes in.

via How Carriers and Phone Makers Are Strangling Android (And How Google Could Save It) – google phone – Gizmodo.

Category : Android | Blog

15 Dec

Made me smile to find the directory /data/dontpanic on Android phones.

I can imagine people reading much into this…could Google/Android be the ultimate guide to our universe? Since we already know The Answer to the Ultimate Question of Life, the Universe, and Everything, maybe it’s simply a place to store dumps from the system. The fragment below is from the device’s init.rc: at boot it copies the kernel panic driver’s console and thread dumps (/proc/apanic_console, /proc/apanic_threads) and the RAM console’s log from the previous kernel (/proc/last_kmsg) into /data/dontpanic, owned by root with the log group and readable by nobody else:

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.

    mkdir /data/dontpanic
    chown root log /data/dontpanic
    chmod 0750 /data/dontpanic

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # Collect ramconsole data
    copy /proc/last_kmsg /data/dontpanic/last_kmsg
    chown root log /data/dontpanic/last_kmsg
    chmod 0640 /data/dontpanic/last_kmsg
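
The security-relevant detail in that fragment is the ownership and mode each dump ends up with: root:log, 0750 on the directory and 0640 on the files. Whether an examiner can collect those dumps over an unrooted adb shell therefore depends entirely on the shell user’s group membership. The Python script below is an added example (not part of the original post and not Android code): it replays the mkdir/copy/chown/chmod commands from the fragment, reconstructs the final owner, group and mode of every path, and reports which dump files a given user can read. The user and its supplementary groups are passed in explicitly; that the adbd shell user carries the log group on a given build is an assumption of this example, so verify it on the handset before relying on it.

```python
import stat

# The init.rc commands quoted above, embedded here as the sample input.
# Comment lines and the `write` are kept to show they are skipped.
INIT_RC = """\
    # Create dump dir and collect dumps.
    mkdir /data/dontpanic
    chown root log /data/dontpanic
    chmod 0750 /data/dontpanic

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # Collect ramconsole data
    copy /proc/last_kmsg /data/dontpanic/last_kmsg
    chown root log /data/dontpanic/last_kmsg
    chmod 0640 /data/dontpanic/last_kmsg
"""


def _new_entry(kind, source=None):
    # init creates directories 0755 root:root unless mkdir is given a mode/owner;
    # a copied file's final bits come from the chown/chmod that follow it.
    return {"kind": kind, "source": source, "owner": "root", "group": "root",
            "mode": 0o755 if kind == "dir" else None}


def parse_init_rc(text):
    """Replay mkdir/copy/chown/chmod and return {path: entry} holding the
    final owner, group and mode of every path the fragment touches."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = line.split()
        if cmd == "mkdir":                      # mkdir <path> [mode] [owner] [group]
            e = entries.setdefault(args[0], _new_entry("dir"))
            if len(args) > 1:
                e["mode"] = int(args[1], 8)
            if len(args) > 2:
                e["owner"] = args[2]
            if len(args) > 3:
                e["group"] = args[3]
        elif cmd == "copy":                     # copy <src> <dst>
            entries[args[1]] = _new_entry("file", source=args[0])
        elif cmd == "chown":                    # chown <owner> <group> <path>
            e = entries.setdefault(args[2], _new_entry("file"))
            e["owner"], e["group"] = args[0], args[1]
        elif cmd == "chmod":                    # chmod <octal> <path>
            e = entries.setdefault(args[1], _new_entry("file"))
            e["mode"] = int(args[0], 8)
        # `write` and anything else leave the on-disk layout alone
    return entries


_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}


def has_perm(entry, user, groups, perm="r"):
    """Classic Unix check: root passes; otherwise the owner bits apply if the
    user owns the path, else the group bits if a supplementary group matches,
    else the other bits. perm is "r" (read) or "x" (search a directory)."""
    if user == "root":
        return True
    usr, grp, oth = _BITS[perm]
    mode = entry["mode"] or 0
    if user == entry["owner"]:
        return bool(mode & usr)
    if entry["group"] in groups:
        return bool(mode & grp)
    return bool(mode & oth)


def collection_plan(entries, user, groups):
    """For each dump file: its source, final owner and mode, and whether
    `user` (with the given supplementary groups) can both traverse the parent
    directory and read the file, i.e. pull it without root."""
    plan = []
    for path, e in sorted(entries.items()):
        if e["kind"] != "file":
            continue
        parent = entries.get(path.rsplit("/", 1)[0])
        can_search = parent is None or has_perm(parent, user, groups, "x")
        plan.append({"path": path, "source": e["source"],
                     "owner": f"{e['owner']}:{e['group']}",
                     "mode": f"{e['mode']:04o}" if e["mode"] is not None else "?",
                     "readable": can_search and has_perm(e, user, groups, "r")})
    return plan


if __name__ == "__main__":
    entries = parse_init_rc(INIT_RC)
    # Assumption for the demo: the adbd shell user may or may not carry the log group.
    for who, groups in (("shell", {"shell"}), ("shell", {"shell", "log"}), ("root", set())):
        print(f"user={who} groups={sorted(groups)}")
        for item in collection_plan(entries, who, groups):
            state = "readable" if item["readable"] else "NOT readable"
            print(f"  {item['path']:<36} {item['owner']:<9} {item['mode']}  {state}")
```

Run as-is it prints three plans: a shell user without the log group cannot even search /data/dontpanic (0750 gives no execute bit to others), a shell user with the log group can read all three dumps, and root reads everything. The same replay works on any other init.rc fragment, which is a quick way to build a collection manifest for a new device before touching it.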
Category : Android Forensics | Android | Blog

14 Dec

I played around with Google Goggles today and was quite impressed. Like any good forensic geek, I wanted to understand better what happened behind the scenes. Below are some observations from the data the app persisted on the NAND:

  • Application data is stored in /data/data/com.google.android.apps.unveil
  • Following directories exist: cache, databases, files, lib, shared_prefs
  • Last picture I took was stored in ./files/lastimage.jpeg (see bottom of post for the image…which found Barbara’s Books site immediately)
    • I have not had time to see if I could carve or otherwise extract previous images from the YAFFS2 data partition
  • ./cache/webviewCache contained 2 files (referenced in the webviewCache.db database); one was a jpg (122eefe1) and the other a png (f0277abc). The jpg contained a logo from a previous Goggles search I did, so there was some residual data there
  • ./databases contained 2 databases, webviewCache.db and webview.db
    • webviewCache.db contained references to the 2 cached files mentioned above.  It at least tells us the order (although file system date/time can do the same).  It also tells you when the content expires so you could probably calculate a decent time from that through testing…or at least get the general idea.
    • webview.db looked more like the android browser database but was unpopulated except for a cookie entry for .google.com

Not quite as revealing as Google Maps Navigation (see my previous post) but still insightful. Oh, and it’s a really, really cool app. I’ll use it more and report back at some point.

[Image: lastimage.jpg, the photo submitted to Google Goggles]

Category : Android Forensics | Android | Motorola Droid | Blog

11 Dec

I was taking a look at the /data/data/ directory on the Droid and here are some interesting items:

Contact database

  • /data/data/com.android.providers.contacts/databases/contacts2.db (thank goodness it’s not contacts1.db)
    • Combines data from Google, Exchange, Facebook and more
    • table status_updates has date/time and status update from contacts in your Contact list and Facebook
    • table raw_contacts has info about source of contact and other items
    • Is a fairly normalized database *until* you look at table data which has columns data1 – data15!
    • Call logs are stored in Calls table

Motorola and passwords

  • Kudos to Motorola for being one of the few companies that do not seem to store passwords in plain text. An example is /data/data/com.motorola.calendar/databases/motosync.db, which has account info, but the Exchange password is not in plain text (maybe just a by-product of the ActiveSync protocol?)

Geolocation

  • The database /data/data/com.android.browser/app_geolocation/CachedPosition.db does just what you think it does (if the user gave the site permission). It provides latitude, longitude, altitude, accuracy, altitudeAccuracy, heading, speed and a time stamp (gotcha). The altitude, speed and heading were not populated.
    • I was going to post the longitude/latitude but then I checked it and, wow, was it accurate. So, you’ll just have to wonder where I (I mean my phone) was last night at 1260500133.
    • The time stamp has 3 extra digits compared to a standard Unix epoch value: Android (Java) writes times in milliseconds since the epoch, so drop the last three digits (divide by 1000) to get Unix seconds.
    • Only one record was allocated in the database, so apparently it only holds on to the last one. I’ll have to check the database for deleted records.

Exchange attachments

  • Attachments from Exchange seem to be stored internally vs. the SD Card.  Found mine at /data/data/com.android.email/databases/1.db_att as numbered files.  I had 3, a PDF, vCard and a .wav file.

Who else is tracking you…besides Google?

  • I’m now seeing a database in several applications (not to pick on the apps, because they are really good, but they are NewsRob and Twidroid) called google_analytics.db. The database contains what I suspect is the application provider’s Google Analytics ID. I don’t know how I feel about this…Google gets enough about me, but I wonder what they or the app provider are tracking…maybe it’s all generic. Below is the schema of its events table so you can see the information stored is pretty detailed:

        CREATE TABLE events (
            'event_id' INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
            'user_id' INTEGER NOT NULL,
            'account_id' CHAR(256) NOT NULL,
            'random_val' INTEGER NOT NULL,
            'timestamp_first' INTEGER NOT NULL,
            'timestamp_previous' INTEGER NOT NULL,
            'timestamp_current' INTEGER NOT NULL,
            'visits' INTEGER NOT NULL,
            'category' CHAR(256) NOT NULL,
            'action' CHAR(256) NOT NULL,
            'label' CHAR(256),
            'value' INTEGER,
            'screen_width' INTEGER,
            'screen_height' INTEGER
        );

Bone-head security award goes to /data/data/com.android.email/databases/EmailProvider.db

  • OK, now I’m really ANNOYED. So, /data/data/com.android.email/databases/EmailProvider.db has your Exchange password in plain text. Nice. Lots of other email content is in there (and that’s fine). But, really, plain text, guys?

User Dictionary

  • The user dictionary is stored at /data/data/com.android.providers.userdictionary/databases/user_dict.db and could be useful in some investigations.

Device/User settings

  • Lots of user/devices settings in /data/data/com.android.providers.settings/databases/settings.db
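
Several of the artifacts above (CachedPosition.db, the google_analytics.db events table, and the expiry values in the Goggles webviewCache.db from the earlier post) raise the same two practical questions: which columns are timestamps, and in what unit. The Python below is an added example, not the original post’s tooling. It builds two in-memory SQLite tables with the column layouts given above (every row value is constructed for the example: the coordinates, the GA account ID and the timestamps are made up), walks every table for integer columns whose values fall in a plausible epoch window, and converts each hit to UTC, treating values with three extra digits as milliseconds, which is what Android’s Java code (System.currentTimeMillis()) writes. It also reads SQLite’s freelist_count pragma as a first hint of whether freed pages that may still hold deleted rows exist.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample standing in for CachedPosition.db and google_analytics.db.
# Column names follow the post; every value below is made up for the example.
SAMPLE_SQL = """
CREATE TABLE CachedPosition (
    latitude REAL, longitude REAL, altitude REAL, accuracy REAL,
    altitudeAccuracy REAL, heading REAL, speed REAL, timestamp INTEGER);
CREATE TABLE events (
    event_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, user_id INTEGER NOT NULL,
    account_id CHAR(256) NOT NULL, random_val INTEGER NOT NULL,
    timestamp_first INTEGER NOT NULL, timestamp_previous INTEGER NOT NULL,
    timestamp_current INTEGER NOT NULL, visits INTEGER NOT NULL,
    category CHAR(256) NOT NULL, action CHAR(256) NOT NULL, label CHAR(256),
    value INTEGER, screen_width INTEGER, screen_height INTEGER);
-- browser geolocation row: millisecond timestamp, optional fields NULL
INSERT INTO CachedPosition VALUES
    (41.8800, -87.6300, NULL, 30.0, NULL, NULL, NULL, 1260500133000);
-- analytics row with second-resolution timestamps (constructed values)
INSERT INTO events VALUES
    (1, 7, 'UA-XXXXXX-X', 12345, 1260400000, 1260490000, 1260500133,
     3, 'ui', 'open', NULL, NULL, 480, 854);
"""

# Plausible window for a real timestamp: 2000-01-01 .. 2030-01-01 (Unix seconds)
_MIN_S, _MAX_S = 946_684_800, 1_893_456_000


def epoch_to_utc(value):
    """Return (UTC datetime, unit) for an epoch integer. A value with three
    more digits than a Unix seconds value is taken as milliseconds, the unit
    Java's System.currentTimeMillis() writes and so the common Android case."""
    value = int(value)
    if value >= _MIN_S * 1000:
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc), "ms"
    return datetime.fromtimestamp(value, tz=timezone.utc), "s"


def looks_like_epoch(value):
    """True for integers inside the window, in either seconds or milliseconds."""
    if not isinstance(value, int) or isinstance(value, bool):
        return False
    return _MIN_S <= value < _MAX_S or _MIN_S * 1000 <= value < _MAX_S * 1000


def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def timestamp_report(conn):
    """{table: {column: [(raw, iso_utc, unit), ...]}} for every column that
    holds epoch-looking integers, so time-bearing columns and their unit are
    visible without reading the application's source."""
    report = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = table.replace("'", "''")
        columns = [r[1] for r in cur.execute(f"PRAGMA table_info('{quoted}')")]
        for col in columns:
            rows = cur.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
            hits = [r[0] for r in rows if looks_like_epoch(r[0])]
            if hits:
                converted = []
                for v in hits:
                    dt, unit = epoch_to_utc(v)
                    converted.append((v, dt.isoformat(), unit))
                report.setdefault(table, {})[col] = converted
    return report


def freelist_pages(conn):
    """Pages SQLite has released but not yet reused: a nonzero count means
    old row images may survive in the file. Zero does not rule out deleted
    rows lingering in free space inside pages that are still allocated."""
    return conn.execute("PRAGMA freelist_count").fetchone()[0]


if __name__ == "__main__":
    db = load_sample()
    for table, cols in timestamp_report(db).items():
        for col, values in cols.items():
            for raw, iso, unit in values:
                print(f"{table}.{col}: {raw} ({unit}) -> {iso}")
    print("freelist pages:", freelist_pages(db))
```

Point it at a real database by replacing load_sample() with sqlite3.connect() on a copy of the pulled file (never the original). The unit detection is a heuristic on magnitude, so confirm it the way the post suggests, by comparing a converted value against a known event on the handset; the freelist check is only a triage signal, and recovering the deleted rows themselves needs a page-level carver.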

If you made it this far, thanks for bearing with my brain stream. I didn’t have much time to spend on this right now, so I just grabbed a few interesting ones. We’re developing techniques to do more structured analysis on the data, applications, etc., so stay tuned. You can sign up for updates on our Android Forensics page. Also, we offer training, so drop us a line if interested.

Category : Android Forensics | Android | Motorola Droid | Blog