Android Forensics Training - September 19, 2010 - HTCIA Conference (Atlanta, GA)

viaForensics has invested significant R&D into Android Forensics and is pleased to now offer a comprehensive training course to prepare examiners for the Android platform. After completing the course, you will have 6 separate techniques you can use to acquire data from an Android device including a full forensic copy on supported devices. You will also receive a one year subscription to our Android Forensics Wiki (AFWiki) which contains our latest R&D, techniques, binaries and full source code needed for the acquisition and analysis of Android devices. Questions? Contact us.

This training is associated with the International High Technology Crime Investigation Association (HTCIA) 2010 conference in Atlanta, GA.

Training Details

The course will provide you with the tools, techniques and analysis tools you need to effectively investigate an Android phone. Participants must bring a laptop for the training and have the ability to run a VMWare appliance/image. The full course outline is provided below.

Overview of Android

• History
• Technology
  • Linux
  • File system
  • C library (Bionic)
  • App environment (Dalvik VM)
• Phone/other devices
  • Currently available or planned
  • Hardware vendors
  • Service providers
• Overview of security model
• Forensic consideration and discussion about mobile forensics vs. traditional forensics

Software Development Kit

• Overview of SDK, setup, perhaps a test application
• Android emulator
  • Significance
  • Configure
  • Setup and test forensics techniques, use for R&D

File system overview

• Overview of Android file system (phone dependent but fairly consistent)
  • Mount points
  • Important directories
  • "Utility" file systems in use (rootfs, tmpfs, devpts, proc, sysfs, cramfs)
• SD Card - (FAT 32/vfat)
• YAFFS2
  • Detailed overview
    • OOB
    • MTD
    • Log-structure (versioning!)
  • How to compile support (Linux)
  • Pros/Cons

Forensics Techniques

• SD Card analysis
• Backup techniques
  • Nandroid
  • Apps
• Android Debug Bridge
  • Logical analysis without root
  • Logical analysis with root
• Commercial tools
  • Pros/Cons
  • Specific tools
    • Cellebrite
    • Paraben
    • Oxygen
    • XRY
    • Others?
  • "Hoog" method
    • Overview
    • Demonstration
    • MTD techniques: dd, cat, nanddump, etc.
    • Evolution

File system and application/data analysis

• Review important directories and files
• Review efficacy of traditional forensics techniques (i.e. file carving)
• Review YAFFS2 characteristics
• Review important applications and their data (SMS, phone, camera, video, GPS, web browsing, email, etc.)