Skip to content

Android forensics study group

0xACAB edited this page Apr 6, 2020 · 17 revisions

WikiActivities and eventsAndroid forensics study group

Dec 3 2016

  • We read some of the documents shared in the wiki here
  • Clarifying scope:
    • How to tell if data has been extracted from a cell phone?
    • How to tell if malware/surveillance software has been added to a cell phone?
    • Prevention of these things, security?
  • How to tell if data has been extracted from a phone
    • Phones use flash memory.

      • Police use "write-blocking" to protect themselves from accussations of tampering
      • Write blocking is not usually possible on phones because hashes of files change even in read-mode (?)
      • If hashes of phone was available before seizure, then could possibly tell if data was extracted
      • A tool that is kinda like a dead man's switch? It hashes data daily and notifies as hashes change.
        • If your phone is off at a protest, and then seized by police, and they say that they didn't touch it, then the hash should be the same for the whole time it is in their custody
    • Some tools, like Cellebrite, apparently leave traces of their use (http://www.alexanderricks.com/mobile-device-forensics-pulling-back-the-digital-curtain/)

      • What traces? It seems like it would be hard for us to know without access to those tools?

      • On devices that don't have a mechanism to upload a bootloader, Cellebrite needs to install a rooting client that "can leave a footprint in the user data partition, notably the potential for writing to small, unallocated areas of the storage medium" (http://www.cellebrite.com/pages/explaining-cellebrite-ufed-data-extraction-processes)

    • Are there open-source versions of these tools? Could we use/examine them to learn how they work to see what traces might be left behind?

    • Cellebrite especially seems to have "advanced" capability that is probably not present in open source tools

  • How to tell if malware/surveillance software has been added to a cell phone?
    • Android has secure boot to prevent root kits, so if you have a version after kitkat, you should be able to completely wipe your phone if you're worried about malware, and be safe?

    • What are examples of malware that could be used for surveillance?

    • Possibly could grep for recently modified files?

      • A scenario:

        • Phone gets seized

        • 3 months pass

        • You get your phone back and don't have it turned on yet

        • Question: Can you examine the state of the filesystem while the phone is off?

    • Apparently not :(

    • Asking bc if phone is on, then it may be automatically updating apps, which would change the timestamp...

    • Even if phone is on at protest, phone is going to run out of battery before 3 months is up. :) So there's definitely a window of time during which no changes should happen.

    • find /target_directory -type f -mtime -2

Clone this wiki locally