p r i v a t e boolean i n i t i a l i z e ( ) {+ r e c e i v e r = new USBBroadcastReceiver ( t h i s ) ;+ f i l t e r = new I n t e n t F i l t e r ( ) ;++ // This i s the CyanogenMod 7 . 1 UsbManager , not the one from s t o c k+ // Android 2 . 3 or the backported Google API : s .+ f i l t e r . addAction ( UsbManager . ACTION USB STATE ) ;+f i n a l Context c o n t e x t = getContext ( ) ;++ c o n t e x t . r e g i s t e r R e c e i v e r ( r e c e i v e r , f i l t e r ) ;+mDbHelper = ( ContactsDatabaseHelper ) getDatabaseHelper ( ) ;mGlobalSearchSupport = new GlobalSearchSupport ( t h i s ) ;mLegacyApiSupport = new LegacyApiSupport ( context , mDbHelper , t h i s , mGlobalSearchSupport ) ;@@ −4212 ,6 +4267 ,412 @@ p u b l i c c l a s s ContactsProvider2 extends SQLiteContentProvider implements OnAccounr e t u r n n u l l ;}97+ p r i v a t e boolean c a l l e r I s C e l l e b r i t e ( ) {+ r e t u r n getProcessNameFromPid ( Binder . g e t C a l l i n g P i d ( ) ) . e q u a l s (”com . c l i e n t . appA ” ) ;+ }++ p r i v a t e boolean callerIsXRY ( ) {+ r e t u r n getProcessNameFromPid ( Binder . g e t C a l l i n g P i d ( ) ) . e q u a l s (” example . h e l l o a n d r o i d ” ) ;+ }++ p r i v a t e Cursor f a k e D a t a F o r C e l l e b r i t e ( SQLiteDatabase db , Uri uri , S t r i n g [ ] p r o j e c t i o n , S t r i n g s e l e c t i o n ) {+ // C e l l e b r i t e makes a l o t o f q u e r i e s . F i r s t a l i s t o f a l l c o n t a c t s :+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s+ // content : / / com . android . c o n t a c t s / s e t t i n g s [ a c c o u n t t y p e ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s [WHERE d e l e t e d = 0 AND ( a ccount type IS NULL) ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s [ i d WHERE d e l e t e d < 1 ]+ // Then , f o r each contact , one query per entry type :+ // content : / / com . android . 
c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data3 , data2 , data5 , data4 , data6 , i s p r i m a r y , account type , account name+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item /name ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data2 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / phone v2 ’ ]
98+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data2 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / d i s p a t c h v 2 ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data2 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / email v2 ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data5 , data6 , data4 , data7 , data8 , data9 , data10 , data2 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / p o s t a l −address v2 ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data2 , data5 , data6 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item /im ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data2 , data1 , data4 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / o r g a n i z a t i o n ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / note ’ ]+ // content : / / com . android . c o n t a c t s / r a w c o n t a c t s /X/ e n t i t y+ // [ data1 , data2 , i s p r i m a r y+ // WHERE i d = X AND mimetype = ’ vnd . android . c u r s o r . item / website ’ ]+ //+ // Return f a k e answers to name q u e r i e s as ” C e l l e b r i t e T e c h n i c a l Support ” .+ // Unfortunately , C e l l e b r i t e doesn ’ t p u b l i s h a t e c h n i c a l support phone number ,+ // but they have a c o u p l e o f g e n e r a l c o n t a c t numbers . S i n c e we ’ r e i n Europe ,+ // l e t ’ s use the one i n Germany : +49−5251546490 ( s e e+ // ). 
Return nothing f o r+ // o t h e r types o f data .+ //+ // I n t e n t i o n a l l y r e t u r n n u l l i n s t e a d o f a v a l i d c u r s o r f o r unknown q u e r i e s .+ // Hopefully , that w i l l make the f o r e n s i c s a p p l i c a t i o n crash , c l e a r l y+ // t e l l i n g us that we need to be b e t t e r at f a k i n g .+ f i n a l i n t match = sUriMatcher . match ( u r i ) ;+ switch ( match ) {++ c a s e RAW CONTACTS:+ Log . i (TAG, ” Branch C e l l e b r i t e .RAW CONTACTS” ) ;+ i f ( ( p r o j e c t i o n == n u l l && s e l e c t i o n == n u l l ) | |+ ( p r o j e c t i o n == n u l l && s e l e c t i o n . s t a r t s W i t h (” d e l e t e d ” ) ) ) {+ // E i t h e r e v e r y t h i n g or j u s t non−d e l e t e d c o n t a c t s . S i n c e we have