99+ // no d e l e t e d c o n t a c t s , r e t u r n e v e r y t h i n g .+ Log . i (TAG, ” Return e v e r y t h i n g ” ) ;+ r e t u r n db . rawQueryWithFactory ( n u l l ,+ // Column r e f e r e n c e :+ // http : / / d e v e l o p e r . android . com/ r e f e r e n c e / android / p r o v i d e r /+ // ContactsContract . RawContacts . html+ // See a l s o setTablesAndProjectionMapForRawContacts ( ) .+ ” s e l e c t ” ++ ” ” + RawContacts . ID + ” , ” ++ ” ” + RawContacts .CONTACT ID + ” , ” ++ ” n u l l as ” + RawContacts .ACCOUNT NAME + ” , ” ++ ” n u l l as ” + RawContacts .ACCOUNT TYPE + ” , ” ++ ” n u l l as ” + RawContacts . SOURCE ID + ” , ” ++ ” 0 as ” + RawContacts .VERSION + ” , ” ++ ” 0 as ” + RawContacts .DIRTY + ” , ” ++ ” 0 as ” + RawContacts .DELETED + ” , ” ++ ” ’ C e l l e b r i t e T e c h n i c a l Support ’ as ” ++ RawContacts .DISPLAY NAME PRIMARY + ” , ” ++ ” ’ C e l l e b r i t e T e c h n i c a l Support ’ as ” ++ RawContacts .DISPLAY NAME ALTERNATIVE + ” , ” ++ ” ” + DisplayNameSources .STRUCTURED NAME + ” as ” ++ RawContacts .DISPLAY NAME SOURCE + ” , ” ++ ” n u l l as ” + RawContacts .PHONETIC NAME + ” , ” ++ ” ” + PhoneticNameStyle .UNDEFINED + ” as ” ++ RawContacts .PHONETIC NAME STYLE + ” , ” ++ ” 0 as ” + RawContacts .NAME VERIFIED + ” , ” ++ ” ’ C e l l e b r i t e T e c h n i c a l Support ’ as ” + RawContacts .SORT KEY PRIMARY + ” , ” ++ ” ’ C e l l e b r i t e T e c h n i c a l Support ’ as ” + RawContacts .SORT KEY ALTERNATIVE + ” , ” ++ ” 1000000 + abs ( random ( ) % 1000000) as ” + RawContacts .TIMES CONTACTED + ” , ” ++ ” n u l l as ” + RawContacts .LAST TIME CONTACTED + ” , ” ++ ” n u l l as ” + RawContacts .CUSTOM RINGTONE + ” , ” ++ ” 0 as ” + RawContacts . 
SEND TO VOICEMAIL + ” , ” ++ ” 0 as ” + RawContacts .STARRED + ” , ” ++ ” ” + RawContacts .AGGREGATION MODE DEFAULT + ” as ” ++ RawContacts .AGGREGATION MODE + ” , ” ++ ” n u l l as ” + RawContacts .SYNC1 + ” , ” ++ ” n u l l as ” + RawContacts .SYNC2 + ” , ” ++ ” n u l l as ” + RawContacts .SYNC3 + ” , ” ++ ” n u l l as ” + RawContacts .SYNC4 + ” ” ++ ” from ” +
100+ ” ” + Views .RAW CONTACTS RESTRICTED,+ n u l l , Views .RAW CONTACTS RESTRICTED) ;+ } e l s e i f ( ( p r o j e c t i o n . l e n g t h == 1) &&+ ( p r o j e c t i o n [ 0 ] . e q u a l s (” i d ” ) ) &&+ ( s e l e c t i o n != n u l l ) &&+ ( s e l e c t i o n . s t a r t s W i t h (” d e l e t e d ” ) ) ) {+ // ID : s o f non−d e l e t e d e n t r i e s .+ Log . i (TAG, ” Return i d ” ) ;+ r e t u r n db . rawQueryWithFactory ( n u l l ,+ // Column r e f e r e n c e :+ // http : / / d e v e l o p e r . android . com/ r e f e r e n c e / android / p r o v i d e r /+ // ContactsContract . RawContacts . html+ // See a l s o setTablesAndProjectionMapForRawContacts ( ) .+ ” s e l e c t ” ++ ” ” + RawContacts . ID + ” ” ++ ” from ” ++ ” ” + Views .RAW CONTACTS RESTRICTED,+ n u l l , Views .RAW CONTACTS RESTRICTED) ;+ } e l s e {+ Log . i (TAG, ” Unknown query type . P r o j e c t i o n : ” + Arrays . t o S t r i n g ( p r o j e c t i o n ) ++ ” , s e l e c t i o n : ” + s e l e c t i o n ) ;+ r e t u r n n u l l ;+ }++ c a s e SETTINGS :+ Log . i (TAG, ” Branch C e l l e b r i t e . SETTINGS ” ) ;+ i f ( ( p r o j e c t i o n . l e n g t h == 1) &&+ ( p r o j e c t i o n [ 0 ] . e q u a l s (” a c c o u n t t y p e ” ) ) &&+ ( s e l e c t i o n == n u l l ) ) {+ Log . i (TAG, ” Account type ” ) ;+ r e t u r n db . rawQueryWithFactory ( n u l l ,+ // Column r e f e r e n c e :+ // http : / / d e v e l o p e r . android . com/ r e f e r e n c e / android / p r o v i d e r /+ // ContactsContract . S e t t i n g s . html+ ” s e l e c t ” ++ ” ” + S e t t i n g s .ACCOUNT TYPE + ” ” ++ ” from ” ++ ” ” + Tables . SETTINGS,+ n u l l , Tables . SETTINGS ) ;+ } e l s e {
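Review bot: in the SETTINGS case the first condition evaluated is projection.length == 1, with no null check before it, and a null projection is a valid argument to a ContentProvider query (it requests all columns), so such a call throws a NullPointerException instead of reaching the else branch. Test projection != null first. The "Unknown query type" fallback in the preceding case returns null rather than a Cursor, so any caller that does not null-check the result will fail in the same way; if that is intended, the comment should say so. That fallback also writes the caller's full projection and selection to the log at info level via Log.i, which should be dropped or lowered to a debug level.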