dissertation

Recommendations

Info

7.3 EncryptionStarting with version 3.0 (also known as “Honeycomb”), Android implementsfull-disk encryption using the Linux standard “dm-crypt” system [28]. SinceAndroid series 3 was only available for tablets [14], encryption functionalitywas not available for smartphones until the release of Android 4.0 (“Ice CreamSandwich”) in October of 2011 [70]. No academic publications of the forensicsconsequences of this encryption have been found.According to the documentation for the encryption feature [12], encryptionrequires a boot-time password and a screen lock password, which haveto be identical. This password would probably be simple, since it needs tobe entered frequently on a device not intended for quick, accurate input oflong strings of characters. Since it is entered frequently, it might also bevulnerable to touch-screen attacks such as fingerprint smudge recognition[45].Using encryption may increase the viability of anti-forensic applications.If an analyst knows they will need a password to boot the phone, they maybe forced to leave it running instead of turning it off in order to removecomponents for separate analysis (such as the SIM card). This would increasethe relevance of anti-forensics for SIM contacts and SMS messages.7.4 UnrootingCurrent systems for rooting Android phones are permanent, in that theyallow unrestricted root access after they have been installed. However, thereis no technical reason why this has to be so. Since forensic tools can takeadvantage of root access to make logical or physical copies of the phone’smemory, removing this access would force these tools to use the contentprovider interfaces, which can have anti-forensic modifications.After modifying the operating system not to grant root access automatically,this root access can be made more or less difficult to recover, dependingon the user’s needs. More difficulty makes the device more safe from forensicexamination, but harder for the user to modify further.57
The standard UNIX utility su allows a user to change their user ID, andthus gain root access. It is available in the user’s search path 3 by default inCyanogenMod. If moved outside the standard search path, or renamed, itwould still be available to a user who knows where to find it (or a sufficientlythorough forensic analyst), but unavailable to automatic tools which expectit to be in the default location.Removing the su application completely still leaves the alternate recoveryimage. Using this, a complete new operating system can be installed on thedevice. Whether any user data survives this operation depends on the exactinstallation process. For example, using ClockworkMod to upgrade fromCyanogenMod 7.1 to CyanogenMod 7.2 preserves all user data. For antiforensicspurposes, it would be recommended to modify the recovery imageto require wiping all data before installing a new operating system.For maximum protection against forensic examination, the recovery imageshould be reverted to the standard Android one. There would then be nointentional ways to gain root access, which would place a forensic investigatorin the same position as a hacker with a newly released phone, trying to getan alternative operating system installed. However, to cater to the enthusiastmarket, many phone manufacturers began to include supported ways ofunlocking the bootloader in 2011 [72]. This means that the investigator caneasily install their own recovery image and use that to install an operatingsystem granting root access with minimum alterations to the data alreadypresent on the device. The question would remain of how acceptable such aprocedure would be to a court, since it involves substantial modification ofthe device.7.5 SEAndroidStandard Android uses just the traditional UNIX discretionary access controlmechanism, which allows the superuser (root) to override any restrictions.When the phone is rooted, the user is allowed to install modified versions of3 A list of directories where the system automatically looks for programs when the usergives the name of a program to execute.58
Page 2:
AbstractIn forensic analysis of mob
Page 8 and 9:
Chapter 1IntroductionAccording to t
Page 10 and 11:
forensics tools Cellebrite and XRY
Page 12 and 13:
2.1.1 Data hidingFor PC anti-forens
Page 14 and 15: Detecting a USB connection suffers
Page 16 and 17: protected program can access it, as
Page 18 and 19: modifications at different times, t
Page 20 and 21: esponsible for handling security an
Page 22 and 23: contact lists registers that it pro
Page 24 and 25: Several projects have built upon th
Page 26 and 27: to return false data to the tools.
Page 28 and 29: 6. Connection to a forensic analysi
Page 30 and 31: To install it, then, requires the c
Page 32 and 33: Step 4 According to the documentati
Page 34 and 35: Chapter 5Implementation, testing an
Page 36 and 37: The two modules are raw contacts an
Page 38 and 39: 200-500 small writes in the time fr
Page 40 and 41: make the data impossible to spot in
Page 42 and 43: had time to isolate the phone befor
Page 44 and 45: abort the extraction and show the e
Page 46 and 47: (a) Extraction summary(b) Extractio
Page 48 and 49: Figure 5.11: Cellebrite extraction
Page 50 and 51: Figure 5.14: Contacts fed to Celleb
Page 52 and 53: (a) Cellebrite extraction report(b)
Page 54 and 55: (a) SIM contacts visible(b) SIM con
Page 56 and 57: Chapter 6ConclusionsThis dissertati
Page 58 and 59: Android is an open system, with spe
Page 60 and 61: • Hide SIM contacts from the fore
Page 62 and 63: that it is possible to use Java ref
Page 66 and 67: operating system components, but th
Page 68 and 69: Appendix BTool behaviourThe followi
Page 70 and 71: S e l e c t i o n : i d = 1 ANDmime
Page 72 and 73: Appendix CSource codeC.1 USBMonitor
Page 74 and 75: ∗/private S t r i n g e o l ;priv
Page 76 and 77: }}Bundle e x t r a s = i n t e n t
Page 78 and 79: index 3 bee54d . . 0 0 be75e 100644
Page 80 and 81: 73import android . p r o v i d e r
Page 82 and 83: + }+ r e t u r n n u l l ;+ }+@Over
Page 84 and 85: @@ −4349 ,6 +4384 ,7 @@ p u b l i
Page 86 and 87: c a s e POSTALS: {+ Log . i (TAG,
Page 88 and 89: qb . setProjectionMap ( sGroupsSumm
Page 90 and 91: c a s e RAW CONTACT ENTITIES: {+ Lo
Page 92 and 93: index f 2 b 6 f c e . . 1 eb2972 10
Page 94 and 95: 87++ // A t t r i b u t e s c o n s
Page 96 and 97: 89+ i n t s t r O f f = s t O f f +
Page 98 and 99: C.4 Delayed responsesThis is the co
Page 100 and 101: + p r i v a t e boolean c a l l e r
Page 102 and 103: 95index 00 be75e . . cb000e9 100644
Page 104 and 105: p r i v a t e boolean i n i t i a l
Page 106 and 107: 99+ // no d e l e t e d c o n t a c
Page 108 and 109: 101+ Log . i (TAG, ” Unknown quer
Page 110 and 111: 103+ // I n t e n t i o n a l l y r
Page 112 and 113: 105+ ” n u l l as ” + Structure
Page 114 and 115:
107+ ” ” + PhoneticNameStyle .U
Page 116 and 117:
C.6 False data from alternate datab
Page 118 and 119:
− p r i v a t e s t a t i c f i n
Page 120 and 121:
+import com . android . p r o v i d
Page 122 and 123:
Log . i (TAG, ” S e l e c t i o n
Page 124 and 125:
C.7 Delayed restorationThis is the
Page 126 and 127:
119+ Log . i (TAG, ” Faking ” +
Page 128 and 129:
121− // b e f o r e and a f t e r
Page 130 and 131:
C.8 Hiding SIM contactsThis is the
Page 132 and 133:
++ // This i s the CyanogenMod 7 .
Page 134 and 135:
ArrayList r e s u l t s ;− i f (
Page 136 and 137:
index c218592 . . a4dbaae 100644−
Page 138 and 139:
131+ /∗+ ∗ ( non−Javadoc )+
Page 140 and 141:
package com . android . p r o v i d
Page 142 and 143:
135++ /∗+ ∗ ( non−Javadoc )+
Page 144 and 145:
137+ Log . i (TAG, ” Running quer
Page 146 and 147:
Appendix EDeclaration of originalit
Page 148 and 149:
[8] Android development guides—Th
Page 150 and 151:
[34] Tarpit (networking). http://en
Page 152 and 153:
[53] ACPO e-crime working group. Go
Page 154 and 155:
[73] Android Open Source Project. L
Page 156:
[94] Randal Vaughn and Gadi Evron.
show all

dissertation

Create successful ePaper yourself

Delete template?

Save as template?