Android Forensics
From Belkasoft
Trying this free voucher from Belkasoft.
I tried to finish it WITHOUT using Belkasoft X, which kinda defeats the purpose (ikr). They still need one day to approve and allow someone to download the tool, and I was really eager to accomplish it. I guess I really am impatient. Classic me!
Preparation
- The course covers how to:
  - Acquire data from an Android phone.
  - Analyze the data gathered.
  - Familiarize yourself with the Android system files.
- Prerequisites:
  - Belkasoft X
  - Recommended hardware
Guidelines for Successful Forensic Analysis (tl;dr)
- Always make sure the evidence was legally obtained.
- Document every step, from acquisition to submission of the report.
- If the evidence (smartphone, computer, laptop, etc.) has to be booted, do it inside an isolated network so it cannot sync, receive a remote wipe or otherwise change state.
- Interact directly with the evidence as little as possible.
- Gather as much data as you can so you can choose the most appropriate way to analyze it.
- When experimenting with a new acquisition approach, start with the least invasive method. If something goes haywire, the data may still be salvageable.
- Use multiple tools to obtain the data the investigation might need.
- Check which applications are installed on the device under investigation and the level of support your tool offers for them. Always document the tool versions so the report remains valid with respect to the application support available at the time the evidence was examined.
- Obtain extractions from the external components of the mobile device as well: remove the UICC (SIM) card after the device extraction and acquire it separately with your tool of choice.
Difficulties in Android Forensics
- Encryption
- Custom ROMs
- Hardware (chipsets, etc.):
  - MediaTek-based (MTK)
  - Qualcomm-based
  - Spreadtrum-based
Standard Acquisition Methods
- Automated screen capturing
- File copy via Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP)
- SIM card acquisition
- ADB backup acquisition
- Agent-based acquisition (including SD card acquisition)
- Advanced ADB acquisition
- APK downgrade method
- Logical and physical acquisition of rooted Android devices
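The course lists ADB backup acquisition without saying what the resulting file looks like. As an added example (my code, not Belkasoft's and not part of the course), the block below builds a constructed, unencrypted `.ab` backup in memory and then parses it the way a tool would: the four-line text header (magic, version, compressed flag, encryption) followed by a zlib-compressed tar. The sample file names and contents are made up; on a real device the file comes from `adb backup -f device.ab -all -shared`, which needs the screen unlocked and the user confirming the on-screen prompt, and apps that set `android:allowBackup="false"` are simply absent from it.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def make_sample_ab(files, compress=True):
    """Build an unencrypted .ab in memory from a {path: bytes} dict (constructed sample, not a device backup)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = tar_buf.getvalue()
    if compress:
        payload = zlib.compress(payload)
    # Header: magic, format version, "1" if zlib-compressed, encryption ("none" or "AES-256")
    header = AB_MAGIC + b"\n5\n" + (b"1" if compress else b"0") + b"\nnone\n"
    return header + payload


def parse_ab_header(blob):
    """Split the 4-line text header from the payload and decode its fields."""
    parts = blob.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    header = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
    }
    return header, parts[4]


def ab_to_tar(blob):
    """Return the raw tar stream; password-encrypted backups are refused rather than guessed at."""
    header, payload = parse_ab_header(blob)
    if header["encryption"] != "none":
        raise ValueError(f"encrypted backup ({header['encryption']}): the user's backup password is required")
    return zlib.decompress(payload) if header["compressed"] else payload


def list_ab(blob):
    """Map every regular file in the backup to its bytes ('apps/<pkg>/...' and 'shared/<user>/...' paths)."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob)), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def demo():
    """Constructed sample: one app's shared_prefs file and one file from shared storage."""
    sample = make_sample_ab({
        "apps/com.example.notes/sp/com.example.notes_preferences.xml": b"<map><string name='user'>alice</string></map>",
        "shared/0/Download/note.txt": b"meeting at 10\n",
    })
    header, _ = parse_ab_header(sample)
    return header, list_ab(sample)


if __name__ == "__main__":
    hdr, files = demo()
    print(hdr)
    for name, data in files.items():
        print(f"{name}: {len(data)} bytes")
```

Treat the tar stream as evidence like any other container: hash the `.ab` before touching it and work from the decompressed copy.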
Android System Artifacts and Device Properties
Interesting bits when investigating

| Artifact | Location |
|---|---|
| Device properties (secure settings such as android_id) | ..\data\system\users\%USERNUMBER%\settings_secure.xml |
| OS version, build codename, build version | ..\data\system\usagestats\%USERNUMBER%\version |
| IMEI | ..\data\system\usagestats\%USERNUMBER%\version |
| SIM card details: display name, ICCID, IMSI, country | ..\data\user_de\%USERNUMBER%\com.android.providers.telephony\databases\telephony.db |
| Factory reset time (UTC) | ..\data\misc\bootstat\factory_reset |
| Last boot time (UTC) | ..\data\misc\bootstat\last_boot_time_utc |
| External connections: hosts authorized for Android Debug Bridge (ADB) | ..\data\misc\adb\adb_keys |
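To show how a few of the entries above are actually read out of an extraction, here is an added example of mine (not code from the course or from Belkasoft X). It builds a constructed stand-in for a `/data` extraction in a temporary directory and parses it: the bootstat timestamps, the authorized ADB keys, `android_id` from `settings_secure.xml`, and SIM rows from `telephony.db`. Assumptions: `%USERNUMBER%` is 0, the `siminfo` columns are a subset of the real schema, every value is made up, and bootstat files are read as decimal epoch seconds with the file mtime as a fallback.

```python
import datetime as dt
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

USER = "0"  # %USERNUMBER% of the primary Android user (assumed)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_extraction(root):
    """Populate `root` with constructed stand-ins for the artifacts; none of this is real device data."""
    _write(os.path.join(root, "data/misc/bootstat/last_boot_time_utc"), "1700000000")
    _write(os.path.join(root, "data/misc/bootstat/factory_reset"), "1690000000")
    # adb_keys: one public key per line, base64 blob followed by a "user@host" comment (blob is fake)
    _write(os.path.join(root, "data/misc/adb/adb_keys"), "QAAAAKZmYWtla2V5YmxvYg== analyst@forensics-ws\n")
    _write(os.path.join(root, f"data/system/users/{USER}/settings_secure.xml"),
           '<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n'
           '<settings version="-1">\n'
           '  <setting id="3" name="android_id" value="9774d56d682e549c" package="android" />\n'
           '  <setting id="9" name="bluetooth_name" value="Sample-Phone" package="android" />\n'
           '</settings>\n')
    db = os.path.join(root, f"data/user_de/{USER}/com.android.providers.telephony/databases/telephony.db")
    os.makedirs(os.path.dirname(db), exist_ok=True)
    con = sqlite3.connect(db)
    # Subset of the real siminfo columns, enough to illustrate the query
    con.execute("CREATE TABLE siminfo (_id INTEGER PRIMARY KEY, icc_id TEXT, display_name TEXT, "
                "number TEXT, mcc INTEGER, mnc INTEGER)")
    con.execute("INSERT INTO siminfo VALUES (1, '8944110068000000000', 'Sample Carrier', '+15555550100', 310, 260)")
    con.commit()
    con.close()


def parse_bootstat(path):
    """bootstat stores an event as decimal epoch seconds in the file body; fall back to the mtime if the body is empty."""
    with open(path, encoding="ascii") as f:
        raw = f.read().strip()
    seconds = int(raw) if raw.isdigit() else int(os.stat(path).st_mtime)
    return dt.datetime.fromtimestamp(seconds, dt.timezone.utc)


def parse_adb_keys(path):
    """Each line is '<base64 pubkey> <user@host>'; the comment identifies the workstation that was authorized."""
    entries = []
    with open(path, encoding="ascii") as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            blob, _, comment = line.partition(" ")
            entries.append({"key": blob, "owner": comment or None})
    return entries


def parse_settings_secure(path):
    """settings_secure.xml is a flat list of <setting name=... value=.../> elements."""
    return {s.get("name"): s.get("value") for s in ET.parse(path).getroot().iter("setting")}


def parse_siminfo(path):
    """Open the evidence copy read-only so the parser can never modify it."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        return [dict(r) for r in con.execute("SELECT icc_id, display_name, number, mcc, mnc FROM siminfo")]
    finally:
        con.close()


def summarize(root, user=USER):
    """Collect the device-property artifacts from an extraction rooted at `root`."""
    bootstat = os.path.join(root, "data/misc/bootstat")
    secure = parse_settings_secure(os.path.join(root, f"data/system/users/{user}/settings_secure.xml"))
    return {
        "last_boot_utc": parse_bootstat(os.path.join(bootstat, "last_boot_time_utc")).isoformat(),
        "factory_reset_utc": parse_bootstat(os.path.join(bootstat, "factory_reset")).isoformat(),
        "adb_authorized_hosts": [e["owner"] for e in parse_adb_keys(os.path.join(root, "data/misc/adb/adb_keys"))],
        "android_id": secure.get("android_id"),
        "sims": parse_siminfo(os.path.join(root, f"data/user_de/{user}/com.android.providers.telephony/databases/telephony.db")),
    }


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_extraction(root)
        return summarize(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The `adb_keys` comment is the one line in that list worth reading first: a key from an unknown workstation means someone other than the owner has had authorized ADB access to the handset.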
User accounts
Some account artifacts and where they are located

Mobile device account details

| Artifact | Location |
|---|---|
| Type of account, account description, password, authentication type | ..\data\system_ce\%USERNUMBER%\accounts_ce.db |
| Last logon | ..\data\system_de\%USERNUMBER%\accounts_de.db |
Application usage statistics

| Artifact | Location |
|---|---|
| Hardware and software usage statistics | ..\data\user\%USERNUMBER%\com.google.android.apps.turbo\shared_prefs\app_usage_stats.xml |
Application usage events

| Artifact | Location |
|---|---|
| Usage statistics for the device and time spent in various apps (Digital Wellbeing) | ..\data\data\com.google.android.apps.wellbeing\databases\app_usage |
Application installations and updates

| Artifact | Location |
|---|---|
| Installation and update history per app | ..\data\data\com.android.vending\databases\frosting.db |
Google Play Store

| Artifact | Location |
|---|---|
| Search queries | ..\data\data\com.android.vending\databases\suggestions.db |
Analysis of various messaging apps in Android
Things to look for when investigating messaging apps

WhatsApp

| Location | File | Contents |
|---|---|---|
| ..\data\data\com.whatsapp\databases | msgstore.db | Calls, message texts and related details |
| ..\data\data\com.whatsapp\databases | wa.db | Names of contacts, group chats, channel names, etc. |
| ..\data\data\com.whatsapp\databases | companion_devices.db | Devices linked to the account |
| ..\data\data\com.whatsapp\shared_prefs | com.whatsapp_preferences_light.xml | Account settings and timestamps of various application events |
| ..\data\data\com.whatsapp\files | | Backup encryption key material |
| ..\Android\media\com.whatsapp\WhatsApp\Media | | Media files |
Telegram
- Telegram ID
- Contacts
- Message exchanges
- Voice calls
Viber
- /data/data/com.viber.voip/
  - /files/preferences/
    - Activated_sim_serial
    - Display_name
    - reg_viber_phone_num
  - /databases/
    - viber_data
    - viber_messages
- /sdcard/viber/media/
  - /User Photos/
  - /Viber Images/
  - /Viber Videos/
Social Media
Analyzing artifacts related to Instagram (IG)

| Location | Subdirectory | Contents |
|---|---|---|
| /data/data/com.instagram.android | shared_prefs | User account information and contact list |
| /data/data/com.instagram.android | media | Posts, uploaded photos |
| /data/data/com.instagram.android | files | Stories, sent messages containing videos and voice notes |
| /data/data/com.instagram.android | databases | Video/voice calls, direct messages, and received messages containing photos, videos and voice notes (direct.db) |
| /data/data/com.instagram.android | cache | Sent messages containing photos |

Note: Instagram activity such as likes and comments is not stored on the device.
Guess I really need the tool.