Android Phone Forensic Analysis – Unleash Hidden Evidence

2024-02-28 10:20

This article introduces Android Phone Forensic Analysis – Unleash Hidden Evidence, in the hope that it offers some reference to developers solving such problems; interested developers, read on with the editor.

Reposted from: http://www.dataforensics.org/android-phone-forensics-analysis/

ANDROID FILE SYSTEMS

There is no single file system defined for Android. Android is built on the Linux kernel, and Linux supports many file systems, each implemented beneath the VFS (Virtual File System), the kernel abstraction layer through which an application’s file and directory operations flow. Each file system is a separate kernel module, so adding a file system means adding a kernel module, and the kernel configuration decides which of them are compiled in. The set of file systems an Android device supports therefore varies from model to model; on a given device, /proc/filesystems lists the ones its kernel actually knows.
The file systems found on Android phones can be classified as flash memory file systems and media-based file systems. Let’s proceed with Android Phone Forensics:

FLASH MEMORY ANDROID FILE SYSTEMS:

  1. YAFFS2 (Yet Another Flash File System V2)
    The default AOSP (Android Open Source Project) flash file system up to kernel version 2.6.32. It is not in newer mainline kernels, but some vendors keep it in their kernel trees for raw NAND devices.
  2. JFFS2 (Journalling Flash File System V2)
    A log-structured file system for raw NAND/NOR flash that is still available in AOSP kernels. From Ice Cream Sandwich onward the internal storage of most handsets is eMMC formatted as ext4, so JFFS2 (like YAFFS2) is mostly encountered on older or embedded devices rather than current phones.
  3. F2FS (Flash-Friendly File System)
    An open-source Linux file system introduced by Samsung and designed around the characteristics of NAND-based storage; a number of recent devices use it for the data partition.
  4. exFAT (extended File Allocation Table)
    Microsoft’s proprietary file system for flash media such as large SD cards. At the time of the original article it was not part of the mainline Linux kernel for licensing reasons and vendors shipped out-of-tree or proprietary drivers; mainline Linux gained an exFAT driver in version 5.7.

MEDIA-BASED ANDROID FILE SYSTEMS:

  1. EXT2 / EXT3 / EXT4 (Extended File System)
    The standard Linux file systems. ext4 is the usual choice for the internal memory partitions (system, data, cache) of eMMC-based devices, in place of YAFFS2 and JFFS2.
  2. MSDOS
    The FAT12, FAT16 and FAT32 file systems.
  3. VFAT
    Not actually a separate file system but the long-file-name extension to FAT12, FAT16 and FAT32; it is what most removable SD cards are formatted with.

ROOTING ANDROID DEVICE

Rooting is the process of obtaining privileged (root, UID 0) control of an Android device. It removes the limits the manufacturer places on the device: with a rooted phone we can run apps that need system-level access and flash custom ROMs that add features. Rooting is done either through ADB (Android Debug Bridge) from a command prompt on the examiner’s PC or with special rooting applications. On an unrooted device the system files and the application database files cannot be read, not because they are encrypted but because each app’s private directory under /data/data is owned by that app’s own Linux UID and is unreadable to the unprivileged shell user that adb shell runs as (SELinux adds further restrictions on newer versions). So analysis of Android system and application files in place is possible only on a rooted device. From a forensic standpoint, rooting writes to the device, and unlocking the bootloader wipes the data partition on most models, so document the method used and prefer a less invasive acquisition (a custom recovery image, an adb backup, or a physical image) where the case allows.

ANDROID FILE SYSTEM STRUCTURE: PARTITIONS

Android uses more than one file system and several partitions to organize the files and folders on the device. Each partition is a block device that is mounted at a directory, so in the file system tree a partition appears as a directory (the system partition at /system, for example). Six partitions are common to all Android devices: boot, system, recovery, data, cache and misc. Each of these has its own role. Other partitions such as sdcard and sd-ext differ from model to model.

The partitions present on a device, with their total, used and free sizes, can be listed from an adb shell with the df and mount commands; the original article showed this output as a screenshot.

  1. /boot
    The boot partition, holding the Android kernel and the ramdisk (initial root file system). The device cannot boot without it; if it is wiped, a ROM that includes a boot image must be flashed before the device will boot again.
  2. /system
    Contains the entire OS, including the Android GUI and the pre-installed system applications. Recovery and bootloader mode can still be entered even if this partition is wiped.
  3. /recovery
    Holds a second, minimal boot image. The device can be booted into it to get a recovery console, which is used for backups, updates and factory resets. A custom recovery is also the usual way to obtain a raw image of the data partition without rooting the installed system.
  4. /data
    Stores user data: SMS, contacts, settings and all data belonging to installed applications (each app’s private files under /data/data/<package>). A factory reset wipes this partition; on encrypted devices the encryption key is destroyed as well, so the wiped data is not recoverable afterwards.
  5. /cache
    Stores frequently accessed application and data components (and, on many versions, a pending OTA update package). Even if it is wiped, it is rebuilt automatically as the device is used.
  6. /misc
    Contains miscellaneous low-level settings: hardware settings, USB configuration and the bootloader control block through which the system tells the bootloader to enter recovery. If it is wiped, the device’s features will not function normally.
  7. /sdcard
    Not the internal memory but the SD card, used to store any type of user data: media, documents, ROM files. Depending on the device it is a physical removable card or an internal card; on most devices since Honeycomb /sdcard is emulated storage that actually lives on the data partition.
  8. /sd-ext
    Not a standard Android partition; it is used by custom ROMs. It is an additional partition on the SD card that acts as a data partition in custom ROMs with features like app2sd, to gain extra storage for installing apps.

ANDROID LOGS : File Location & Related Artifact Forensic Analysis

On older Android versions the system logger is a set of kernel ring buffers exposed under /dev/log (main, system, radio and events); since Android 5.0 the logd daemon keeps these buffers in memory. In both cases the logs are volatile: they are not written to disk and are lost on reboot, so capture them before the device is powered off. The logs can be read with the logcat command from a terminal on the device, or through ADB from the examiner’s PC and redirected into a text file. The command to export the logs to the PC using adb.exe (the -v time option prefixes each line with a date and time; add -d to dump the buffer and exit rather than streaming until interrupted):

adb logcat -v time > E:\log.txt

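An exported log in the -v time format is a flat text file, and the first thing an examiner wants is to turn it into a timeline that can be filtered by tag, priority and process. The parser below is an added example, not code from the original article: it understands the -v time line layout (date, time, priority letter, tag, PID, message), skips buffer headers and foreign lines rather than guessing at them, and pulls the ActivityManager "Start proc" lines into a process-start timeline. The sample log is constructed for the example, and com.example.unknownapp is a placeholder package name.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "adb logcat -v time" line layout:  MM-DD HH:MM:SS.mmm P/Tag(  PID): message
# P is one of V D I W E F (verbose .. fatal); the PID is right-aligned inside the parentheses.
LOGCAT_TIME_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<prio>[VDIWEF])/(?P<tag>[^(]*)\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)
PRIORITY_ORDER = "VDIWEF"


@dataclass
class LogEntry:
    timestamp: str   # month-day and time only: -v time carries no year, take it from the device clock
    priority: str
    tag: str
    pid: int
    message: str


def parse_logcat(lines: Iterable[str]) -> List[LogEntry]:
    """Parse an exported logcat file; buffer headers and foreign lines are skipped, not guessed at."""
    entries = []
    for raw in lines:
        m = LOGCAT_TIME_RE.match(raw.rstrip("\r\n"))
        if m:
            entries.append(LogEntry(m["ts"], m["prio"], m["tag"].strip(), int(m["pid"]), m["msg"]))
    return entries


def select(entries: List[LogEntry], tag: Optional[str] = None, min_priority: str = "V") -> List[LogEntry]:
    """Filter by tag and by minimum priority, the way a 'logcat Tag:W *:S' filter spec would."""
    threshold = PRIORITY_ORDER.index(min_priority)
    return [e for e in entries
            if (tag is None or e.tag == tag) and PRIORITY_ORDER.index(e.priority) >= threshold]


def processes_started(entries: List[LogEntry]) -> List[tuple]:
    """ActivityManager 'Start proc <pid>:<package>/...' lines give a (time, pid, package) timeline."""
    out = []
    for e in select(entries, tag="ActivityManager"):
        m = re.match(r"Start proc (\d+):([\w.]+)/", e.message)
        if m:
            out.append((e.timestamp, int(m.group(1)), m.group(2)))
    return out


# Constructed sample export (not a real device log); package names are placeholders.
SAMPLE_LOG = """\
--------- beginning of main
02-28 10:20:01.123 I/ActivityManager(  512): Start proc 3011:com.whatsapp/u0a84 for broadcast com.whatsapp/.AlarmBroadcastReceiver
02-28 10:20:02.004 D/PackageManager(  512): Package com.example.unknownapp codePath changed from /data/app/com.example.unknownapp-1 to /data/app/com.example.unknownapp-2
02-28 10:20:02.500 I/wpa_supplicant( 1190): wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed
02-28 10:20:03.117 E/AndroidRuntime( 3011): FATAL EXCEPTION: main
02-28 10:20:04.000 I/ActivityManager(  512): Start proc 3042:com.example.unknownapp/u0a99 for activity com.example.unknownapp/.MainActivity
this line is not in logcat format and is ignored
"""

if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOG.splitlines())
    for e in select(entries, min_priority="W"):
        print(e.timestamp, e.priority, e.tag, e.pid, e.message)
    print(processes_started(entries))
```

Run it against the file produced by the adb command above (open the file and pass its lines to parse_logcat). Because -v time omits the year and logcat timestamps come from the device clock, record the device time against a trusted reference at acquisition so the timeline can be corrected later.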

ANDROID COMMON APPLICATION ANALYSIS

A few of the most commonly used Android applications are selected here for analysis:

  1. Google Chrome
  2. Whatsapp
  3. Android Contacts
  4. Telephony
  5. Bluetooth
  6. WiFi

GOOGLE CHROME

Location: /data/data/com.android.chrome/app_chrome/Default (the original article writes these paths with backslashes and without the leading /data/data; on the device they are Linux paths under /data/data/<package>)


DB FILE: COOKIES

  1. Table: cookies – Contains the browser cookies (host_key, name, value, path and expires_utc columns)

DB FILE: HISTORY

  1. Table: keyword_search_terms – Contains the search terms typed into the omnibox, each linked (url_id) to the urls row of the results page
  2. Table: urls – Contains the URLs of visited pages with their title, visit_count and last_visit_time. Chrome stores its times as microseconds since 1601-01-01 UTC, not as Unix time, so convert before reading them as dates.

DB FILE: TOP SITES

  1. Table: thumbnails – Contains the URLs (and titles) of the most-visited sites shown on the new-tab page

WHATSAPP

Location: /data/data/com.whatsapp/databases

DB FILE: AXOLOTL.DB

  1. Table: identities – The identity-key store of WhatsApp’s end-to-end encryption (the Signal protocol, formerly called Axolotl): one row per contact (identified by phone number) with whom an encrypted session has been set up, which in practice lists the peers the user has exchanged messages with. The key material in this database is sensitive and should be handled like any other credential.

DB FILE: MSGSTORE.DB

  1. Table: messages – Contains all messages (both group and individual)
    • The status column gives the delivery state of the message (for a group message the sent states apply once at least one member satisfies them):
      1. 0 – received message
      2. 13 – sent message seen (blue ticks)
      3. 5 – sent message delivered but unseen (double tick, not blue)
      4. 4 – sent message accepted by the WhatsApp server but not yet delivered to the recipient’s app (single tick)
      5. 6 – sent/received call (the key_from_me column says whether the call was sent or received)
    • key_from_me column has values 0 or 1:
      • Value 0 – Not from me (the contact’s message)
      • Value 1 – From me (the current WhatsApp user)
    • recipient_count has two kinds of values: 0 for an individual chat, or the member count of the group for a group message
    • read_device_timestamp is empty if the message has not been seen by everyone in the group
    • media_name holds the file name of sent media, as stored in the WhatsApp folder on the sdcard
    • media_caption holds the caption given to the media when it was sent
    • media_url gives the location of the media on the WhatsApp server
    • key_remote_jid identifies the chat: <number>@s.whatsapp.net for a contact, <creator number>-<creation time>@g.us for a group; timestamp is Unix time in milliseconds
  2. Table: chat_list – Contains all contacts (subject column empty) and groups (subject column populated) with which a chat has taken place (sent or received).
    • For groups the creation column gives the creation date
    • message_table_id maps to the docid column of the messages_fts_content table (the full-text index over all messages) and identifies the last message sent or received in the chat.
  3. Table: group_participants – Contains the participants of each group
    • gjid column contains the group id
    • jid column contains the participant’s id (the creator’s own row leaves this field empty)
    • admin column has values 0 or 1:
      • Value 0 – member
      • Value 1 – admin
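Reading msgstore.db by hand means decoding status, key_from_me and recipient_count for every row, so here is an added example (not code from the original article) that applies the status mapping documented above to a chat and lists the chats in chat_list with their kind and last message. It builds a constructed, minimal msgstore.db-shaped SQLite database in memory with only the columns it reads; the JIDs, numbers and messages in it are placeholders. Two things are assumptions rather than facts from the article: timestamps are treated as Unix milliseconds, and chat_list.message_table_id is joined directly to messages._id (verify both on the real database).

```python
import sqlite3
from datetime import datetime, timezone

# messages.status values as documented above. Other values occur, and the mapping has changed
# between WhatsApp versions, so anything unknown is reported as unknown rather than guessed.
STATUS_LABELS = {
    0: "received",
    4: "sent to server (single tick)",
    5: "delivered, not read (double tick)",
    13: "read (blue ticks)",
}


def describe_status(status, key_from_me):
    """Human-readable message state from (status, key_from_me)."""
    if status == 6:                       # calls: the direction comes from key_from_me
        return "outgoing call" if key_from_me else "incoming call"
    return STATUS_LABELS.get(status, f"unknown status {status}")


def wa_time(ms):
    # Assumption: msgstore.db stores timestamps as Unix epoch milliseconds.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def is_group(jid):
    # Group JIDs end in @g.us; individual chats use <number>@s.whatsapp.net.
    return jid.endswith("@g.us")


def load_sample_db():
    """Constructed, minimal msgstore.db-shaped database (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE chat_list (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, subject TEXT,
                                creation INTEGER, message_table_id INTEGER);
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,
                               status INTEGER, data TEXT, timestamp INTEGER, recipient_count INTEGER,
                               media_name TEXT, media_caption TEXT, media_url TEXT);
        INSERT INTO chat_list VALUES (1, '15551230002@s.whatsapp.net', NULL, NULL, 4);
        INSERT INTO chat_list VALUES (2, '15551230002-1393578000@g.us', 'Weekend plans', 1393578000000, 5);
        INSERT INTO messages VALUES (1, '15551230002@s.whatsapp.net', 0, 0, 'are you around?',
                                     1393582800000, 0, NULL, NULL, NULL);
        INSERT INTO messages VALUES (2, '15551230002@s.whatsapp.net', 1, 13, 'yes, call me',
                                     1393582860000, 0, NULL, NULL, NULL);
        INSERT INTO messages VALUES (3, '15551230002@s.whatsapp.net', 1, 6, NULL,
                                     1393582900000, 0, NULL, NULL, NULL);
        INSERT INTO messages VALUES (4, '15551230002@s.whatsapp.net', 1, 4, 'sending the photo now',
                                     1393583000000, 0, NULL, NULL, NULL);
        INSERT INTO messages VALUES (5, '15551230002-1393578000@g.us', 1, 5, NULL,
                                     1393583100000, 3, 'IMG-20140228-WA0001.jpg', 'beach',
                                     'https://media.example.invalid/f/1');
    """)
    return conn


def chat_timeline(conn, jid):
    """Messages of one chat in time order, with direction and delivery state decoded."""
    rows = conn.execute(
        "SELECT key_from_me, status, data, timestamp, recipient_count, media_name, media_caption "
        "FROM messages WHERE key_remote_jid = ? ORDER BY timestamp", (jid,)).fetchall()
    timeline = []
    for from_me, status, data, ts, rcount, media_name, caption in rows:
        text = data if data is not None else f"[media {media_name}] {caption or ''}".strip()
        timeline.append({"time": wa_time(ts), "direction": "out" if from_me else "in",
                         "state": describe_status(status, from_me), "text": text,
                         "group_size": rcount})
    return timeline


def chats(conn):
    """Every chat with its kind, subject and last message.
    Assumption (true of the constructed data; verify on a real database): message_table_id == messages._id."""
    rows = conn.execute(
        "SELECT c.key_remote_jid, c.subject, c.creation, m.data, m.timestamp FROM chat_list c "
        "LEFT JOIN messages m ON m._id = c.message_table_id ORDER BY c._id").fetchall()
    return [{"jid": jid, "kind": "group" if is_group(jid) else "contact", "subject": subject,
             "created": wa_time(creation) if creation else None,
             "last_text": data, "last_time": wa_time(ts) if ts else None}
            for jid, subject, creation, data, ts in rows]


if __name__ == "__main__":
    db = load_sample_db()
    for c in chats(db):
        print(c)
        for m in chat_timeline(db, c["jid"]):
            print("   ", m)
```

To use it on an acquired database, replace load_sample_db() with sqlite3.connect() on a read-only copy of msgstore.db. Work on a copy (and copy the -wal and -shm files alongside it if present), because opening the live file can trigger a checkpoint and modify it.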

DB FILE: WA.DB

  1. Table: wa_contacts – Contains each contact’s name, display name, phone number and status text
    WhatsApp stores profile pictures in /data/data/com.whatsapp/files/Avatars with the extension .j. Renaming them to .jpg makes the images viewable. The files are named after the phone number (JID) of the contact.

CONTACTS
Location: /data/data/com.android.providers.contacts/databases


DB FILE: CONTACTS2.DB

  1. Table: data – Contains the individual data rows of each contact (phone numbers, names, e-mail addresses); the mimetype_id column says what kind of row each one is, via the mimetypes table.
  2. Table: sync_state – Contains which accounts have been synced with the phone.
  3. Table: calls – Contains the full call log. On newer builds the calls table has moved out of contacts2.db into calllog.db in the same directory, so check both.

    • The column ‘duration’ stores the duration of the call in seconds.
    • ‘type’ column:
      • 1 for incoming call
      • 2 for outgoing call
      • 2 with ‘duration’=0 for an outgoing call that was not answered
      • 3 for incoming missed call
      • Later AOSP releases add 4 (voicemail), 5 (rejected) and 6 (blocked).
  4. Table: contacts – Contains the details of the contacts stored in the phone and on the SIM.

    • times_contacted indicates how many times that contact was called or messaged, and last_time_contacted is the timestamp (Unix milliseconds) of the most recent contact.
    • has_phone_number is 1 if a phone number was provided when the contact was saved, otherwise 0.
    • photo_file_id identifies the photo assigned to the contact. The photo with that file name can be found under com.android.providers.contacts/files/photos, and the file details are in the table photo_files.
    • custom_ringtone holds the URI of the ringtone for the contact, if one is assigned.
    • indicate_phone_or_sim_contact (a vendor-specific column, not part of AOSP) is -1 if the contact is saved in phone memory and 1 if it is saved on the SIM.
  5. Table: raw_contacts – Contains a person’s data coming from a single account type and account name.
    1. The column deleted is 0 for live contacts and 1 for deleted contacts. Deleted rows stay in the table until the account’s sync adapter purges them, so recently deleted contacts are often recoverable from the database without carving.
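The two things worth scripting in contacts2.db are the call-type decoding above (including the outgoing-with-zero-duration case) and the deleted flag on raw_contacts, which lets a number in the call log be attributed to a contact the user has since removed. The block below is an added example, not code from the original article: it builds a constructed contacts2.db-shaped database in memory with only the tables and columns it reads (names and numbers are placeholders), decodes the call log, resolves numbers against the data/raw_contacts tables without excluding deleted rows, and lists the deleted contacts. It assumes numbers match exactly as stored; a real examination should normalise them first.

```python
import sqlite3
from datetime import datetime, timezone

# CallLog.Calls type constants from AOSP: the text above documents 1..3; 4..6 exist on later releases.
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed", 4: "voicemail", 5: "rejected", 6: "blocked"}
PHONE_MIMETYPE = "vnd.android.cursor.item/phone_v2"


def classify_call(call_type, duration):
    """Decode calls.type, treating an outgoing call with zero duration as unanswered."""
    if call_type == 2 and duration == 0:
        return "outgoing, unanswered"
    return CALL_TYPES.get(call_type, f"type {call_type}")


def ms_to_iso(ms):
    # calls.date is Unix epoch milliseconds.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def load_sample_db():
    """Constructed contacts2.db-shaped database with just the tables and columns read below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, date INTEGER, duration INTEGER, type INTEGER);
        INSERT INTO calls VALUES (1, '+15551230001', 1393582800000, 95, 1);
        INSERT INTO calls VALUES (2, '+15551230002', 1393583000000, 0, 2);
        INSERT INTO calls VALUES (3, '+15551230003', 1393583200000, 0, 3);
        INSERT INTO calls VALUES (4, '+15551230002', 1393583400000, 42, 2);
        INSERT INTO calls VALUES (5, '+15551230001', 1393583600000, 0, 5);
        CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY, mimetype TEXT);
        INSERT INTO mimetypes VALUES (1, 'vnd.android.cursor.item/name');
        INSERT INTO mimetypes VALUES (2, 'vnd.android.cursor.item/phone_v2');
        CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, display_name TEXT, deleted INTEGER,
                                   times_contacted INTEGER, last_time_contacted INTEGER);
        INSERT INTO raw_contacts VALUES (10, 'Alice Example', 0, 7, 1393582800000);
        INSERT INTO raw_contacts VALUES (11, 'Bob Example', 1, 2, 1393583400000);
        CREATE TABLE data (_id INTEGER PRIMARY KEY, raw_contact_id INTEGER, mimetype_id INTEGER, data1 TEXT);
        INSERT INTO data VALUES (1, 10, 1, 'Alice Example');
        INSERT INTO data VALUES (2, 10, 2, '+15551230001');
        INSERT INTO data VALUES (3, 11, 1, 'Bob Example');
        INSERT INTO data VALUES (4, 11, 2, '+15551230002');
    """)
    return conn


def call_log(conn):
    """Call log in time order: type decoded, number resolved against contact data.
    Deleted raw_contacts rows are included on purpose (they remain until the sync adapter purges
    them), so a number can still be attributed to a contact the user has removed."""
    rows = conn.execute("""
        SELECT c.number, c.date, c.duration, c.type, r.display_name, r.deleted
        FROM calls c
        LEFT JOIN data d ON d.data1 = c.number
             AND d.mimetype_id = (SELECT _id FROM mimetypes WHERE mimetype = ?)
        LEFT JOIN raw_contacts r ON r._id = d.raw_contact_id
        ORDER BY c.date""", (PHONE_MIMETYPE,)).fetchall()
    log = []
    for number, date, duration, ctype, name, deleted in rows:
        contact = None if name is None else (name + " (deleted)" if deleted else name)
        log.append({"time": ms_to_iso(date), "number": number, "kind": classify_call(ctype, duration),
                    "duration_s": duration, "contact": contact})
    return log


def deleted_contacts(conn):
    """(name, phone number) of every raw contact flagged deleted = 1."""
    return conn.execute("""
        SELECT r.display_name, d.data1 FROM raw_contacts r
        JOIN data d ON d.raw_contact_id = r._id
        JOIN mimetypes m ON m._id = d.mimetype_id AND m.mimetype = ?
        WHERE r.deleted = 1 ORDER BY r._id""", (PHONE_MIMETYPE,)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for entry in call_log(db):
        print(entry)
    print("deleted:", deleted_contacts(db))
```

On a real acquisition point sqlite3.connect() at a read-only copy of contacts2.db (or calllog.db for the calls table on newer builds) and keep the -wal/-shm files with it.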

TELEPHONY

Location: /data/data/com.android.providers.telephony/databases

DB FILE: TELEPHONY.DB

  1. Table: siminfo – Contains the SIM cards that have been inserted into the phone

DB FILE: MMSSMS.DB

  1. Table: siminfo – Contains service provider, messages, phone numbers and roaming status
  2. Table: accounts – Contains the accounts that have been created on the phone: local phone account, SIM account, Google, WhatsApp, Viber etc.
  3. Table: canonical_addresses – Contains every number with which SMS/MMS contact took place; sms rows reach it through thread_id and the threads table
  4. Table: sms – Contains the phone number (address), timestamp (date, Unix milliseconds), message body, service center etc. The type column gives the folder: 1 inbox, 2 sent, 3 draft, 4 outbox, 5 failed, 6 queued.

BLUETOOTH

Location: /data/data/com.android.bluetooth/databases


DB FILE: SHARE.DB

  1. Table: btopp – Contains information about Bluetooth OPP (Object Push Profile) file transfers
    • Column uri shows the URI of the transferred file
    • Column hint shows the name of the file transferred
    • Column _data shows where a received file was stored
    • Column direction says whether the file was sent or received, with two values:
      • Value 0 – Sent (outbound)
      • Value 1 – Received (inbound)
    • Column destination shows the MAC address of the remote Bluetooth device
    • Column timestamp is the time of the transfer (Unix milliseconds) and status the OPP result code, 200 for a completed transfer

WIFI

Location: /data/misc/wifi

FILE NAME: WPA_SUPPLICANT.CONF

The original article lists dynamic_auto_pairing.conf under /data/misc/bluetooth here, but that file belongs to the Bluetooth stack (auto-pairing rules), not to Wi-Fi. The Wi-Fi artefact with the contents described below is /data/misc/wifi/wpa_supplicant.conf, the wpa_supplicant configuration the framework writes on Android 7.1 and earlier. It contains some global settings for the phone and one network={ ... } block for every saved Wi-Fi network, with:

1. SSID name (quoted, or hex-encoded if it contains non-printable characters)
2. PSK in plain text (or as a 64-hex-digit derived key, which still allows joining the network)
3. Connection/encryption type (key_mgmt: WPA-PSK, WPA-EAP, or NONE for open networks)
4. Connection priority

The file is readable only by root, so it is accessible only on a rooted device or from a physical image. From Android 8.0 the framework keeps the saved networks, pre-shared keys included, in /data/misc/wifi/WifiConfigStore.xml instead.
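Extracting the saved networks from wpa_supplicant.conf means handling the three forms the file takes: quoted strings, hex-encoded SSIDs for names that are not printable, and a PSK that is either a quoted passphrase or an unquoted 64-hex-digit derived key. The parser below is an added example, not code from the original article or from wpa_supplicant itself; the sample configuration is constructed and its network names and keys are placeholders.

```python
import re

NETWORK_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def decode_string(value):
    """wpa_supplicant writes string fields quoted ("HomeNet") or, for non-printable SSIDs, as raw hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.fullmatch(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_wpa_supplicant(text):
    """Return one dict per network={...} block, highest priority first."""
    networks = []
    for body in NETWORK_BLOCK_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
        psk = fields.get("psk")
        if psk is None:
            psk_kind = "none"            # open network, or EAP with credentials stored elsewhere
        elif psk.startswith('"'):
            psk_kind = "passphrase"      # the plaintext Wi-Fi password
            psk = decode_string(psk)
        else:
            psk_kind = "pmk_hex"         # 64 hex digits: PBKDF2-derived key, joins the network but is not the password
        networks.append({
            "ssid": decode_string(fields.get("ssid", "")),
            "key_mgmt": fields.get("key_mgmt", "unspecified"),
            "psk": psk,
            "psk_kind": psk_kind,
            "priority": int(fields.get("priority", 0)),
            "disabled": fields.get("disabled") == "1",
        })
    networks.sort(key=lambda n: n["priority"], reverse=True)
    return networks


# Constructed sample, not from a real device; names and keys are placeholders.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1
device_name=examplephone

network={
\tssid="HomeNet"
\tpsk="correct horse battery staple"
\tkey_mgmt=WPA-PSK
\tpriority=3
}

network={
\tssid=436166c3a9
\tkey_mgmt=NONE
\tpriority=1
}

network={
\tssid="Corp-Guest"
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
\tpriority=2
\tdisabled=1
}
"""

if __name__ == "__main__":
    for network in parse_wpa_supplicant(SAMPLE_CONF):
        print(network)
```

The SSID list is useful beyond the credentials: each saved network is a location the phone has been connected to, and the priority order and disabled flag hint at which ones were used recently.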




http://www.chinasem.cn/article/755209
