Date post: 13-Feb-2018
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian

7/23/2019 Android Forensic Exploring Internals and Apps

http://slidepdf.com/reader/full/android-forensic-exploring-internals-and-apps 1/52


Devices used

Examples in this presentation are demonstrated on the following devices:

• Google Galaxy Nexus (ICS 4.0.3, Samsung)
• HTC Thunderbolt (Gingerbread 2.3.4)


A quick overview of Android devices

Software:
• A patched version of the Linux OS kernel
• Overhauled user space: bionic libc, utilities
• Application security based on uid/gid: one uid per application, to protect each app's space from other apps
• Permission model to access system resources (e.g. phone HW, databases, etc.)
• Runs Java applications in the Dalvik VM environment
• Can run native applications through JNI

Hardware:
• Mostly ARM based, x86 becoming more popular
• Form factors: smartphones, tablets, TVs, ebook readers, refrigerators, etc.


Outline

• Android System Acquisition and Analysis
• Analyzing Android Applications
• Other tools and references


The 3 levels of accessing data on an Android device: accessing the device, physical extraction, and logical extraction

1. Device access
2. Physical data extraction
3. Logical data extraction


1. Device access

Source: http://www.ifixit.com/


Bypassing Security – Bypassing the pattern lock with a smudge attack

• There is research, and there are proposals, suggesting that one can recover the Android security pattern by examining the screen's touch residue.
• While there is some merit in these, it is still pretty hard to do this consistently.

Source: Smudge Attacks on Smartphone Touch Screens, by Adam J. Aviv et al.

Figures: photography and lighting setup; smudge pattern on a device, before and after contrast adjustment.


Bypassing Security – Bypassing the security code

• If you can find the user's Gmail account information, then Android will allow you to reset the pass code (after 5 attempts).
• If not:
  • Reboot to bootloader mode (or press volume-down + power, etc.):
    $ adb reboot bootloader
  • Using fastboot, load a different ROM (e.g. a Clockwork recovery image).
  • Remove the key file related to the challenge:
    $ adb shell
    $ su
    # cd /data/system
    # rm gesture.key
    Or, in case of a password or PIN:
    # rm password.key

 



Network isolation – Making the device unreachable

A shielded box or tent (Faraday cage) can isolate the device and prevent it from being manipulated remotely.

Figures: a Faraday cage work desk; a Faraday tent ("Don't try this at home!").


Android Mass Storage – MTD, FTL, MMC, eMMC

• The Linux kernel is designed to deal with block (sectorized) storage devices.
• Raw flash storage is not a block device.
• SSD, MMC, eMMC, RS-MMC, SD, mini-SD, micro-SD, USB flash drive, CompactFlash, MemoryStick and other FTL devices are block devices, not raw flash devices, meaning the FTL is built into the HW.
• To use a conventional file system (e.g. ext2, ext3, ext4, XFS, JFS, FAT) on top of a raw flash device, an abstraction layer, AKA "Flash Translation Layer" or FTL, is needed.

Source: http://www.linux-mtd.infradead.org/faq/general.html


Android Mass Storage – MTD, FTL, MMC, eMMC

More recent Android devices use eMMC, which is a block device and does not require a software FTL, hence no MTD.

Earlier Android devices (storage stack, top to bottom):
  Applications
  File system, e.g. YAFFS2
  MTD (SW), providing the FTL
  Raw flash (HW)

More recent Android devices (storage stack, top to bottom):
  Applications
  File system, e.g. ext4
  FTL (built into the eMMC HW)
  Raw flash (HW)


Android Mass Storage – MTD, FTL, MMC, eMMC

• MTD (Memory Technology Device) provides a very simple FTL: block interface, ECC, wear leveling and a few other functions.
• Most current Android devices use the FTL that comes with MTD (mtdblock).
• Wear leveling writes rewritten logical blocks to different physical blocks, so that no physical block is written repeatedly until all blocks have been utilized.

Source: http://lwn.net/Articles/428793/

Figure: wear leveling in FTL (stage 1, stage 2).


Android Mass Storage – SD and eMMC

Android's partitions: /dev/block, /dev/mtd, etc.

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00001000 "w25q80"

shell@android:/dev/mtd # ls -l /dev/mtd
crw-rw---- media    media     90,   0 2012-05-10 02:54 mtd0
crw------- root     root      90,   1 2012-05-10 02:54 mtd0ro


Physical data extraction – Write blockers

• When performing physical extraction, use a write blocker to protect the data on the device against accidental writes or writes caused by a malfunction.
• The last option, which often is destructive to the device, is to un-solder the flash chip and use special tools to read its content.

Figure: USB write blocker.


Android Mass Storage – dd, dc3dd

# mount
rootfs / rootfs rw,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p29 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
....


Physical data extraction – dd, dc3dd

On the device:
# dd if=/dev/block/platform/omap/omap_hsmmc.0/by-name/cache of=/sdcard/cache.imgdd

On the host:
$ adb pull /sdcard/userdata.imgdd ./userdata.imgdd
$ od -x userdata.imgdd
$ strings userdata.imgdd | grep <desired pattern regex>
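The dd / strings / grep procedure above, written out in Python as an added example (not part of the original deck): a dd-style copy that hashes every block so the image can be verified, and a `strings -t d`-style carver that keeps the offset of each regex hit. The device node name and the image bytes are constructed stand-ins, not data from the deck.

```python
import hashlib
import re

# Bytes that `strings` treats as printable (ASCII 0x20..0x7E).
PRINTABLE = frozenset(range(0x20, 0x7F))

# Constructed stand-in for a raw partition dump: filesystem noise with a few
# artefacts (a database header, an e-mail address, a phone number, a URL).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"SQLite format 3\x00"
    + b"\xff\x01\x02\x03"
    + b"john.ford@example.com"
    + b"\x00\x00" + b"ab" + b"\x00"            # "ab" is too short to be carved
    + b"+13105551876"
    + b"\x80\x90"
    + b"www.johnfordontheweb.com"
    + b"\x00" * 8
)
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def image_with_hash(src_path, dst_path, block_size=1 << 20):
    """dd-style copy of a block device (or partition node) to an image file,
    hashing every block as it is written so the copy can be verified."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            dst.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(src_path, dst_path):
    """Image src into dst, re-hash dst from disk and confirm both digests agree."""
    digest = image_with_hash(src_path, dst_path)
    with open(dst_path, "rb") as f:
        verified = hashlib.sha256(f.read()).hexdigest() == digest
    return digest, verified


def carve_strings(data, min_len=4):
    """Yield (offset, text) for every run of at least min_len printable bytes,
    like `strings -t d`, so that a hit can be located in the image afterwards."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def grep_strings(data, pattern, min_len=4):
    """`strings image | grep <regex>`, keeping the offset of each hit."""
    rx = re.compile(pattern)
    return [(off, s) for off, s in carve_strings(data, min_len) if rx.search(s)]


def run_demo():
    """Write the constructed image to a temp dir, acquire it, grep the copy."""
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mmcblk0p26")        # stand-in for the device node
        dst = os.path.join(d, "userdata.imgdd")
        with open(src, "wb") as f:
            f.write(SAMPLE_IMAGE)
        digest, ok = acquire_and_verify(src, dst)
        with open(dst, "rb") as f:
            hits = grep_strings(f.read(), r"@|\+1\d{10}")
    return digest, ok, hits


if __name__ == "__main__":
    digest, ok, hits = run_demo()
    print("sha256:", digest, "verified:", ok)
    for off, s in hits:
        print("%8d  %s" % (off, s))
```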


JTAG, Chip-off – The last resorts

• If all other access methods fail, JTAG access or chip-off (de-soldering of the flash chip) can provide access to the device's internal flash:
  • With JTAG (and using a tool such as Riff-Box) it is possible to put the CPU in debug mode and dump the content of the internal flash.
  • The last option, which often is destructive to the device, is to un-solder the flash chip and use special tools to read its content.

Figures: Samsung Galaxy S JTAG pin-outs (source: http://www.bongozone.com/jtag-service-i9000-unbrick-others/); connecting a Galaxy S to a Riff-Box.


3. Logical Extraction



Getting ready for logical extraction: to root or not to root

• Rooting can potentially change the status of the data on the device, and destroy information.
• Nonetheless, a rooted device provides full access, and for most of the techniques here, rooting is needed.
• A ROM is the collection of stuff that makes your device work:
  • Kernel
  • The rest of the OS
  • Drivers
  • Configuration files
  • System apps
• ROMs are usually provided by the manufacturer and get customized by the mobile operator.
• There are also custom ROMs that enhance some functions of the standard ROM that comes with the device and remove some of its limitations, e.g. the CyanogenMod ROM.
• Before you can run a custom ROM, you need to go to recovery mode and flash the ROM file.

Figure: rooting an Android device.


Three different ways to perform logical extraction on an Android device:

adb pull
• Can be done recursively
• Use tar to create an archive
• Use gzip to compress

sqlite3
• Access to the SQL databases on the device, including those of system apps
• No programming needed
• Can use familiar SQL statements

Accessing Content Providers
• Can be done programmatically
• Can be used to build forensic data collection tools
• Access to 45+ Content Providers on the device


Getting ready for logical extraction – BusyBox

Get and install BusyBox on the device.

BusyBox: the most common Unix commands in the Android shell.


Getting ready for logical extraction – BusyBox

# busybox
BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as.

Currently defined functions: [, [[, ash, awk, base64, basename, blkid, bunzip2, bzcat, bzip2, cal, cat, chat, chattr, chgrp, chmod, chown, chroot, chrt, cksum, clear, comm, cp, crond, crontab, cut, date, dd, depmod, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, echo, egrep, env, 

ether-wake, expand, expr, fakeidentd, fdflush, fdformat, fdisk, fgrep, find, fold, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput, getopt, grep, groups, gunzip, gzip, hd, head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, ifenslave, inetd, inotifyd, insmod, install, ionice, iostat, ip, ipaddr, ipcalc, iplink, iproute, iprule, iptunnel, kill, killall, killall5, less, ln, logname, losetup, ls, lsattr, lsmod, lsof, lsusb, lzop, lzopcat, md5sum, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, modinfo, modprobe, more, mount, mountpoint, mt, mv, nameif, nanddump, nandwrite, 

nc, netstat, nice, nmeter, nslookup, ntpd, od, patch, pgrep, pidof, 

ping, ping6, pkill, pmap, powertop, printenv, printf, ps, pscan, pwd, rdate, rdev, readahead, realpath, renice, reset, rev, rfkill, rm, rmdir, rmmod, route, run-parts, script, scriptreplay, sed, seq, ... test, tftp, tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, tty, ttysize, tunctl, umount, uname, uncompress, unexpand, uniq, unix2dos, unlzop, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, watch, wc, wget, which, who, whoami, whois, xargs, zcat


Getting ready for logical extraction – sqlite3

Get and install sqlite3:
1. Only available on some development devices, e.g. the Google Nexus series.
2. You can get it from sqlite.org (source code) and compile/build it yourself.
3. Easiest way is to get it from your emulator installation:
   $ cd /Applications/android-sdk-macosx/tools
   $ adb push ./sqlite3 /system/xbin/sqlite3
   $ adb shell
   $ su
   # cd /system/xbin
   # chmod 755 sqlite3


Logical extraction – important directories

Notable directories of the Android file system:

system/
  bin/
  xbin/
data/
  data/
  app/
mnt/
  sdcard/
dev/
  mtd/
  block/


Logical extraction: adb pull with tar

adb supports recursive pull:
$ adb pull <remote> <local>

Example (archive all installed apks with tar and gzip, pull the archive, unpack it on the host):
$ adb shell
$ su
# cd /data/app
# tar -cvf /sdcard/all-apps.tar ./*apk
# gzip /sdcard/all-apps.tar
# exit
$ exit
$ adb pull /sdcard/all-apps.tar.gz ./
$ tar -xzvf all-apps.tar.gz


Logical extraction: logs (logcat)

Example:
# adb logcat > logs
# cat logs
I/SystemServer(  197): Wi-Fi P2pService
I/SystemServer(  197): Wi-Fi Service
I/SystemServer(  197): Connectivity Service
D/ConnectivityService(  197): ConnectivityService starting up
I/ActivityManager(  197): Config changed: {1.0 0mcc0mnc en_US layoutdir=0 sw360dp w360dp h592dp nrml port ?uimode ?nightfinger -keyb/v/h -nav/h s.3}
E/ConnectivityService(  197): Ignoring protectedNetwork 10
E/ConnectivityService(  197): Ignoring protectedNetwork 11
E/ConnectivityService(  197): Ignoring protectedNetwork 12
E/MobileDataStateTracker(  197): default: Ignoring feature request because could not acquire PhoneService
E/MobileDataStateTracker(  197): default: Could not enable APN type "default"
D/NetworkManagementService(  197): Registering observer
D/NetworkManagementService(  197): Registering observer
I/WifiService(  197): WifiService starting up with Wi-Fi enabled
D/NetworkManagementService(  197): rsp <213 00:90:4c:11:22:33 0.0.0.0 0 [down broadcast multicast]>
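A small parser for the brief logcat format shown in the listing above, added here as an example that is not part of the original deck. It runs over constructed sample lines modelled on the slide (plus one buffer-marker line that is not a record) and groups records by priority and tag, which is the quickest way to triage a long saved log.

```python
import re
from collections import Counter

# logcat's default "brief" format, as in the listing above:
#   <priority>/<tag>( <pid>): <message>      priority is one of V D I W E F
LOGCAT_BRIEF = re.compile(r"^([VDIWEF])/([^(]+?)\(\s*(\d+)\):\s?(.*)$")

# Constructed sample: records modelled on the slide plus one non-record line.
SAMPLE_LOG = """\
I/SystemServer(  197): Wi-Fi P2pService
I/SystemServer(  197): Wi-Fi Service
I/SystemServer(  197): Connectivity Service
D/ConnectivityService(  197): ConnectivityService starting up
E/ConnectivityService(  197): Ignoring protectedNetwork 10
E/ConnectivityService(  197): Ignoring protectedNetwork 11
E/MobileDataStateTracker(  197): default: Ignoring feature request because could not acquire PhoneService
I/WifiService(  197): WifiService starting up with Wi-Fi enabled
--------- beginning of /dev/log/main
"""


def parse_line(line):
    """Return (priority, tag, pid, message), or None for lines that are not records
    (logcat prints buffer markers and wrapped text that must not be mis-parsed)."""
    m = LOGCAT_BRIEF.match(line)
    if not m:
        return None
    prio, tag, pid, msg = m.groups()
    return prio, tag.strip(), int(pid), msg


def parse_logcat(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def summarize(records):
    """Records per (priority, tag): a quick way to see which components are noisy."""
    return Counter((prio, tag) for prio, tag, _, _ in records)


def messages(records, tag, priority=None):
    """Messages for one tag, optionally only at one priority (e.g. "E" for errors)."""
    return [msg for prio, t, _, msg in records
            if t == tag and (priority is None or prio == priority)]


if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOG)
    for (prio, tag), n in sorted(summarize(recs).items()):
        print("%s/%-22s %d" % (prio, tag, n))
    print(messages(recs, "ConnectivityService", "E"))
```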


Logical extraction: snooping around with sqlite3

DISCLAIMER: Names and other information are fictional. All data is for presentation purposes only.

shell@android:/ # find data -name "*.db" -print | wc -l
74    (this number is only for this device)

shell@android:/ # find data -name "*.db" -print
data/data/com.google.android.browser/app_appcache/ApplicationCache.db
data/data/com.google.android.browser/app_databases/Databases.db
data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db
data/data/com.android.providers.calendar/databases/calendar.db
data/data/com.android.providers.contacts/databases/profile.db
data/data/com.android.providers.contacts/databases/contacts2.db
data/data/com.android.providers.downloads/databases/downloads.db
data/data/com.google.android.email/databases/EmailProvider.db
data/data/com.google.android.gm/databases/[email protected]
data/data/com.google.android.gm/databases/[email protected]
data/data/com.google.android.gm/databases/webviewCookiesChromium.db
data/data/com.google.android.music/databases/music.db
data/data/com.android.providers.telephony/databases/telephony.db
data/data/com.android.providers.telephony/databases/mmssms.db
data/system/accounts.db


Logical extraction: sqlite3

Useful sqlite3 commands:

# find data -name "*.db" -print
sqlite> .help
sqlite> .databases
sqlite> .tables
sqlite> .schema <TABLE>
sqlite> .header on
sqlite> .mode <column | line>
sqlite> .output <FILE NAME>

Example:
sqlite> select * from accounts;
sqlite> select * from sms where rowid < 5;


Logical extraction: snooping around with sqlite3

# sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db
sqlite> .schema accounts
CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);
sqlite> select * from accounts;
||[email protected]|

sqlite> .mode line
sqlite> select data1 from data;
||[email protected]
sqlite> select * from data;
8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/595d6cef09539135|||0
8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10
8450||11|1154|0|0|0|0|||||||||||||||||||10
8451||3|1154|0|0|0|0|||||||||||||||||||10
8452||12|1154|0|0|0|0||||||||4|5||||||||||10
8453||1|1154|0|1|0|1|[email protected]|1|||||||||||||||||10
8454||8|1154|0|0|0|0|123 Spring Dale st.
Beverly Hills, CA 90210 USA|1||123 Spring Dale st.|||Beverly Hills|CA|90210|USA|||||||||10
8455||10|1154|0|0|0|0|8||||||||||||||||||10
8456||5|1154|0|0|0|0|+1-310-555-1876|2||+13105551876|||||||||||||||10
8457||15|1154|0|0|0|0|www.johnfordontheweb.com|3|||||||||||||||||10
8458||9|1155|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/795ec48099e213e|||0
8459||7|1155|0|0|0|0|Jenny Hackson|Jenny|Hackson|||||||1|3||||||||10
...



Logical extraction: snooping around with sqlite3

# sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db
sqlite> .mode column
sqlite> .header on
sqlite> select address, date, body from sms;
address       date           body
------------  -------------  -----------------------------------------------------
+11113272608  1336592918275  AT&T Free Msg: Welcome to GoPhone! To learn more ...
310498xxxx    1336720180796  Hey, nice day today. Up for a hike?:-)
+1310498xxxx  1336720230196  Hike sounds good:) kahuna beach canyon?
310498xxxx    1336720272373  Laguna is good. See you at 5:30.
sqlite>
...


The date column is in ms since 1/1/1970; the highlighted value corresponds to Fri, 11 May 2012 07:10:30 GMT.


Logical extraction: snooping around with sqlite3

# sqlite3 /data/data/com.google.android.gm/databases/[email protected]
sqlite> .schema messages
CREATE TABLE messages (_id INTEGER PRIMARY KEY, messageId INTEGER, conversation INTEGER, fromAddress TEXT, toAddresses TEXT, ccAddresses TEXT, bccAddresses TEXT, replyToAddresses TEXT, dateSentMs INTEGER, dateReceivedMs INTEGER, subject TEXT, snippet TEXT, listInfo TEXT, personalLevel INTEGER, body TEXT, bodyEmbedsExternalResources INTEGER, joinedAttachmentInfos STRING, synced INTEGER, error TEXT, clientCreated INTEGER, refMessageId INTEGER DEFAULT 0, forward INTEGER DEFAULT 0, includeQuotedText INTEGER DEFAULT 0, quoteStartPos INTEGER DEFAULT 0, bodyCompressed BLOB DEFAULT NULL, customFromAddress TEXT DEFAULT NULL, queryId INTEGER DEFAULT 1, UNIQUE(messageId));
sqlite> select fromAddress, toAddresses, dateSentMs, subject from messages;
fromAddress                          toAddresses                   dateSentMs     subject
-----------------------------------  ----------------------------  -------------  --------------------------
"Google+ team" <[email protected]>    "" <[email protected]>          1336438677000  Getting started on Google+
"Gmail Team" <[email protected]>      "Moe Tanabian" <tanabianmo    1336438616000  Customize Gmail with color
"Gmail Team" <[email protected]>      "Moe Tanabian" <tanabianmo    1336438616000  Import your contacts and o
"Gmail Team" <[email protected]>      "Moe Tanabian" <tanabianmo    1336438613000  Get Gmail on your mobile p
sqlite>


The dateSentMs column is in ms since 1/1/1970; the highlighted value corresponds to Tue, 08 May 2012 00:56:53 GMT.
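The `find ... -name "*.db"` sweep and the sqlite3 sessions above (mmssms.db, contacts2.db, the ms-since-epoch date columns), as one added Python example that is not part of the original deck. It builds a constructed stand-in for a pulled /data tree (the real mmssms.db and contacts2.db schemas have many more columns; only the ones used here are created, and the rows are fictional), confirms each .db file really carries the SQLite header, opens the databases read-only so the evidence copy is never modified, and renders the ms timestamps as GMT.

```python
import os
import sqlite3
from contextlib import closing
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of every SQLite 3 file


def ms_to_utc(ms):
    """sms.date and messages.dateSentMs are ms since 1/1/1970; render them as GMT."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def find_db_files(root):
    """Like `find data -name "*.db"`, plus a header check: a .db name is not proof
    that the file is a SQLite database. Returns sorted (relative path, is_sqlite)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".db"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                is_sqlite = f.read(16) == SQLITE_MAGIC
            found.append((os.path.relpath(path, root), is_sqlite))
    return sorted(found)


def open_readonly(db_path):
    """Open the pulled database read-only so analysis never alters the evidence copy."""
    return closing(sqlite3.connect("file:%s?mode=ro" % db_path, uri=True))


def list_tables(db_path):
    """The sqlite3 shell's .tables, via sqlite_master."""
    with open_readonly(db_path) as con:
        rows = con.execute("select name from sqlite_master where type='table' order by name")
        return [r[0] for r in rows]


def dump_sms(db_path):
    """select address, date, body from sms, with date made human-readable."""
    with open_readonly(db_path) as con:
        rows = con.execute("select address, date, body from sms order by date")
        return [(addr, ms_to_utc(date), body) for addr, date, body in rows]


def build_sample_tree(root):
    """Constructed stand-in for a pulled /data tree. Only the columns used above are
    created; the real mmssms.db and contacts2.db schemas have many more."""
    sms_dir = os.path.join(root, "data", "com.android.providers.telephony", "databases")
    con_dir = os.path.join(root, "data", "com.android.providers.contacts", "databases")
    os.makedirs(sms_dir)
    os.makedirs(con_dir)
    with closing(sqlite3.connect(os.path.join(sms_dir, "mmssms.db"))) as con:
        con.execute("create table sms (_id integer primary key, address text, date integer, body text)")
        con.executemany("insert into sms (address, date, body) values (?, ?, ?)", [
            ("+11113272608", 1336592918275, "AT&T Free Msg: Welcome to GoPhone! To learn more ..."),
            ("310498xxxx", 1336720180796, "Hey, nice day today. Up for a hike?:-)"),
            ("+1310498xxxx", 1336720230196, "Hike sounds good:) kahuna beach canyon?"),
        ])
        con.commit()
    with closing(sqlite3.connect(os.path.join(con_dir, "contacts2.db"))) as con:
        con.execute("CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT)")
        con.execute("insert into accounts values ('forensics.demo@example.com', 'com.google', NULL)")
        con.commit()
    with open(os.path.join(root, "data", "not-really.db"), "wb") as f:
        f.write(b"PK\x03\x04 not a database")       # .db extension, but not SQLite


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        sms_db = os.path.join(root, "data", "com.android.providers.telephony",
                              "databases", "mmssms.db")
        return find_db_files(root), list_tables(sms_db), dump_sms(sms_db)


if __name__ == "__main__":
    dbs, tables, sms = run_demo()
    for path, ok in dbs:
        print("%-70s %s" % (path, "sqlite" if ok else "NOT sqlite"))
    print("tables in mmssms.db:", tables)
    for row in sms:
        print(" | ".join(row))
```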


Logical extraction: Content Providers – build a forensics data-collection tool

• Content Providers: a specialized type of complex data store in Android to standardize access to and manipulation of stored data.
• Some useful Content Providers for forensic purposes:
  • Browser: bookmarks, browse history, etc.
  • CallLog: missed calls, call details, etc.
  • Contacts: contact details
  • MediaStore: media files (audio, video, images, etc.)

Source: http://ofps.oreilly.com/titles/9781449390501/Main_Building_Blocks.html


Logical extraction: Content Providers – build a forensics data-collection tool

• The database of a content provider is always addressed via a URI. The URI is the means by which the exposed data is encapsulated.
• General URI format:
  <standard_prefix>://<authority>/<data_path>/<id>
  e.g. content://com.android.contacts/data/phones/2
• Content Providers allow CRUD operations to be performed on databases: Create, Read, Update, Delete.
• They are queried with a SQL-like query through managedQuery() (deprecated but still usable), which returns a Cursor object.


Logical extraction: Content Providers – build a forensics data-collection tool

Steps to query a content provider:
1. Identify the URI of the desired content provider
2. Create a projection (a String array holding the names of the columns to query)
3. Use managedQuery() to query the CP into a Cursor object
4. Add the needed permissions to AndroidManifest.xml


Logical extraction: Content Providers – build a forensics data-collection tool

package com.example.ContentProvider;

import com.example.ContentProvider.R;

import android.app.ListActivity;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.widget.SimpleCursorAdapter;

public class ContentProviderActivity extends ListActivity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        // 1. URI of the content provider
        Uri allContacts = Uri.parse("content://contacts/people");

        // 3. managedQuery(): the four nulls are the projection (null = all columns),
        //    the selection (filtering, WHERE), its arguments, and the sort order (ORDER BY)
        Cursor c = managedQuery(allContacts, null, null, null, null);

        // 2. Projection (columns), mapped onto the list item's views
        String[] columns = new String[] {ContactsContract.Contacts.DISPLAY_NAME,
                                         ContactsContract.Contacts._ID};
        int[] views = new int[] {R.id.contactName, R.id.contactID};

        SimpleCursorAdapter adapter =
            new SimpleCursorAdapter(this, R.layout.main, c, columns, views);
        this.setListAdapter(adapter);
    }
}


Logical extraction: Content Providers – build a forensics data-collection tool

4. Permissions (AndroidManifest.xml):

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ContentProvider"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk android:minSdkVersion="7" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />

    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
        <activity
            android:name="com.example.ContentProvider.ContentProviderActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>


Logical extraction: Content Providers – Let's put it all together


Outline

• Android System Acquisition and Analysis
• Analyzing Android Applications
• Other tools and references


Android Applications – The development flow

1. Manifest, resources and assets -> aapt (Android Asset Packaging Tool: create packaged resources) -> packaged resource file
2. Source code and libraries -> javac (compile) -> dx (Dalvik bytecode) -> classes.dex
3. Packaged resource file + classes.dex -> apkbuilder -u (create unsigned apk) -> unsigned apk
4. Unsigned apk -> jarsigner (sign apk) -> signed apk
5. Signed apk -> adb (publish or test)


Android Applications – Java bytecode versus Dalvik bytecode

Java source:
    public int method(int i1, int i2) {
        int i3 = i1 * i2;
        return i3 * 2;
    }

Java bytecode (VM stack based):
    .method public method(II)I
        iload_1
        iload_2
        imul
        istore_3
        iload_3
        iconst_2
        imul
        ireturn
    .end method
    - var 0 is "this"
    - var 1 is argument #1
    - var 2 is argument #2

Dalvik bytecode (VM register based):
    .method public method(II)I
        mul-int v0, v2, v3
        mul-int/lit8 v0, v0, 2
        return v0
    .end method
    - this: v1 (Ltest2;)
    - parameter[0]: v2 (I)
    - parameter[1]: v3 (I)

Source: Practice of Android Reverse Engineering, Jim Huang


Android Applications – apktool

Get and install apktool:
1. http://code.google.com/p/android-apktool/
   1. Download the apktool-install-macos-* file
   2. Download the apktool-* file
   3. Unpack both into the /usr/local/bin directory (you must have root permissions)
2. To unpack and decode an apk:
   $ adb pull <the apk you want> (from /data/app)
   $ apktool d com.example.ContentProvider-1.apk ./
   $ ls -l
   -rw-r--r-- 1 moetan ANT\Domain Users 801 May 13 12:41 AndroidManifest.xml
   -rw-r--r-- 1 moetan ANT\Domain Users 112 May 13 12:41 apktool.yml
   drwxr-xr-x 8 moetan ANT\Domain Users 272 May 13 12:41 res
   drwxr-xr-x 4 moetan ANT\Domain Users 136 May 13 12:41 smali
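Before handing a pulled apk to apktool or dex2jar it is worth checking what the zip actually contains and whether classes.dex is intact; this added Python example (not part of the original deck) lists the entries produced by the development flow above and parses the dex header, recomputing its adler32 checksum and SHA-1 signature the way dx writes them. The apk and dex bytes are constructed in the block (a header-only dex with no real classes), not files from the deck.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Layout of the 0x70-byte dex header (little-endian), per the dex format spec.
DEX_HEADER = struct.Struct("<8sI20s" + "I" * 20)
HEADER_FIELDS = (
    "magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off", "string_ids_size", "string_ids_off",
    "type_ids_size", "type_ids_off", "proto_ids_size", "proto_ids_off",
    "field_ids_size", "field_ids_off", "method_ids_size", "method_ids_off",
    "class_defs_size", "class_defs_off", "data_size", "data_off",
)


def looks_like_dex(blob):
    """Magic is "dex\\n" + three version digits + NUL (e.g. dex\\n035\\0)."""
    return len(blob) >= 8 and blob[:4] == b"dex\n" and blob[7:8] == b"\x00"


def parse_dex_header(blob):
    """Parse the header and recompute its two integrity fields:
    checksum  = adler32 over everything after the checksum field (offset 12 on),
    signature = SHA-1 over everything after the signature field (offset 32 on).
    A mismatch means the file was modified after dx wrote it (or is corrupt)."""
    if len(blob) < DEX_HEADER.size or not looks_like_dex(blob):
        raise ValueError("not a dex file")
    hdr = dict(zip(HEADER_FIELDS, DEX_HEADER.unpack_from(blob, 0)))
    hdr["version"] = hdr["magic"][4:7].decode("ascii")
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == hdr["signature"]
    hdr["size_ok"] = hdr["file_size"] == len(blob) and hdr["header_size"] == DEX_HEADER.size
    return hdr


def inspect_apk(apk_bytes):
    """An apk is a zip: list its entries and parse classes.dex if present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = sorted(z.namelist())
        dex = parse_dex_header(z.read("classes.dex")) if "classes.dex" in names else None
    return names, dex


def make_sample_dex(class_defs=1, tamper=False):
    """Constructed classes.dex: a valid header with an empty data section
    (no real classes), checksum and signature computed the way dx does."""
    tail = [DEX_HEADER.size, DEX_HEADER.size, 0x12345678, 0, 0, 0] \
        + [0] * 10 + [class_defs, 0, 0, 0]
    rest = struct.pack("<" + "I" * 20, *tail)
    sig = hashlib.sha1(rest).digest()
    chk = zlib.adler32(sig + rest) & 0xFFFFFFFF
    blob = struct.pack("<8sI20s", b"dex\n035\x00", chk, sig) + rest
    if tamper:
        blob = blob[:-4] + b"\x01\x00\x00\x00"   # patch data_off without re-hashing
    return blob


def make_sample_apk(dex_bytes):
    """Constructed apk with the entries the build flow produces (placeholders
    stand in for the binary manifest, packaged resources and signature files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("resources.arsc", b"<packaged resources placeholder>")
        z.writestr("classes.dex", dex_bytes)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"<pkcs7 signature placeholder>")
    return buf.getvalue()


if __name__ == "__main__":
    names, dex = inspect_apk(make_sample_apk(make_sample_dex(class_defs=3)))
    print("entries:", names)
    for key in ("version", "file_size", "class_defs_size", "checksum_ok", "signature_ok", "size_ok"):
        print("%-16s %s" % (key, dex[key]))
```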


Android Applications – Decompiled code from smali (apktool)

$ cd smali/com/example/ContentProvider
$ ls -l
-rw-r--r-- 1 moetan ANT\Domain Users  355 May 13 12:41 BuildConfig.smali
-rw-r--r-- 1 moetan ANT\Domain Users 2400 May 13 12:41 ContentProviderActivity.smali
-rw-r--r-- 1 moetan ANT\Domain Users  519 May 13 12:41 R$attr.smali
-rw-r--r-- 1 moetan ANT\Domain Users  599 May 13 12:41 R$drawable.smali
-rw-r--r-- 1 moetan ANT\Domain Users  640 May 13 12:41 R$id.smali
-rw-r--r-- 1 moetan ANT\Domain Users  588 May 13 12:41 R$layout.smali
-rw-r--r-- 1 moetan ANT\Domain Users  641 May 13 12:41 R$string.smali
-rw-r--r-- 1 moetan ANT\Domain Users  616 May 13 12:41 R.smali

$ vim ContentProviderActivity.smali


Android Applications – Decompiled code from smali (apktool)

.class public Lcom/example/ContentProvider/ContentProviderActivity;
.super Landroid/app/ListActivity;
.source "ContentProviderActivity.java"
....

# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 10
    .parameter "savedInstanceState"

    .prologue
    const/high16 v9, 0x7f03
    const/4 v8, 0x2
    const/4 v2, 0x0

    .line 16
    invoke-super {p0, p1}, Landroid/app/ListActivity;->onCreate(Landroid/os/Bundle;)V

    .line 17
    invoke-virtual {p0, v9}, Lcom/example/ContentProvider/ContentProviderActivity;->setContentView(I)V

    .line 18
    const-string v0, "content://contacts/people"
    ....

Total: 100+ LoC


Android Applications – Decompiling an apk using dex2jar and jd-gui

Get and install the dex2jar tool and a jar decompiler:
1. http://code.google.com/p/dex2jar/
2. Download the dex2jar-x.x.x.x.tar.gz file (x: version digits)
3. http://java.decompiler.free.fr/?q=jdgui, and install the .dmg file

To unpack and decode an apk:
$ dex2jar.sh com.example.ContentProvider-1.apk
$ ls -l *jar
-rw-r--r-- 1 moetan ANT\Domain Users 4278 May 13 15:20 com.example.ContentProvider-1_dex2jar.jar

$ jd-gui com.example.ContentProvider-1_dex2jar.jar &


Android Applications – jd-gui .jar decompiler

Figure: jd-gui screenshot.


Outline

• Android System Acquisition and Analysis
• Analyzing Android Applications
• Other tools and references


Commercial tools

Cellebrite UFED (http://www.cellebrite.com/mobile-forensics-products)
• Standalone device
• Can extract data from 1600+ devices
• Covers Android devices
• Built-in SIM reader and cloner
• Can store output on SD, Flash or PC

EnCase Forensics
• Software solution
• Android, Blackberry, iOS and WinMobile
• Device settings
• Contacts, call logs
• E-mail
• Images
• SMS/MMS
• Calendars


Commercial tools

Micro Systemation XRY (http://www.msab.com/xry)
• Software and hardware bundle
• Comes in different packaging for lab, field, etc.
• Built-in SIM reader and cloner
• Runs on Windows
• Supports physical and logical extractions

viaForensics viaExtract (https://viaforensics.com/products/viaextract/)
• Software solution
• Logical extraction
• Logical recovery of call logs, contacts, browser history, SMS/MMS


Further reading


 

Thank You!

Moe Tanabian 

@motanabian

