Conference Paper · September 2017
DOI: 10.1109/ICTER.2017.8257836
https://www.researchgate.net/publication/322511440


Android Digital Forensics – Simplifying Android
Forensics Using Regular Expressions

Neera Jeyamohan
Asia Pacific Institute of Information Technology
388, Union Place
Colombo - 02
Email: jneera@gmail.com

Abstract— Smartphones store and process evidence that is vital to an investigation, since they have become the cradle of an individual's personal information. These devices are challenging during evidence acquisition and analysis: much of the information they hold is volatile, and the investigation process must be properly validated for the evidence to be admissible in a court of law. Acquiring and examining smartphone evidence has therefore become a laborious task for forensic investigators, who require appropriate, validated forensic examination tools and methodologies to extract it. This paper presents an investigation methodology for the acquisition and analysis of data from Android-based smartphones.

Keywords— Mobile Devices, Mobile Forensics, Forensic investigational framework, Android, Smart phones, Tablets

I. INTRODUCTION

SWGDE [1] defines digital evidence as "information of probative value that is stored or transmitted in binary form". By that definition, digital evidence can be collected not only from computers but from any electronic device that stores and processes user-related data. Most mobile device users store sensitive information on their devices, which therefore become a wealth of digital evidence during an investigation [2]. The challenge investigators face is identifying the potential evidence a mobile device might contain. The digital forensics community has done comparatively little research on mobile device forensics, so investigators struggle without a standard approach or procedure to follow during investigations; validated frameworks for collecting evidence from mobile devices are virtually non-existent in the current digital forensics environment.

The aim of this research is to present an appropriate framework for mobile device forensics that forensic investigators can use during their investigations. It also aims to update forensic investigators and other incident response personnel on new-generation mobile devices and their value during a forensic investigation.

II. RELATED WORK

Advances in technology have increased the computing power of mobile devices while keeping them small enough to fit in a user's pocket. One study found that the mobile device market had seen remarkable growth, with people using smartphones, digital music players and personal digital assistants for both official and personal purposes [3]. It is therefore necessary to analyze these devices using appropriate digital forensics procedures and methodologies. The exponentially growing number of mobile phone models makes it difficult to design a framework or lay out a procedure that addresses every eventuality in mobile forensics, and with the worldwide increase in the mobile device user base the need for mobile forensics grows accordingly [4].

Forensic investigators can collect evidence such as call logs, contact information, web activity logs and private messages from mobile devices [5], along with user-related multimedia files and documents that can be acquired from the device's external storage media. Mobile forensics nevertheless lags behind for the following reasons:
• The mobility and ubiquity of mobile devices require investigators to possess specialized tools to acquire and analyze mobile device storage.
• Much of a device's data resides in volatile memory, and battery drain may cause loss of evidence.
• A device remains active except when it is hibernating or powered off.
• Mobile devices have short product cycles; new devices with different operating systems appear on the market every day.

According to the ACPO Good Practice Guide [6], law enforcement officials should take no action that changes data held on computers or any storage media that will be submitted to a court as evidence. However, not all digitally collected evidence falls within the scope of the ACPO guide, and its principles cannot always be complied with during mobile forensics.
This is because data stored on a mobile device tends to change during an investigation even without any interference from the investigator.

The dynamic nature of data found on mobile devices is often considered a critical problem for forensic investigators. Unlike other digital devices, which are either on or off, mobile devices operate in several states:
• Nascent state: the device runs its factory configuration and contains no user data [7]. This is the default state of a mobile device; the device must be charged for a specified period before it enters a new state. Once the user performs an action the state changes automatically, and only a hard reset returns the device to the nascent state.
• Active state: the user is using the device to complete some task and the file system is storing data. A soft reset during the active state clears cache memory and causes loss of user data [8].
• Quiescent state: the device appears inactive, but processes are running in the background and user data is preserved by battery power [9].
• Semi-active state: the device is between the active and quiescent states and tries to save battery by dimming the screen or turning it off entirely [10].

A forensic investigator needs to know which state the device is in to decide whether to perform live or offline forensics. Mobile devices normally store information in volatile memory, so recovering evidence is a tedious task. The devices have an internal memory and an external memory, from which several types of evidence can be obtained. Internal memory is flash memory embedded in the handset; data in it may be lost if the device's battery is exhausted [11]. Unlike on computers, investigators cannot recover information from slack space on a mobile device, as slack space is usually filled with the hex value FF, the erased state of flash. Manufacturers now also use compact drives to store the mobile operating system kernel executable code and other files. Although forensic tools such as FTK or EnCase can examine these storage types, proprietary file systems prevent investigators from interpreting the data found on these devices [8].

Williamson et al. [12] analyzed the performance of mobile device forensic tools such as MOBILedit, Cell Seizure and Oxygen Phone Manager and found that some tools do not deliver the features they promise. Currently available mobile forensic tools often support only a limited range of devices. Some can acquire a device memory image but cannot examine the collected evidence or create reports. Most forensic tools obtain data from a mobile device through either physical or logical acquisition [5].

Measures taken by forensic investigators to prevent further interference with potential evidence may themselves cause undesirable alteration or loss of evidence, which calls for live analysis of mobile devices. Live memory analysis helps investigators overcome obstacles such as encryption or password protection and strengthens a formal forensic investigation procedure [13]. Current mobile phone forensic investigations often concentrate on obtaining evidence from the SIM (Subscriber Identity Module), the external memory card and internal flash memory [10]. However, because mobile devices have limited storage capacity, data such as third-party application data is often held in volatile memory. Without live analysis, this evidence, which may be critical to the investigation, can be lost forever or easily overwritten.

III. INVESTIGATION METHODOLOGY

Over the years researchers have proposed many digital forensics models for gathering information from mobile devices, but no conclusive model has been proved the most appropriate to follow. The mobile device forensic model discussed below is proposed to aid investigators examining devices based on the Android operating system.

A. Phase One – Preparation and Preservation

The preparation stage involves identifying potential sources of evidence, searching for the device, documenting the complete process and collecting the digital evidence. If the investigator fails to preserve the integrity of the evidence, the whole investigation may be jeopardized and the evidence may become inadmissible in court. This stage also involves gaining an appropriate understanding of the crime committed, preparing investigation tools, building a team and assigning roles to team members so that the investigation is carried out effectively.

First responders must formulate a search plan and evaluate the scene for possible digital evidence. They must also secure the scene against unauthorized access, to prevent evidence contamination and to ensure the safety of investigators working at the crime scene. Preventing or minimizing corruption of evidence is the top priority at this stage. If a mobile device is found at the scene, first responders may have to follow the steps discussed below.

If the device is found in a liquid, its battery should be removed; if it is found in a caustic liquid, it should be stored in the same fluid until it is examined by a forensic investigator. The device model and manufacturer should
be identified from the manufacturer's logos, the power adapter, the serial number and the cables attached to it. Without proper identification of the device, investigators may be unable to decide which forensic tools to use for further analysis or which cables are needed to connect the device to a PC for data synchronization.

If the device is switched on, precautions must be taken to ensure it has an uninterrupted power supply and is shielded from radio signals. The device must be isolated so that incoming traffic or other network data cannot modify or overwrite the information stored on it. If the device is switched off, it should be secured together with any accessories found at the crime scene. Many mobile devices will run out of power before evidence can be acquired, so first responders must carry a tool kit containing standard power supplies. The device must be kept in its existing state until a forensic investigator has made an appropriate assessment. A thorough preparation and preservation phase ensures the integrity of the evidence and thereby eases the work of investigators in the acquisition, examination and analysis phases.

B. Phase Two – Acquisition

The acquisition process begins once the device is handed over to the forensic investigator. The investigator must first choose the correct acquisition tool; it is best practice to test the tool on a similar device before employing it on the actual device. Tools used in acquisition must be able to maintain the integrity of the evidence (Vidas et al., 2011). Write-blocking techniques can be used to protect the integrity of the data source. The integrity of collected data can also be protected by computing a hash of the collected evidence and verifying it repeatedly to confirm that the value remains unchanged throughout the investigation.

Investigators can learn the PIN or passcode through investigative techniques such as interviewing the device owner or individuals involved in the crime; alternatively, they may use backdoors created by manufacturers to gain access to the device. During this phase the device must be placed in debug mode, and if the sync option is turned on it must be disabled. After acquiring a physical image, the investigator can enable sync to begin a logical acquisition of data. The logical data will also be present in the RAM image obtained, but the investigator has the option of using the sync protocol to perform a logical acquisition as well. Since most evidence is transported from an off-site scene, the "pull the plug" approach is not suitable for mobile forensics [7]. Most mobile devices hold data in volatile memory, and acquiring evidence from volatile memory is problematic because of the dynamic nature of device state and evidence; a combination of acquisition techniques must be used to get useful results from it. Non-volatile evidence is collected from external storage media such as CompactFlash cards, MMC cards and Secure Digital (SD) memory cards.

C. Phase Three – Examination

The examination phase involves examining the evidence collected from the mobile device and extracting the information that will be used to support or build the investigators' hypothesis. Investigators should create backups of the acquired images before examining them. In this phase the originality and significance of the collected evidence are established. Investigators can apply keyword searches, pattern matching and data filtering to reduce the collected data to a manageable size. While examining the evidence, the investigator should also look for signs of device tampering, data wiping, data hiding techniques and unauthorized system modifications. The challenge here is detecting obscured or hidden data, so the capability of the tools used plays a vital role: the collected data must be searched thoroughly for unusual files and directories.

D. Phase Four – Analysis

In this phase the investigator conducts a technical review based on the examination results. Analyzing identified hidden data, recognizing relationships between data items, confirming the significance of the evidence found during examination, reconstructing the event timeline and drawing appropriate conclusions are the essential activities at this stage (NIJ, 2008). From the results of this phase the investigator can determine whether additional tasks should be performed, or earlier phases repeated.

E. Phase Five – Reporting

After all the necessary steps have been completed, the results are submitted to a group that may include law enforcement officials, legal officials and sometimes corporate management. The documented evidence and results are submitted to a court of law if it is a law enforcement investigation, or to the investigation management team if it is an internal investigation within an organization. The report helps the management team or the court decide on the allegations in the incident. It should describe the steps followed during the digital investigation and the conclusions reached after analyzing the evidence.

IV. EVIDENCE EXAMINATION FINDINGS FOR ANDROID SMARTPHONES

The scope of this section is to compare and analyze the evidence that can be collected from Android smartphones. Offline investigation methods can be used effectively to find the evidence stored on an Android smartphone. For the experiment a Samsung phone running Android 5.1.1 (Lollipop) was used. The methodology developed has its restrictions:
• ADB (Android Debug Bridge) must be enabled on the phone to acquire data over the USB port.
• The phone must also be rooted to capture and recover system-related information.
• With superuser privileges the examiner should be able to acquire all system partitions and files.

Using a Cellebrite UFED Touch for the acquisition phase is recommended, but the acquisition can equally be done with the open source 'dd' tool (Lessard and Kessler, 2010). The acquired image is then examined using regular expressions. The investigator must first specify what information is needed in order to define the regular expression that will locate it. A regular expression is a pattern of characters that matches any desired content; by crafting appropriate regular expressions, investigators can examine the acquired image with ease. This section discusses where the evidence of interest resides on an Android smartphone, which in turn determines the regular expressions a forensic analyst crafts to locate it quickly.

A. Analysing Phone Information

Phone manufacturer details, carrier details, the device build and other device-specific information can be extracted with the adb shell command. Table I lists the information that can be obtained from various adb shell getprop properties.

TABLE I
ACQUIRED PHONE INFORMATION

Property (adb shell getprop)      Remarks
ro.build.fingerprint              Device build fingerprint
ro.bootloader                     Boot loader version
ro.build.date                     Build date
ro.build.version.release          Android version installed on the phone
ro.product.brand                  Product brand
ro.product.manufacturer           Phone manufacturer
ro.product.model                  Product model
ro.product.name                   Product name
ro.serialno                       Serial number
Network information
dhcp.wlan0.dns1                   DNS server IP address (the device's own address is in dhcp.wlan0.ipaddress)
dhcp.wlan0.gateway                Gateway IP address
dhcp.wlan0.mask                   Subnet mask
net.hostname                      Hostname used on the network
Carrier information
gsm.sim.operator.iso-country      SIM operator country
gsm.sim.state                     SIM state (e.g. READY, ABSENT, PIN_REQUIRED)
Other information
persist.sys.country               Country of the phone's locale
persist.sys.language              Language of the phone's locale
persist.sys.timezone              Time zone

B. Contact Information and Call Logs

Contact information and call logs are held by the com.android.providers.contacts package, stored under /data/data/com.android.providers.contacts (the contacts2.db database in its databases directory, which also holds the call log). Some information about deleted contacts can also be recovered on newer versions of Android: the table that stores it is 'deleted_contacts'.

C. Messaging

Messages are stored by the com.android.providers.telephony package and reside in the /data/data/com.android.providers.telephony directory [10]. Both MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages are saved here. There are two SQLite databases under this directory.

D. Instant Messaging

Widely used IM apps are WhatsApp and Viber, each with well over a million subscribers. Both apps store their information in SQLite databases. The WhatsApp databases are in /data/data/com.whatsapp/databases and the Viber databases in /data/data/com.viber.voip/databases. The Google Hangouts database resides in /data/data/com.google.android.talk/databases.

To retrieve information about WhatsApp activity, two databases should be analyzed:
• msgstore.db, which stores the messages and chat history
• wa.db, which stores WhatsApp contact information.

Media files that have been transferred are saved on the SD card in the following directories:
• Audio: WhatsApp/Media/WhatsApp Audio
• Video: WhatsApp/Media/WhatsApp Video
• Voice notes: WhatsApp/Media/WhatsApp Voice Notes
• Calls: WhatsApp/Media/WhatsApp Calls
• Images: WhatsApp/Media/WhatsApp Images

Each folder has a sub-folder named "Sent" that holds the media files sent by the user. The date on which a contact was added is available in the log file data/com.whatsapp/files/Logs/whatsapp.txt; by comparing the log file with the contacts table, the investigator can identify deleted contacts. The Viber database folder has two main databases of use in analysis: viber_data.db, which stores information about Viber contacts including blocked numbers, and viber_messages.db, which stores the messages, call history and participants in each conversation. Furthermore, even when a contact is deleted from the list, the conversation history for that contact remains in the database until it is overwritten, so messages exchanged with deleted contacts can still be extracted from the device.
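The regex-driven examination that Section IV describes, written out as an added example (this is not the paper's code). It scans an acquired image for SQLite file headers, e-mail addresses and phone numbers, carves each database out using the page size and page count recorded in SQLite's 100-byte file header, and queries the carved copy read-only, with the Phase Two hash check applied before examination begins. The image is constructed in memory so the script runs offline; the raw_contacts and deleted_contacts tables in it are a simplified stand-in for contacts2.db and are assumptions for illustration, not the real schema.

```python
"""Added example: regex scan of a raw Android image plus SQLite carving.
Not code from the paper; the sample image and schema are constructed here."""
import hashlib
import os
import re
import sqlite3
import struct
import tempfile
from typing import List, Optional, Tuple

# Byte patterns, because the image is binary.  What the examiner is looking
# for decides the expression (Section IV); these three are typical starts.
SQLITE_MAGIC = re.compile(rb"SQLite format 3\x00")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 8-18 characters, digits at both ends, separators allowed in between.
PHONE_RE = re.compile(rb"(?<![\w+])\+?\d[\d\s().-]{6,16}\d(?!\w)")


def build_sample_image() -> bytes:
    """Constructed stand-in for an acquired partition: erased-flash filler
    (0xFF, as the paper notes), one small contacts database, loose text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "contacts.db")
        con = sqlite3.connect(path)
        con.executescript(
            "CREATE TABLE raw_contacts(_id INTEGER PRIMARY KEY, display_name TEXT, number TEXT);"
            "CREATE TABLE deleted_contacts(contact_id INTEGER, contact_deleted_timestamp INTEGER);"
            "INSERT INTO raw_contacts VALUES(1, 'Alice', '+94771234567');"
            "INSERT INTO raw_contacts VALUES(2, 'Bob', '0112345678');"
            "INSERT INTO deleted_contacts VALUES(7, 1500000000000);"
        )
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db_bytes = f.read()
    filler = b"\xff" * 4096
    loose_text = (b"From: alice@example.org\nTo: bob@example.net\n"
                  b"Call me on +94771234567 or 0112345678\n")
    return filler + db_bytes + filler + loose_text + filler


def verify_integrity(image: bytes, expected_sha256: str) -> bool:
    """Phase Two check: does the working copy still hash to the recorded value?"""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def find_sqlite_databases(image: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for each SQLite file header found in the image."""
    found = []
    for m in SQLITE_MAGIC.finditer(image):
        off = m.start()
        header = image[off:off + 100]
        if len(header) < 100:
            continue
        page_size = struct.unpack(">H", header[16:18])[0]
        if page_size == 1:          # the header encodes 65536 as 1
            page_size = 65536
        # In-header page count (offset 28); set by any SQLite >= 3.7 writer.
        page_count = struct.unpack(">I", header[28:32])[0]
        found.append((off, page_size * page_count))
    return found


def carve_and_query(image: bytes, offset: int, length: int, sql: str) -> list:
    """Write the carved bytes to a scratch file and run a read-only query."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.db")
        with open(path, "wb") as f:
            f.write(image[offset:offset + length])
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            return con.execute(sql).fetchall()
        finally:
            con.close()


def examine_image(image: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Run every pattern over the image and pull records out of any contacts DB."""
    if expected_sha256 is not None and not verify_integrity(image, expected_sha256):
        raise RuntimeError("image hash does not match the value recorded at acquisition")
    dbs = find_sqlite_databases(image)
    contacts, deleted = [], []
    for off, length in dbs:
        names = {r[0] for r in carve_and_query(
            image, off, length, "SELECT name FROM sqlite_master WHERE type='table'")}
        if "raw_contacts" in names:
            contacts = carve_and_query(
                image, off, length, "SELECT display_name, number FROM raw_contacts ORDER BY _id")
        if "deleted_contacts" in names:   # trace of deleted contacts (Section IV.B)
            deleted = [r[0] for r in carve_and_query(
                image, off, length, "SELECT contact_id FROM deleted_contacts")]
    emails = sorted({m.group().decode() for m in EMAIL_RE.finditer(image)})
    phones = sorted({re.sub(r"[\s().-]", "", m.group().decode())
                     for m in PHONE_RE.finditer(image)})
    return {"sha256": hashlib.sha256(image).hexdigest(), "databases": dbs,
            "contacts": contacts, "deleted_contact_ids": deleted,
            "emails": emails, "phones": phones}


if __name__ == "__main__":
    for key, value in examine_image(build_sample_image()).items():
        print(f"{key}: {value}")
```

Note that the loose-text phone numbers are found by the regex while the same numbers packed inside SQLite record cells are not (no separator precedes them there), which is why the databases are carved and queried rather than grepped: a pattern match over the raw image is the way to locate artefacts, and structured parsing is what recovers them.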
E. E-Mail

Most Android device e-mail accounts are accessed through the Gmail application, which saves its information in SQLite databases under /data/data/com.google.android.gm/databases. Android devices also include a separate built-in e-mail app through which users can access non-Gmail accounts, in particular accounts on their organization's mail server; this app stores its data under /data/data/com.android.email/databases.

For the Gmail application, the e-mail addresses are the only account information stored in the database. The password is held on Google's servers and used by the client device only to authenticate the user. Once authentication succeeds, an auth token is issued and used for subsequent logins, so the auth token is saved instead of the password. The token can be extracted from the accounts database located under /data/system/users.

F. Browser

The built-in Android browser is based on the open source WebKit project, belongs to the com.android.browser package and lives in the /data/data/com.android.browser folder. According to [10]:
• The browser database is /data/data/com.android.browser/databases/browser2.db.
• Password information is in the table named password in /data/data/com.android.browser/databases/webview.db.

Google Chrome is now the default browser on newer Android versions. Most Chrome information is stored in the /data/data/com.android.chrome/app_chrome/Default folder.

G. Social Networking Apps

Information related to the social networking applications Facebook and Twitter can also be retrieved using regular expressions. If these sites are accessed through the browser, the related information can be retrieved through browser analysis. The Facebook and Twitter login records are stored in /data/system/users/0/accounts.db, but no password information is stored there. When investigating the Facebook application, the investigator must look at two important SQLite databases (Mutawa, Baggili & Marrington, 2012):
• fb.db, whose tables list the user activity, photo albums, chat messages, friend lists and uploaded photos.
• webview.db, which is supposed to store password-related login information; in most cases the table is empty.

By the time this research was completed, however, Facebook had changed the structure of the stored information, and with the introduction of Facebook Messenger the valuable information lies in two main folders:
• /data/data/com.facebook.katana – user activity, friend lists, uploaded photos, messages, etc. are saved here.
• /data/data/com.facebook.orca – created when the Facebook Messenger app is installed; it holds the same databases as the other folder.

The Twitter application stores its information in the /data/data/com.twitter.android directory. The databases there contain records of posted tweets, photos, followers and other information on Twitter usage (Mutawa, Baggili & Marrington, 2012).

V. CONCLUSION

Mobile devices are evolving rapidly with recent technological developments, but mobile forensics is evolving slowly. This research proposes a new mobile forensics framework that specifically addresses the problems of mobile device forensic investigation. The model relies on regular expressions to examine the acquired image and does not depend on any commercial tool for examination or analysis. The activities proposed in the model are not presented in full, because of restrictions on testing; further work remains to be done.

REFERENCES

1. Scientific Working Group on Digital Evidence (2009). SWGDE and SWGIT Digital & Multimedia Evidence Glossary, v2.3. [Online] Available at: https://www.swgde.org/documents/Archived%20Documents/009-05-22%20SWGDESWGIT%20Digital%20and%20Multimedia%20Evidence%20Glossary%20v2.3.
2. Grispos, G., Storer, T. and Glisson, W.B. (2011). A comparison of forensic evidence recovery techniques for a Windows Mobile smart phone. Digital Investigation, 8, pp. 23-36.
3. Canalys (2008). Smart mobile device shipments hit 118 million in 2007, up 53% on 2006. [Online] Available at: http://www.canalys.com/newsroom/smart-mobile-deviceshipments-hit-118-million-2007-53-2006.
4. Slay, J. and Turnbull, B. (2006). The need for a technical approach to digital forensics evidence collection for wireless technologies. In: Proceedings of the 2006 IEEE Workshop on Information Assurance.
5. Sansurooah, K. (2007). An overview and examination of digital PDA devices under forensics toolkits. In: Proceedings of the 5th Australian Digital Forensics Conference.
6. ACPO (2007). Good Practice Guide for Computer-Based Electronic Evidence. [Online] Available at: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
7. Thing, V., Ng, K. and Chang, E. (2010). Live memory forensics of mobile phones. Digital Investigation, 7, pp. S74-S82.
8. Punja, S. and Mislan, R. (2008). Mobile device analysis. Small Scale Digital Device Forensics Journal, 2(1), pp. 1-16.
9. Raghunathan, V., Pering, T., Want, R., Nguyen, A. and Jensen, P. (2004). Experience with a low power wireless mobile computing platform. In: Proceedings of ISLPED.
10. Hoog, A. (2009). Android forensics. In: Mobile Forensics World Conference, May 2009.
11. Lim, N. and Khoo, A. (2009). Forensics of computers and handheld devices: identical or fraternal twins? Communications of the ACM, 52(6), pp. 132-135.
12. Williamson, B., Apeldoorn, P., Cheam, B. and Macdonald, M. (2006). Forensic analysis of the contents of Nokia mobile phones. In: Australian Digital Forensics Conference.
13. Carrier, B.D. and Grand, J.A. (2004). A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(1), pp. 50-60.
