
TEMASEK POLYTECHNIC

School of Informatics and IT


Diploma in Digital Forensics
AY 2016/2017

Lab 2 & 3 (eLearning)


Android Operating System Overview
Objectives 
Introduce commands and basic tools for conducting Android OS forensics.

Background
This lab explores Basic Android OS forensics commands and tools.

Tools
- 1 PC with Windows OS and Oracle VirtualBox installed.
- Installed with:
  - Ubuntu 10.10_64 virtual machine image.

Procedure

Part A: Warming up with Android Software Development Kit (SDK)

1. Start up the virtual machine VirtualBox,

2. Select the virtual machine (DMF Ubuntu 10.10_64) image and log in to the operating
system as
- user: root
- password: forensics

3. In the virtual machine of SIFT Workstation, start a terminal window.


- Under Application Tab => Accessories => Terminal

4. Go to the Android Software Development Kit directory:


cd /root/android-sdk-linux_86/tools/

5. Start Android SDK


./android

6. Ensure Updates/New, Installed and Obsolete options are checked.

7. Currently SDK Platform API 9 for Android 2.3.1 is installed. What other SDK API is
installed?

SDK platform API 16 for Android 4.1 is installed.

8. To start Android Virtual Device Manager (AVD), select Tools => Manage AVDs
from the menu.

9. Click the New button to create a new 2.3.1 Android Virtual Device (AVD), and complete
the fields as follows:
Note: Use Google APIs (Google Inc.) – API Level 9 for the Target option.

10. Click Create AVD to complete the creation of a new AVD.

11. To start up the newly created AVD, highlight the newly created AVD and click the
Start button.

12. Accept the default setting and click the Launch button:

13. Whoopee! You have just created and launched an Android Virtual Device. Play around
with it, for example by web browsing.

Part B: Android Debug Bridge (ADB)
1. Android Debug Bridge (adb) is located under folder:
/root/android-sdk-linux_86/platform-tools

2. To access adb without specifying the full path, edit the ~/.bashrc file:
nano ~/.bashrc

3. Insert the following 2 lines into the ~/.bashrc file:

export PATH=$PATH:/root/android-sdk-linux_86/tools
export PATH=$PATH:/root/android-sdk-linux_86/platform-tools

4. Save the file (Ctrl-O), exit from nano (Ctrl-X) and close the terminal session.
5. For the newly inserted path to be effective, start a new terminal session.
6. And now, let’s take a look at the usage of adb:
a. Ensure no adb daemon is running: adb kill-server
b. To start an adb daemon: adb start-server
i. Note down the TCP port number that adb is using:
____________________________________________

ii. Verify the adb port number by using: netstat -ant
iii. Note down the following from the output of part (ii):
- Local Address:
- Foreign Address:
- State:
iv. Is the adb server connected to any android device? ___________
c. Check whether the adb server is connected to any Android device: adb devices
i. Is the adb server connected to any android device? _______
7. Start the AVD that you have created in Part A. (Refer to the steps in Part A)
8. Ensure USB debugging is enabled in the AVD; this option allows ADB to
communicate with the AVD over a USB connection.
a. From the AVD, select Settings, Applications, Development

9. Check whether the adb server is connected to any Android device: adb devices


i. Is the adb server connected to any android device? _______
ii. What is the name of the device? ______________________
iii. Using netstat -ant, fill in the blanks:

                        ADB Server          USB Android Device
Listening TCP port:     _________           _________
Established TCP port:   _________           _________

10. To execute a shell over adb on the connected AVD: adb shell


a. Do you have root access? __ _________
b. How do you verify you have root access? ______

11. What is the date/time setting of the AVD? _________


12. How long has the AVD been started? ____________

Reflection 1
1. Create another 2.3.1 Android Virtual Device (AVD), so that in total there are
two AVDs.
2. Send Short Message Service (SMS) and make a call between the two AVDs.
a. Record down the phone number of AVD1: ____________________
b. Record down the phone number of AVD2: ____________________

Hint - http://developer.android.com/tools/devices/emulator.html

Part C: Data in Android Virtual Device (AVD)

1. Application data is stored on NAND flash, on the SD card or on the network, using one
of the following methods:
a. Shared preferences
b. Internal storage
c. External storage
d. SQLite
e. Network
2. Let’s dip straight into the pool of Shared Preferences and Internal storage.
a. List the contents of the Android web browser under the folder:
/data/data/com.android.browser
b. Note that it has a folder shared_prefs
c. Record down the xml file under the shared_prefs:

______________________________________________________
d. What is the possible evidence found in this xml file?

______________________________________________________

3. External storage could be a physical SD card (mounted at /mnt/sdcard) or an emulated
SD card (mounted at /mnt/emmc).
a. Display the contents of the physical SD card: ls -l /mnt/sdcard
b. Take a photo using the AVD camera (well, only an Android logo is displayed
as the image of the photo shot); a new folder Camera is created under
/mnt/sdcard/DCIM. Record the details of the JPEG image you have just taken:
- Time taken: _______________
- Date taken: _______________
- File name: ________________
- File size: _________________

4. Now, the SQLite. It is a database used by an application to store data. From the AVD
created in Part A and Reflection 1, ensure at least one SMS is sent. Also, ensure only
one AVD is running.
a. You must complete Reflection 1 (sending an SMS and making a call between the two
AVDs (Android Virtual Devices)) to properly populate the SMS/telephony
database.
b. Connect to the AVD using adb: adb shell
c. Change directory to the SMS database:
cd /data/data/com.android.providers.telephony/databases
d. Use the built-in SQLite client (yep, SQL commands) to view the SMS database:
sqlite3 mmssms.db
i. From the sqlite prompt:
a. Show all tables: .tables
b. Record the select command used to list the records from the
sms table:

___________________________

c. Use the help (type .help) to find out how to enable the header row for the display
of part b.

_____________________________
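As an added worked example (not part of the lab handout, and not Android's own code), the Python script below does the same three things as the sqlite prompt session in step 4 against a constructed in-memory stand-in for mmssms.db: list the tables (what .tables does), select all rows with a header line (what .headers on plus select gives you), and decode the sms.date and sms.type columns into a readable timeline. The column names and the type codes (1 = inbox, 2 = sent, and so on) are those of the public Android Telephony.Sms API; the rows, the phone number and the timestamps are constructed sample data, and the real sms table has many more columns. The open_pulled_db helper is for a copy of the database you have pulled off the AVD with adb pull; it opens the file read-only so the evidence is never modified.

```python
import sqlite3
from datetime import datetime, timezone

# Message type codes of the sms.type column (public Android Telephony.Sms constants).
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}

# Constructed rows: _id, address, date (milliseconds since the Unix epoch), type, body.
SAMPLE_SMS = [
    (1, "5550002", 1351651320000, 1, "hello from the other AVD"),
    (2, "5550002", 1351651380000, 2, "got it, calling you now"),
]


def build_sample_db():
    """In-memory stand-in for mmssms.db carrying only a few of the real sms columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.execute("CREATE TABLE threads (_id INTEGER PRIMARY KEY, snippet TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", SAMPLE_SMS)
    conn.execute("INSERT INTO threads VALUES (1, ?)", (SAMPLE_SMS[-1][4],))
    conn.commit()
    return conn


def open_pulled_db(path):
    """Open a database pulled with adb read-only, so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables: read the schema catalogue."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def select_with_headers(conn, table):
    """Equivalent of '.headers on' followed by SELECT * FROM <table>."""
    if table not in list_tables(conn):          # only query names present in the schema
        raise ValueError(f"no such table: {table}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def sms_timeline(conn):
    """Decode sms.date (epoch milliseconds) and sms.type into a readable UTC timeline."""
    rows = conn.execute("SELECT date, type, address, body FROM sms ORDER BY date")
    out = []
    for ms, typ, address, body in rows:
        when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append((when, SMS_TYPES.get(typ, f"type {typ}"), address, body))
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print(".tables ->", list_tables(db))
    headers, rows = select_with_headers(db, "sms")
    print("|".join(headers))
    for row in rows:
        print("|".join(str(v) for v in row))
    for entry in sms_timeline(db):
        print(*entry)
```

The timeline is reported in UTC; compare it with the AVD's own date/time setting recorded in Part B step 11 before drawing conclusions about when a message was sent.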

Reflection 2
1. Leveraging the sqlite knowledge above, record down the SQL commands to list the
wireless carriers in telephony.db:

Answer:

Part D: Application memory in Android Virtual Device (AVD)
1. We will acquire the application memory (heap); note this is not the whole memory of the
AVD. Remember each application runs in its own virtual memory. Ensure only one AVD is
running.
2. From the 2.3.1 (Google Inc.) AVD created in Part A, install the YouTube app using
YouTube 4.1.23.apk in the /root/Downloads directory from Ubuntu, not from the AVD.
(Hint to install from Ubuntu: “adb -h”)
3. Start the YouTube app and search for “gangnam style”.
4. We will utilize Dalvik Debug Monitor Server (DDMS) to capture the heap memory of
YouTube app.
5. Start a terminal and change directory to /root/android-sdk-linux_86/tools. Proceed to
start the DDMS by typing: ./ddms
6. It should connect to the started AVD (from step 2).

7. Question: What is the port number assigned to monitor the YouTube app? __________
8. Highlight the YouTube app in DDMS and click the “Dump HPROF file” button to
extract the heap memory of the YouTube app.

9. Save the hprof file under /root/Downloads/YouTube folder. Create the YouTube
folder.

10. Well, now is the moment for our good sidekick (i.e. hexedit) to work its magic.
11. Open the YouTube hprof file with hexedit:
hexedit /root/Downloads/YouTube/com.google.android.youtube.hprof
12. Press the TAB (on your physical keyboard) to search with ASCII; ensure the blinking
cursor is on the ASCII area.

13. Press the forward slash / (on your physical keyboard) and search for “gangnam”.
14. Based on the search hit, what is evidentiary about it?

15. We are done with hexedit, exit from it by pressing keys: CTRL-X.
16. Use another method to search the hprof file, the Eclipse Memory Analyzer Tool
(MAT).

17. Before the YouTube hprof file could be used by MAT, it needs to be converted to a
format compatible with MAT by typing:
/root/android-sdk-linux_86/tools/hprof-conv /root/Downloads/YouTube/com.google.android.youtube.hprof /root/Downloads/YouTube/youtube_stand.hprof
(Note: all in one command).
18. Change directory to /root/Downloads/mat. Proceed to start MAT by typing:
./MemoryAnalyzer
19. Open the file (/root/Downloads/YouTube/youtube_stand.hprof) and press Cancel
when a wizard appears.
20. Use Open Query Language (OQL); it is just another variation of SQL for object-oriented
databases.
21. Click the Open Object Query Language button to explore the OQL function.

22. Search for all the strings in YouTube hprof file using OQL:
Select * from java.lang.String

23. Click the Execute Query button to play the OQL statement from step 22.

24. Let’s extract all the strings into a text file for easy searching. Highlight the last row
with Total:…. Then right-click and select Expand All. Click OK when prompted.

Note: This command will take some time to complete processing.

25. Click on the Export button and select Export to TXT. This is to extract all the strings
into a text file for easy searching. Save the file as YouTube_text under
/root/Downloads/YouTube folder.

26. Open the YouTube_text.txt file and search for evidentiary records of the AVD user
possibly watching gangnam style.

Part E: NAND flash in Android Virtual Device (AVD)

1. Android devices do not have a traditional hard disk or SSD; they utilize NAND flash as
non-volatile storage. But flash devices are not block devices, thus they require an
abstraction layer, the FTL (Flash Translation Layer), which is part of the MTD (Memory
Technology Device) subsystem, to manage the flash device.

Apps
  |
File system
  |
MTD (FTL)
  |
Flash device

2. Take a look at the NAND flash from the 2.3.1 (Google Inc.) AVD created in Part A.
3. From the AVD, start the browser and go to www.tp.edu.sg. Make sure it successfully
loads the website.
4. To execute a shell over adb on the connected AVD: adb shell
(Hint: refer to Part B again for executing a shell over adb.)

5. List the MTD devices, by typing: ls -l /dev/mtd
6. Record down the MTD devices shown:
Answer:

7. Another location to list the usage of MTD devices is under /proc, by typing:
cat /proc/mtd
8. Record down the MTD devices shown and note the relationship between Step 5 and 6:
# cat /proc/mtd
dev: size erasesize name
mtd0: 0c200000 00020000 "system"
mtd1: 0c200000 00020000 "userdata"
mtd2: 04000000 00020000 "cache"

9. Image size of the system, userdata and cache partitions.
What are the sizes of the 3 partitions?
- System: 194MB
- Userdata: 194MB
- Cache: 64MB
- Total size for the 3 partitions: 452MB
(Hint: use the df command)
10. Record down the file system for the 3 partitions: system, userdata and cache.
System: yaffs2
Userdata: yaffs2
Cache: yaffs2
(Hint: use the mount command)

Answer:

11. It is now time to create an SD card with a size of 700MB (that is, greater than the total size
of the 3 partitions).
Close the started AVD. (Click the X button at the top left of the AVD.)
Create a new folder Lab1 under the /root/Downloads folder.
Change directory to the /root/Downloads/Lab1 folder.
Create an SD card image with a size of 700MB:
mksdcard 700M Lab1_sdcard
Question:
What is the file system for the Lab1_sdcard? ____________
(Hint: fsstat Lab1_sdcard or mksdcard)
Update the AVD to use the newly created SD card (Review the steps in Part A
for how to edit the AVD).

12. Start the AVD and check the AVD is updated with 700MB SD card. From AVD,
Setting -> Storage.
13. From the AVD, start the browser and go to www.tp.edu.sg. Make sure it successfully
loads the website. Also access the YouTube app and search for gangnam style.
14. To execute a shell over adb on the connected AVD: adb shell
15. Create forensic images of the system, userdata and cache partitions using nanddump.
Question:
What is the purpose of nanddump? ____________

Copy nanddump from the /root/Downloads/mtd-utils folder to AVD SD card
using adb push.
Copying Files to or from an Emulator/Device Instance
You can use the adb commands pull and push to copy files to and from an emulator/device
instance's data file. Unlike the install command, which only copies an .apk file to a specific
location, the pull and push commands let you copy arbitrary directories and files to any
location in an emulator/device instance.

To copy a file or directory (recursively) from the emulator or device, use

adb pull <remote> <local>


To copy a file or directory (recursively) to the emulator or device, use

adb push <local> <remote>


In the commands, <local> and <remote> refer to the paths to the target files/directory on your
development machine (local) and on the emulator/device instance (remote).

Here's an example:

adb push zash.txt /sdcard/zash

16. To dump the system partition from adb shell:

cd to the sdcard: cd /sdcard
dump the system partition from adb shell:
./nanddump /dev/mtd/mtd0 > /sdcard/mtd0.dd
- Record down the error seen:

_________________________________________________________________
- Question:
What is your explanation for the error?
__________________________________________________
Ans:

What is your suggestion to rectify the error and allow the execution of
nanddump?
__________________________________________________
dump the system partition from adb shell, again:
./nanddump /dev/mtd/mtd0 > /sdcard/mtd0.dd

Note: This will take about 28.51 seconds to complete. Your patience is appreciated.
Record down the file size of mtd0.dd
__________________________________________________
Is the file size the same as Step 8?
__________________________________________________
17. Loop Step 14
While (partition = userdata || partition = cache);
18. In summary, you should have 3 dd files (for system, userdata and cache partitions)
and their file sizes are the same as step 8. If not, please revisit step 14.

# ./nanddump /dev/mtd/mtd1 > /sdcard/mtd1.dd
# ./nanddump /dev/mtd/mtd2 > /sdcard/mtd2.dd
# ls -l
----rwxr-x system sdcard_rw 203423744 2012-10-31 02:42 mtd0.dd
----rwxr-x system sdcard_rw 203423744 2012-10-31 03:03 mtd1.dd
----rwxr-x system sdcard_rw 67108864 2012-10-31 03:04 mtd2.dd
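The check that steps 8, 9, 16 and 18 ask you to do by eye (partition sizes from /proc/mtd versus the sizes of the dd files) is mechanical, so here it is as an added Python example; this is not part of the lab handout. It parses the /proc/mtd listing from step 8 (sizes are hexadecimal byte counts) and the ls -l listing above (Android's toolbox ls prints no link count, unlike GNU ls), converts to whole mebibytes as df reports them, and flags any dump whose size differs from its partition. The two embedded inputs are copies of the listings shown on this page.

```python
import re

# Constructed inputs reproducing the lab's own listings: /proc/mtd from step 8 and
# the ls -l of the dumped partitions from step 18.
PROC_MTD = """\
dev: size erasesize name
mtd0: 0c200000 00020000 "system"
mtd1: 0c200000 00020000 "userdata"
mtd2: 04000000 00020000 "cache"
"""

LS_OUTPUT = """\
----rwxr-x system sdcard_rw 203423744 2012-10-31 02:42 mtd0.dd
----rwxr-x system sdcard_rw 203423744 2012-10-31 03:03 mtd1.dd
----rwxr-x system sdcard_rw 67108864 2012-10-31 03:04 mtd2.dd
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')
# Android toolbox ls -l prints: perms owner group size YYYY-MM-DD HH:MM name (no link count).
LS_LINE = re.compile(r'(\d+)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(\S+)$')


def parse_proc_mtd(text):
    """Return {device: (name, size_bytes, erasesize_bytes)}; /proc/mtd prints sizes in hex."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:                                   # the "dev: size erasesize name" header never matches
            dev, size, erase, name = m.groups()
            parts[dev] = (name, int(size, 16), int(erase, 16))
    return parts


def parse_ls_sizes(text):
    """Return {filename: size_bytes} from the toolbox ls -l listing."""
    sizes = {}
    for line in text.splitlines():
        m = LS_LINE.search(line)
        if m:
            sizes[m.group(2)] = int(m.group(1))
    return sizes


def mib(nbytes):
    """Whole mebibytes, which is how df reports these partitions (194, 194, 64)."""
    return nbytes // (1024 * 1024)


def verify_dumps(proc_mtd_text, ls_text):
    """For each partition, check that <dev>.dd is exactly the partition size from /proc/mtd."""
    parts = parse_proc_mtd(proc_mtd_text)
    sizes = parse_ls_sizes(ls_text)
    report = {}
    for dev, (name, size, erase) in parts.items():
        actual = sizes.get(dev + ".dd")
        report[name] = {
            "device": dev,
            "expected": size,
            "actual": actual,
            "erase_blocks": size // erase,   # number of NAND eraseblocks in the partition
            "ok": actual == size,
        }
    return report


if __name__ == "__main__":
    for name, r in verify_dumps(PROC_MTD, LS_OUTPUT).items():
        status = "OK" if r["ok"] else "MISMATCH"
        print(f'{r["device"]} {name:9s} expected {r["expected"]} ({mib(r["expected"])} MB) '
              f'got {r["actual"]} -> {status}')
```

A missing dump shows up as actual None, and a dump larger than its partition is worth investigating before you analyse it: older mtd-utils builds of nanddump include the out-of-band (spare) bytes of every page by default, which inflates the image and breaks the block layout that file carving and strings rely on.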

19. The next logical step is to copy the 3 dd files into the forensics virtual machine using
adb pull.
adb pull /sdcard/mtd0.dd /root/Downloads/Lab1/mtd0.dd
adb pull /sdcard/mtd1.dd /root/Downloads/Lab1/mtd1.dd
adb pull /sdcard/mtd2.dd /root/Downloads/Lab1/mtd2.dd

Note: Every pull takes roughly 75.516 seconds to complete. Your patience is appreciated.

20. Question: How can we extract evidentiary items from the 3 dd files?

Part E1: Searching of evidentiary item utilizing file carving


21. We will make use of an open source file carving program, scalpel.
22. Edit the scalpel.conf file to uncomment GIF, JPG, PNG and BMP file types for file
carving process: nano /etc/scalpel/scalpel.conf
23. Create a new directory to store the output of file carving:
mkdir -p /root/Downloads/Lab1/Carve
24. To start the process to carve for GIF, JPG, PNG and BMP files:
scalpel -c /etc/scalpel/scalpel.conf /root/Downloads/Lab1/mtd1.dd -o /root/Downloads/Lab1/Carve

Note: The carving takes roughly 352 seconds to complete. Your patience is appreciated.

25. Look through the carved files under the folder /root/Downloads/Lab1/Carve; you should
be able to find familiar pictures, as you previously accessed the TP website using the
AVD. Gotcha!
26. Repeat from Step 24 for the other 2 dd files. Record down their carved output:
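To show what scalpel is actually doing in steps 22 to 24, here is an added Python example of header/footer file carving (not part of the lab handout and not scalpel's code): it scans a raw image for the same kind of header and footer signatures that the scalpel.conf entries describe, cuts each file out up to its footer within a maximum size, and can write the results with scalpel-style numbered file names. The sample image is constructed inline: a valid 1x1 PNG built with zlib, a JPEG and a GIF that carry only the framing bytes, all buried in deterministic filler. The signature list covers PNG, JPEG and GIF only; a BMP entry would be added the same way.

```python
import os
import struct
import zlib

# Header/footer signatures in the spirit of the scalpel.conf entries the lab has you
# uncomment: (extension, header, footer, maximum carve size in bytes).
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20_000_000),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("gif", b"GIF87a", b"\x00\x3b", 5_000_000),
    ("gif", b"GIF89a", b"\x00\x3b", 5_000_000),
]


def carve(data, signatures=SIGNATURES):
    """Scan a raw image for each header and cut the file out up to its footer.
    Returns [(extension, offset, carved_bytes)] sorted by offset."""
    hits = []
    for ext, header, footer, max_size in signatures:
        start = data.find(header)
        while start != -1:
            limit = min(len(data), start + max_size)
            footer_at = data.find(footer, start + len(header), limit)
            if footer_at == -1:                     # no footer within the size limit: skip header
                start = data.find(header, start + 1)
                continue
            end = footer_at + len(footer)
            hits.append((ext, start, data[start:end]))
            start = data.find(header, end)          # resume after the carved file
    return sorted(hits, key=lambda h: h[1])


def save_carved(hits, outdir):
    """Write carved files with scalpel-style numbered names; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for i, (ext, offset, blob) in enumerate(hits):
        path = os.path.join(outdir, f"{i:08d}.{ext}")
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def _png_chunk(tag, payload):
    return (struct.pack(">I", len(payload)) + tag + payload
            + struct.pack(">I", zlib.crc32(tag + payload) & 0xFFFFFFFF))


def minimal_png():
    """A valid 1x1 greyscale PNG built on the fly, so the sample needs no image file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")               # filter byte 0 + one grey pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


FILLER = bytes(range(256)) * 2   # deterministic junk containing none of the signatures


def build_sample_image():
    """Constructed stand-in for a partition dump: three small files buried in filler.
    Returns (data, {extension: expected offset})."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"  # framed, not decodable
    gif = b"GIF89a\x01\x00\x01\x00" + b"\x22" * 20 + b"\x00\x3b"
    png = minimal_png()
    data = FILLER + jpg + FILLER + gif + FILLER + png + FILLER
    expected = {
        "jpg": len(FILLER),
        "gif": 2 * len(FILLER) + len(jpg),
        "png": 3 * len(FILLER) + len(jpg) + len(gif),
    }
    return data, expected


if __name__ == "__main__":
    image, _ = build_sample_image()
    for ext, offset, blob in carve(image):
        print(f"{ext} at offset {offset:#x}, {len(blob)} bytes")
```

The same limitations apply to scalpel: a JPEG with an embedded EXIF thumbnail ends at the thumbnail's footer, a file that is fragmented across non-adjacent eraseblocks is cut short or padded with unrelated data, and a footer that never appears within the size limit means the header is skipped, so always sanity-check carved pictures by opening them.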

Part E2: Searching of evidentiary item utilizing Strings

27. Search for text output from the 3 dd files.

strings -a /root/Downloads/Lab1/mtd1.dd > /root/Downloads/Lab1/mtd1_text.txt
28. There are humongous amounts of text generated. How about searching for gangnam
style? Or the TP website?
29. Repeat Step 27 for the cache dd file. Record down the possible website visited:
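The strings step above, and the hexedit and MAT text searches in Part D, all reduce to the same operation: pull runs of printable characters out of a binary blob and grep them. Here it is as an added Python example (not part of the lab handout, not the GNU strings utility), with one addition the plain strings -a command does not make: it also recovers UTF-16LE runs, which is how Java and Dalvik hold String objects in memory, so a term such as the search keyword can be present in a heap dump yet invisible to an ASCII-only search. The sample dump is constructed inline (an ASCII URL, a UTF-16LE search term and a GIF header in non-printable filler); the strings_file helper runs the same extraction over a dd or hprof file on disk.

```python
import re

FILLER = b"\x00\x07\x80\xfe" * 64   # 256 non-printable bytes: strings reports nothing here


def build_sample_dump():
    """Constructed stand-in for a partition/heap dump: an ASCII URL, a UTF-16LE search
    term (how Java/Dalvik keeps strings in memory) and an ASCII GIF header."""
    return (FILLER + b"http://www.tp.edu.sg/" + FILLER
            + "gangnam style".encode("utf-16-le") + FILLER
            + b"GIF89a" + FILLER)


def extract_strings(data, min_len=4):
    """Like `strings -a` (ASCII runs) together with `strings -a -e l` (UTF-16LE runs).
    Returns [(offset, encoding, text)] sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def search_strings(data, keyword, min_len=4):
    """The grep step: case-insensitive keyword search over all extracted strings."""
    needle = keyword.lower()
    return [hit for hit in extract_strings(data, min_len) if needle in hit[2].lower()]


def strings_file(path, keyword=None, min_len=4):
    """Run the same extraction over a dd or hprof file on disk (e.g. mtd1.dd)."""
    with open(path, "rb") as f:
        data = f.read()      # fine for the ~200 MB images in this lab; use mmap for larger ones
    return search_strings(data, keyword, min_len) if keyword else extract_strings(data, min_len)


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc, text in search_strings(dump, "gangnam"):
        print(f"{offset:#x} {enc:9s} {text}")
```

Record the offset along with each hit: it is what lets you go back to the dd image in hexedit and see the bytes around the string, which is usually where the evidentiary context (the surrounding URL, file name or database record) lives.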

= End =
