TRANSCRIPT
CSAFE Presentations and Proceedings Center for Statistics and Applications in Forensic Evidence
2-17-2020
Android™ App Forensic Evidence Database (AndroidAED)
Chen Shi Iowa State University, [email protected]
Chao-Chun Cheng Iowa State University, [email protected]
Connor Kocolowski Iowa State University
Emmett Kozlowski Iowa State University
Justin Kuennen Iowa State University
Recommended Citation: Shi, Chen; Cheng, Chao-Chun; Kocolowski, Connor; Kozlowski, Emmett; Kuennen, Justin; Lawlor, Matthew; Kerr, Mitchell; Stair, Jacob; Liao, Zhonghao; Gong, Zhenqiang; and Guan, Yong, "Android™ App Forensic Evidence Database (AndroidAED)" (2020). CSAFE Presentations and Proceedings. 63. https://lib.dr.iastate.edu/csafe_conf/63
Abstract: Learning Overview: After attending this presentation, attendees will better understand how AndroidAED benefits academic researchers whose studies relate to mobile applications, by giving them the ability to search through many of the applications available across various third-party app stores.
Disciplines: Electrical and Computer Engineering | Forensic Science and Technology
Comments: Shi, C., Cheng, C.C., Kocoloski, C., Kozlowski, E., Kuennen, J., Lawlor, M., Kerr, M., Stair, J., Liao, Z., Gong, Z., Guan, Y., Android app Forensic Evidence Database (AndroidAED), 2020 AAFS, Anaheim, CA. Posted with permission from CSAFE.
Authors: Chen Shi, Chao-Chun Cheng, Connor Kocolowski, Emmett Kozlowski, Justin Kuennen, Matthew Lawlor, Mitchell Kerr, Jacob Stair, Zhonghao Liao, Zhenqiang Gong, and Yong Guan
This presentation is available at Iowa State University Digital Repository: https://lib.dr.iastate.edu/csafe_conf/63
Android™ App Forensic Evidence Database (AndroidAED)
Chen Shi, Chris Chao-Chun Cheng, Brody Concannon, Neil Zhenqiang Gong, and Yong Guan
Acknowledgement: Barbara Guttman, Michael Ogata, and James Lyle (NIST)
UIUC Chinese Scholar Kidnapping
Research funded by the Center for Statistics and Applications in Forensic Evidence (CSAFE) - forensicstats.org
Mobile App’s Evidence: UIUC Kidnapping
Obtain the suspect’s mobile device
Extract the file system image
Identify evidence in the image
Web browsing history (from the recovered image): "abduction 101", "perfect abduction fantasy", "decomposition"
Rape and Murder in Germany
Mobile App’s Evidence: Rape and Murder
Mobile Forensics Problems
1. Given an app, what kinds of information will be collected and where will it be stored?
2. After the app is updated, how does the evidentiary data it stores change?
3. What kinds of evidence are stored on the suspect's device, and where are they located?
App Evidence Database
Design and Implementation
System Diagram: Website UI
App Crawlers Development
• 54 App Markets: Google Play Store, ApkPure, ApkMirror
• Versions, MD5 hash, Permission list, Release date …
App Crawlers and Servers
Website UI: enter a keyword to search; results are gathered from various sources (e.g., ApkMirror)
Evidentiary data and metadata
EviHunter - Static Program Analysis
1. Obtain the Android Package (APK) file
2. Extract the app's code
3. Perform forward analysis and apply propagation rules
4. Output when reaching a sink method
Chris Chao-Chun Cheng, Chen Shi, Neil Zhenqiang Gong, and Yong Guan, "EviHunter: Identifying Digital Evidence in the Permanent Storage of Android Devices via Static Analysis," in ACM CCS 2018
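Added example (not EviHunter's own code) of the forward analysis the four steps describe, run over a constructed three-address IR for a hypothetical app; the source, sink and handle method lists and the propagation rules are assumptions chosen for the demonstration:

```python
# Methods whose return value carries an evidence type (assumed list for the demo).
SOURCES = {"LocationManager.getLastKnownLocation": "Location",
           "System.currentTimeMillis": "Time"}
# Sink methods that persist data; their first argument is the storage handle (assumed).
SINKS = {"SQLiteDatabase.insert", "FileOutputStream.write"}
# Methods that turn a path string into a storage handle (assumed).
HANDLES = {"Context.openOrCreateDatabase", "FileOutputStream.<init>"}


def analyze(program):
    """One forward pass over a three-address IR. Returns a list of
    (sink method, resolved storage path, sorted evidence types) findings."""
    taint = {}     # variable -> set of evidence types flowing into it
    value = {}     # variable -> string value when it is statically known
    findings = []
    for ins in program:
        kind, dst = ins[0], ins[1]
        if kind == "const":                  # dst = "literal"
            value[dst] = ins[2]
        elif kind == "concat":               # dst = a + b (string append rule)
            a, b = ins[2], ins[3]
            taint[dst] = taint.get(a, set()) | taint.get(b, set())
            if a in value and b in value:
                value[dst] = value[a] + value[b]
        elif kind == "call":                 # dst = method(args)
            method, args = ins[2], ins[3]
            if method in SOURCES:            # source rule: result is tainted
                taint[dst] = {SOURCES[method]}
            elif method in HANDLES:          # path rule: handle inherits the path
                value[dst] = value.get(args[0], "<unresolved path>")
            elif method in SINKS:            # sink rule: report what reaches storage
                data = set().union(*(taint.get(a, set()) for a in args[1:]))
                if data:
                    findings.append((method, value.get(args[0], "<unresolved path>"), sorted(data)))
            else:                            # default rule: taint flows from args to result
                taint[dst] = set().union(*(taint.get(a, set()) for a in args))
    return findings


# Constructed IR for a hypothetical app that stores location and time in an SQLite file.
PROGRAM = [
    ("const", "dir", "/data/data/com.example.app/databases/"),
    ("const", "name", "ldata.db"),
    ("concat", "path", "dir", "name"),
    ("call", "loc", "LocationManager.getLastKnownLocation", ["mgr"]),
    ("call", "ts", "System.currentTimeMillis", []),
    ("call", "row", "ContentValues.put", ["loc", "ts"]),
    ("call", "db", "Context.openOrCreateDatabase", ["path"]),
    ("call", "_", "SQLiteDatabase.insert", ["db", "row"]),
]
```

Running `analyze(PROGRAM)` reports that both Location and Time reach the insert sink at the resolved path; an app whose path is built from a runtime value would instead be reported with an unresolved path, which is the case a real analyzer must handle with more precise string analysis.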
EviHunter - Dynamic Program Analysis
Preprocessing: Install a customized Android OS on the device
For each app:
1. Install and run it on the device carrying the modified OS
2. Output when reaching a sink method
Zhen Xu, Chen Shi, Chris Cheng, Neil Gong and Yong Guan, "A Dynamic Taint Analysis Tool for Android App Forensics," in SADFE 2018
Airpush: 450 million users, > 300K apps (source: https://airpush.com/about/)
Hourly Tracking
133 apps. Path: /data/data/<package name>/databases/ldata.db. Evidence type: Location and Time
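Added example, not part of the presentation: a read-only triage script that walks an extracted file-system image for the ldata.db path named on the slide, records each copy's MD5 and per-table row counts, and builds a constructed sample image to run against (the table schema and package names are assumptions; the slide gives neither).

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def find_ldata_dbs(image_root):
    """Return one record per /data/data/<package>/databases/ldata.db in an
    extracted image: package name, MD5 of the file and row count per table."""
    base = Path(image_root) / "data" / "data"
    records = []
    if not base.is_dir():
        return records
    for pkg_dir in sorted(p for p in base.iterdir() if p.is_dir()):
        db = pkg_dir / "databases" / "ldata.db"
        if not db.is_file():
            continue
        digest = hashlib.md5(db.read_bytes()).hexdigest()   # for the custody record
        # Open read-only through a URI so the examination cannot alter the evidence file.
        con = sqlite3.connect(db.as_uri() + "?mode=ro", uri=True)
        try:
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            tables = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
        finally:
            con.close()
        records.append({"package": pkg_dir.name, "md5": digest, "tables": tables})
    return records


def build_sample_image():
    """Constructed stand-in for an extracted image: two packages, one carrying an
    ldata.db with a location/time table (the schema is an assumption)."""
    root = Path(tempfile.mkdtemp())
    for package, has_db in (("com.example.tracked", True), ("com.example.clean", False)):
        dbdir = root / "data" / "data" / package / "databases"
        dbdir.mkdir(parents=True)
        if has_db:
            con = sqlite3.connect(dbdir / "ldata.db")
            con.execute("CREATE TABLE loc (lat REAL, lon REAL, ts INTEGER)")
            con.executemany("INSERT INTO loc VALUES (?, ?, ?)",
                            [(42.03, -93.63, 1581897600), (42.02, -93.65, 1581901200)])
            con.commit()
            con.close()
    return str(root)
```

`find_ldata_dbs(build_sample_image())` lists only the package that carries the database, with its hash and `{"loc": 2}`; on a real image the same call is pointed at the mount or extraction root.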
Step 1. Crawl apps from markets
Step 2. Apply EviHunter to generate results
Step 3. Upload apps, metadata, and forensic analysis results
Summary and Future Directions
• Save time and move fast in real-world cases.
• Up-to-date forensic analysis result of real-world apps.