Monday, Sep 26th, 2011
Posted By Eoghan Casey
This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the DFRWS Web site.
The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.
An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.
The winning submission provides a technical analysis of data structures found in memory dump from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).
A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:
| Address |
date/time (UTC) |
read |
type |
body |
| shandra@cheerful.com |
05/06/2011 01:34:55 AM |
True |
in |
(Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon. |
| sms.dynadel@gmail.com |
05/06/2011 05:53:30 PM |
True |
in |
Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours. |
| sms.dynadel@gmail.com |
05/06/2011 05:55:16 PM |
True |
in |
This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies |
| shandra@cheerful.com |
05/07/2011 11:39:16 PM |
True |
in |
(Save me!) If Luke asks, I’m going out with you to dinner, OK?
I just can’t face Mr. Smooth tonight.
Shandra |
| 6245 |
05/07/2011 11:44:27 PM |
True |
out |
Sure thing. Do you know where the wine loft is? |
| 6245 |
05/07/2011 11:54:37 PM |
True |
out |
I ran into some friends at the double wide, meetup at 8:30 or so? |
| 6245 |
05/07/2011 11:56:53 PM |
True |
out |
Or you can walk down Carson and join us |
Much more information was extracted from both Android devices as detailed in the reports, which include an impressive graphical reconstruction of events.
(No Comments)
443-451-7330
