Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013,

Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013, Pages S12-S20 Reporter: Shih-Fong Sie

Outline
1. Introduction
2. DroidWatch
3. Analysis and evaluation
4. Conclusions
5. Personal remark

1. Introduction. In the United States (U.S.), 121.3 million people, roughly one third of the population, owned a smartphone as of October 2012 (comScore, 2012; USA Census Bureau, 2010). Some organizations have begun offering personnel the ability to use personal devices (including Android smartphones) on corporate networks under Bring Your Own Device (BYOD) policies.

1. Introduction. Unlike Research In Motion (RIM), Android device vendors do not ship devices with built-in mobile device management (MDM) systems. Third-party MDM is a quickly evolving vendor space that addresses the security gaps left by the smartphone industry.

1. Introduction. This paper focuses on the design and implementation of an Android application (“app”) that automates the collection of useful data for internal investigations, including policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage.

2. DroidWatch. DroidWatch is an automated system prototype composed of an Android application and an enterprise server. After obtaining user consent, DroidWatch continuously collects, stores, and transfers forensically valuable Android data to a remote Web server without root privileges.

2. DroidWatch. Rooting enables users to perform higher-privileged functions on a device than are ordinarily possible under regular user mode. Rooting can undermine the system’s security and decrease interoperability, which is why DroidWatch runs without it.

2. DroidWatch. Each descending layer in the figure represents a higher level of abstraction.

2. DroidWatch: User consent to monitoring. The DroidWatch app depends on user consent. Once consent is given, a long-running service is launched to perform data collection, storage, and transfers.

2. DroidWatch: Design strategy. Broadcasts are the first choice for collecting an event; if broadcasts are not available, consider content observers for implementation. Alarms should be used if broadcasts and content observers are unavailable or ineffective for the targeted data collections.

2. DroidWatch: Local storage. All collected data is stored temporarily in a local SQLite database on the phone, configured to be accessible to the DroidWatch app only. This allows each DroidWatch collection to proceed in a thread-safe and structured manner.

2. DroidWatch: Enterprise server. Splunk periodically pulls data from the MySQL database and makes the events available in its interface for analysis and reporting.

2. DroidWatch: Data process flow. Data collection is a continuous process, while transfers to the enterprise server are attempted every 2 h (this value is configurable).

2. DroidWatch: Data sets. This slide lists the data sets collected by DroidWatch.

3. Analysis and evaluation: Events logged over 24 h. The chart illustrates the number of logged events extracted from Splunk over the span of a single day, broken down by data set.

3. Analysis and evaluation: Detected screen unlock actions (Splunk). A search for “Screen Unlocked” in Splunk displays a timeline of user-performed actions that indicate active phone usage.

3. Analysis and evaluation: Suspicious contacts and communications. A search reveals the logs of a picture taken on Saturday, December 22, 2012, at 3:20 p.m. that was subsequently attached to an outgoing MMS (Multimedia Messaging Service) message. If it is found (possibly through GPS tracking) that the user was alone in the office, more analysis may be required to determine whether data leakage occurred.
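As an added illustration (not code from the paper or from DroidWatch), the following Python reproduces two of the analyses described above over constructed DroidWatch-style event records: the per-data-set event count behind the 24 h chart, and the correlation of a picture being taken with an outgoing MMS that attaches the same file. The record shape, file names, phone numbers and time window are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the shape DroidWatch forwards to Splunk:
# (data set, timestamp, detail). Not real captures from the paper.
SAMPLE_EVENTS = [
    ("Screen", "2012-12-22 15:18:05", "Screen Unlocked"),
    ("Pictures", "2012-12-22 15:20:11", "Picture taken: IMG_1207.jpg"),
    ("MMS", "2012-12-22 15:23:40", "Outgoing MMS to +15550100 attachment=IMG_1207.jpg"),
    ("Browser", "2012-12-22 16:02:19", "Visited https://example.com/upload"),
    ("Pictures", "2012-12-22 18:45:00", "Picture taken: IMG_1208.jpg"),
    ("MMS", "2012-12-22 21:00:00", "Outgoing MMS to +15550199 attachment=IMG_1208.jpg"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def events_per_data_set(events):
    """Count logged events per data set, as in the 24 h breakdown chart."""
    return Counter(data_set for data_set, _, _ in events)


def picture_to_mms_leaks(events, window_minutes=15):
    """Pair each 'Picture taken' event with a later outgoing MMS that attaches
    the same file within window_minutes. Each hit is (file, mms_timestamp,
    minutes_between) and marks a sequence an analyst should follow up on."""
    taken_at = {}   # file name -> time the picture was taken
    hits = []
    # ISO-style timestamps sort correctly as strings
    for data_set, ts, detail in sorted(events, key=lambda e: e[1]):
        when = parse_ts(ts)
        if data_set == "Pictures" and detail.startswith("Picture taken: "):
            taken_at[detail.split(": ", 1)[1]] = when
        elif data_set == "MMS" and "attachment=" in detail:
            fname = detail.split("attachment=", 1)[1].split()[0]
            taken = taken_at.get(fname)
            if taken is not None and when - taken <= timedelta(minutes=window_minutes):
                hits.append((fname, ts, int((when - taken).total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    print(events_per_data_set(SAMPLE_EVENTS))
    for fname, ts, minutes in picture_to_mms_leaks(SAMPLE_EVENTS):
        print(f"{fname} attached to MMS at {ts}, {minutes} min after capture")
```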

3. Analysis and evaluation: Location monitoring. Last known locations recorded by DroidWatch include the device ID, latitude, longitude, and capture time. The approach that DroidWatch uses to collect locations conserves battery life, but results in sparse logging of recorded locations.

3. Analysis and evaluation: Internet history. DroidWatch collects and makes available the events performed within the built-in Android Web browser. This information can be used to identify suspicious browser usage within an enterprise, such as uploads of intellectual property to external websites.

3. Analysis and evaluation: Malicious apps. The DroidWatch result fields for app installs and removals include the app’s name, the action taken, and the install/removal date. The presence of a malicious app in these results would warrant additional concern and security measures during an internal investigation.

4. Conclusions. DroidWatch requires further development to broaden and improve its capabilities. Anti-tampering mechanisms will also need to be implemented to increase security. This research contributes a novel development design strategy, which can be used to prioritize Android app components for monitoring.

5. Personal remark. Because people often use a smartphone’s USB (Universal Serial Bus) connection to transfer data, DroidWatch could add a “USB” data set: connected device ID, data transmitted, and connection time.

Thanks for your attention!