Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013,

Published byLorraine Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013,"— Presentation transcript:

1 Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013, Pages S12-S20 Reporter: Shih-Fong Sie

2 Outline 1.Introduction 2.DroidWatch 3.Analysis and evaluation 4.Conclusions 5.Personal remark 2

3 1. Introduction 3 In the United States (U.S.), 121.3million people roughly one third of the population owned a smartphone as of October 2012 (comScore, 2012; USA Census Bureau, 2010). Some organizations have begun offering personnel the ability to use personal devices(including Android smartphones) on corporate networks under Bring Your Own Device (BYOD) policies.

4 1. Introduction Unlike Research In Motion (RIM), Android device vendors do not ship with built-in mobile device management (MDM) systems. Third-party MDM is a quickly evolving vendor space that addresses the security gaps left by the smartphone industry. 4

5 1. Introduction This paper focuses on the design and implementation of an Android application (“app”) that automates the collection of useful data for internal investigations, including policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage. 5

6 2.DroidWatch DroidWatch is an automated system prototype composed of an Android application and an enterprise server. After obtaining user consent, DroidWatch continuously collects, stores, and transfers forensically valuable Android data to a remote Web server without root privileges. 6

7 2.DroidWatch Rooting enables users to perform higher privileged functions on a device than are ordinarily possible under regular user mode. The consequences can undermine the system’s security, decrease interoperability. 7

8 2.DroidWatch 8 Each descending layer represents a higher level of abstraction.

9 2.DroidWatch The DroidWatch app is dependent upon a user consent. Long-running service is launched to perform data collection, storage, and transfers. 9 User consent to monitoring

10 2.DroidWatch If broadcasts are not available, consider content observers for implementation. Alarms should be used if broadcasts and content observers are unavailable or ineffective for the targeted data collections. 10 Design strategy

11 2.DroidWatch All collected data is stored temporarily in a local SQLite database on the phone and is configured to be accessible to the DroidWatch app only. This allows each DroidWatch collection to perform in a thread-safe and structured manner. 11 Local storage

12 2.DroidWatch Splunk periodically pulls data from the MySQL database and makes the events available in its interface for analysis and reporting. 12 Enterprise server

13 13 2.DroidWatch Data collection is a continuous process, while transfers are attempted every 2 h (this value is configurable) Data process flo

14 2.DroidWatch Lists the data sets collected by DroidWatch. 14 Data sets

15 3. Analysis and evaluation Illustrates the number of logged events extracted from Splunk over the span of a single day, broken down by data set. 15 Events logged over 24 h

16 3. Analysis and evaluation A search for “Screen Unlocked” in Splunk displays a timeline of user-performed actions that indicate active phone usage. 16 Detected screen unlock actions (Splunk)

17 3. Analysis and evaluation Shows a search revealing the logs of a picture taken on Saturday, December 22, 2012, at 3:20 p.m. that was subsequently attached to an outgoing MMS(Management and Marketing Society)message. If it is found (possibly through GPS tracking) that the user was alone in the office, more analysis may be required to determine whether a data leakage occurred. 17 Suspicious contacts and communications

18 3. Analysis and evaluation Last known locations recorded by DroidWatch include the device ID, latitude, longitude, and capture time. The approach that DroidWatch uses to collect locations conserves battery life, but results in the sparse logging of recorded locations. 18 Location monitoring

19 3. Analysis and evaluation DroidWatch collects and makes available the events performed within the built-in Android Web browser. This information can be used to identify suspicious browser usage on an enterprise, such as uploads of intellectual property to external websites. 19 Internet history

20 3. Analysis and evaluation Provided DroidWatch result fields include the app’s name, action taken, and install/removal date. This would warrant additional concerns and security measures during an internal investigation. 20 Malicious apps

21 4.Conclusions DroidWatch requires further development to broaden and improve its capabilities. Anti-tampering mechanisms will also need to be implemented to increase security. This research contributes a novel development design strategy,which can be used to prioritize Android app components for monitoring. 21

22 Personal Remark Because people often use smartphones USB(Universal Serial Bus) device to transfer data. DroidWatch can subjoin “USB(Universal Serial Bus)” data set: Connection device ID. Transmission of data. Connection Device time. 22

23 Thanks for your attention! 23

Download ppt "Android forensics: Automated data collection and reporting from a mobile device Justin Grover Digital Investigation Volume 10, Supplement, August 2013,"

Similar presentations

Capturing Remote Data in WIMS with. What is doFORMS? IIM has partnered with doFORMS, a third party vendor that allows data entry forms to be created on.

Capturing Remote Data in WIMS with. What is doFORMS? IIM has partnered with doFORMS, a third party vendor that allows data entry forms to be created on.
Mobile GIS.

Mobile GIS.
The recent technological advances in mobile communication, computing and geo-positioning technologies have made real-time transit vehicle information systems.

The recent technological advances in mobile communication, computing and geo-positioning technologies have made real-time transit vehicle information systems.
CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.

CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.
Utility Sentry | 5245 Old Dowd Road Suite 8 Charlotte, NC 28208 | 704-392-9626 www.utilitysentry.com | www.utilitysentrytraining.com.

Utility Sentry | 5245 Old Dowd Road Suite 8 Charlotte, NC | |
Security for Mobile Devices

Security for Mobile Devices
Mobile Access: BYOD Trends SCOTT DUMORE - DIRECTOR, TECHNOLOGY, CHANNELS & ALLIANCES AUTONOMY, HP SOFTWARE.

Mobile Access: BYOD Trends SCOTT DUMORE - DIRECTOR, TECHNOLOGY, CHANNELS & ALLIANCES AUTONOMY, HP SOFTWARE.
Sophos Mobile Control SophSkills Session Name: Thomas Lippert – Product Management DPG Date: 17-Feb-2011.

Sophos Mobile Control SophSkills Session Name: Thomas Lippert – Product Management DPG Date: 17-Feb-2011.
COMPREHENSIVE APPROACH TO INFORMATION SECURITY IN ADVANCED COMPANIES.

COMPREHENSIVE APPROACH TO INFORMATION SECURITY IN ADVANCED COMPANIES.
What’s new in this release? September 6, 2012. Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.

What’s new in this release? September 6, Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.
INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Christopher P. Buse Assistant Commissioner and CISO State of Minnesota Mobile Device Management Assessing.

INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT Christopher P. Buse Assistant Commissioner and CISO State of Minnesota Mobile Device Management Assessing.
Mobile Financial Services Fraud ADIL ILYAS. Introduction Any electronic Device that can either STORE, PROCESS or COMMUNICATE can be used to either commission.

Mobile Financial Services Fraud ADIL ILYAS. Introduction Any electronic Device that can either STORE, PROCESS or COMMUNICATE can be used to either commission.
Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp

Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp
WAWC’05 Enhancing Mobile Peer-To-Peer Environment with Neighborhood Information Arto Hämäläinen -

WAWC’05 Enhancing Mobile Peer-To-Peer Environment with Neighborhood Information Arto Hämäläinen -
“Turn you Smart phone into Business phone “

“Turn you Smart phone into Business phone “
Jessica Mannino. Blog A blog (a contraction of the term Web log ) is a website, usually maintained by an individual, with regular entries of commentary,

Jessica Mannino. Blog A blog (a contraction of the term " Web log ") is a website, usually maintained by an individual, with regular entries of commentary,
Parking Space Finder Lucia Wiguno Thursday, April 15 2004.

Parking Space Finder Lucia Wiguno Thursday, April
© 2009 Research In Motion Limited Methods of application development for mobile devices.

© 2009 Research In Motion Limited Methods of application development for mobile devices.
Interpret Application Specifications

Interpret Application Specifications
IOS 8 for MDM/EMM Greg Elliott Shiv Chandra Kumar.

IOS 8 for MDM/EMM Greg Elliott Shiv Chandra Kumar.

Similar presentations

Ads by Google