Decoding cache.cell and cache.wifi files

As everybody knows, Android maintains two cache files with location information. One is cache.wifi (a database of wifi routers with the MAC address and GPS position of each router), the other is cache.cell (a database of mobile communication cells and their GPS positions). Because these files are in a binary format, the following Python snippet should help to decode the actual data:

import struct
import time

cacheFile = open("cache.wifi", 'rb')
outputFile = open("cache.wifi.txt", 'w')
# header: 2-byte version and 2-byte entry count, both big-endian
version, entries = struct.unpack('>hh', cacheFile.read(4))
i = 0
while i < entries:
   # each key is a 2-byte length-prefixed UTF-8 string (router MAC or cell id)
   key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0]).decode('utf-8')
   # int accuracy, int confidence, double latitude, double longitude, 64-bit read time in ms
   (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
   outputFile.write('%25s %7d %5d %10f %10f %s \n' % (key,accuracy,confidence,latitude,longitude,time.strftime("%x %X %z", time.localtime(readtime/1000))))
   i=i+1
cacheFile.close()
outputFile.close()

The cache files are located at:
/data/data/com.google.android.location/files/

This snippet works for both cache files, just change the filename 🙂
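The record layout used by the snippet above (big-endian header, length-prefixed key, int/int/double/double/uint64 body) can also be parsed without a file on disk, which makes it easy to check the decoder against known input. The following Python is an added example and not part of the original post: it builds a constructed cache.cell-style blob, parses it back into records with bounds checks so a truncated file raises an error instead of yielding garbage rows, and keeps timestamps in UTC so the output does not depend on the analysis machine's locale. The key format "MCC:MNC:LAC:CID" and all sample values are assumptions made for the example.

```python
import struct
from datetime import datetime, timezone

# Layout taken from the snippet in the post: big-endian, a 2-byte version and
# 2-byte entry count, then per entry a 2-byte length-prefixed UTF-8 key
# followed by int accuracy, int confidence, double latitude, double longitude
# and an unsigned 64-bit read time in milliseconds since the epoch.
HEADER = struct.Struct('>hh')
KEYLEN = struct.Struct('>h')
RECORD = struct.Struct('>iiddQ')


def build_cache(version, records):
    """Serialise (key, accuracy, confidence, lat, lon, readtime_ms) tuples into
    the cache layout. Used here only to construct sample input."""
    out = bytearray(HEADER.pack(version, len(records)))
    for key, accuracy, confidence, lat, lon, readtime_ms in records:
        raw_key = key.encode('utf-8')
        out += KEYLEN.pack(len(raw_key)) + raw_key
        out += RECORD.pack(accuracy, confidence, lat, lon, readtime_ms)
    return bytes(out)


def parse_cache(data):
    """Parse a cache.cell / cache.wifi blob into (version, [record dicts]).
    Raises ValueError on a truncated file instead of returning partial rows."""
    if len(data) < HEADER.size:
        raise ValueError('file shorter than header')
    version, entries = HEADER.unpack_from(data, 0)
    pos = HEADER.size
    rows = []
    for _ in range(entries):
        if pos + KEYLEN.size > len(data):
            raise ValueError('truncated key length at offset %d' % pos)
        (klen,) = KEYLEN.unpack_from(data, pos)
        pos += KEYLEN.size
        if klen < 0 or pos + klen + RECORD.size > len(data):
            raise ValueError('truncated entry at offset %d' % pos)
        key = data[pos:pos + klen].decode('utf-8', errors='replace')
        pos += klen
        accuracy, confidence, lat, lon, readtime_ms = RECORD.unpack_from(data, pos)
        pos += RECORD.size
        rows.append({
            'key': key,
            'accuracy': accuracy,
            'confidence': confidence,
            'latitude': lat,
            'longitude': lon,
            # read time is epoch milliseconds; UTC keeps output locale-independent
            'read_time': datetime.fromtimestamp(readtime_ms / 1000, tz=timezone.utc),
        })
    return version, rows


def is_well_formed(data):
    """True if the blob parses completely, False if it is truncated or malformed."""
    try:
        parse_cache(data)
        return True
    except ValueError:
        return False


# Constructed sample: two cell entries with assumed "MCC:MNC:LAC:CID" keys,
# standing in for a real /data/data/com.google.android.location/files/cache.cell.
SAMPLE = build_cache(1, [
    ('262:1:1234:56789', 1500, 75, 49.5738, 11.0261, 1315000000000),
    ('262:1:1234:56790', 900, 80, 49.5745, 11.0280, 1315003600000),
])

if __name__ == '__main__':
    version, rows = parse_cache(SAMPLE)
    print('version', version)
    for r in rows:
        print('%-20s %6d %4d %10.6f %10.6f %s' % (
            r['key'], r['accuracy'], r['confidence'],
            r['latitude'], r['longitude'], r['read_time'].isoformat()))
```

To run it against a real extraction, replace SAMPLE with the bytes read from cache.cell or cache.wifi; the bounds checks matter there because a file pulled from a live device may have been written while the cache was being updated.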

Sources of location information on Android phones

We investigated several well-known apps from the Android market with respect to the amount of location data stored. Some of these apps, their corresponding databases as well as the location data retrieved can be found in the following table.

App         | Storage Location               | Content
------------|--------------------------------|-----------------------------------------------------------
system      | cache.cell                     | last 50 mobile telecommunication cells
system      | cache.wifi                     | last 200 wifi routers
camera      | JPG pictures                   | latitude and longitude of picture location
browser     | CachedGeopositions.db          | latitude, longitude, accuracy and timestamp
twitter     | author_id.db -> statuses       | latitude and longitude of status message
twitter     | author_id.db -> search_queries | latitude, longitude and radius of location search queries
facebook    | fb.db -> user_statuses         | latitude and longitude of status message
facebook    | fb.db -> user_values           | latitude, longitude and timestamp of last checkin
google maps | da_destination_history         | latitude and longitude of navigation start and destination
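Most of the sources in the table are SQLite databases, and the exact column names differ per app and version. The following Python is an added example, not code from the original post or from ADEL: it goes one step beyond the table by triaging any app database schema-agnostically, using only sqlite_master and PRAGMA table_info to flag tables whose column names look like coordinates or a search radius, then pulling those columns. The sample database, its table layout and column names are constructed assumptions standing in for a Twitter author_id.db.

```python
import sqlite3

# Column names that typically carry a coordinate, radius or accuracy. The real
# apps' schemas are not given on the page, so this list is an assumption.
LOCATION_COLUMNS = {'latitude', 'longitude', 'lat', 'lon', 'lng', 'radius', 'accuracy'}


def _quote(identifier):
    """Quote an SQLite identifier; table/column names cannot be bound as parameters."""
    return '"%s"' % identifier.replace('"', '""')


def find_location_columns(conn):
    """Return {table: [column, ...]} for every user table that has at least
    one column whose name is in LOCATION_COLUMNS, without prior schema knowledge."""
    hits = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        cols = [row[1] for row in conn.execute('PRAGMA table_info(%s)' % _quote(table))]
        found = [c for c in cols if c.lower() in LOCATION_COLUMNS]
        if found:
            hits[table] = found
    return hits


def dump_locations(conn, hits):
    """Fetch the flagged columns from each flagged table, in rowid order."""
    rows = {}
    for table, cols in hits.items():
        select_list = ', '.join(_quote(c) for c in cols)
        rows[table] = conn.execute(
            'SELECT %s FROM %s' % (select_list, _quote(table))).fetchall()
    return rows


def build_sample_db():
    """Constructed in-memory stand-in for an author_id.db; schema is assumed."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE statuses (id INTEGER PRIMARY KEY, text TEXT, latitude REAL, longitude REAL);
        CREATE TABLE search_queries (id INTEGER PRIMARY KEY, query TEXT, latitude REAL,
                                     longitude REAL, radius REAL);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO statuses VALUES (1, 'at the lab', 49.5738, 11.0261);
        INSERT INTO statuses VALUES (2, 'no geotag', NULL, NULL);
        INSERT INTO search_queries VALUES (1, 'coffee', 49.5745, 11.0280, 5.0);
        INSERT INTO settings VALUES ('theme', 'dark');
    """)
    return conn


if __name__ == '__main__':
    db = build_sample_db()
    found = find_location_columns(db)
    for table, rows in dump_locations(db, found).items():
        print(table, found[table])
        for row in rows:
            print('   ', row)
```

Against a real image, open each app database read-only (for example via a copy of the file) and run find_location_columns first; the NULL row in the sample shows why the dump should be read alongside the app's own semantics, since a table can carry coordinate columns without every row being geotagged.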

Dagstuhl Seminar

Schloss Dagstuhl

I was invited to this year's Dagstuhl Seminar “Forensic Computing” to give a talk on mobile phone forensics. For all of you who weren't there, here is the abstract of my talk:

Due to the ubiquitous use of smartphones and the high amount of data stored on these devices, they become an increasingly important source of digital evidence in forensic investigations, and they also pose a vast risk of a potential privacy leak for their users. In this paper we describe a new version of our tool – ADEL – that is able to forensically extract and analyze data from SQLite databases on Android devices and to build a movement profile out of these data. Within the scope of a study we compared the data gathered with the help of ADEL with the data a mobile telecommunication provider holds about its customers. In the conclusion we also give some hints on how to stop your droid from gathering this much location data.

Presentation on myPhD 2011

We will give a presentation on Android malware analysis and the mobile-sandbox system at this year's myPhD workshop in Erlangen on the 20th of September.

See you all at our “home base” 🙂