I was invited to this year's Dagstuhl Seminar "Forensic Computing" to give a talk on mobile phone forensics. For those of you who could not be there, here is the abstract of my talk:
Due to the ubiquitous use of smartphones and the large amount of data stored on them, these devices have become an increasingly important source of digital evidence in forensic investigations, and at the same time they pose a considerable privacy risk to their users. In this paper we describe a new version of our tool ADEL, which forensically extracts and analyzes data from SQLite databases on Android devices and can build a movement profile from these data. In a study we compared the data gathered with ADEL with the data a mobile telecommunications provider holds about its customers. In the conclusion we also give some hints on how to stop your droid from collecting this much location data.
Today we published the technical report CS-2011-06 (ISSN 2191-5008), titled "Reverse Engineering of the Android File System (YAFFS2)". The report is based on parts of the diploma thesis of Christian Zimmermann, which was published earlier this year.
Abstract: YAFFS2 is a file system used in many modern smartphones. Although YAFFS2 is an open standard and an open source implementation exists, its behavior is not very well understood. In addition, several aspects such as wear leveling and garbage collection are not well specified in the standard, so their actual behavior has to be reverse engineered from the implementation. We give an introduction to YAFFS2 and describe its basic functionality, with a particular focus on a detailed analysis of the wear-leveling and garbage-collection mechanisms, since both matter for a forensic analysis of the file system: they determine which old versions of data survive on the flash and for how long.
ADEL is under continuous development, and there are some nice new features. The one we want to mention here is that ADEL can now read and analyze the Wi-Fi and mobile cell caches from a connected Android device. In these caches Android stores up to 250 entries (50 cell and 200 Wi-Fi), each consisting of a pair of geographic coordinates and a corresponding timestamp. From these data ADEL generates a movement profile and plots it on a Google map.
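As an added example (this is not ADEL's code and not part of the original post), here is a small Python parser for the two cache files that turns their entries into a time-ordered movement profile and writes it out as KML, which Google Earth and Google Maps can display. The on-disk layout used here (a big-endian header of version and entry count, then per entry a length-prefixed key, an int32 accuracy, an int32 confidence, two doubles for latitude and longitude and an int64 timestamp in milliseconds), the key formats and the file path are assumptions taken from independent reverse engineering of these files, not from the post. The sample input is constructed inline.

```python
"""Parse Android network-location caches (cache.cell / cache.wifi) and build
a time-ordered movement profile. Example code, not ADEL's own implementation.

Assumed on-disk layout (big-endian); an assumption from independent
reverse engineering, not from the original post:

    int16   version (1)
    int16   entry count
    per entry:
        int16   key length
        bytes   key  (cell: "mcc:mnc:lac:cid", Wi-Fi: AP MAC address; assumed)
        int32   accuracy (metres)
        int32   confidence
        double  latitude
        double  longitude
        int64   timestamp (ms since Unix epoch, UTC)

Assumed path on the device: /data/data/com.google.android.location/files/
"""
import struct
from datetime import datetime, timezone
from typing import List, NamedTuple

HEADER = struct.Struct(">hh")
KEYLEN = struct.Struct(">h")
ENTRY = struct.Struct(">iiddq")  # accuracy, confidence, lat, lon, timestamp_ms

# Upper bounds the post gives for the two caches; used as a sanity check.
MAX_ENTRIES = {"cell": 50, "wifi": 200}


class CacheEntry(NamedTuple):
    key: str
    accuracy: int
    confidence: int
    latitude: float
    longitude: float
    timestamp_ms: int

    @property
    def time_utc(self) -> str:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc).isoformat()


def parse_cache(data: bytes, kind: str) -> List[CacheEntry]:
    """Parse one cache file. Raises ValueError on a truncated or implausible
    file rather than silently returning partial evidence."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than header")
    version, count = HEADER.unpack_from(data, 0)
    if version != 1:
        raise ValueError(f"unsupported cache version {version}")
    if not 0 <= count <= MAX_ENTRIES[kind]:
        raise ValueError(f"implausible entry count {count} for {kind} cache")
    off = HEADER.size
    entries: List[CacheEntry] = []
    for _ in range(count):
        if off + KEYLEN.size > len(data):
            raise ValueError("truncated key length")
        (klen,) = KEYLEN.unpack_from(data, off)
        off += KEYLEN.size
        if klen < 0 or off + klen + ENTRY.size > len(data):
            raise ValueError("truncated entry")
        key = data[off:off + klen].decode("ascii")
        off += klen
        acc, conf, lat, lon, ts = ENTRY.unpack_from(data, off)
        off += ENTRY.size
        entries.append(CacheEntry(key, acc, conf, lat, lon, ts))
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last entry")
    return entries


def movement_profile(*caches: List[CacheEntry]) -> List[CacheEntry]:
    """Merge cell and Wi-Fi entries into one timeline, oldest first."""
    return sorted((e for c in caches for e in c), key=lambda e: e.timestamp_ms)


def to_kml(profile: List[CacheEntry]) -> str:
    """One timestamped Placemark per entry plus a LineString path."""
    marks = "".join(
        f"<Placemark><name>{e.key}</name><description>accuracy {e.accuracy} m</description>"
        f"<TimeStamp><when>{e.time_utc}</when></TimeStamp>"
        f"<Point><coordinates>{e.longitude},{e.latitude},0</coordinates></Point></Placemark>"
        for e in profile)
    path = " ".join(f"{e.longitude},{e.latitude},0" for e in profile)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            f"{marks}<Placemark><name>path</name><LineString><coordinates>{path}"
            "</coordinates></LineString></Placemark></Document></kml>")


def build_cache(entries: List[CacheEntry]) -> bytes:
    """Serialise entries in the assumed layout; used only to construct sample input."""
    out = bytearray(HEADER.pack(1, len(entries)))
    for e in entries:
        key = e.key.encode("ascii")
        out += KEYLEN.pack(len(key)) + key
        out += ENTRY.pack(e.accuracy, e.confidence, e.latitude, e.longitude, e.timestamp_ms)
    return bytes(out)


# Constructed sample data (not taken from any real device).
SAMPLE_CELL = build_cache([
    CacheEntry("262:01:1234:56789", 1500, 75, 49.6, 11.0, 1300000000000),
    CacheEntry("262:01:1234:56790", 1200, 75, 49.59, 11.02, 1300003600000),
])
SAMPLE_WIFI = build_cache([
    CacheEntry("00:11:22:33:44:55", 60, 80, 49.595, 11.01, 1300001800000),
])

if __name__ == "__main__":
    timeline = movement_profile(parse_cache(SAMPLE_CELL, "cell"),
                                parse_cache(SAMPLE_WIFI, "wifi"))
    for e in timeline:
        print(e.time_utc, e.key, e.latitude, e.longitude, f"+/-{e.accuracy}m")
    print(to_kml(timeline))
```

Two points matter when reading such a profile as evidence: the coordinates are the position the location service returned for that cell or access point, not a GPS fix of the handset, so the accuracy radius should be kept with every point rather than dropped; and the parser refuses files whose entry count exceeds the 50/200 limits or whose length does not match, because a carved or partially overwritten cache should be flagged rather than plotted as if it were complete.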
Next, we will try to gather additional location information from apps such as Facebook and Twitter and plot it on the same map.
We will give a presentation on Android forensics, our new tools (ADEL and Panoptes) and mobile malware at this year's SPRING in Bochum on the 21st of March. The slides will be available afterwards on the conference website.
See you all in Bochum!
Our paper for ADFSL 2011 in Richmond, USA has been accepted, so we will present ADEL (our Android forensics software) there on the 26th of May.
See you all in Richmond!