Title Page
Copyright and Credits
Learning Android Forensics Second Edition
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Introducing Android Forensics
Mobile forensics
The mobile forensics approach
Investigation preparation
Seizure and isolation
The acquisition phase
Examination and analysis
Reporting
Challenges in mobile forensics
Android architecture
The Linux kernel
Hardware abstraction level
Android Runtime
Native C/C++ Libraries
Java API Framework
The application layer
Android security
Security at OS level through the Linux kernel
Permission model
Sample permission model in Android
Application sandboxing
SELinux in Android
Application signing
Secure inter-process communication
Binder communication model
Android hardware components
Core components
Central Processing Unit (CPU)
Baseband processor
Memory
SD Card
Display
Battery
Android boot process
Boot ROM code execution
The bootloader
The Linux kernel
The init process
Zygote and Dalvik
System server
Summary
Setting up the Android Forensic Environment
Android forensic setup
Android SDK
Installing the Android SDK
Android Virtual Device
Connecting and accessing Android devices from the workstation
Identifying the correct device cable
Installing device drivers
Accessing the device
Android Debug Bridge
Using ADB to access the device
Detecting a connected device
Directing commands to a specific device
Issuing shell commands
Basic Linux commands
Installing an application
Pulling data from the device
Pushing data to the device
Restarting the ADB server
Viewing log data
Rooting Android
What is rooting?
Why root?
Recovery and fastboot
Recovery mode
Accessing recovery mode
Custom recovery
Fastboot mode
Locked and unlocked boot loaders
How to root
Rooting an unlocked boot loader
Rooting a locked boot loader
ADB on a rooted device
Summary
Understanding Data Storage on Android Devices
Android partition layout
Common partitions in Android
Identifying partition layout
Android file hierarchy
Overview of directories
The acct directory
The cache directory
The config directory
The data directory
The dev directory
The mnt directory
The proc directory
The sbin directory
The storage directory
The system directory
Application data storage on the device
Shared preferences
Internal storage
External storage
SQLite database
Network
Android filesystem overview
Viewing filesystems on an Android device
Common Android filesystems
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
Extracting Data Logically from Android Devices
Logical extraction overview
What data can be recovered logically?
Root access
Manual ADB data extraction
USB Debugging
Using adb shell to determine if a device is rooted
adb pull
Recovery Mode
Fastboot mode
Determining bootloader status
Booting to a custom recovery image
ADB backup extractions
Extracting a backup over ADB
Parsing ADB backups
Data locations within ADB backups
ADB dumpsys
Dumpsys batterystats
Dumpsys procstats
Dumpsys user
Dumpsys App Ops
Dumpsys Wi-Fi
Dumpsys notification
Dumpsys conclusions
Helium backup extractions
Bypassing Android lock screens
Lock screen types
None/Slide lock screens
Pattern lock screens
Password/PIN lock screens
Smart Locks
Trusted Face
Trusted Voice
Trusted Location
Trusted Device
On-body Detection
General bypass information
Removing Android lock screens
Removing PIN/password with ADB
Removing PIN/Password with ADB and SQL
Android SIM card extractions
Acquiring SIM card data
SIM Security
SIM cloning
Summary
Extracting Data Physically from Android Devices
Physical extraction overview
What data can be acquired physically?
Root access
Extracting data physically with dd
Determining what to image
Writing to an SD card
Writing directly to an examiner's computer with netcat
Installing netcat on the device
Using netcat
Extracting data physically with nanddump
Extracting data physically with Magnet ACQUIRE
Verifying a full physical image
Analyzing a full physical image
Autopsy
Issues with analyzing physical dumps
Imaging and analyzing Android RAM
What can be found in RAM?
Imaging RAM with LiME
Acquiring Android SD cards
What can be found on an SD card?
SD card security
Advanced forensic methods
JTAG
Chip-off
Summary
Recovering Deleted Data from an Android Device
Data recovery overview
How can deleted files be recovered?
Recovering deleted data from SD cards
Recovering deleted records from SQLite databases
Recovering deleted data from internal memory
Recovering deleted data using file carving
Summary
Forensic Analysis of Android Applications
Application analysis overview
Why do app analysis?
Layout of this chapter
Determining which apps are installed
Understanding Unix epoch time
Wi-Fi analysis
Contacts/Call analysis
SMS/MMS analysis
User dictionary analysis
Gmail analysis
Google Chrome analysis
Decoding the Webkit time format
Google Maps analysis
Google Hangouts analysis
Google Keep analysis
Converting a Julian date
Google Plus analysis
Facebook analysis
Facebook Messenger analysis
Skype analysis
Recovering video messages from Skype
Snapchat analysis
Viber analysis
Tango analysis
Decoding Tango messages
WhatsApp analysis
Decrypting WhatsApp backups
Kik analysis
WeChat analysis
Decrypting the WeChat EnMicroMsg.db
Summary
Android Forensic Tools Overview
Autopsy
Creating a case in Autopsy
Analyzing data in Autopsy
Belkasoft Evidence Center
Creating a case in Belkasoft Evidence Center
Analyzing data in Belkasoft Evidence Center
Magnet AXIOM
Creating a case in Magnet AXIOM
Analyzing data in Magnet AXIOM
Summary
Identifying Android Malware
An introduction to Android malware
Android malware overview
Banking malware
Spyware
Adware
Ransomware
Cryptomining malware
Android malware identification
Android malware identification using antivirus scanners
Android malware identification using VirusTotal
Android malware identification using YARA rules
Summary
Android Malware Analysis
Dynamic analysis of malicious Android applications
Dynamic analysis using an online sandbox
Static analysis of malicious Android applications
Unpacking Android applications
Manifest file decoding and analysis
Android application decompilation
Viewing and analyzing decompiled code
Summary
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think