Android Forensic Analysis in Depth
- Dr Bradley Schatz
This training will introduce attendees to the theory and practice of forensic acquisition and analysis of Android-based devices, with a focus on identifying and interpreting user and malware activity on mobile phones and tablets. Attendees will gain practical hands-on experience with a range of acquisition techniques, including low-level flasher box and OS-based acquisition; mid-level interpretation and recovery of flash memory, the FTL, and common Android filesystems; and, at the upper level, the analysis and interpretation of application artefacts and the reverse engineering of Dalvik-based malware.
Prerequisites for the Training Class:
Student
- Should have basic command-line experience (preferably Linux) and some awareness of forensic fundamentals.
Hardware
- A laptop capable of running a VMware virtual machine.
Software
- Provided.
Class Outline
The following overview lists the topics covered over the three-day course, which combines hands-on workshops with lectures on the underlying theory.
- Android software and hardware architecture: Introduces the theory of operation of the Android OS and userspace stack, the various storage technologies used, and encryption and its implications for acquisition and analysis.
- Acquisition: Introduction to the range of techniques available for acquiring forensic copies of the storage of Android devices, including chip-off, flasher box, ADB physical, ADB logical, commercial tools, and the role of exploits.
- Flash recovery & Android filesystems: Normalising physical flash dumps and extracting prior versions of files. Analysis tools and techniques for Android-related file systems. Defeating encryption.
- Application trace analysis: Analysis and interpretation of common application artefacts, and methodologies for interpreting uncommon ones. Carving for deleted artefacts within application files.
- Malware reverse engineering: Dynamic and static analysis of Android applications, determining indicators of initial compromise and application behaviour.