Download Android Forensics Investigation, Analysis, and Mobile Security for Google Android



T_ADD
2014-08-07, 10:55 AM
Android Forensics Investigation, Analysis, and Mobile Security for Google Android

372 pages.

CHAPTER 1
This chapter provides not only a history of the Android platform but also discusses
the Android Open Source Project (AOSP), the internationalization of the platform,
the Android Market, a brief Linux tutorial, and a quick introduction to Android
forensics. It also provides a step-by-step tutorial for creating an Ubuntu-based
virtual machine (VM), which will be used throughout the book in examples. The
Ubuntu VM is a highly recommended component of this book and can also be used
outside of the book for Android forensic cases.

CHAPTER 2
In this chapter, a wide array of Android-supported hardware and device types is
covered. Although the hardware compatibility is great for manufacturers, wireless
providers, and ultimately consumers, this diversity poses challenges for forensic
analysts and security engineers. Understanding the hardware components, device
types, and boot process for Android will aid in your overall understanding of
Android and assist in both forensic and security investigations.

CHAPTER 3
This chapter covers the various Android releases, the Android software development
kit (SDK), the Dalvik virtual machine, key components of Android security, and
several other concepts core to Android forensics such as the Android debug bridge
(adb) and the USB debugging setting. Step-by-step examples include installing the
SDK on Linux, OS X, and Windows as well as creating an Android virtual device
that can be used to test forensic techniques.

CHAPTER 4
This chapter covers the information needed to understand how data are stored on an
Android device. This includes reviewing the methods in which data are stored
(shared preferences, files, SQLite, and network) as well as the types of memory used
in an Android device such as RAM and the all-important NAND flash. The various
file systems the reader might encounter in an Android device are also covered in
great detail including the YAFFS2, EXT, FAT32/FAT16, and a variety of low-level
file systems.

CHAPTER 5
This chapter covers the security of Android devices, data, and apps. A review not
only of how data can be exfiltrated from an Android device is covered but also of
how an Android device can be used as an active attack vector. After discussing
several overarching security concepts, this chapter provides specific advice for three
primary audiences: individuals, corporate security, and app developers. As the
growth of Android continues, issues of data security will be increasingly important
and this chapter provides a thorough and practical introduction to this important
topic.

CHAPTER 6
This chapter covers specific techniques that are useful in the forensic acquisition of
Android devices. After clarifying the different types of acquisitions and providing
procedures for handling an Android device, seven different strategies for
circumventing a pass code are discussed. Next, techniques and a specific script for
acquiring an SD card and, if present, the Embedded MultiMediaCard (eMMC) are
covered. Logical acquisition techniques are then covered including ones built into
Android and the SDK, a solution free to law enforcement and government agencies
called AFLogical, and finally a review of six commercial forensic software packages.
Finally, techniques for acquiring a physical image of the NAND flash are
described in detail including six strategies for gaining root privileges and the
AFPhysical technique developed by viaForensics.

CHAPTER 7
In this final chapter, strategies and specific utilities are provided, which enable
a forensic analyst or security engineer to analyze an acquired Android device.
Although many of the techniques used in traditional forensic investigations are
applicable in Android forensics analysis, the new file system and the underlying
hardware characteristics require new techniques. Without these new techniques,
little content and value can be extracted from an Android physical acquisition.
Beyond providing the background and actual utilities, an overview of Android’s
directory structure as well as an in-depth analysis of 11 important applications that
provide significant data about the device are given. Armed with this knowledge,
a forensic analyst or security engineer can investigate any Android device they
encounter.