Android Forensics: Exploring Android Internals and Android Apps

Android Forensics:
Exploring Android Internals and Android Apps

Moe Tanabian

Devices used –

Examples in this presentation are demonstrated on the following
devices:

Google Galaxy Nexus HTC Thunderbolt
(ICS 4.0.3, Samsung) (Gingerbread 2.3.4)

2

A quick overview of Android Devices –

Software :

§  A patched version of Linux OS kernel

§  Overhauled user space, bionic libc, utilities
§  Application security based uid, gid: 1 uid per application to protect each app’s
space from other apps

§  Permission model to access system resources (e.g. phone HW, databases, etc)

§  Run Java applications in Dalvik VM environment

§  Can run native applications through JNI

Hardware:

§  Mostly ARM based, x86 becoming more popular

§  Form factors: smartphones, tables, TVs, ebook readers, refrigerators, etc

Outline

Android System Acquisition and Analysis

Analyzing Android Applications

Other tools and references

4

The 3 levels of accessing data on an Android Device – Accessing the Device,
Physical Extraction, and Logical Extraction

Physical Data Logical Data
Device access Extraction Extraction

1 2 3
5

Device access

1

Source: http://www.ifixit.com/ 6

Bypassing Security – Bypassing pattern by Smudge Attack

__:
•  There are research and proposals
that suggest that one can detect the
Android security pattern by examining
screen’s touch residue

•  While there are some merits in these,
still it is pretty hard to do this
consistently.

Smudge pattern on a device: Before and
after contrast adjustment
Photography and Lighting setup

Source: Smudge Attacks on Smartphone Touch Screens, By: Adam J. Aviv, et al.
7

Bypassing Security – Bypassing security code

__: you can find user’s gmail account information, then Android will allow you to
•  If
reset the pass code (after 5 attempts)

•  If not:
•  Reboot to bootloader mode (or press down-volume + power, etc)

$ adb reboot bootloader

•  Using fastboot, load a different ROM (e.g. Clockwork recovery image)

•  Remove the key file related to challenge
$ adb shell!
$ su
# cd /data/system!
# rm gesture.key!
Or in case of password or PIN:
# rm password.key!
!

Source: Smudge Attacks on Smartphone Touch Screens, By: Adam J. Aviv, et al.
8

Network isolation – Making device unreachable
A shielded box or tent (Faraday cage) can isolate the device and prevent it
from being manipulated remotely.

A
Faraday
tent

Don’t try
this at
Home!

A Faraday cage work desk

9

Physical Extraction

2

10

Android Mass Storage – MTD, FTL, MMC, eMMC

§  The Linux kernel is designed to deal with Block (sectorized) storage
devices
§  Raw flash storage is not a block device
§  SSD, MMC, eMMC, RS-MMC, SD, mini-SD, micro-SD, USB flash
drive, CompactFlash, MemoryStick, MemoryStick and other FTL
devices are block devices, not raw flash devices, meaning FTL is
built in to HW
§  To use a conventional file system – e.g. ext2, ext3,ext4, XFS, JFS,
FAT on top of a raw flash device an abstraction layer AKA “Flash
Translation Layer” or FTL is needed

Source: http://www.linux-mtd.infradead.org/faq/general.html
11

More recent Android devices use eMMC which is a block device and does not
require software FTL, hence no MTD

Applications

Applications
Files system
e.g. YAFFS2

Files system
FTL e.g. ext4

MTD (SW)
FTL

Raw Flash (HW) Raw Flash (HW)

Earlier Android devices More recent Android devices
12


§  MTD (Memory Technology Device) provides a very simple FTL:
Block interface, ECC, wear leveling and few other functions
§  Most current Android devices use the FTL that comes with MTD
(mtdblock)
§  Wear leveling writes rewritten logical blocks to avoid writing
physical blocks repeatedly until all blocks have been utilized

Stage 2 stage 1

Wear leveling in FTL
Source: http://lwn.net/Articles/428793/
13

Android Mass Storage – SD and eMMC

§  Android’s partitions: /dev/block, /dev/mtd, etc

# cat /proc/mtd!
dev: size erasesize name!
mtd0: 00100000 00001000 "w25q80"!
# shell@android:/dev/mtd # ls -l /dev/mtd!
crw-rw---- media media 90, 0 2012-05-10 02:54 mtd0!
crw------- root root 90, 1 2012-05-10 02:54 mtd0ro!

14

Physical data extraction– Write blockers

•  When performing physical
extraction, use a write blocker to
protect the data on the device
against accidental / malfunction
writing
•  The last option which often is USB Write Blocker
destructive to the device, is to un-
solder the flash chip and use
special tools to read its content

USB Write Blocker

15

Android Mass Storage – dd, dc3dd

# mount!
rootfs / rootfs rw,relatime 0 0!
tmpfs /dev tmpfs rw,relatime,mode=755 0 0!
devpts /dev/pts devpts rw,relatime,mode=600 0 0!
proc /proc proc rw,relatime 0 0!
sysfs /sys sysfs rw,relatime 0 0!
/dev/block/mmcblk0p25 /system ext3 !
"rw,relatime,errors=continue,barrier=0,data=ordered 0 0!
/dev/block/mmcblk0p26 /data ext3 !
"rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0!
/dev/block/mmcblk0p27 /cache ext3!
/dev/block/mmcblk0p29 /devlog ext3!
....!

16

Physical data extraction – dd, dc3dd

!
# dd if=/dev/block/platform/omap/omap_hsmmc.0/by-name/cache !
"of=/sdcard/cache.imgdd!
!
!
On the host:!
$ adb pull /sdcard/userdata.imgdd ./userdata.imgdd!
!
$ od –x userdata.imgdd!
!
$ strings userdata.imgdd | grep <desired pattern regex>!
!
!

17

JTAG, Chip-off – The last resorts

•  If all other access methods fail,
JTAG access or chip-off (de-
soldering of the flash chip) can
provide access to the device’s
internal flash:

•  With JTAG (and using a tool
such as Riff-Box) – it is possible
put the CPU in debug mode Samsung Galaxy S JTAG pin-outs
and dump the content of
internal flash

•  The last option which often is
destructive to the device, is to
un-solder the flash chip and use
special tools to read its content

Connecting Galaxy S to Riff-Box
Source: http://www.bongozone.com/jtag-service-i9000-unbrick-others/

18

Logical Extraction

3

Source: xxxxxxxx 19

Getting ready for logical extraction: to Root or Not to Root –

n  Rooting can potentially change the status of the data on the device, and
destroy information
Rooting an Android n  Nonetheless, a rooted device provides full access, and for most of the
device techniques here, rooting is needed
n  ROM is the collection of stuff that makes your device to work:
§  Kernel
§  The rest of the OS
§  Drivers
§  Configuration files
§  System apps
n  ROMs are usually provided by the manufacturer and get customized by the
mobile operator
n  There are also custom ROMs that enhance some functions of the standard
ROM that comes with the device and remove some of the limitations e.g.
CyonegenMod ROM
n  Before you can run a custom ROM, you need to to recovery mode, flash the
ROM file

20

Three different ways to perform logical extraction on an Android device:

n  Can be done recursively
adb pull n  Use tar to create archive
n  User gzip to compress

Logical extraction n  Access to over sql databses on the devices including
in Android system apps
sqlite3! n  No programming needed
n  Can use familiar sql statements

Accessing n  Can be done programmatically
Content n  Can be used to build forensic data collection tools
Providers n  Access to over 45+ Content Providers on the device

21

Getting ready for logical extraction – Busybox

n  Get and install Busybox on the device
Busybox:
most commonly Unix
commands in Android
shell

22

Getting ready for logical extraction – BusyBox

# busybox!
BusyBox is a multi-call binary that combines many common Unix utilities into a single
executable. Most people will create a!
"link to busybox for each function they wish to use and BusyBox will act like whatever
it was invoked as.!
!
Currently defined functions:!
"[, [[, ash, awk, base64, basename, blkid, bunzip2, bzcat, bzip2, cal,!
"cat, chat, chattr, chgrp, chmod, chown, chroot, chrt, cksum, clear,!
"comm, cp, crond, crontab, cut, date, dd, depmod, devmem, df, diff,!
"dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, echo, egrep, env,!
"ether-wake, expand, expr, fakeidentd, fdflush, fdformat, fdisk, fgrep,!
"find, fold, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput,!
"getopt, grep, groups, gunzip, gzip, hd, head, hexdump, hostid,!
"hostname, httpd, hwclock, id, ifconfig, ifenslave, inetd, inotifyd,!
"insmod, install, ionice, iostat, ip, ipaddr, ipcalc, iplink, iproute,!
"iprule, iptunnel, kill, killall, killall5, less, ln, logname, losetup,!
"ls, lsattr, lsmod, lsof, lsusb, lzop, lzopcat, md5sum, microcom, mkdir,!
"mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, modinfo,!
"modprobe, more, mount, mountpoint, mt, mv, nameif, nanddump, nandwrite,!
"nc, netstat, nice, nmeter, nslookup, ntpd, od, patch, pgrep, pidof,!
"ping, ping6, pkill, pmap, powertop, printenv, printf, ps, pscan, pwd,!
"rdate, rdev, readahead, realpath, renice, reset, rev, rfkill, rm,!
"rmdir, rmmod, route, run-parts, script, scriptreplay, sed, seq,!
"...!
"test, tftp, tftpd, time, timeout, top, touch, tr, traceroute,!
"traceroute6, tty, ttysize, tunctl, umount, uname, uncompress, unexpand,!
"uniq, unix2dos, unlzop, unzip, uptime, usleep, uudecode, uuencode,!
"vconfig, vi, watch, wc, wget, which, who, whoami, whois, xargs, zcat!

23

Getting ready for logical extraction – sqlite3

n  Get and install sqlite3
1.  Only available on some development devices
Getting
sqlite3 e.g. Google Nexus series
2.  You can get it from sqlite.org (source code), and compile/built/etc
3.  Easiest way is to get from your emulator installation:

"$ cd /Applications/android-sdk-macosx/tools!
"$ adb push ./sqlite3 /system/xbin/sqlite3!
"$ adb shell !
"$ su!
"# cd /system/xbin!
"# chmod 755 sqlite3!

24

Logical extraction – important directories

/
"system/!
Android files system
notable directories " " bin/!
" " xbin/!
"!
"data/ !
" " data/!
" " app/!
"mnt/!
" " sdcard/!
" " !
"dev/!
" " mtd/!
" " block/

25

Logical extraction: adb pull with tar –

n  adb supports recursive pull
$ adb pull <remote> <local>!
Recursive adb pull
with tar !
Example:
$ adb shell !
$ su!
# cd /data/app!
# tar -cvf /sdcard/all-apps.tar ./*apk!
# gzip all-apps.tar all-apps.tar.gz!
^C!
$ adb pull /sdcard/all-apps.tar.gz ./!
$ tar -xvf all-apps.tar ./*apk!
!

26

Logical extraction: logs –

Example:
# adb logcat > logs!
logcat # cat logs!
!
/SystemServer( 197): Wi-Fi P2pService!
I/SystemServer( 197): Wi-Fi Service!
I/SystemServer( 197): Connectivity Service!
D/ConnectivityService( 197): ConnectivityService starting up!
I/ActivityManager( 197): Config changed: {1.0 0mcc0mnc en_US
layoutdir=0 sw360dp w360dp h592dp nrml port ?uimode ?night
finger -keyb/v/h -nav/h s.3}!
E/ConnectivityService( 197): Ignoring protectedNetwork 10!
E/MobileDataStateTracker( 197): default: Ignoring feature
request because could not acquire PhoneService!
E/MobileDataStateTracker( 197): default: Could not enable APN
type "default"!
D/NetworkManagementService( 197): Registering observer!
D/NetworkManagementService( 197): Registering observer!
I/WifiService( 197): WifiService starting up with Wi-Fi enabled!
D/NetworkManagementService( 197): rsp <213 00:90:4c:11:22:33
0.0.0.0 0 [down broadcast multicast]>!

!

27

Logical extraction: snooping around with sqlite3 -

# shell@android:/ # find data -name "*.db" -print | wc -l !

74 (this is nonly for this device)!

# find data -name "*.db" –print /data/data/!
data/data/com.google.android.browser/app_appcache/ApplicationCache.db!

data/data/com.google.android.browser/app_databases/Databases.db!

data/data/com.google.android.browser/app_geolocation/CachedGeoposition.db!

data/data/com.android.providers.calendar/databases/calendar.db!

data/data/com.android.providers.contacts/databases/profile.db!

data/data/com.android.providers.contacts/databases/contacts2.db!

data/data/com.android.providers.downloads/databases/downloads.db!

data/data/com.google.android.email/databases/EmailProvider.db!

data/data/com.google.android.gm/databases/internal.mometan@gmail.com.db!

data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db!

data/data/com.google.android.gm/databases/webviewCookiesChromium.db!

data/data/com.google.android.music/databases/music.db!

data/data/com.android.providers.telephony/databases/telephony.db!

data/data/com.android.providers.telephony/databases/mmssms.db!

data/system/accounts.db!

!
DISCLAIMER: Names and other information are fictional .All data is for presentation purposes only.
28

Logical extraction: sqlite3 –

# find data -name "*.db" -print!
Sqlite> !
Useful sqlite3
commands ".help!
".databases!
".tables!
".schema <TABLE>!
".header on!
".mode <column | line>!
".output <FILE NAME>!
!
Example:!
Sqlite> select * from accounts;!
Sqlite> select * from sms where rowid < 5;!
!
!

29

Logical extraction: snooping around with sqlite3 –

# sqlite3 /data/data/com.android.providers.contacts/databases/contacts2.db!
!
Sqlite> .schema accounts!
CREATE TABLE accounts (account_name TEXT, account_type TEXT, data_set TEXT);!
sqlite> select * from accounts;!
||tanabianmoe@gmail.com|!
!
sqlite> .mode line;!
sqlite> select data1 from data;!
||tanabianmoe@gmail.com|!
!
!
sqlite> select * from data;!
!
8448||9|1154|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/
595d6cef09539135|||0!
8449||7|1154|0|0|0|0|John Ford|John|Ford|||||||1|3||||||||10!
8450||11|1154|0|0|0|0|||||||||||||||||||10!
8451||3|1154|0|0|0|0|||||||||||||||||||10!
8452||12|1154|0|0|0|0||||||||4|5||||||||||10!
8453||1|1154|0|1|0|1|john.ford@myemail.com|1|||||||||||||||||10!
8454||8|1154|0|0|0|0|123 Spring Dale st.!
Beverly Hills, CA 90210!
USA|1||123 Spring Dale st.|||Beverly Hills|CA|90210|USA|||||||||10!
8455||10|1154|0|0|0|0|8||||||||||||||||||10!
8456||5|1154|0|0|0|0|+1-310-555-1876|2||+13105551876|||||||||||||||10!
8457||15|1154|0|0|0|0|www.johnfordontheweb.com|3|||||||||||||||||10!
8458||9|1155|0|0|0|0||||||||||||||||https://www.google.com/m8/feeds/photos/media/tanabianmoe%40gmail.com/
795ec48099e213e|||0!
8459||7|1155|0|0|0|0|Jenny Hackson|Jenny|Hackson|||||||1|3||||||||10
...!
30


!
#!
# sqlite3 /data/data/com.android.providers.telephony/databases/mmssms.db!
!
Sqlite> .mode column!
sqlite> .header on!
!
sqlite> select address, date, body from sms;!
!
address date body !
------------ ------------- -----------------------------------------------------!
+11113272608 1336592918275 AT&T Free Msg: Welcome to GoPhone! To learn more ...
310498xxxx 1336720180796 Hey, nice day today. Up for a hike?:-) !
+1310498xxxx 1336720230196 Hike sounds good:) kahuna beach canyon? !
310498xxxx 1336720272373 Laguna is good. See you at 5:30. !

!
sqlite>

Date: GMT: Fri, 11 May 2012 07:10:30 GMT
(ms since 1/1/1970)
... !

31


!
#!
# sqlite3 /data/data/com.google.android.gm/databases/mailstore.mometan@gmail.com.db!
Sqlite> .schema messages!
.schema messages;!
!
CREATE TABLE messages (_id INTEGER PRIMARY KEY,messageId INTEGER,conversation
INTEGER,fromAddress TEXT,toAddresses TEXT,ccAddresses TEXT,bccAddresses
TEXT,replyToAddresses TEXT,dateSentMs INTEGER,dateReceivedMs INTEGER,subject TEXT,snippet
TEXT,listInfo TEXT,personalLevel INTEGER,body TEXT,bodyEmbedsExternalResources
INTEGER,joinedAttachmentInfos STRING,synced INTEGER,error TEXT, clientCreated INTEGER,
refMessageId INTEGER DEFAULT 0, forward INTEGER DEFAULT 0, includeQuotedText INTEGER DEFAULT
0, quoteStartPos INTEGER DEFAULT 0, bodyCompressed BLOB DEFAULT NULL, customFromAddress TEXT
DEFAULT NULL, queryId INTEGER DEFAULT 1, UNIQUE(messageId));!
!
Sqlite> select fromAddress, toAddresses, dateSentMs, subject from messages; !
!
fromAddress toAddresses dateSentMs subject !
------------------------------------------------- -------------------------- ------------- --------------------------!
"Google+ team" <noreply-daa26fef@plus.google.com> "" <tanabianmoe@gmail.com> 1336438677000 Getting started on Google+!
"Gmail Team" <mail-noreply@google.com> "Moe Tanabian" <tanabianmo 1336438616000 Customize Gmail with color!
"Gmail Team" <mail-noreply@google.com> "Moe Tanabian" <tanabianmo 1336438616000 Import your contacts and o!
"Gmail Team" <mail-noreply@google.com> "Moe Tanabian" <tanabianmo 1336438613000 Get Gmail on your mobile p!
!
!
Sqlite> !
Date: GMT: Tue, 08 May 2012 00:56:53 GMT
(ms since 1/1/1970)

32

Logical extraction: Content Providers – build a forensics data-collection tool

•  Content Providers: A specialized type
of complex data store in Android to
standardize access and
manipulation of stored data

•  Some useful Content Providers for
forensic purposes:

•  Browser: bookmarks, browse
history, etc

•  CallLog: missed calls, call
details, etc

•  Contacts: Contact details

•  MediaStore: Media files (audio,
video, images, etc)

Source: http://ofps.oreilly.com/titles/9781449390501/Main_Building_Blocks.html

33


•  The database of a content provider is always addressed via URI. URI is a
means to encapsulate exposing data:

•  General URI format:
<standard_prefix>://<authority>/<data_path>/<id>

content://com.android.contacts/data/phones/2

•  Content Providers allow CRUD operations to be performed on databases:

•  Create, Read, Update, Delete

•  They use a SQL like query called cursor object through managedQuery()
(deprecated but still usable)

34


Steps to query a content provider:
Steps to query a content provider:

1. Identify URI of the desired content provider

2. Create a projection (String array which holding the names
of the columns to query)

3. Use managedQuery() to query the CP into a Cursor object

4. Add needed permissions to AndroidManifest.xml

35


!
package com.example.ContentProvider; !
import com.example.ContentProvider.R;!
import android.app.ListActivity; !
2.Projection (columns)
import android.database.Cursor; !
import android.net.Uri; !
import android.os.Bundle; !
import android.provider.ContactsContract; ! Filtering
import android.widget.SimpleCursorAdapter; ! (WHERE)
!
public class ContentProviderActivity extends ListActivity { !
"/** Called when the activity is first created. */ !
Sorting
"@Override !
ORDER BY
"public void onCreate(Bundle savedInstanceState) { !
" "super.onCreate(savedInstanceState); !
"
1. URI "setContentView(R.layout.main); !
" "Uri allContacts = Uri.parse("content://contacts/people"); !
!
" "Cursor c= managedQuery(allContacts, null, null, null, null); !
" "String[] columns = new String[] { !
3. managedQuery()"
" "ContactsContract.Contacts.DISPLAY_NAME, !
" " "ContactsContract.Contacts._ID};!
" "int[] views = new int[] {R.id.contactName, R.id.contactID}; !
" "SimpleCursorAdapter adapter = !
" " "new SimpleCursorAdapter(this, R.layout.main, c, columns, views); !
" "this.setListAdapter(adapter); !
"}!
}!

36


!
!
<?xml version="1.0" encoding="utf-8"?>!
<manifest xmlns:android="http://schemas.android.com/apk/res/android"!
package="com.example.ContentProvider"!
android:versionCode="1"!
android:versionName="1.0" >! 4. Permissions
!
<uses-sdk android:minSdkVersion="7" />!
"<uses-permission android:name="android.permission.READ_CONTACTS" /> !
"<application!
android:icon="@drawable/ic_launcher"!
android:label="@string/app_name" >!
<activity!
android:name="com.example.ContentProvider.ContentProviderActivity"!
android:label="@string/app_name" >!
<intent-filter>!
<action android:name="android.intent.action.MAIN" />!
<category android:name="android.intent.category.LAUNCHER" />!
</intent-filter>!
</activity>!
</application>!
!
</manifest>!

37

Logical extraction: Content Providers – Let’s put it all together

38

Outline




39

Android Applications – The development flow

Android Asset Packaging Tool
Manifest

Resources
aapt Packaged
Create Packaged
Resource apkbuilder -u
Resources Create unsigned apk
File

Assets

dx
Source code Javac Dalivk
Compile Classes.dex Unsigned
Bytecode
apk

Libraries
Libraries
Libraries

jarsigner adb
Sign apk Signed
Publish or Test
KEY apk

40

Android Applications – Java bytecode versus Dalvik bytecode

!
public int method( int i1, int i2 ) { !
int i3 = i1 * i2;!
return i3 * 2; !
} !
!

- var 0 is “this” ! -  this: v1 (Ltest2;) !
- var 1 is argument #1 ! Java bytecode -  parameter[0] : v2 (I) ! Dalvik bytecode
- Var 2 is argument #2! (VM stack based) -  parameter[1] : v3 (I) ! (VM register based)
!
!method public method(II)I ! method public method(II)I !
! "iload _1 ! "mulint v0,v2,v3 !
"iload _2 ! "mulint/lit8 v0,v0,2 !
!
"imul! "return v0!
"istore _3 ! .end method!
!
"iload _3 !
"iconst _2 !
"imul!
"ireturn!
.end method !
!
!

Source: Practice of Android Reverse Engineering, Jim Haung
41

Android Applications – apktoolit

n  Get and install apktoolkit
1.  http://code.google.com/p/android-apktool/
Getting
apktoolkit 1.  Download apktool-install-macos-* file
2.  Download apktool-* file
3.  Unpack both to /usr/local/bin directory (you must
have root permissions)

2. To unpack and decode an apk:
"$ abd pull <the apk you want> (from /data/app)!
"$ apktool d com.example.ContentProvider-1.apk ./!
"$ ls -l !
-rw-r--r-- 1 moetan ANTDomain Users 801 May 13 12:41 AndroidManifest.xml!

-rw-r--r-- 1 moetan ANTDomain Users 112 May 13 12:41 apktool.yml!

drwxr-xr-x 8 moetan ANTDomain Users 272 May 13 12:41 res!

drwxr-xr-x 4 moetan ANTDomain Users 136 May 13 12:41 smali

42

Android Applications – Unpacking apk using apktoolit

To unpack and decode an apk:

$ abd pull <the apk you want> (from /data/app)!
$ apktool d com.example.ContentProvider-1.apk ./!
$ ls -l !
!
-rw-r--r-- 1 moetan ANTDomain Users 801 May 13 12:41 AndroidManifest.xml!

-rw-r--r-- 1 moetan ANTDomain Users 112 May 13 12:41 apktool.yml!
drwxr-xr-x 8 moetan ANTDomain Users 272 May 13 12:41 res!

drwxr-xr-x 4 moetan ANTDomain Users 136 May 13 12:41 smali

43

Android Applications – Decompiled code from smali (apktoolkit)

$ cd smali/com/example/ContentProvider!
$ ls -l !
!
-rw-r--r-- 1 moetan ANTDomain Users 355 May 13 12:41 BuildConfig.smali!

-rw-r--r-- 1 moetan ANTDomain Users 2400 May 13 12:41 ContentProviderActivity.smali!

-rw-r--r-- 1 moetan ANTDomain Users 519 May 13 12:41 R$attr.smali!

-rw-r--r-- 1 moetan ANTDomain Users 599 May 13 12:41 R$drawable.smali!

-rw-r--r-- 1 moetan ANTDomain Users 640 May 13 12:41 R$id.smali!
-rw-r--r-- 1 moetan ANTDomain Users 588 May 13 12:41 R$layout.smali!

-rw-r--r-- 1 moetan ANTDomain Users 641 May 13 12:41 R$string.smali!

-rw-r--r-- 1 moetan ANTDomain Users 616 May 13 12:41 R.smali!

!

$ ls –l!
$ vim ContentProviderActivity.smali!
!
!

44

Android Applications – Decompiled code from smali (apktoolkit)

! class public Lcom/example/ContentProvider/
ContentProviderActivity;!
.super Landroid/app/ListActivity;!
! .source "ContentProviderActivity.java”!
!
! ....!
!
# virtual methods!
.method public onCreate(Landroid/os/Bundle;)V!
.locals 10!
.parameter "savedInstanceState"!
!
.prologue!
const/high16 v9, 0x7f03!
!
const/4 v8, 0x2!
!
const/4 v2, 0x0!
!
.line 16!
invoke-super {p0, p1}, Landroid/app/ListActivity;-
>onCreate(Landroid/os/Bundle;)V!
!
.line 17!
invoke-virtual {p0, v9}, Lcom/example/
ContentProvider/ContentProviderActivity;-
>setContentView(I)V!
!
.line 18!
const-string v0, "content://contacts/people"!
!
....!
Total: 100+ LoC

45

Android Applications – Decompiling apk using dex2jar, jd-gui

n  Get and install dex2jar tool , and jar decompiler
1.  http://code.google.com/p/dex2jar/,
Getting
Dex2jar, jd-gui 2.  Download dex2jar-x.x.x.x.tar.gz file (x: version digits)
3.  http://java.decompiler.free.fr/?q=jdgui, and intstall the .dmg file

1. To unpack and decode an apk:
"$ dex2jar.sh com.example.ContentProvider-1.apk
"$ ls –l *jar !
!
rw-r--r-- 1 moetan ANTDomain Users 4278 May 13 15:20
com.example.ContentProvider-1_dex2jar.jar!

!

"$ jd-gui com.example.ContentProvider-1_dex2jar.jar&!

46

Android Applications – jd-gui .jar decompiler

__:

n  _
n  _
n  _
n  _

47

Outline




48

Commercial tools

•  Standalone device

Cellbright UFED •  Can extract data from 1600+ devices
•  Covers Android devices
•  Built-in SIM reader and cloner
•  Can store output on SD, Flash or PC
•  http://www.cellebrite.com/mobile-forensics-products,

•  Software solution
•  Android, Blackberry, iOS and WinMobile

enCase Forensics •  Device Settings
•  Contacts , Call logs
•  E-mail
•  Images
•  SMS/MMS
•  Calendars
49

Commercial tools

•  Software and Hardware bundle
Micro Systemation •  Comes in different packaging for lab, field, etc
XRY
•  Built-in SIM reader and cloner
•  Runs on Windows
•  Supports Physical and Logical extractions
•  http://www.msab.com/xry,

•  Software solution
•  Logical recovery of
Viaforensics •  call logs,
ViaExtract
•  contacts, browser history,
•  SMS/MMS
•  Logical extraction
•  https://viaforensics.com/products/viaextract/,
!
50

Thank You!

Moe Tanabian
@motanabian

52

Android Forensics: Exploring Android Internals and Android Apps

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Android Forensics: Exploring Android Internals and Android Apps (20)

Recently uploaded (20)

Android Forensics: Exploring Android Internals and Android Apps