From an expert's standpoint, an Android phone is a large data repository, stored either locally or remotely. Its platform also allows analysts to acquire device data and evidence, collecting information about the owner and the facts under investigation. By exploring and cross-referencing that rich data source, one can obtain information about unlawful acts and their perpetrators. There are widespread and well-documented approaches to the forensic examination of mobile devices and computers. Nevertheless, they are neither specific nor detailed enough to be conducted on Android cell phones. These approaches are not entirely adequate for examining modern smartphones, since these devices have internal memories whose removal or mirroring is considered invasive and complex, owing to the difficulty of direct hardware access. Examination and analysis are not supported by forensic tools when dealing with specific file systems such as YAFFS2 (Yet Another Flash File System). Furthermore, the specific features of each smartphone platform have to be considered before acquiring and analyzing its data. To address those challenges, this paper proposes a method for data acquisition and analysis of Android smartphones, regardless of version and manufacturer. The proposed approach takes into account existing techniques of computer and cell phone forensic examination, adapting them to Android's specific characteristics, its data storage structure, popular applications and the conditions under which the device was sent to the forensic examiner. The method is defined in a broad manner, without naming specific tools or techniques. It was then applied to the examination of six Android smartphones, covering different scenarios an analyst might face, and was validated as performing a complete evidence acquisition and analysis.
Abstract: From a forensic expert's standpoint, a cell phone running the Android operating system is a large repository of information, stored locally or held remotely. This platform allows the analyst to extract evidence directly from the device, collecting information about its owner and the facts under investigation. In this way, it is possible to establish the authorship and materiality of offences, as well as to provide information to the investigation through the analysis and correlation of that data. There are widespread and well-documented forensic approaches for examining cell phones and computers. However, they are not specific or detailed enough for examinations of Android-controlled devices. These approaches do not apply in their entirety to smartphone examinations, since on these devices the hardware and software solutions are minimalist and the operating system supports internal memories whose removal or mirroring are procedures considered invasive and of greater complexity, owing to the difficulty of direct hardware access. In addition, the devices have characteristics specific to each version and hardware manufacturer. In light of these challenges, this paper proposes a method for acquiring data from a smartphone running the Android operating system, abstracting away the device's version and manufacturer. The proposed approach uses the forensic techniques adopted for both cell phone and computer analysis, adapting them to the characteristics of the Android system, its data storage structure, its applications, and the conditions under which the equipment was sent to the forensic analyst. Keywords: digital forensics; data acquisition; evidence analysis; cell phone; smartphone; Android.
During the execution of a search warrant, a suspect may try to hamper law enforcement officials by hiding database artifacts. One way this can be done is by detaching a given database, which drops all of its metadata and makes it invisible to the DBMS. This paper describes Microsoft SQL Server's database files and presents an algorithm capable of finding and extracting metadata from those files still present in the file system, so that they can be scrutinized by forensic teams.