Quang Do
University of South Australia
Publication
Featured research published by Quang Do.
PLOS ONE | 2015
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
In this paper, we propose an adversary model to facilitate forensic investigations of mobile devices (e.g. Android, iOS and Windows smartphones) that can be readily adapted to the latest mobile device technologies. This is essential given the ongoing and rapidly changing nature of mobile device technologies. An integral principle and significant constraint upon forensic practitioners is that of forensic soundness. Our adversary model specifically considers and integrates the constraints of forensic soundness on the adversary, in our case, a forensic practitioner. One construction of the adversary model is an evidence collection and analysis methodology for Android devices. Using the methodology with six popular cloud apps, we were successful in extracting various information of forensic interest in both the external and internal storage of the mobile device.
Computers & Security | 2015
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
Modern mobile devices have security capabilities built into the native operating system, which are generally designed to ensure the security of personal or corporate data stored on the device, both at rest and in transit. In recent times, there has been interest from researchers and governments in securing as well as exfiltrating data stored on such devices (e.g. the high-profile PRISM program involving the US Government). In this paper, we propose an adversary model for Android covert data exfiltration, and demonstrate how it can be used to construct a mobile data exfiltration technique (MDET) to covertly exfiltrate data from Android devices. Two proof-of-concepts were implemented to demonstrate the feasibility of exfiltrating data via SMS and inaudible audio transmission using standard mobile devices. Highlights: adversary model for Android covert data exfiltration; mobile data exfiltration technique (MDET); inaudible data exfiltration.
arXiv: Computers and Society | 2015
Ben Martini; Quang Do; Kim-Kwang Raymond Choo
Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app's database files and AccountManager data. To complete our understanding of the forensic artefacts stored by the apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.
Software - Practice and Experience | 2017
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
The increasing convergence of wearable technologies and cloud services in applications, such as health care, could result in new attack vectors for the ‘Cloud of Things’, which could in turn be exploited to exfiltrate sensitive user data. In this paper, we analyze the types of sensitive user data that may be present on a wearable device and develop a method to demonstrate that they can be exfiltrated by an adversary. To undertake this study, we select the Android Wear smartwatch operating system as a case study and, specifically, the Samsung Gear Live smartwatch. We present a technique that allows an adversary to exfiltrate data from smartwatches. Using this technique, we determine that the smartwatch stores a relatively large amount of sensitive user data, including SMS messages, contact information, and biomedical data, and does not effectively protect this user data from physical exfiltration.
arXiv: Computers and Society | 2015
Ben Martini; Quang Do; Kim-Kwang Raymond Choo
Android devices continue to grow in popularity and capability, meaning that the need for a forensically sound evidence collection methodology for these devices also increases. This chapter proposes a methodology for evidence collection and analysis for Android devices that is, as far as practical, device agnostic. Android devices may contain a significant amount of evidential data that could be essential to a forensic practitioner in their investigations. However, the retrieval of this data requires that the practitioner understand and utilize techniques to analyze information collected from the device. The major contribution of this research is an in-depth evidence collection and analysis methodology for forensic practitioners.
Hawaii International Conference on System Sciences | 2014
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
Android mobile devices are becoming a popular alternative to computers. The rise in the number of tasks performed on smartphones means sensitive information is stored on the devices. Consequently, Android devices are a potential vector for criminal exploitation. Existing research on enhancing user privacy on Android devices can generally be classified as Android modifications. These solutions often require operating system modifications, which significantly reduce their potential. This research proposes the use of permissions removal, wherein a reverse engineering process is used to remove an app's permission to a resource. The repackaged app will run on all devices the original app supported. Our findings, based on a study of seven popular social networking apps for Android mobile devices, indicate that the difficulty of permissions removal may vary between types of permissions and how well-integrated a permission is within an app.
IEEE Cloud Computing | 2015
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
The ubiquity of the smartphone means that there is a high probability that a suspect under investigation uses one. Because of society's growing dependence on smartphones, such devices will likely contain a wealth of incriminating data such as emails, text messages, phone logs, and sensitive documents. Furthermore, with the prevalence of cloud-based storage, it is also possible that the evidential data that forensic investigators seek would not be located directly on the device. Thus, there is a need for a forensically sound and specialized methodology to access this remote data, which might be critical in a forensic investigation. This column describes one such methodology.
International Conference on Digital Forensics | 2014
Quang Do; Ben Martini; Jonathan Looi; Yu Wang; Kim-Kwang Raymond Choo
Event logs provide an audit trail that records user events and activities on a computer and are a potential source of evidence in digital forensic investigations. This paper presents a Windows event forensic process (WinEFP) for analyzing Windows operating system event log files. The WinEFP covers a number of relevant events that are encountered in Windows forensics. As such, it provides practitioners with guidance on the use of Windows event logs in digital forensic investigations.
Trust, Security and Privacy in Computing and Communications | 2014
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
Mobile devices are fast becoming critical information management tools, often storing a range of personal and corporate confidential data synced from online and cloud-based storage services. Mobile device operating system designers are increasing the security available to users, not only from traditional security risk vectors, but also to protect their privacy from the various apps (with potential malicious intent) installed on their device. In this paper, we developed a process for enforcing file system permissions on Android external storage (with minimal modifications to the operating system). Our process makes use of the application sandboxing supported on this platform to restrict parts of the external file system to a particular app or multiple apps holding a particular permission. We present an Android File system Permissions (AFP) prototype demonstrating the applicability of this work and demonstrate its utility using the ownCloud app for Android. We then highlight a number of limitations with the current permission enforcement capabilities for external storage on the platform.
Computer Networks | 2018
Quang Do; Ben Martini; Kim-Kwang Raymond Choo
With the growth in the use of Cyber-Physical Systems, such as Internet of Things (IoT) devices, there is a corresponding increase in the potential attack footprint of personal and corporate users. In this paper, we explore the potential for exploiting information retrieved from two IoT devices which, seemingly, are unlikely to store substantial amounts of data. We specifically focus on prominent smart home devices for the purpose of obtaining compromising information. We undertake a collection and analysis process, constrained by the limitations placed upon three types of adversaries, namely: forensic passive, forensic active and real-time active. The former two adversaries aim to comply with the requirements of forensic soundness, whereas the real-time active adversary does not have these constraints and therefore more closely models a malicious real-world attacker. The findings show that a variety of device data is available to even the passive adversary, and this data can be used to determine the actions and/or presence of an individual at a given time based on their interactions with the IoT device. These interactions can be both user initiated (e.g. powering on or off a switch or light) and device initiated (e.g. background polling).