EXAMINING THE FILE SYSTEM OF ANDROID DEVICES: IMPLICATIONS
FOR DIGITAL FORENSICS
Alkattan Sameh, Graduate Student; Chiziba Andrew, Graduate Student; V.D. Pronichev, Graduate Student
The Bonch-Bruevich Saint-Petersburg State University of Telecommunication (Russia, Saint Petersburg)
DOI:10.24412/2500-1000-2024-10-1-228-232
Abstract. This article explores the critical role of the Android file system in digital forensics, emphasizing its architecture and data storage methods. It highlights the challenges investigators face in data recovery, particularly with deleted files and encryption. A practical case study illustrates the use of the Android Debug Bridge (ADB) for identifying a port scan attack, showcasing the effectiveness of network traffic analysis in uncovering security incidents on Android devices. This examination underscores the importance of understanding the Android file system for successful forensic investigations in an increasingly mobile-centric world.
Keywords: Android, Digital Forensics, File System, Data Recovery, Security, ADB, SQLite, Encryption.
As smartphones increasingly integrate into our daily lives, the need for effective digital forensics has grown significantly. Android devices, which dominate the global smartphone market with over 70% share [1], present unique challenges and opportunities for forensic investigators. A key element of successful forensic analysis is a thorough understanding of the Android file system, which directly influences data storage, retrieval, and the overall investigation process. This article delves into the architecture of the Android file system, its implications for digital forensics, and a case study demonstrating its application in identifying a port scan attack.
Android File System Overview
Android primarily utilizes the ext4 file system, although newer devices may employ the Flash-Friendly File System (F2FS) to optimize performance on flash storage [2]. Understanding the file system structure is essential for forensic analysis as it dictates how data is stored, accessed, and potentially recovered.
Key Partitions
Android devices are structured into several key partitions, each serving distinct functions:
- Boot Partition: Contains the kernel and boot-loader necessary for the device to start. This partition is critical for understanding the device's startup process and can provide insights into potential tampering.
- System Partition: Houses the Android operating system and pre-installed applications. Analyzing this partition helps investigators understand the baseline functionality of the device and identify any potential malware or unauthorized applications.
- Data Partition: This partition is crucial as it stores user data, including app data, settings, and personal files. It is the primary focus of forensic investigations, containing valuable information such as text messages, call logs, and photos.
- Cache Partition: Used for temporary files, the cache partition can provide insights into user activity and app usage, revealing recently accessed files.
- Recovery Partition: Contains recovery tools that can be used to restore the system. Understanding this partition is important for investigators looking to recover data or restore a device to its factory settings during an investigation.
File System Structure
The file system is organized hierarchically, resembling traditional UNIX-like systems. Key directories include:
- /data: Contains user and app-specific data, holding a wealth of information crucial for forensic analysis, such as SQLite databases for app data and shared preferences for user settings.
- /system: Houses the Android OS files and pre-installed applications. Changes in this partition can indicate unauthorized modifications or malware presence.
- /cache: Stores temporary files, which can be useful for tracking user activity, as it may contain remnants of recently accessed data.
- /sdcard: Represents external storage, containing user files like photos and documents that may serve as critical evidence during investigations.
Data Storage in Android
Data storage in Android is complex and varies by application. Common storage methods include:
- SQLite Databases: Many applications utilize SQLite for data storage, allowing structured data management. Investigators must be proficient in SQL to extract and analyze this data effectively. Data stored in SQLite databases can include user profiles, messages, and transaction histories.
- Shared Preferences: Lightweight storage for key-value pairs used to save user settings. This can be significant in understanding user behavior, preferences, and application configurations.
- Internal and External Storage: Applications can store data in internal (private) or external (shared) storage, impacting data accessibility during forensic analysis. External storage may contain user files that are more readily accessible during investigations.
Forensic Implications of Android File Systems
The intricacies of the Android file system have significant forensic implications, particularly concerning data recovery:
1) Data Recovery Challenges: Investigators often face challenges in recovering data due to the nature of the file system:
- Deleted Data: When a file is deleted, the data may not be immediately removed; instead, the system marks the space as available for new data. As a result, forensic tools can often recover deleted files unless overwritten.
- Fragmentation: The nature of file allocation can lead to fragmentation, complicating recovery efforts. Understanding how data is stored and organized can improve the chances of successful recovery.
2) Encryption Impact: Android devices increasingly implement full-disk encryption, which significantly impacts forensic investigations. When a device is encrypted, accessing user data without the decryption key becomes nearly impossible. Investigators must often rely on the user's credentials to unlock the device, presenting a considerable hurdle in many cases.
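As an added illustration of the point about deleted data (example code written for this topic, not code from the paper): a header/trailer carver run over a constructed raw image. It recovers a JPEG whose directory entry is gone but whose bytes remain, and reports only a fragment for one whose blocks were already reused.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def build_sample_image() -> bytes:
    """Constructed stand-in for a raw /data partition dump: zero-filled blocks,
    one JPEG whose directory entry was deleted but whose bytes remain intact,
    and a second JPEG whose tail has already been overwritten by new data."""
    filler = b"\x00" * 4096
    intact = JPEG_SOI + b"\xe0" + b"JFIF-sample-body" * 8 + JPEG_EOI
    overwritten = JPEG_SOI + b"\xe0" + b"partly" + b"\x00" * 64  # EOI marker gone
    return filler + intact + filler + overwritten + filler

def carve_jpegs(image: bytes, max_len: int = 10 * 1024 * 1024):
    """Header/trailer carving: scan raw bytes for JPEG markers without consulting
    any file system metadata. Returns (complete, partial): complete holds
    (offset, data) for files with both markers; partial holds offsets of headers
    whose trailer is missing within max_len bytes, i.e. the space was reused and
    only a fragment survives."""
    complete, partial = [], []
    for m in re.finditer(re.escape(JPEG_SOI), image):
        start = m.start()
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end == -1:
            partial.append(start)
        else:
            complete.append((start, image[start:end + len(JPEG_EOI)]))
    return complete, partial

if __name__ == "__main__":
    complete, partial = carve_jpegs(build_sample_image())
    for off, data in complete:
        print(f"recovered {len(data)}-byte JPEG at offset {off}")
    print("partial headers (trailer overwritten) at:", partial)
```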
Tools for Analyzing Android File Systems
Numerous tools assist in forensic analysis of Android file systems, both open-source and commercial. Key tools include:
- Autopsy: An open-source digital forensics platform that can analyze disk images, including those from Android devices. Its user-friendly interface allows investigators to parse data efficiently [3].
- SIFT Workstation: Developed by SANS, this open-source toolkit includes modules specifically designed for analyzing Android devices, aiding in memory analysis and data extraction [4].
- Android Debug Bridge (ADB): A versatile command-line tool that enables communication with Android devices, allowing investigators to run various commands to extract files and data. ADB can also be instrumental in capturing logs, which can provide insights into device usage and application behavior [5].
Extracting Logs and Other Data with ADB
Using ADB, forensic investigators can access various types of logs and data, including:
- System Logs: ADB can retrieve system logs (logcat), which provide real-time insights into the device's operations. Logs can include information about application crashes, system events, and user interactions, helping investigators reconstruct user activity.
- Application Logs: Individual applications may maintain their own logs, which can provide further context on user actions and application behavior. Analyzing these logs can be vital in understanding how an app was used during a critical time.
- User Data Extraction: ADB facilitates the extraction of files and databases from the device's file system, including critical user data stored in SQLite databases. This capability allows investigators to analyze text messages, contacts, and other pertinent information.
To use ADB effectively, forensic investigators typically need to enable USB debugging on the device, which allows ADB to communicate with it. However, this requires access to the device's settings, which can be a limitation in certain scenarios.
Case Study: Identifying a Port Scan Attack Through Network Analysis
As part of our exploration into the digital forensics of Android devices, we conducted a case study focused on identifying a port scan attack using the Android Debug Bridge (ADB) and network traffic analysis. This method demonstrates how forensic investigators can leverage tools available within the Android ecosystem to uncover security incidents.
As illustrated in Figure 1, we utilized an Android emulator to simulate the target device.
[Figure 1 screenshot: emulator "Status" panel]
Figure 1. The Android Emulator Device
For the attacking component, we used a separate virtual machine to perform a network scan. This setup allowed us to observe the interactions between the two systems.
$ nmap -p- 192.168.43.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 13:05 EDT
Nmap scan report for 192.168.43.154
Host is up (0.0072s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE
5555/tcp  open  freeciv
6379/tcp  open  redis
22468/tcp open  unknown
24296/tcp open  unknown
24297/tcp open  unknown
24800/tcp open  unknown
24810/tcp open  unknown
25000/tcp open  icl-twobase1
30102/tcp open  unknown
MAC Address: 08:00:27:69:A7:65 (Oracle VirtualBox virtual NIC)
Figure 2. The Nmap Scan on the Android Device
We executed the command adb shell tcpdump -i any -s 0 -w /data/local/tmp/scan.pcap to capture all network traffic on the emulator in real-time, as shown in Figure 3. This command is particularly useful for digital forensics, as it enables investigators to monitor traffic across all interfaces without missing critical data.
$ adb connect 192.168.43.164
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 192.168.43.164:5555
$ adb devices
List of devices attached
192.168.43.164:5555    device
Figure 3. Connecting to the Android Device Using ADB
After capturing the traffic, we extracted the pcap file using ADB, as illustrated in Figure 4.
$ adb shell tcpdump -i any -s 0 -w /data/local/tmp/scan.pcap
$ adb shell
root@vbox86p:/ # cd data/local/tmp/
root@vbox86p:/data/local/tmp # ls
scan.pcap
root@vbox86p:/data/local/tmp # exit
$ adb pull /data/local/tmp/scan.pcap
/data/local/tmp/scan.pcap: 1 file pulled, 0 skipped. 32.3 MB/s (11477622 bytes in 0.339s)
Figure 4. Extracting the Network Traffic Capture Using ADB
Upon reviewing the generated .pcap file with Wireshark, we identified a series of distinct patterns indicative of a port scan. Specifically, we observed a rapid succession of SYN packets targeting multiple ports, suggesting an unauthorized attempt to discover open services on the device.
[Figure 5 screenshot: Wireshark packet list with display filter ip.addr == 192.168.43.56; columns No., Time, Source, Destination, Protocol, Length, Info. The visible rows are TCP frames between 192.168.43.164:5555 and 192.168.43.56:49180: an initial [PSH, ACK]/[ACK] exchange followed by [TCP Keep-Alive] and [TCP Keep-Alive ACK] pairs at roughly one-second intervals.]
Figure 5. Analysis of the Traffic Using Wireshark
The frequency of these packets, often within milliseconds of one another, aligned with known characteristics of port scanning techniques such as SYN scans and FIN scans. Further analysis of the captured data revealed that the majority of the targeted ports were non-responsive, indicating that they were likely closed or filtered.
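The SYN-scan signature described above, as an added example that is not part of the paper: a minimal pcap reader and detector using only Python's standard library, run on a constructed capture. The scanner and target addresses are the ones from the case study; the packets themselves, the MAC addresses and the threshold values are made up for the example.

```python
import socket
import struct
SCANNER, TARGET = "192.168.43.56", "192.168.43.164"  # addresses from the case study

def tcp_frame(src, dst, sport, dport, flags, ts):
    """Build one pcap record: Ethernet/IPv4/TCP header, no payload, checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x02" * 12 + b"\x08\x00" + ip + tcp  # constructed MAC addresses, IPv4
    return struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame

def build_sample_pcap():
    """Constructed capture: one ordinary ADB ACK on port 5555, then bare SYNs
    to 200 distinct ports within ~20 ms, the pattern a scanner produces."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    records = [tcp_frame(SCANNER, TARGET, 49180, 5555, 0x10, 0.0)]
    for i in range(200):
        records.append(tcp_frame(SCANNER, TARGET, 40000 + i, 1 + i, 0x02, 0.5 + i * 1e-4))
    return header + b"".join(records)

def iter_tcp(pcap):
    """Yield (timestamp, src, dst, dport, flags) for every IPv4/TCP record."""
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # IPv4 carrying TCP only
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        dport = struct.unpack_from("!H", pkt, 14 + ihl + 2)[0]
        yield sec + usec / 1e6, src, dst, dport, pkt[14 + ihl + 13]

def detect_syn_scans(pcap, window=1.0, min_ports=20):
    """Return {(src, dst): distinct_ports} for sources that send bare SYNs to at
    least min_ports different ports on one host inside any `window` seconds."""
    syns = {}
    for ts, src, dst, dport, flags in iter_tcp(pcap):
        if flags & 0x12 == 0x02:  # SYN set, ACK clear: a fresh connection attempt
            syns.setdefault((src, dst), []).append((ts, dport))
    hits = {}
    for pair, events in syns.items():
        events.sort()
        best = max(len({p for t, p in events if t0 <= t < t0 + window}) for t0, _ in events)
        if best >= min_ports:
            hits[pair] = best
    return hits
```

The same functions read a real capture pulled with adb pull when the file's bytes are passed to detect_syn_scans; the ADB keep-alive traffic seen in Figure 5 is ignored because it carries ACK, not a bare SYN.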
This case study underscores the significance of ADB in digital forensics, offering valuable insights into identifying and analyzing network threats on Android devices. By capturing and scrutinizing network traffic, forensic investigators can provide a more comprehensive assessment of security incidents, thereby enhancing overall mobile device security.
Future Considerations in Android Forensics
As Android continues to evolve, so will its file systems and associated forensic challenges. Key trends include emerging file systems, the integration of AI for data analysis, and ongoing research into Android file systems and their implications for forensics.
Conclusion
A comprehensive understanding of the Android file system is vital for effective forensic investigations. The complexities of file storage, log retrieval, and data recovery present both challenges and opportunities for investigators. Forensic professionals must stay informed about file system structures, data storage methods, and emerging challenges to navigate the complexities of digital investigations successfully.
References
1. Statista. (2023). Market share of smartphone operating systems worldwide from January 2012 to January 2023. Statista.
2. Nystrom, P. (2020). Android Forensics: Investigating Mobile Devices. Syngress.
3. Carrier, B., & Spafford, E. H. (2004). An Event-Based Digital Forensic Investigation Framework. In Digital Forensics Research Workshop.
4. Garfinkel, S. (2010). Digital Forensics Research: The Next 10 Years. ACM Digital Library.
5. Cohen, F. (2015). The Computer Forensic Investigator's Handbook. The Forensics Library.