
Android anti-forensics through a local paradigm



Introduction
Mobile devices, and in particular mobile phones, are among
the most common and widespread current technologies (Kalba,
2008). The 2.6 billion subscribers in the world and the
recent growth trend, registered especially in rural areas
(e.g., China Mobile declares that it is adding 6 million
new subscribers per month), confirm how widespread this
technology is. In addition to the market penetration of such
devices, another point of interest is the advanced
functionality they offer, which ranges from the user interface
to computational resources, connectivity, and application
development.



Definition of anti-forensics
AF is a fairly young and immature discipline, even more so if we
consider the Mobile Environment (ME). In the ME,
a number of difficulties and issues in forensic analysis
are still to be overcome (Jansen et al., 2008), hence the possible
forms of AF techniques are continuously and rapidly
evolving (Geiger, 2005; Peron; Berghel, 2007).
Currently, there is no single, standard definition of AF;
several definitions exist, each focusing on different and
specific aspects. Some focus on breaking
forensic tools or avoiding the detection of evidence (Foster and
Liu, 2005), while others relate AF to system intrusions (S.
B., 2002).



Mobile anti-forensics
The definitions provided in Sections 2.1 and 2.2 can be
applied to any kind of evidence and to any forensic discipline.
In this paper, we focus on Mobile Forensics and on the
implications this has for the kind of digital evidence we are
interested in.



Kinds of anti-forensics
The work described in this paper refers to the kinds of AF
techniques described in Arriving at an anti-forensics
consensus (2006). These techniques, which have
been identified in general terms, are briefly summarized as follows.

Destroying evidence
This involves the destruction of evidence in order to make it
unusable during the investigative process. Although the
destruction of evidence is often fatal, it is worth noting that
the tools or operations used to destroy the evidence can
themselves produce evidence, in the form of traces of their usage.



The Android operating system
Android is a set of open source software elements developed by
Google and specifically designed for mobile devices (MDs); it
includes the Operating System (OS), a middleware layer and a set
of applications. Although it has been designed and developed for
MDs (e.g., smartphones), several laptop manufacturers plan to equip
their products with Android.


Current Android forensic techniques and tools
This section outlines the techniques currently
available for Android forensics; these techniques were first
introduced by Hoog (backup tools are included in the set of
forensic tools).


Conclusions
AF is a fairly young and immature discipline, even more so when
considered in the context of the ME. Several efforts have been made
to properly describe and classify the widespread AF
techniques (e.g., Arriving at an anti-forensics consensus,
2006), but they do not focus on mobile devices.