Mobile Forensics Assignment: Android OS and Data Forensics Report

Added on  2023/05/26

AI Summary
This report provides an overview of Android OS data forensics, focusing on investigation techniques, malware analysis, and data recovery methods. It begins with an introduction to the prevalence of Android OS in mobile devices and the increasing need for digital forensic investigators (DFIs) to examine these devices in cybercrime cases. The report details the architecture of the Android OS, including the Linux Kernel, Libraries, Application Framework, and Applications layers. It discusses Android malware classification methods, highlighting Dalvik Bytecode Frequency Analysis, and third-party kit properties. The report also covers Android malware analysis methods and tools, such as analyzing Dalvik code properties and third-party kit properties, and compares analysis methods between Android devices and personal computers. Furthermore, it addresses common malware infection methods, the Android analysis environment, procedures to avoid malware infection, and tools to generate string signatures for future malware detection. The report concludes by emphasizing the importance of understanding Android operating systems and associated risks, as well as the risk mitigation techniques that can be applied.
Running head: ANDROID OS AND DATA FORENSICS
Android OS and data forensics
Name of the Student
Name of the University
Authors note
Introduction
In the mobile device world, Android is rapidly becoming the most used operating
system. Advances in technology have also made mobile devices more vulnerable to
either falling victim to cybercrime or becoming the tool through which users are
victimized. Today, Digital Forensic Investigators are keener than ever to examine a
mobile device after a cybercrime has occurred, in order to gather or seize the data
it holds. Android devices such as cell phones, tablets and other hardware are the
first to be investigated in these kinds of incidents. The following report puts forward
the Data Forensic Investigation techniques and how they are applied to the Android OS in these cases.
As the responsibility of a DFI, or Digital Forensic Investigator, goes, these people are bound
to work through a variety of advanced and technologically sophisticated devices, and they need to be
familiar with the operating systems those devices run on. The predominance of Android OS in the
market means that DFIs investigate Android devices every now and then. Thus, the
following report focuses on this phenomenon in order to assess the understanding of the
commonly used Android OS, the different forms in which it is available, the
classifications of Android malware, and the techniques used to detect and prevent malware
functioning within Android devices.
Overview of Android architecture
Basically, the Android OS is a modified version of Linux. On top of this kernel, a
new library layer and an application framework have been developed and implemented so that the system is
compatible with mobile devices and their hardware architecture. The Linux kernel is
responsible for managing network connectivity, device driver functionality, process
management and memory management. The operating system is essentially a stack of
components, which are further divided into four main layers: Applications, Application
Framework, Libraries and Linux Kernel.
The Linux kernel lies at the very bottom of the stack, with a total of approximately 115
patches. It provides a level of abstraction between the hardware of the device and the layers
above it, and contains the essential hardware driver components such as those for the camera, display, keypad and others. The
kernel also handles Linux-oriented networking and device drivers, which makes it
much easier to develop interfaces to peripheral hardware.
The Libraries sit on top of the Linux kernel. This set of libraries includes the open
source web browser engine WebKit, the SQLite database, the libc library, libraries to record
and play video and audio, the SSL libraries responsible for Internet security, and others.
The Java-based libraries are specific to Android OS development. This category includes the
application libraries that facilitate building user interfaces, drawing graphics and accessing the
database. The libraries available to Android developers include android.app,
android.content, android.database, android.opengl, android.os, android.text, android.view,
android.widget and android.webkit. Besides these, there are also C and C++ based
libraries within this layer of the Android software stack.
The Android Application Framework layer sits on top of the Android libraries and
provides high-level services to applications in the form of Java classes. The framework
includes the following key services: the activity manager, content providers, the resource
manager, the notification manager and the view system. The next layer, the Android applications,
forms the topmost layer.
Android malware classification
With each emerging version of the Android operating system, the potential for
Android malware increases. This is why there has been a need to create a method by which
malware families can be classified. Many classification methods have been proposed by various
researchers so far; however, most of them were based only on permission
information, which does not actually represent the behaviour of the applications, since
permissions are easily spread across the various applications communicating with each other,
and permission-based classification methods resulted in false alarms. Various authors have
suggested that Dalvik Bytecode Frequency Analysis and third-party kit properties are
appropriate methods with the potential to properly classify Android malware
families. These methods have been realised with the help of machine
learning techniques and appropriate parameter selection. In the analysis, the selected
parameters were fed to a random forest algorithm, which performed the classification, and the
classification accuracy was then evaluated.
Android malware analysis methods and tools
Because an application always asks for different types of permission in order to run smoothly
on a device, the following are a few of the techniques widely used to analyse the type of
malware installed on a device.

Analysis of Dalvik code properties: The information is extracted from the Dalvik
executable that resides inside the Android package of the installed application. In this
extracted information it is possible to find different properties that help detect the use of
specific and potentially malicious APIs such as sendTextMessage, actions such as
ACTION_CALL, intent extras such as EXTRA_SUBJECT, and Dalvik opcodes such as
const-string and nop.
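As an added illustration (not part of the original report, and not any particular tool's implementation), the Python script below performs the two extraction steps described above, which are also the raw material for the Dalvik Bytecode Frequency Analysis mentioned in the classification section: it counts Dalvik opcode mnemonics in a smali-style disassembly into a frequency vector, and it pulls out the invoked API methods and string constants so that indicators such as sendTextMessage, the ACTION_CALL action string and the EXTRA_SUBJECT extra can be flagged. The two sample classes (`SUSPECT_SMALI`, `BENIGN_SMALI`) and the watch-lists are constructed for the example.

```python
"""Feature extraction from a Dalvik disassembly, in the style of Dalvik Bytecode
Frequency Analysis.  Added illustration: the smali text is constructed, not taken
from a real application, and the watch-lists are assumptions based on the APIs the
report names (sendTextMessage, ACTION_CALL, EXTRA_SUBJECT)."""
import re
from collections import Counter

# Constructed smali-style listing of a receiver that sends an SMS and carries the
# ACTION_CALL / EXTRA_SUBJECT constant strings.
SUSPECT_SMALI = """\
.class public Lcom/example/sample/Receiver;
.super Landroid/content/BroadcastReceiver;

.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 6
    .param p1, "context"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "1234"
    const-string v2, "body"
    const/4 v3, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    nop
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v1, "android.intent.action.CALL"
    const-string v2, "android.intent.extra.SUBJECT"
    :goto_0
    return-void
.end method
"""

# Constructed listing of a harmless activity, for contrast.
BENIGN_SMALI = """\
.class public Lcom/example/sample/Hello;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/sample/Hello;->setContentView(I)V
    return-void
.end method
"""

OPCODE_RE = re.compile(r"^[a-z][a-z0-9/-]*")        # leading mnemonic, e.g. const/4, invoke-virtual/range
INVOKE_RE = re.compile(r"(L[\w/$]+;)->([\w<>]+)\(")   # class descriptor and method name of a call
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')        # literal of a const-string instruction

# Indicators named in the report (assumed watch-list for this illustration).
WATCHED_METHODS = {"sendTextMessage"}
WATCHED_STRINGS = {"android.intent.action.CALL",      # value of Intent.ACTION_CALL
                   "android.intent.extra.SUBJECT"}    # value of Intent.EXTRA_SUBJECT


def parse_smali(text):
    """Return (opcode counts, invoked APIs, string constants) from a smali listing."""
    opcodes, apis, strings = Counter(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ".:#":          # directives, labels and comments are not instructions
            continue
        match = OPCODE_RE.match(line)
        if not match:
            continue
        op = match.group(0)
        opcodes[op] += 1
        if op.startswith("invoke-"):
            call = INVOKE_RE.search(line)
            if call:
                apis.add(call.group(1) + "->" + call.group(2))
        elif op.startswith("const-string"):
            literal = STRING_RE.search(line)
            if literal:
                strings.add(literal.group(1))
    return opcodes, apis, strings


def opcode_frequencies(opcodes):
    """Relative frequency of each mnemonic, so samples of different size are comparable."""
    total = sum(opcodes.values())
    return {op: n / total for op, n in opcodes.items()} if total else {}


def build_vocabulary(*listings):
    """Sorted union of all mnemonics seen, giving every sample the same vector layout."""
    vocab = set()
    for text in listings:
        vocab |= set(parse_smali(text)[0])
    return sorted(vocab)


def feature_vector(text, vocabulary):
    """Fixed-order frequency vector over the shared vocabulary, ready for a classifier."""
    freqs = opcode_frequencies(parse_smali(text)[0])
    return [round(freqs.get(op, 0.0), 4) for op in vocabulary]


def flag_indicators(apis, strings):
    """APIs and constants from the watch-lists that the sample actually references."""
    hits = [api for api in sorted(apis) if api.rsplit("->", 1)[1] in WATCHED_METHODS]
    hits += [s for s in sorted(strings) if s in WATCHED_STRINGS]
    return hits


if __name__ == "__main__":
    vocab = build_vocabulary(SUSPECT_SMALI, BENIGN_SMALI)
    for name, listing in (("suspect", SUSPECT_SMALI), ("benign", BENIGN_SMALI)):
        ops, apis, strings = parse_smali(listing)
        print(name, dict(zip(vocab, feature_vector(listing, vocab))))
        print(name, "indicators:", flag_indicators(apis, strings))
```

The frequency vector is what a classifier such as the random forest named in the report would consume, one row per application; the indicator list is the human-readable by-product an analyst checks first.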
Analysis of third-party kit properties: Android apps often embed third-party kits or
code for statistics, advertising and error reporting. Some of these kits have also been
reported to transfer confidential data without the user's permission or knowledge.
Difference of the analysis methods/tools between Android and Personal Computer
The most obvious difference between the analysis tools used for Android devices and
those used for personal computers is that the mobile tools usually have to cater to a huge
number of users, with far more diversity between the devices and an increasingly broad
range of communication channels than personal computers have. Over time, however, the
difference between the two computing categories is gradually decreasing, since various
personal computer analytical tools are becoming available in mobile formats, and
the complexity of these applications and tools is becoming more and more expandable
as the functions the mobile devices must support grow in complexity.
A mobile device analytical tool may be able to run on several kinds of device, such as
a smartphone, a fitness tracker, a lock system, a smartwatch or a tablet. The
applications or tools used for analysing personal computers, however, were created as
stationary tools. The two kinds of analytical tool act on different devices; therefore the
analytical tools and applications made for web-based personal computers need to be static,
unlike the ones used for mobile devices, which are meant to perform on-the-go computing
functions. Other primary differences between the analytical tools for a mobile device and
those for a personal computer lie in constant connectivity, notification management and
application syncing across multiple platforms.
Malware infection methods
Despite the various security measures taken and the antivirus software installed on a user's
device, there are several common ways in which malware can severely harm and infect a
person's personal data and privacy through their connected devices.

There are various undetectable, sophisticated attacks on the server side that
organisations cannot keep out with their security infrastructure. These are very
serious attacks; however, they are very difficult to execute and easier to detect if the
companies can react quickly.

Almost 15 to 30 per cent of users are subjected to client-side attacks from the
browser extensions that they download willingly. Although these cannot be deemed illegal,
they are downloads that the users are not fully aware of, and once installed they
enable a client-side script that shifts between the pieces of software within the user's browser.
In addition, one of the most common ways in which a malware attack happens is
through spam mails.
Android analysis environment
In recent years, static and dynamic analysis of smartphone applications has become
popular. These kinds of analysis have assisted in detecting malware among other
applications. In order to evade detection in emulator-based dynamic analysis environments,
a number of malware samples rely on specific details of the emulator and on user input, such as the IMEI
number, button presses, phone calls, accelerometer readings and others.
Procedures to avoid infection with the similar malware
Tools to generate a string signature for future malware detection
Scanning files for signatures has been a proven technology, but the exponential
growth in the number of unique malware programs has caused an explosion in the
size of signature databases. One solution to this problem has been the use of
string signatures, each of which detects a byte sequence that potentially matches the
variants of a malware family. It is not exactly clear how string signatures can be
generated automatically while committing to a sufficiently low false positive rate. One of the first string
signature generators is Hancock, which takes on this challenge at a large scale.
Conclusion
In conclusion, it can be said that an understanding of the Android operating
system has been set out in the above report, together with the different types and
classifications of Android malware and their detection and prevention techniques. It also
clarifies the various kinds of technological advancement and the way in which they
bring about several associated risks. However, there are also risk mitigation techniques
that can be applied to eradicate these problems once and for all, so that they do not come
back to harm the system.