Monday, June 3, 2019
Forensic Analysis of Personal Data Leakage on Android Phone
Sheriff Drammeh

RESEARCH STATEMENT
The proposed research will look for personal data leakage on the Android mobile phone platform through forensic analysis of volatile and non-volatile memory.

PROPOSAL SUMMARY
The proposed research will apply both volatile memory forensic techniques and traditional disk forensic techniques to the Android platform in order to identify privacy breaches, primarily in Android mobile applications [1]. The proposed research also aims to demonstrate that forensic artifacts can be found both on the disk drive (non-volatile) and in memory (volatile).

AIMS AND OBJECTIVES OF THE PROPOSED RESEARCH
1. Acquire non-volatile data from an Android device using the traditional forensic approach and the memory dump, analyse the acquired data for any forensic artifacts, and make a comparative analysis of both approaches. This will be achieved by designing an experimental simulation of both approaches.
2. Develop an effective methodology to improve the detection of personal data leakage and sensitive information from Android mobile applications.

RESOURCES
The major part of this proposed research will be conducting an experiment, hence some equipment is essential to be in place in order to carry out the experiment. The proposed research is mainly memory dumping and disk drive imaging for forensic analysis. Some open source tools will be heavily used during the course of this proposed research, such as the Android Studio SDK, Odin, ADB and mem. Additionally, books on Android forensics and mobile forensics, journals and YouTube video tutorials will also be used. As the research progresses more resources might be needed.
The following is a non-exhaustive list of resources presently available for use:
- Windows 10 OS with an Intel(R) Core(TM) i7 processor and 16.0 GB of installed memory is the host operating system and the forensic workstation for disk image analysis
- Linux Ubuntu 15.10 x32 with kernel v2.6 is our forensic workstation for memory analysis
- VMware Virtual Machine v11.1.2 will be used to install the guest operating system
- Physical Android environment: a Samsung Galaxy S3 is the subject of the experiment
- Android SDK developer tools for Linux x32 is a software development tool used for application development and analysis
- mem is an open source tool for dumping a running process from Android memory
- Odin3 v3.10 is an open source tool that enables us to root the Android phone
- Samsung USB driver for mobile phone, used to enable the debug bridge between the Android phone and the forensic workstation
- CF-Auto-Root-2dcan-2dvl-sghi747m is used to update the firmware during the rooting process
- AccessData Forensic Toolkit version 3.4.2 (Download FTK Imager 3.4.2) is the forensic software tool used to analyse disk image files

CONNECTION TO THE COURSES OF THE MISSM PROGRAM
This proposed research is closely related to the Digital Forensics course (ISSM536), which is one of the courses we covered in our Information Systems Security Management program. The proposed research takes the techniques learned in that class and applies them in the Android environment to reveal several types of personal information such as username, password, date of birth, postal address, contacts, photos, account number, messages, etc. The comparative analysis method used covers the principles of digital evidence collection learned in the Information Technology Security Laws and Ethics course (ISSM561). The proposed research has a beginning and an end; as a result it needs to be managed in order to achieve the end result.
Therefore the knowledge learned in System Development and Project Management (ISSM545) will be applied as well.

REVIEW OF RELATED RESEARCH
Fuchs et al. [2] presented the first analysis tool for Android, called SCanDroid, a framework for Android to perform information flow analysis on applications in order to understand the flow of information from one component to another. Consider a case where an application requests permission to access multiple data stores, i.e., a public data store and a private data store. The application requires permission for reading the data from the private store and writing data to the public store. SCanDroid analyzes the information flow of the application and reports whether the application will transfer the information in the private store to the public store or not. However, SCanDroid also suffers from the same limitation of security policy expressibility: in order to classify some information flow as dangerous, the policy writers must define certain constraints prior to executing the policy. Similarly, if an information flow is not explicitly added to the set of constraints, the framework will consider it to be safe.

In 2012, C. Gibler et al. presented AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale [4]. It informs the user if applications are leaking their personal information. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually. To secure privacy information, they set up a mapping between Android API methods and the required permissions as the sources and sinks of private data for data flow analysis. However, AndroidLeaks does not yet analyze Android-specific control and data flows.
This includes Intents, which are used for communication between Android and application components, and content providers, which provide access to database-like structures managed by other components.

Sasa Mrdovic et al. [3] proposed a combination of static and live analysis for a memory image obtained through hibernation mode (a power management feature that exists in most portable computers). After they obtained the physical memory image, they used it to boot the investigated system in a virtual machine (live view) to resume the system to the same state it was in before it went into hibernation. Their proposal of using the hibernation feature was to obtain the memory contents without violating evidence integrity, but during their analysis they found out that they lost all the information about network connections, because hibernation mode terminates the network connections before it starts in the Windows environment.

As one of the best-known analysis approaches, TaintDroid detects privacy leaks using dynamic taint tracking [5]. Enck et al. built a modified Android operating system to add taint tracking information to data from privacy-sensitive sources. They track private data as it propagates through applications during execution. If private data is leaked from the phone, the taint tracker records the event in a log which can be audited by the user. In 2015, Youngho Kim et al. proposed a methodology and an architecture for measuring user awareness of sensitive data leakage, which features runtime application analysis over the timing distance between the user input event and the actual privacy data leak [6].

Nai-Wei Lo, Kuo-Hui Yeh and Chuan-Yen Fan present a user privacy analysis framework called LRPdroid [7]. LRPdroid has been proposed for the Android platform to offer a user privacy management model.
In the LRPdroid framework they defined the models required to achieve user privacy management: App execution data flow, user perception, leakage awareness, information leakage detection, privacy disclosure evaluation, and privacy risk assessment. To support the proposed privacy analysis model, two information capture modules for LRPdroid were designed to acquire the incoming data entered by a mobile user and the outgoing data transmitted from a targeted App. A system prototype based on the LRPdroid framework was developed to evaluate the feasibility and practicability of LRPdroid. Two general App usage scenarios were adopted during the usage of the Line App to evaluate the effectiveness of LRPdroid on user privacy disclosure by social engineering attack, user information leakage from normal operations of a running App, and privacy risk assessment of a targeted running App.

In 2015 [10], Pasquale Stirparo, Igor Nai Fovino and Ioannis Kounelis developed a novel methodology called MobiLeak for analysing the security and privacy level of mobile applications, which focuses more on user data than on application code and its architecture. Their research work addressed and solved the problems related to the following three research questions for the mobile environment and applications: (1) What are data and where can such data exist? (2) How is personal data handled? (3) How can one properly assess the security and privacy of mobile applications? They start their research work with a fundamental requirement in order to be able to properly treat them, which is studying and identifying every possible state in which data can exist. After this step, they analyse how real-life mobile applications and operating systems handle users' personal data for each of the states previously identified.
Based on these steps they developed MobiLeak, which also features concepts and principles from the digital forensics discipline.

DESCRIPTION OF PROPOSED RESEARCH

THE FOCUS OF THE RESEARCH
The aim of this proposed research is to examine the user data storage mechanism of mobile applications in the context of the Android platform. Analyzing a mobile application for personal data leakage requires extensive analysis and an in-depth understanding of both the OS and the application architecture. The analysis is anticipated to be conducted on data at rest and data in motion. The result of this proposed research will help create awareness among both application developers and the Android community that users' personal data, such as username, password and other sensitive information, is at risk both in volatile and non-volatile memory.

User sensitive data on an Android smartphone could be found in three (3) locations: the disk drive, memory and the app server. Our research is limited to two of the three application data stores, the disk drive and memory; both storage areas could prove strategic locations for finding vital information about Android smartphone users. The motive of this research is to examine whether applications encrypt user sensitive information both in memory and on the disk drive. This poses the following questions:
1. Are user credentials encrypted in memory?
2. Of the two methods, which one is more forensically sound?
3. What information can be found on the disk drive and not in memory?

During the experimental phase of the proposed research certain applications will be examined, such as VOIP applications, social media applications, financial applications and telecom applications. I chose this sample of Android applications from various categories because these applications are fairly popular and are used by millions of people around the globe.
For each application I will look at how user sensitive data, such as user name, password, date of birth and account number, are stored both on the disk drive and in memory.

The rest of the proposed research section is divided into 4 parts: first I am going to talk about my methodology, next I will present the series of preliminary results from both the memory analysis and the disk analysis, third I give the highlights of the expected results, and finally I will discuss certain obstacles that may arise.

METHODOLOGY
The method used in carrying out the experiment of the proposed research consists of four phases.

Phase One: Gather the required tools, both in terms of hardware and software
As the proposed research requires memory dump and disk drive imaging analysis, a physical Android phone is needed to conduct our experiment.
1. Windows host OS and Ubuntu guest OS as our forensic workstation
2. Android phone: Samsung Galaxy S3
3. Installing Odin3 v3, which will allow us to root our Android phone
4. Install the Android SDK tools in order to use ADB (Android Debug Bridge) to get shell access on our Android phone
5. mem application software loaded onto our Android phone through ADB, which allows us to dump the running processes from the phone

Phase Two: Installation and configuration of the experimental environment
At this phase all the required tools, both hardware and software, are installed and configured. A pre-experiment memory dump and disk imaging is performed, and the tools are verified.

Phase Three: Acquisition of disk image and memory dump
At this phase the disk drive image is acquired using the dd command from the internal memory to the internal SD card of the phone, and adb pull is used to copy the disk partitions to our forensic workstation. The mem program is used to dump the running process.
We used ADB to install the mem application on our phone in order to dump the desired running application process.

Phase Four: Preservation and analysis of acquired data
The purpose of this phase is to examine the acquired application data both in memory and on the disk drive. For example, we will check whether the application encrypts users' credentials, both for data at rest and data in transit.

MEMORY DUMPING ANALYSIS
This section provides the detailed steps taken to analyse the dumped memory of certain applications selected for this proposed research. The result shows that users' credentials are not properly handled by the applications, which can result in personal data leakage. A program called mem was used to perform the process dump; ADB was also used to install the mem program on our Android phone. We listed the running processes, dumped them to the internal SD card and finally pulled the dump to our forensic workstation for further analysis. The strings and sqlite3 commands were used to look for ASCII text in the dumped memory in order to understand the output. Consequently, the result showed that users' credentials are not encrypted at all.

The applications analysed in this proposed research are as follows:

A) Africallshop App
Africallshop is a VOIP application which allows clients to buy credit online to make national and international calls and send text messages worldwide to friends and family at a cheap rate. The application is rated about 4.4 in the Android Play Store and had been downloaded by five thousand (5000) customers at the time of this proposed research. The prominent outcome for this application is as follows: the username, password, caller ID and user account balance are not encrypted. We ran the sqlite3 and strings commands on the dumped memory, which produced the result below:

    sip.africallshop.comXXXXXXX0017802986780CANADA12590xxxxxxxxxyesCADproxy.africallshop.com443574b690276bc5[email protected]0,434

B) EHarmony App
EHarmony is an online dating site for singles.
Those using this app can communicate freely and share pictures, video and text. At the time of this proposed research the application had been downloaded by five million people and was rated 3.1 in the app store. The prominent outcome of this application analysis is as follows: the user credentials, such as username, password and device information, are all in plaintext. The result below:

    POST /singles/servlet/login/mobile HTTP/1.1
    j_username=sdramme1%40student.concordia.ab.ca
    j_password=123qaz
    platform=android
    j0r1D7fg4ArJ2uSVPgSti5zcEnltO919mHUV88E%2FKUWcan9NEMgT820MygiKsWf0Sg1147vdZbXIotLS HTTP/1.1
    User-Agent: eHarmony-Android/3.1 (SGH-I747M Android OS 4.4.2 en_CA id f9d8a2acfec7b901)
    X-eharmony-device-id: f9d8a2acfec7b901
    X-eharmony-device-os: Android
    X-eharmony-device-os-version: 19
    X-eharmony-device-type: 1
    X-eharmony-client: eHarmony
    X-eharmony-client-version: 3.1
    Accept: application/json
    lBxpc_te
    j_username=sdramme1%40student.concordia.ab.ca
    j_password=123qaz
    platform=android
    8KTBstevedocwra on

C) Virgin Mobile My Account App
Virgin Mobile is a GSM mobile application that allows users to manage their account features and usage. Users can make payments and add a buddy to their list. This application had been downloaded by five hundred thousand (500,000) people at the time of this proposed research and was rated 3.4 in the app store. The prominent outcome of this application is as follows: SIM sequence number, cell phone number, UMTS number, activation date, user date of birth, subscription date, user e-mail address, initial password, PIN unlock code and account number.
All this information is not encrypted.

    ~/android-sdk-linux/platform-tools$ strings virginmobile | grep [email protected]

We ran the ps and strings commands on the dumped memory, which produced the result below:

    imeioriginalnull,simsequenceNumber174392323,esnequipmentTypenull,imeiequipmentTypevalueLTEDevice,codeT,simequipmentTypevalueUSimVal,codeU,telephoneNumber7802356780,networkTypevalueUMTS,code85,languagevalueEN,codeE,isBillSixtyfalse,isTabfalse,commitmentStartDatenull,commitmentEndDatenull,commitmentTerm0,contractTypevalueOFF_COMMITMENT,codeO,paccPinStatusvalueNOT_ENROLLED,code78,padPinStatusvalueNOT_ENROLLED,code78,initialActivationDate1463112000000,accountCommPrefvalueBILL_INSERTS,code66,isAccountSMSPermtrue,birthDate512197200000,lastUpdateDate1464062400000,lastUpdateStamp9863,lastHardwareUpgradeDatenull,daysSinceLastHWUpgradenull,subscriberEstablishDate1463112000000,daysSinceActivation16,nextTopupDate1465704000000,cancelledSubStatusDate1463371200000,initialPassword5069,isCallDisplayAllowedfalse,pricePlanVHV226,portInidicatornull,primeMateInidicatorvalueUNKNOWN,codeR,primeSubNumbernull,subMarketvalueUAC,codeUAC,telcoIdMOBL,pinUnlockKey36761817,63094923,manitobaIndicatorO,thunderBayIndicatorO,portabilityIndicatorO,serviceAreaN,hasOrderInProgressfalse,isWCoCSubscribertrue,hasDomesticDataServicesfalse,hasRoamingDataServicesfalse,domesticDSBlockedUntilnull,roamingDSBlockedUntilnull,isAccessiblefalse,promotionGroupCodenull,emailAddress[email protected],wcoCDate1463112000000,emailAddress[email protected],arbalancenamehttp//bside.int.bell.ca/customer/profile/typesARBalance,declaredTypejava.lang.Double,scopeca.bell._int.bside.customer.profile.types.MobilityAccountType,value0,nilfalse,globalScopefalse,typeSubstitutedfalse,ebillInfoisEBillEnrolledtrue,isEBillNotifyEnabledtrue,ebillStartDate1463112000000,ebillEndDatenull,siownervalueBELL_MOBILITY,codeMOBL,arpuamount19.13,wirelineAccountsnull,internetAccountsnull,tvaccountsnull,activeHouseholdOrdersnull,emailAddress[email protected],username7802986780,guidSCP9O0ELLDDUN2J,profileTypeBUP,savedTimeStamp2016-05-29T013038.458-0400,profilebanNumbersaccountTypeLegacy,ban527566075,profileSaveTime1463945744000,accountType,paymentDatapaymentInfoListbillAvailabletrue,lastPaymentAmount40.18,totalAmountDue40.18,lastPaymentDate2016-05-22T000000.000-0400,paymentDueDate2016-06-06T000000.000-0400,billEnddate2016-05-14T000000.000-0400,balanceForward0,bankAccountNumbernull,creditCardNumnull,customerIdnull,ban527566075,mdn52756607UAV580,eligibilityIndY

DISK IMAGING ANALYSIS
This section provides the detailed steps taken to conduct the traditional forensic technique for non-volatile memory acquisition and analysis. During this phase the acquired image will be examined, and the primary concern will be the stored user data, in particular the shared_prefs folder. The shared_prefs folder is a storage location for key-value pairs inside the application data store. Android applications store user data within /dev/block [8]. A common forensic command, dd, will be used to image the disk drive partitions. For this proposed research the following partitions are imaged for analysis:
- System
- Cache
- User data
- Persist
But our proposed research experiment will focus on the user data partition, as it is considered the storage location for application data.
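The acquisition step this section describes, as an added shell example that is not the proposal's own script: it wraps the same dd copy in a function and adds one check the proposal does not perform, hashing source and image so the copy can be shown to be bit-for-bit identical before it leaves the device. On the phone this would run inside a root adb shell with SRC a /dev/block path and DEST under /mnt/sdcard (both assumptions); here the "partition" is a constructed 4 KB file, so the script runs on any machine with a POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the proposal: image a partition with dd the way the
# proposal does (dd's default 512-byte blocks, output to the SD card) and add the
# check the proposal leaves out: hash source and image before the copy is pulled
# off the device, so the acquisition can be shown to be bit-for-bit exact.
# Assumptions: on the phone this runs in a root `adb shell`, SRC is a path such as
# /dev/block/platform/msm_sdcc.1/by-name/userdata and DEST lives under /mnt/sdcard.
# cksum is used because it is POSIX and present almost everywhere; on a workstation
# prefer sha256sum. Here the "partition" is a constructed file.

# image_partition SRC DEST: bit-for-bit copy. dd's "records in/out" summary goes
# to DEST.log so the block count stays with the image as an acquisition note.
image_partition() {
    dd if="$1" of="$2" bs=512 2> "$2.log"
}

# records_copied LOGFILE: number of 512-byte blocks dd wrote, parsed from the
# "N+M records out" line (M != 0 would mean a short, partial final read).
records_copied() {
    sed -n 's/^\([0-9]*\)+[0-9]* records out.*$/\1/p' "$1"
}

# verify_image SRC DEST: succeed only if source and image hash identically.
verify_image() {
    src_sum=$(cksum < "$1" | cut -d' ' -f1)
    img_sum=$(cksum < "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# make_sample_partition PATH: constructed stand-in for a block device, 8 blocks
# of 512 bytes, so the example runs without a rooted phone.
make_sample_partition() {
    dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\000' 'A' > "$1"
}

# Stand-alone demo: sh image.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_partition "$work/userdata"
    image_partition "$work/userdata" "$work/userdata.img"
    echo "blocks copied: $(records_copied "$work/userdata.img.log")"
    if verify_image "$work/userdata" "$work/userdata.img"; then
        echo "image verified, safe to adb pull"
    else
        echo "hash mismatch, re-acquire" >&2
    fi
fi
```

The hash comparison is what makes the later "which method is more forensically sound" question answerable for the disk side: an image whose checksum matches the source at acquisition time, recorded alongside the dd block counts, can be re-verified after adb pull and again before analysis in FTK.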
To image the disk drive, shell access is needed through the Android SDK; we then look for the mounted partitions on the disk drive before executing dd commands to copy each partition from the internal memory to the internal SD card, and finally pull it to our forensic workstation using the adb pull command.

1. Checking the mounted partitions on the disk drive:

    mount
    /dev/block/platform/msm_sdcc.1/by-name/userdata
    /dev/block/platform/msm_sdcc.1/by-name/cache
    /dev/block/platform/msm_sdcc.1/by-name/system
    /dev/block/platform/msm_sdcc.1/by-name/persist

2. Copying the user data partition and pulling it to the forensic workstation:

    dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata of=/mnt/sdcard/test1
    17399538+0 records in
    17399537+0 records out
    8908562944 bytes transferred in 1934.464 secs (4605184 bytes/sec)
    adb pull /mnt/sdcard/test1

3. Imaging the cache partition to the internal SD card:

    dd if=/dev/block/platform/msm_sdcc.1/by-name/cache of=/mnt/sdcard/cachefile1.img
    1720320+0 records in
    1720320+0 records out
    880803840 bytes transferred in 118.669 secs (7422358 bytes/sec)

4. Copying the system partition:

    dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/mnt/sdcard/systemfile.img
    3072000+0 records in
    3072000+0 records out
    1572864000 bytes transferred in 255.874 secs (6147025 bytes/sec)

5. Copying the persist partition:

    dd if=/dev/block/platform/msm_sdcc.1/by-name/persist of=/mnt/sdcard/persist.img
    16384+0 records in
    16384+0 records out
    8388608 bytes transferred in 0.865 secs (9697812 bytes/sec)

The above commands image each mounted partition under /dev/block with dd's default block size of 512 bytes, copying the partition bit by bit and directing the output file to the internal SD card. Finally, we copy it to our forensic workstation, where it can be analysed using the forensic tool AccessData FTK Imager version 3.4.2. FTK is the forensic tool recommended for disk image analysis by both the forensic and legal communities for its powerful carving capability, stability and ease of use.

AccessData FTK ANALYSIS
1. PayPal App
PayPal is an online payment system that allows its members to transfer funds locally and globally. Members can receive and send money and buy or pay for goods and services online. The application had been downloaded by 10 million people at the time of this research and was rated as a good app in the app store. We added the evidence item to FTK and navigated to data, then com.paypal.android.p2pmobile, then the shared_prefs folder. The file shared_prefs/PresentationAccount.RememberedUsersta../ reveals user data such as the user's first and last name, cell phone number and email address.

2. AfricallShop App
Africallshop is a VOIP application that allows users to make cheap international calls worldwide; users can purchase credit online to communicate with peers by text message and voice call. After adding the user data partition to FTK Imager, navigate to the com.v2.africallshop folder and expand the shared_prefs folder. In the shared_prefs folder an XML file called com.v2.africallshop-prefrences.xml was viewed, and it contains user sensitive data such as the app domain name, caller ID, country, ID, user password, username and account balance, all in plain text.

3. Keku App
Keku is a VOIP application which facilitates calls or texts through Wi-Fi or mobile data. Users buy credit online to make local and international calls. The package of the application contains probative information about the user. The app database store was revealed through FTK analysis, and the shared_prefs folder contains sensitive information about the user. In the shared_prefs folder there is a file called Org.keku_preferences.xml; this file contains the user's sensitive data and device information such as password, username, device MAC address and user phone number.

EXPECTED RESULTS
During the experimental phase of the proposed research, the aim and objective of the experiment is to demonstrate that users' personal data is at risk during application data processing, both in transit and at rest.
The research has observed the dumped processes and the imaged disk drive to reveal personal data leakage and has successfully uncovered vital information about App users, such as username, password, date of birth, etc.

OBSTACLES
The obstacles encountered during the experimental phase of the proposed research are as follows:
1) Lack of enough material regarding Android forensics, as the field is immature.
2) Unable to image the whole memory of the actual phone, as the system configuration file is missing and couldn't be found to compile it with LiME in order to acquire the whole memory.
3) Lack of enough analysis tools to cross-examine or evaluate both the dumped memory and the disk drive image; Ubuntu Linux tools were used to do our analysis.

CONTRIBUTION TO KNOWLEDGE
The proposed research shows that application developers are far less careful with user sensitive data when it is being stored both on the disk drive and in the memory of running applications. Using very simple forensic investigation techniques, running strings and sqlite3 on dumped memory and disk drive imaging analysis in FTK, revealed quite a lot of private information.

OUTLINE OF FINAL RESEARCH PAPER ISSM 580/581
The final research document will be structured as follows [9]: Section 1 will be the abstract and then the introduction to the paper. Section 2 will discuss the memory analysis technique. Section 3 will discuss the disk imaging analysis technique. Section 4 will discuss the forensic artifacts unveiled during the analysis. Section 5, related work. Section 6, the result summary. Section 7, conclusion and future work.

RESEARCH DELIVERABLES
This research will be conducted in the Fall Semester 2016, from September 2016 to December 2016. Nevertheless, some major preliminary steps have already been taken. Most of the required tools, both hardware and software, for the proposed research have already been obtained and implemented.
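The "strings and sqlite3 on dumped memory" triage of the memory dumping section and the shared_prefs check done in FTK, as an added shell example that is not part of the proposal. It is written so an application developer or tester can run it over a dump of their own app and its pulled data directory and confirm nothing sensitive sits in the clear. The sample process dump and preferences file are constructed here; the credential key names searched for (j_username, j_password, initialPassword, pinUnlockKey) are the ones the proposal reports finding, and the rest of the pattern is an assumption to extend per application.

```shell
#!/bin/sh
# Added example, not part of the proposal: the strings/grep triage the proposal
# runs over process dumps, plus the same check over a shared_prefs XML file pulled
# from the userdata partition. The sample dump and preferences file are
# constructed below; the key names (j_password, initialPassword, pinUnlockKey)
# are the ones the proposal found, the rest of the pattern is an assumption.

# carve_strings FILE: runs of 4 or more printable characters, what `strings`
# prints by default, using only POSIX tools so it works without binutils.
carve_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# find_secret_strings FILE: carved strings that look like credentials or tokens.
find_secret_strings() {
    carve_strings "$1" | grep -iE 'password|pinUnlockKey|j_username|authorization:'
}

# audit_shared_prefs FILE: <string name="key">value</string> entries whose key
# suggests a credential, printed as key=value. A readable value here means the app
# stores the secret unencrypted on disk, recoverable once the partition is imaged.
audit_shared_prefs() {
    sed -n 's/.*<string name="\([^"]*\)">\([^<]*\)<\/string>.*/\1=\2/p' "$1" \
        | grep -iE '^(user(name)?|pass(word)?|pin|token|secret)[^=]*='
}

# make_sample_dump FILE: constructed process dump, printable fragments separated
# by non-printable bytes the way heap data sits between pointers in a real dump.
make_sample_dump() {
    printf 'POST /login HTTP/1.1\001\002\003j_username=user%%40example.invalid\000\000j_password=123qaz\377\376pricePlanVHV226\004initialPassword5069\000ab\001' > "$1"
}

# make_sample_prefs FILE: constructed shared_prefs file in the XML layout Android
# writes for SharedPreferences, with the kind of keys the proposal found.
make_sample_prefs() {
    cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="app_domain">sip.example.invalid</string>
    <string name="username">7801234567</string>
    <string name="password">123qaz</string>
    <string name="balance">0,434</string>
    <boolean name="remember_me" value="true" />
</map>
EOF
}

# Stand-alone demo: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_dump "$work/app.dump"
    make_sample_prefs "$work/app_preferences.xml"
    echo "== secrets carved from process dump =="
    find_secret_strings "$work/app.dump"
    echo "== credential keys in shared_prefs =="
    audit_shared_prefs "$work/app_preferences.xml"
fi
```

On the sample dump the carve step recovers the j_username, j_password and initialPassword fragments but not the unrelated pricePlan value, and the preferences audit reports the username and password entries while ignoring app_domain and balance; on a real dump, pipe find_secret_strings through sort -u first, since a credential often appears several times in memory.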
Spring 2016
April: Researching the topic of interest
  Week 1-2: Finalize the topic with primary advisor
  Week 3-4: Read the area/topic of interest
May
  Week 1-2: Read relevant journals or articles related to the topic of interest
  Week 3-4: Setup and installation of the test environment, conducting an experiment
June
  Week 1: Writing first draft proposal and submit
  Week 2-3: Edit and improve proposal based on advisor guidance, further experiment and literature review reading
  Week 4: Final proposal and submit