Saturday, March 30, 2019
Forensic Analysis of Personal Data Leakage on Android Phone
Sheriff Drammeh

RESEARCH STATEMENT
The proposed research will look at personal data leakage on the Android mobile application platform by means of forensic analysis of volatile and non-volatile memory.

PROPOSAL SUMMARY
The proposed research will apply several volatile memory forensic techniques and traditional disk forensic techniques to the Android platform in order to identify privacy breaches, primarily in Android mobile applications [1]. The proposed research also aims to demonstrate that forensic artifacts can be found both in the disk drive (non-volatile) and in memory (volatile).

AIMS AND OBJECTIVES OF THE PROPOSED RESEARCH
1. Acquire non-volatile data from an Android device using the traditional forensic approach and the memory dump, analyse the acquired data for any forensic artifacts and draw a comparative analysis of the two approaches. This will be achieved by conducting a data-based simulation of both approaches.
2. Develop an effective methodology to improve the detection of personal information leakage and highly sensitive information from Android mobile applications.

RESOURCES
The major part of this proposed research will be conducting an experiment, hence a few pieces of equipment are essential to be in place in order to carry out the experiment. The proposed research is mainly memory dumping and disk drive imaging for forensic analysis. Some open source tools will be used heavily during the course of this proposed research, such as the Android Studio SDK, Odin, ADB and mem. Additionally, books on Android forensics and mobile forensics, journals and YouTube video tutorials will also be used. As the research progresses more resources might be needed.
The following is a non-exhaustive list of resources currently available for use:
- Windows 10 OS with an Intel(R) Core(TM) i7 processor and 16.0GB of installed memory is the host operating system and forensic workstation for disk image analysis
- Linux Ubuntu 15.10 x32 with kernel v2.6 is our forensic workstation for memory analysis
- VMware Virtual Machine v11.1.2 will be used to install the guest operating system
- A physical Android phone, Samsung Galaxy S3, is the subject of the experiment
- Android SDK developer tool for Linux x32 is a software development tool used for application development and analysis
- mem is an open source tool for dumping running processes on an Android phone
- Odin3-v3.10 is an open source tool that enables us to root the Android phone
- Samsung USB driver for mobile phone, used to enable the debugging bridge between the Android phone and the forensic workstation
- CF-Auto-Root-2dcan-2dvl-sghi747m is used to update the firmware during the rooting process
- AccessData Forensic Toolkit version 3.4.2 (Download FTK Imager 3.4.2) is a forensic software tool used to analyse disk image files

CONNECTION TO THE COURSES OF THE MISSM PROGRAM
This proposed research is closely related to the Digital Forensics course (ISSM536), which is one of the courses we have covered in our Information Systems and Security Management program. The proposed research uses the techniques learned in this class and applies them in the Android environment to reveal several types of personal information such as username, password, date of birth, postal address, contacts, photos, account number, messages etc. The comparative analysis method used covers the principles of digital evidence collection learned in the Information Technology Security Laws and Ethics course (ISSM561). The proposed research has a beginning and an ending; as a result it needs to be managed in order to deliver the end result.
Therefore, the knowledge learned from (ISSM545) System Development and Project Management also applies.

REVIEW OF RELATED RESEARCH
Fuchs et al. [2] presented the first analysis tool for Android, called SCanDroid, a framework for Android to perform information flow analysis on applications in order to see the flow of information from one component to another. Consider a case where an application requests permission to access multiple information stores, i.e., a public information store and a private information store. The application requires permission for reading the information from the private store and writing information to the public store. SCanDroid analyzes the information flow of the application and reports whether the application will transfer the information in the private store to the public store or not. However, SCanDroid also suffers from the same limitation of security policy expressibility. In order to classify some information flow as dangerous, the policy writers must specify certain constraints prior to executing the policy. Similarly, if an information flow is not explicitly added to the set of constraints, the framework will consider it to be safe.

In 2012, C. Gibler et al. presented AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale [4]. It informs the user if applications are leaking their personal information. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually. To secure private information, they set up a mapping between Android API methods and the required permissions as the sources and sinks of private data for information flow analysis. However, AndroidLeaks does not yet analyze Android-specific control and data flows.
This includes Intents, which are used for communication between Android and application components, and content providers, which provide access to database-like structures managed by other components.

Sasa Mrdovic et al. [3] proposed a combination of static and live analysis for a memory image, which is captured by hibernation mode (a power management feature that exists in most portable computers). After they obtained the physical memory image, they used it to boot the investigated system in a virtual machine (live view) to resume the system to the same state it was in before it went into hibernation mode. Their proposal of using the hibernation feature was to obtain the memory contents without violating the evidence integrity, but during their analysis they found out that they lost all the information about network connections, because hibernation mode terminates the network connections before it starts in a Windows environment.

As one of the best-known analysis approaches, TaintDroid detects privacy leaks using dynamic taint tracking [5]. Enck et al. made a modified Android operating system to add taint tracking information to data from privacy-sensitive sources. They track private data as it propagates through applications during execution. If private data is leaked from the phone, the taint tracker records the event in a log which can be audited by the user. In 2015, Youngho Kim et al. proposed a methodology and an architecture for measuring user awareness of sensitive data leakage, which features runtime application analysis over the timing distance between the user input event and the actual privacy data leak [6].

Nai-Wei Lo, Kuo-Hui Yeh, and Chuan-Yen Fan present a user privacy analysis framework called LRPdroid [7]. LRPdroid has been proposed for the Android platform to offer a user privacy management model.
In the LRPdroid framework, they defined the models required to achieve user privacy management: App execution data flow, user perception, leakage awareness, information leakage detection, privacy disclosure evaluation, and privacy risk assessment. To support the proposed privacy analysis model, two information capture modules for LRPdroid were designed to acquire incoming data inputted by a mobile user and outgoing data transmitted from a targeted App. A system prototype based on the LRPdroid framework was developed to evaluate the feasibility and practicability of LRPdroid. Two general App usage scenarios were adopted during the usage of the Line App to evaluate the effectiveness of LRPdroid on user privacy disclosure by social engineering attack, user information leakage from normal operations of a running App, and privacy risk assessment of a targeted running App.

In 2015 [10], Pasquale Stirparo, Igor Nai Fovino, and Ioannis Kounelis developed a novel methodology called MobiLeak for analysing the security and privacy level of mobile applications, which focuses more on user data than on the application code and its architecture. Their research work addressed and solved the problems related to the following three research questions for the mobile environment and applications: (1) What are data and where can such data exist? (2) How is personal data handled? (3) How can one properly assess the security and privacy of mobile applications? They started their research work with a fundamental prerequisite in order to be able to treat data properly, which is studying and identifying every possible state in which data can exist. After this step, they analyzed how real-life mobile applications and operating systems handle users' personal data for each of the states previously identified. Based on these steps they developed MobiLeak, which also combined concepts and principles from the digital forensics discipline.
DESCRIPTION OF PROPOSED RESEARCH
THE FOCUS OF THE RESEARCH
The aim of this proposed research is to examine the user data storage mechanism of a mobile application in the context of the Android platform. Analyzing a mobile application for personal data leakage requires extensive analysis and an in-depth understanding of both the OS and the application architecture. The analysis is expected to be conducted on data at rest and data in motion. The result of this proposed research will help to create awareness among both application developers and the Android community that users' personal data, such as username, password and other sensitive information, are at risk both in volatile and non-volatile memory.

User sensitive data on an Android smart phone could be found in three (3) places: the disk drive, memory and the app server. Our research is limited to two out of the three application data stores, namely the disk drive and memory; both storage areas could prove to be strategic locations for finding vital information about Android smart phone users. The motive of this research is to examine whether applications encrypt user sensitive information both in memory and on the disk drive. This poses the following questions:
1. Are user credentials encrypted in memory?
2. Of the two methods, which one is more forensically sound?
3. What information could be found on the disk drive and not in memory?

During the experimental phase of the proposed research certain applications will be examined, such as VOIP applications, social media applications, financial applications and telecom applications. I chose these sample Android applications from various categories because they are fairly popular and are used by millions of people around the globe. For each application I will look at how user sensitive data, such as user name, password, date of birth and account number, are stored both on the disk drive and in memory.
The rest of the proposed research document is divided into 4 parts: first I am going to talk about my methodology, next I will present the series of preliminary results in both the memory analysis and the disk analysis, third I will highlight the expected results and finally, I will talk about certain obstacles that may arise.

METHODOLOGY
The method used in carrying out the experiment of the proposed research consists of four phases.

Phase One: Gather the required tools, both hardware and software
As the proposed research requires memory dump and disk drive imaging analysis, a physical Android phone is needed to conduct our experiment.
1. Windows host OS and Ubuntu guest OS as our forensic workstation
2. Android phone Samsung Galaxy S3
3. Installing Odin3-v3, which will allow us to root our Android phone
4. Install the Android SDK tool for using ADB (Android Debug Bridge) to get root access on our Android phone
5. The mem application software pushed onto our Android phone through ADB, which allows us to dump the running processes from the phone

Phase Two: Installation and configuration of the experimental environment
At this phase all the required tools, hardware and software, are installed and configured. A pre-experiment of memory dumping and disk imaging is performed, and the tools are verified.

Phase Three: Acquisition of disk image and memory dump
At this phase the disk image is acquired using the dd command from the internal memory to the internal SDcard of the phone, and ADB pull is used to pull/copy the disk partitions to our forensic workstation. The mem program is used; this allows us to dump the running processes. We used ADB to install the mem application on our phone in order to dump the desired running application process.

Phase Four: Preservation and analysis of acquired data
The purpose of this phase is to examine the acquired application data both in memory and on the disk drive.
For example, we will check whether the application encrypts users' credentials, both as data at rest and as data in transit.

MEMORY DUMP ANALYSIS
This section provides the detailed steps taken to analyse the dumped memory of certain applications selected for this proposed research. The result shows that users' credentials are not properly handled by the applications, which can result in personal data leakage. A program called mem was used to facilitate the process dump; ADB was also used to install the mem program on our Android phone. We list the running processes, dump them to the internal SDcard and finally pull them to our forensic workstation for further analysis. The strings and sqlite3 commands were used to look for ASCII text in the dumped memory to understand the output. Interestingly, the result showed that users' credentials are not encrypted at all.

The applications analysed in this proposed research are as follows:

A) Africallshop App
Africallshop is a VOIP application which allows customers to buy credit online to make national and international calls and send text messages worldwide to friends and family at a cheap rate. The application is rated about 4.4 in the Android Play Store and had been downloaded by five thousand (5000) customers at the time of this proposed research. The prominent outcome of this application analysis is as follows: the username, password, caller ID and user account balance are not encrypted. We ran the sqlite3 and strings commands on the dumped memory, which produced the result below:

    sip.africallshop.com
    XXXXXXX
    0017802986780
    CANADA
    12590
    xxxxxxxxx
    yes
    CAD
    proxy.africallshop.com
    443
    574b690276bc5
    [email protected]
    0,434

B) EHarmony App
EHarmony is an online dating site for singles. Those using this app can communicate freely and look at pictures, video and text. At the time of this proposed research the application had been downloaded by five million people and was rated 3.1 in the app store.
The prominent outcome of this application analysis is as follows: the user credentials, such as username, password and device information, are all in plaintext. The result is below:

    trademark /singles/servlet/login/mobile HTTP/1.1
    j_username=sdramme1%40student.concordia.ab.ca
    j_password=123qaz
    platform=android
    j0r1D7fg4ArJ2uSVPgSti5zcEnltO919mHUV88E%2FKUWcan9NEMgT820MygiKsWf0Sg1147vdZbXIotLS HTTP/1.1
    User-Agent: eHarmony-Android/3.1 (SGH-I747M Android OS 4.4.2 en_CA id f9d8a2acfec7b901)
    X-eharmony-device-id: f9d8a2acfec7b901
    X-eharmony-device-os: Android
    X-eharmony-device-os-version: 19
    X-eharmony-device-type: 1
    X-eharmony-client: eHarmony
    X-eharmony-client-version: 3.1
    Accept: application/json
    lBxpc_tej_username=sdramme1%40student.concordia.ab.ca
    j_password=123qaz
    platform=android
    8KTBstevedocwra on

C) Virgin Mobile My Account App
Virgin Mobile is a GSM mobile application that allows users to manage their account features and usage. Users can make payments and add a buddy to their list. This application had been downloaded by five hundred thousand (500,000) people at the time of this proposed research and was rated 3.4 in the app store. The prominent outcome of this application analysis is as follows: SIM sequence number, cell phone number, UMTS number, activation date, user date of birth, subscription date, user e-mail address, initial password, PIN unlock code and account number.
All of this information is unencrypted.

    [email protected]/android-sdk-linux/platform-tools$ strings virginmobile | grep [email protected]

We ran the ps and strings commands on the dumped memory, which produced the result below:

    imeioriginal worth little,simsequenceNumber174392323,esnequipmentTypenull,imeiequipmentTypevalueLTEDevice,codeT,simequipmentTypevalueUSimVal,codeU,telephoneNumber7802356780,networkTypevalueUMTS,code85,languagevalueEN,codeE,isBillSixtyfalse,isTabfalse,commitmentStartDatenull,commitmentEndDatenull,commitmentTerm0,contractTypevalueOFF_COMMITMENT,codeO,paccPinStatusvalueNOT_ENROLLED,code78,padPinStatusvalueNOT_ENROLLED,code78,initialActivationDate1463112000000,accountCommPrefvalueBILL_INSERTS,code66,isAccountSMSPermtrue,birthDate512197200000,lastUpdateDate1464062400000,lastUpdateStamp9863,lastHardwareUpgradeDatenull,daysSinceLastHWUpgradenull,subscriberEstablishDate1463112000000,daysSinceActivation16,nextTopupDate1465704000000,cancelledSubStatusDate1463371200000,initialPassword5069,isCallDisplayAllowedfalse,pricePlanVHV226,portInidicatornull,primeMateInidicatorvalueUNKNOWN,codeR,primeSubNumbernull,subMarketvalueUAC,codeUAC,telcoIdMOBL,pinUnlockKey36761817,63094923,manitobaIndicatorO,thunderBayIndicatorO,portabilityIndicatorO,serviceAreaN,hasOrderInProgressfalse,isWCoCSubscribertrue,hasDomesticDataServicesfalse,hasRoamingDataServicesfalse,domesticDSBlockedUntilnull,roamingDSBlockedUntilnull,isAccessiblefalse,promotionGroupCodenull,emailAddress[email protected],wcoCDate1463112000000,emailAddress[email protected],arbalancenamehttp//bside.int.bell.ca/customer/profile/typesARBalance,declaredTypejava.lang.Double,scopeca.bell._int.bside.customer.profile.types.MobilityAccountType,value0,nilfalse,globalScopefalse,typeSubstitutedfalse,ebillInfoisEBillEnrolledtrue,isEBillNotifyEnabledtrue,ebillStartDate1463112000000,ebillEndDatenull,siownervalueBELL_MOBILITY,codeMOBL,arpua get along19.13,wirelineAccountsnull,internetAccountsnull,tvaccountsnull,activeHouseholdOrdersnull,emailAddress[email protected],username7802986780,guidSCP9O0ELLDDUN2J,profileTypeBUP,savedTimeStamp2016-05-29T013038.458-0400,profilebanNumbersaccountTypeLegacy,ban527566075,profileSaveTime1463945744000,accountType,paymentDatapaymentInfoListbillAvailabletrue,lastPaymentAmount40.18,totalAmountDue40.18,lastPaymentDate2016-05-22T000000.000-0400,paymentDueDate2016-06-06T000000.000-0400,billEnddate2016-05-14T000000.000-0400,balanceForward0,bankAccountNumbernull,creditCardNumnull,customerIdnull,ban527566075,mdn52756607UAV580,eligibilityIndY

DISK IMAGING ANALYSIS
This section provides the detailed steps taken to conduct the traditional forensic technique for non-volatile memory acquisition and analysis. During this phase the acquired memory will be examined, and the primary concern will be the stored user data, in particular the shared_prefs folder. The shared_prefs folder is the storage location for key-value pairs inside the application's data directory. Android applications store user data within /dev/block [8]. Common forensic commands, such as dd, will be used to image the disk drive partitions. For this proposed research the following partitions are imaged for analysis:
- System
- Cache
- User data
- Persist
But our proposed research experiment will focus on the user data partition, as it is considered to be the storage location for application data. To image the disk drive, shell access is needed through the Android SDK; we then look at the mounted file systems on the disk drive before executing dd commands to copy each partition from the internal memory to the internal SDcard and finally pulling it to our forensic workstation using the adb pull command.

1. Checking the mounted file systems on the disk drive

    mount
    /dev/block/platform/msm_sdcc.1/by-name/userdata
    /dev/block/platform/msm_sdcc.1/by-name/cache
    /dev/block/platform/msm_sdcc.1/by-name/system
    /dev/block/platform/msm_sdcc.1/by-name/persist

2. Copying the user data partition and pulling it to the forensic workstation

    dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata of=/mnt/sdcard/test1
    17399538+0 records in
    17399537+0 records out
    8908562944 bytes transferred in 1934.464 secs (4605184 bytes/sec)
    adb pull /mnt/sdcard/test1

3. Imaging the cache partition to the internal SDcard

    dd if=/dev/block/platform/msm_sdcc.1/by-name/cache of=/mnt/sdcard/cachefile1.img
    1720320+0 records in
    1720320+0 records out
    880803840 bytes transferred in 118.669 secs (7422358 bytes/sec)

4. Copying the system partition

    dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/mnt/sdcard/systemfile.img
    3072000+0 records in
    3072000+0 records out
    1572864000 bytes transferred in 255.874 secs (6147025 bytes/sec)

5. Copying the persist partition

    dd if=/dev/block/platform/msm_sdcc.1/by-name/persist of=/mnt/sdcard/persist.img
    16384+0 records in
    16384+0 records out
    8388608 bytes transferred in 0.865 secs (9697812 bytes/sec)

The above commands image each mounted partition under /dev/block with dd's default block size of 512 bytes, performing a bit-by-bit copy of the partition and placing the output file on the internal SDcard. Finally, the image is copied to our forensic workstation, where it can be analysed using the forensic tool AccessData FTK Imager version 3.4.2. FTK is the forensic tool recommended for disk image analysis by both the forensic and the legal community for its powerful carving capability, stability and ease of use.

ACCESSDATA FTK ANALYSIS
1. PayPal App
PayPal is an online payment system that allows its members to transfer funds locally and globally. Members can receive and send money and buy or pay for goods and services online. The application had been downloaded by 10 million people at the time of this research and was rated as a good app in the app store. We added the evidence item to FTK and navigated to data, then com.paypal.android.p2pmobile, then the shared_prefs folder.
The folder shared_prefs/PresentationAccount.RememberedUsersta../ revealed user data such as the user's first and last name, cell phone number, and email address.

2. AfricallShop App
Africallshop is a VOIP application that allows users to make cheap international calls worldwide; users can purchase credit online to communicate with peers by text message and voice call. After adding the user data partition to FTK Imager, navigate to the com.v2.africallshop folder, expand the folder and view the shared_prefs folder. In the shared_prefs folder an XML file called com.v2.africallshop-prefrences.xml was viewed; it contains user sensitive data such as the app domain name, caller ID, country, ID, user password, username and account balance, all in plain text.

3. Keku App
Keku is a VOIP application which sends calls or texts through Wi-Fi or mobile data. Users buy credit online to make local and international calls. The package of the application contains significant information about the user. The app's data store was revealed through FTK analysis, and the shared_prefs folder contains sensitive information about the user. In the shared_prefs folder is a file called Org.keku_preferences.xml; this file contains users' sensitive data and device information such as password, username, device MAC address and user phone number.

EXPECTED RESULTS
During the experimental phase of the proposed research, the aim and objective of the experiment is to demonstrate that users' personal data are at risk during application data processing, both in transit and at rest. The research has examined the dumped processes and the disk drive images to reveal personal data leakage and has successfully uncovered vital information about App users, such as username, password, date of birth etc.
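The memory dump and shared_prefs findings above were obtained by hand with strings, sqlite3 and FTK. The following script is an added example, not part of this proposal or of any of the applications' code: it implements a minimal strings-style extraction over a process dump, flags form fields and JSON keys whose names suggest credential material, and audits an Android shared_prefs XML file for sensitive keys stored in plain text. The dump bytes, the preference file and every key, value and hostname in them are constructed for the example and do not come from the applications analysed above; the key-name list is a starting heuristic that an analyst would tune per application.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Key names that indicate credential or identity material. Substring matching is
# deliberately loose (it catches j_password, initialPassword, pinUnlockKey) and
# needs tuning per application to avoid false positives such as "shipping".
SENSITIVE_KEYS = ("password", "passwd", "pin", "username", "birthdate", "token")

# Printable-ASCII runs of at least 4 bytes, the same heuristic the strings utility uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# key=value pairs of an HTTP form body (ampersand-separated)
FORM_FIELD = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>[^&\s]+)")
# "key":"value" or "key":value pairs of a JSON object
JSON_FIELD = re.compile(r'"(?P<key>\w+)"\s*:\s*(?:"(?P<qval>[^"]*)"|(?P<val>[^,}\s]+))')


def extract_strings(blob):
    """Return the printable ASCII strings in a process dump, like `strings`."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def is_sensitive(key):
    key = key.lower()
    return any(marker in key for marker in SENSITIVE_KEYS)


def scan_dump(blob):
    """Flag (key, value) pairs in a memory dump whose key names look like credentials."""
    findings = []
    for text in extract_strings(blob):
        for m in FORM_FIELD.finditer(text):
            if is_sensitive(m.group("key")):
                # form bodies are URL-encoded: %40 -> @
                findings.append((m.group("key"), unquote(m.group("val"))))
        for m in JSON_FIELD.finditer(text):
            if is_sensitive(m.group("key")):
                value = m.group("qval") if m.group("qval") is not None else m.group("val")
                findings.append((m.group("key"), value))
    return findings


def audit_shared_prefs(xml_text):
    """Flag sensitive keys in an Android shared_prefs XML file (a <map> of typed entries)."""
    findings = []
    for entry in ET.fromstring(xml_text):
        key = entry.get("name", "")
        # <string> entries carry the value as text; <boolean>, <int>, <long>, <float> use value=
        value = entry.text if entry.tag == "string" else entry.get("value")
        if is_sensitive(key):
            findings.append((key, value))
    return findings


# Constructed process dump: binary noise around a login form body and a JSON profile,
# mimicking the kind of fragments strings recovers. No real data.
SAMPLE_DUMP = (
    b"\x00\x00\x8a\x03"
    b"j_username=alice%40example.com&j_password=123qaz&platform=android"
    b"\x00\xff\x00"
    b'{"telephoneNumber":"7805550100","initialPassword":"5069",'
    b'"pinUnlockKey":"36761817","birthDate":512197200000}'
    b"\x00\x7f"
)

# Constructed shared_prefs file in the format Android writes for SharedPreferences.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">123qaz</string>
    <string name="domain">sip.example.invalid</string>
    <boolean name="remember_me" value="true" />
    <long name="balance_cents" value="1259" />
</map>
"""

if __name__ == "__main__":
    for key, value in scan_dump(SAMPLE_DUMP):
        print(f"memory dump: {key} = {value}")
    for key, value in audit_shared_prefs(SAMPLE_PREFS):
        print(f"shared_prefs: {key} = {value}")
```

Run against a real dump, scan_dump(open(path, "rb").read()) gives the same triage that strings piped into grep gave above, but keyed on field names rather than on a known e-mail address, so it also surfaces credentials the analyst did not already know to search for. A hit in either function means the value reached disk or memory unencrypted; the absence of hits does not prove the opposite, since binary or non-ASCII encodings are not examined here.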
OBSTACLES
The obstacles encountered during the experimental phase of the proposed research are as follows:
1) Lack of enough material regarding Android forensics, as the field is immature
2) Unable to image the whole memory of the actual phone, as the system configuration file is missing and couldn't be found to compile it with LiME in order to acquire the whole memory
3) Lack of enough analysis tools to cross-examine or evaluate both the dumped memory and the disk drive image; Ubuntu Linux tools were used to do our analysis

CONTRIBUTION TO KNOWLEDGE
The proposed research shows that application developers are far less careful with user sensitive data when it is being stored, both on the disk drive and in the memory of running applications. Using very simple forensic investigation techniques, running strings and sqlite3 on dumped memory and disk drive image analysis in FTK, reveals quite a lot of private information.

OUTLINE OF FINAL RESEARCH PAPER ISSM 580/581
The final research document will be structured as follows [9]: Section 1 will be the abstract, then the introduction to the paper. Section 2 will discuss the memory analysis technique. Section 3 will discuss the disk imaging analysis technique. Section 4 will discuss the forensic artifacts unveiled during the analysis. Section 5, related work. Section 6, the result summary. Section 7, conclusion and future work.

RESEARCH DELIVERABLES
This research will be conducted in the Fall Semester 2016, from September 2016 to December 2016. Nevertheless, some major preliminary steps have already been taken. Most of the required tools, both hardware and software, for the proposed research have already been obtained and set up.
Spring 2016
April: Researching the topic of interest
  Week 1-2: Finalize the topic with the primary advisor
  Week 3-4: Read the area/topic of interest
May
  Week 1-2: Read relevant journals or articles related to the topic of interest
  Week 3-4: Gathering and installation of the test environment, conducting and investigating
June
  Week 1: Write the first draft proposal and submit
  Week 2-3: Revise and improve the proposal based on advisor guidance, further experiments and literature review reading
  Week 4: Final proposal and submit
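Phase Four of the methodology calls for preserving the acquired images, and the dd steps in the DISK IMAGING ANALYSIS section report only records in/out, with no integrity check (the userdata run above in fact reports one record fewer out than in). The script below is an added example, not part of this proposal: it copies a constructed "partition" file in 512-byte records the way dd does, reports the full and partial record counts that dd prints as N+M, and verifies the copy by comparing SHA-256 digests of source and image, so that a copy which stops a record short (simulated here with a constructed max_records knob) is detected rather than silently accepted. The demo() function, the file names and the sizes are all constructed for the example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # dd's default block size, the one used in the acquisition steps


def image_device(src_path, dst_path, bs=BLOCK_SIZE, max_records=None):
    """Copy src_path to dst_path in bs-byte records and return dd-style counters.

    max_records is a constructed knob for this example: it stops the copy early
    to simulate an acquisition that did not read the whole partition.
    """
    full_in = partial_in = full_out = partial_out = total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while max_records is None or full_in + partial_in < max_records:
            chunk = src.read(bs)
            if not chunk:
                break
            # dd reports "N+M records": N full-size records and M short ones
            if len(chunk) == bs:
                full_in += 1
            else:
                partial_in += 1
            dst.write(chunk)
            if len(chunk) == bs:
                full_out += 1
            else:
                partial_out += 1
            total += len(chunk)
    return {
        "records_in": (full_in, partial_in),
        "records_out": (full_out, partial_out),
        "bytes": total,
    }


def sha256_file(path):
    """Hash a file in 1 MiB chunks so multi-GB images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(src_path, dst_path):
    """A forensically sound image is bit-for-bit identical to its source."""
    return sha256_file(src_path) == sha256_file(dst_path)


def demo(num_blocks=20, truncate=False):
    """Image a constructed partition of num_blocks full records plus a 100-byte tail."""
    size = num_blocks * BLOCK_SIZE + 100
    partition = bytes(i % 256 for i in range(size))  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "userdata.bin")
        dst = os.path.join(tmp, "userdata.img")
        with open(src, "wb") as f:
            f.write(partition)
        stats = image_device(src, dst, max_records=num_blocks if truncate else None)
        return stats, verify_image(src, dst)


if __name__ == "__main__":
    for truncate in (False, True):
        stats, ok = demo(truncate=truncate)
        print(f"records in {stats['records_in'][0]}+{stats['records_in'][1]}, "
              f"records out {stats['records_out'][0]}+{stats['records_out'][1]}, "
              f"{stats['bytes']} bytes, hash match: {ok}")
```

On the phone the source hash would be taken over the block device (for example with sha256sum on /dev/block/platform/msm_sdcc.1/by-name/userdata) before the dd copy and again over the pulled file on the workstation; a mismatch, like the one-record shortfall in the userdata run above, means the image cannot be relied on as evidence and the acquisition should be repeated.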