Enhancing digital forensics: artifact analysis tools for Android

August 29, 2023

Android is primarily developed for touchscreen mobile devices like smartphones and tablets, serving as a mobile operating system. Android has maintained its position as the best-selling operating system for smartphones globally since 2012[1]. It has also been the leading operating system for tablets since 2013[2]. As of January 2022, Android boasted more than three billion monthly active users[3]. Additionally, as of March 2023, the Google Play Store hosted an extensive collection of over 2.6 million applications[4].

Understanding artifact analysis tools for Android

Artifacts are residual data traces created during the device’s normal operation, encompassing a wide range of information, such as application data, system logs, deleted files, cache, and metadata.

While Android devices continue to dominate the mobile market, they have also become a crucial source of digital evidence in criminal investigations and corporate incidents. Artifact analysis tools for Android have emerged as essential instruments for digital forensics experts. They are specialized software applications designed to identify, extract, and interpret artifacts left behind by various applications and the operating system. These digital breadcrumbs hold valuable clues about the device’s usage history, user behavior, communication patterns, and more.

Usage of artifact analysis tools for Android

Digital Forensics Investigations: Artifact analysis tools are fundamental to digital forensics investigations involving Android devices. Artifact analysis tools offer an in-depth examination of Android devices, uncovering hidden data traces that are not easily accessible through traditional data extraction methods. This includes details of deleted files, application usage, internet activity, and more. Digital forensics experts utilize these tools to reconstruct timelines, understand user actions, and uncover evidence related to crimes, and other illicit activities.

Incident Response: During incident response procedures, artifact analysis tools help cybersecurity professionals identify indicators of compromise (IOCs), track the attacker’s actions, and assess the extent of the breach or attack.

E-Discovery and Litigation Support: In legal cases, artifact analysis tools play a pivotal role in e-discovery and litigation support, assisting legal teams in retrieving and analyzing electronic evidence to build a compelling case.

Compliance Audits: Organizations use artifact analysis tools to perform compliance audits and ensure employees adhere to data handling policies and regulations.

Challenges and limitations

While artifact analysis tools offer valuable benefits, they also encounter some challenges:

Fragmentation and Incompatibility: Android’s vast ecosystem and frequent OS updates can lead to fragmentation issues, making some artifact analysis tools incompatible with certain device models or OS versions.

Resource Intensiveness: Artifact analysis can be resource-intensive, requiring significant computational power and storage space for analyzing large amounts of data.

Encryption and Protection Mechanisms: Strong encryption and security measures implemented by some applications may hinder access to certain artifacts, making their analysis challenging. Over the years, encryption enabled Android devices and applications have been used by criminals to carry out illegal activities or to cover their traces, making it difficult for forensic investigations to search for digital evidence. As such, encryption has become an increasing concern for LEAs and a wide range of encryption bypassing tools had to be developed to perform investigations on evidence found in crime scenes.

The need for free and easy to use tools

CYBERSPACE will develop a tool with Android encryption bypassing capabilities offering logical extraction analysis and decryption of multiple widely used Android applications by consolidating known exploits and techniques.

Encryption does not always ensure the invincibility of sensitive data as in many cases it is not properly implemented or configured. At the same time, successful encryption bypassing is not always effective. It depends on conditions related to the inner encryption implementation of the system and actions that were performed by the user prior to the acquisition of the evidence.

Some common encryption failures found in popular applications include:

Passwords saved as easy to brute-force hashes
Encryption keys saved in unprotected local files
Encryption keys hardcoded in application code
Encryption keys or other credentials remaining in memory after use
Sensitive values weakly encoded, instead of properly encrypted
Unencrypted copies of encrypted files residing in the device or the cloud
Third party libraries containing insecure cryptographic implementations are used

During the course of the project, we have gathered and documented a wide range of encryption bypassing techniques and assembled them in a tool, which can be used either for educational purposes or as an addition in the toolchain of a forensic investigator. Furthermore, we document the capabilities and shortcomings of each of the techniques implemented in the tool, while also listing the improvements developers could use to fortify their applications and the habits users should follow to protect their data stored in Android devices and applications.

Conclusion

Artifact analysis tools for Android have emerged as essential components of modern digital forensics investigations. By unveiling the digital breadcrumbs left behind by various applications and the operating system, these tools help investigators extract valuable insights, detect anomalies, and reconstruct timelines critical for building strong cases. As the Android OS continues to evolve, artifact analysis tools targeting Android will play a crucial role in navigating the intricacies of digital evidence contained in Android devices, providing essential support in law enforcement, cybersecurity, and compliance efforts. Embracing these tools and understanding their capabilities will be paramount for digital forensics experts to unlock Android’s secrets and bring justice to the digital realm.

Author: Skerdi Basha, Foundation for Research and Technology – Hellas (FORTH)

[1] https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009

[2] https://www.statista.com/statistics/276635/market-share-held-by-tablet-vendors

[3] https://www.businessofapps.com/data/android-statistics

[4] https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.