Book Review
Android Forensics (Investigation, Analysis and Mobile Security for Google
Android)
ISBN(13): 978-1-59749-651-3
Reviewed by: Sean Duignan (GMIT)
Andrew Hoog’s ‘Android Forensics – Investigation, Analysis and Mobile Security for Google Android’ provides excellent and comprehensive coverage of the Android platform, including its design, implementation, operation, investigation and analysis. At 364 pages of content organized over seven chapters, and with a focus on the ‘practical’ – demonstrating system design, implementation, operation and investigation through hands-on “experiments” – this sizable text will resonate particularly well with readers who favour an activity-centric, learning-by-doing narrative. The text is peppered throughout with device and application (GUI) screenshots, as well as command-line sessions, their output and directory listings, all of which encourage and enable the reader to work along with the author in uncovering the design, complexities and nuances that underpin the Android platform. A forty-page opening chapter grounds the reader in the Android space, outlining its history, its relationship with the Linux operating system, the Android Open Source Project (AOSP) and the Android Market, before concluding with a brief rationalization of the need for “Android forensics”.
In brief, the author rightly observes that, of all the devices an individual might own, one tends to be “more honest with their Smartphone than any other person or device”. As such, a device that blends personal and corporate data, including SMS texts, emails, GPS locations, pictures, browsing history, telephony records and videos, needs to be fully understood, and in particular forensically understood.
Chapter two extends the background coverage to the extensive (and growing) range of Android hardware, and introduces the first of the technical content with a very useful and orienting description of the seven-step Android boot process.
Chapter three introduces the Android software development kit (SDK), which is used not only for application development but also as an assistive technology in the forensic analysis of an Android device. Understanding the SDK is crucial to understanding the device and its data, which in turn allows for more thorough forensic and security analysis. This chapter also provides step-by-step instructions on how to obtain, install and configure the SDK on your PC, be it Windows, Mac OS X or Linux based. Once that is complete, the reader is in a position to create an Android Virtual Device (AVD): an emulated device running on one’s own PC that enables the ‘learning by doing’ approach noted earlier. The AVD, for instance, allows one to profile how applications execute on an Android device, which is clearly very useful to the forensic practitioner. Additionally, the AVD can be used to test and validate the operation of a specific forensic tool. The prospective reader should note that the AVD is resource hungry; a PC with multiple cores will work best, and, as with most emulators, more RAM will improve performance significantly.
Chapter four covers data storage on an Android device, and does so remarkably well in a shade over 50 pages of rich content. Having an AVD on which to verify and interact with what one reads in this chapter – to see it for yourself, as it were – is particularly useful. By virtue of the diverse and sometimes complex nature of the detail it reports on, chapter four is likely to be a significant and frequently revisited reference chapter for the Android investigator. For example, data are stored on a device by five separate methods, and their representations vary significantly too: from, inter alia, primitive data types in XML (shared preferences), to files in, for example, a FAT32 file system, to SQLite databases. Chapter four also provides detailed coverage of the file systems underpinning the partitions where user data are stored: EXT, FAT32 and YAFFS2 (Yet Another Flash File System, version 2, which plays a key role in the Android system).
Chapter five covers Android security from the device, data and application perspectives, and considers the Android device as both a target of and a tool for malicious attacks. I suggest this chapter is particularly relevant to Android developers; they need to be security conscious from the outset and take responsibility for the protection of user data.
Chapter six is the first real look at forensics in a definitive sense, i.e. how to conduct investigations that are forensically sound, and the procedural techniques for handling, securing and imaging a device and its storage artifacts. This chapter runs to almost 100 pages. Its early pages set out guiding principles, distinguish among different types of investigation (e.g. inappropriate use of company resources, data theft, child custody cases, estate disputes) and differentiate between logical and physical forensic techniques (logical techniques recover what the operating system and applications expose, such as files and database rows; physical techniques image the underlying storage bit for bit, including unallocated space and deleted content). This is a thoroughly engaging chapter, very focused on the application of techniques in real forensic work, with the detailed narrative supported regularly by screenshots and tool reports and outputs as appropriate. Some of the tools covered appear to be (legitimately) available only to law enforcement and government agencies. Nonetheless, the extent of the data retrievable from a device makes for interesting reading and is likely to heighten security and privacy awareness among readers.
The final chapter, ‘Android Application and Forensic Analysis’, in essence applies many of the techniques introduced in the preceding chapter and covers file system forensic analysis and file carving techniques, as well as the forensic analysis of many common applications, including Messaging, YouTube, Google Maps, Gmail and Facebook, using a custom Python program. The data trail left by such applications, most of which is retrievable, again highlights the relevance of the Android smartphone to the digital investigation space, and also demonstrates, as noted in the introduction, the significant dependence users have on such devices.
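The logical versus physical distinction drawn in chapter six, and the SQLite storage, file carving and Python-driven application analysis described for chapters four and seven, can be seen in miniature in the script below. It is an added example written for this review, not code from the book or from the author’s own tooling. It assumes a cut-down version of the Android telephony provider’s sms table (only the address, date, type and body columns), three constructed messages, and a stock SQLite build where the secure_delete pragma can be switched off; everything else is the Python standard library.

```python
"""Added example (not from the book): logical vs. physical recovery of SMS
records from an Android-style SQLite database, standard library only.

Assumptions: the table layout is a cut-down version of the telephony
provider's sms table (address, date, type, body); the messages are constructed
for this demo; 'date' is milliseconds since the Unix epoch, which is how
Android stores SMS timestamps."""
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed sample data: (address, date in ms since epoch, type, body).
# type 1 = inbox (received), type 2 = sent, as in the Android sms table.
SAMPLE_SMS = [
    ("+15551230001", 1325376000000, 1, "Meet at the usual place at 9"),
    ("+15551230002", 1325379600000, 2, "Received the files, deleting this thread now"),
    ("+15551230003", 1325383200000, 1, "Lunch tomorrow?"),
]
DELETED_BODY = SAMPLE_SMS[1][3]   # the row the 'user' later deletes


def build_sample_db(path):
    """Create the sms table, insert the sample rows, then delete one row.

    secure_delete is forced OFF so the deleted record's bytes stay in the page
    (SQLite's usual default unless the build or the app changes it); the file
    is never VACUUMed, which would rewrite it and lose them.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    con.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        SAMPLE_SMS,
    )
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()


def logical_extract(path):
    """Logical acquisition: the rows the SQLite API (and so the app) still reports."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT address, date, type, body FROM sms ORDER BY date"
    ).fetchall()
    con.close()
    return [
        {
            "address": address,
            # Android stores the timestamp in milliseconds; convert to UTC.
            "timestamp": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
            "direction": "inbox" if msg_type == 1 else "sent",
            "body": body,
        }
        for address, ms, msg_type, body in rows
    ]


def carve_strings(path, min_len=8):
    """Physical-style recovery: scan the raw file for printable ASCII runs.

    Deleted cells remain in the page's free space (and in unallocated pages),
    so their payloads show up here even though the logical view has lost them.
    """
    with open(path, "rb") as f:
        raw = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def analyze(path=None):
    """Build the sample database and compare the logical and carved views."""
    if path is None:
        with tempfile.TemporaryDirectory() as tmp:
            return analyze(os.path.join(tmp, "mmssms.db"))
    build_sample_db(path)
    logical = logical_extract(path)
    carved = carve_strings(path)
    return {
        "logical": logical,
        "deleted_in_logical": any(r["body"] == DELETED_BODY for r in logical),
        # Substring match: a carved run may carry a few bytes of the next cell.
        "deleted_in_carved": any(DELETED_BODY in s for s in carved),
    }


if __name__ == "__main__":
    report = analyze()
    for row in report["logical"]:
        print(f"{row['timestamp']}  {row['direction']:<5} {row['address']}  {row['body']}")
    print("deleted message visible to SQLite:", report["deleted_in_logical"])
    print("deleted message recoverable by carving:", report["deleted_in_carved"])
```

Running it prints the two surviving rows with their timestamps converted from Android’s millisecond epoch, reports that SQLite no longer returns the deleted message, and shows that a raw scan of the same file still finds it. That gap is the practical reason the book’s chapter six distinguishes logical from physical acquisition: querying through the application or its content provider yields only live rows, whereas a copy of the database file (or a full image of the partition holding it) also carries free-list and unallocated content, subject to whether the build enables secure_delete or the app has run VACUUM.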