🤖 Android Evidence Collection


Created: 12.10.2020

File System

Logical backup - does not copy everything: slack space, free space and deleted files are missed. Imaging - a bit-by-bit copy. Imaging should not be done on a live system!

Obtain an image or physical evidence to work with. For Android, to see installed apps and recent activity, look at:

  • packages.list
  • packages.xml - to see the permissions of all applications in one place. For example, if an application has an SMS or messaging permission, you’ll know to look at it. Or, for example, I need all applications that have chat permissions or access to the camera.
  • com.android.vending (the Google Play Store package)
  • usagestats
  • usage history
  • battery stats
  • recent images
  • snapshots
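To show how the packages.xml triage described above can be automated, here is an added example (my own code, not from the original notes). It parses a constructed, simplified packages.xml embedded inline and reports which packages hold permissions from a chosen group (SMS, camera, location, contacts); the package names and the PERMISSION_GROUPS mapping are assumptions for the example, while the android.permission.* constants are real Android permission names.

```python
"""Triage an Android packages.xml: which apps hold sensitive permissions?"""
import xml.etree.ElementTree as ET

# Constructed sample standing in for /data/system/packages.xml; the real file
# carries many more elements (sigs, keysets, ...), this keeps only what we parse.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.example.chat" codePath="/data/app/com.example.chat-1" userId="10123">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.CAMERA" granted="true" flags="0" />
      <item name="android.permission.READ_SMS" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.flashlight" codePath="/data/app/com.example.flashlight-1" userId="10124">
    <perms>
      <item name="android.permission.CAMERA" granted="true" flags="0" />
      <item name="android.permission.ACCESS_FINE_LOCATION" granted="false" flags="0" />
    </perms>
  </package>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1" userId="10125">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
    </perms>
  </package>
</packages>
"""

# Permission groups an examiner typically cares about when deciding which
# app data to look at first (assumed grouping; the permission names are real).
PERMISSION_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
}


def parse_packages(xml_text):
    """Return {package_name: {"codePath", "userId", "perms"}} from packages.xml.

    Only permissions with granted="true" (or no granted attribute) are kept,
    so an app that requested but was denied a permission is not flagged.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # lets a real file's XML declaration parse too
    root = ET.fromstring(xml_text)
    packages = {}
    for pkg in root.iter("package"):
        name = pkg.get("name")
        if not name:
            continue
        perms = set()
        perms_el = pkg.find("perms")
        if perms_el is not None:
            for item in perms_el.findall("item"):
                pname = item.get("name")
                if pname and item.get("granted", "true") == "true":
                    perms.add(pname)
        packages[name] = {"codePath": pkg.get("codePath"),
                          "userId": pkg.get("userId"), "perms": perms}
    return packages


def apps_with(packages, group):
    """Sorted package names holding at least one permission from the group."""
    wanted = PERMISSION_GROUPS[group]
    return sorted(name for name, info in packages.items() if info["perms"] & wanted)


def report(packages):
    """One triage table: group -> list of packages to examine for that data type."""
    return {group: apps_with(packages, group) for group in PERMISSION_GROUPS}


if __name__ == "__main__":
    for group, names in report(parse_packages(SAMPLE_PACKAGES_XML)).items():
        print(f"{group:9s} {', '.join(names) or '-'}")
```

On Android 6.0 and later, permissions the user grants at runtime live in runtime-permissions.xml under /data/system/users/<user id>/ rather than in packages.xml, so a complete picture needs that file parsed as well; the same per-package item scan applies.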

tccb on iOS?

Chromebook - extension preferences file.

Run commercial tools to parse the information. If none handles it, look for a specific parser, possibly one written for a similar app, and try it.

Create test profiles and do not use any real data when generating them.

Fake data - mockaroo and generatedata.com

  1. Take a snapshot of the system state before populating it with data.
  2. Write a script (a plan of actions).
  3. Take notes.
  4. Perform the actions 1 minute apart.
  5. Screencap the actions.
  6. Document them (log against the script).
  7. Compare with the baseline “snapshot” from step 1.
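The baseline-and-compare part of this procedure (steps 1, 6 and 7) is easy to script. The following is an added example of my own, not code from the original notes: it snapshots a directory tree (hashing every file), records timestamped action entries, snapshots again and reports what was added, removed or modified. The directory it walks is a constructed temporary tree standing in for an extracted app data folder; the file names inside it are assumptions for the demo.

```python
"""Baseline snapshot, action log and comparison for app-behaviour testing."""
import hashlib
import os
import tempfile
import time


def snapshot(root):
    """Map each file (path relative to root) to its SHA-256 and mtime."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(full, root)] = {
                "sha256": h.hexdigest(), "mtime": os.path.getmtime(full)}
    return state


def compare(before, after):
    """Report added, removed and content-modified files between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p]["sha256"] != after[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


class ActionLog:
    """Timestamped record of each action performed, to tie changes to steps."""

    def __init__(self):
        self.entries = []

    def record(self, description):
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%S"), "action": description}
        self.entries.append(entry)
        return entry


def demo():
    """Run the workflow against a constructed tree; returns (diff, log entries)."""
    with tempfile.TemporaryDirectory() as root:
        # constructed stand-in for an extracted /data/data/<app>/ directory
        os.makedirs(os.path.join(root, "databases"))
        with open(os.path.join(root, "databases", "chat.db"), "wb") as f:
            f.write(b"baseline")
        with open(os.path.join(root, "shared_prefs.xml"), "wb") as f:
            f.write(b"<map/>")

        before = snapshot(root)               # step 1: baseline
        log = ActionLog()

        log.record("send test message to fake contact")  # step 6: log the action
        with open(os.path.join(root, "databases", "chat.db"), "wb") as f:
            f.write(b"baseline+message")       # the action's side effect

        log.record("attach photo")
        with open(os.path.join(root, "cache_img.jpg"), "wb") as f:
            f.write(b"\xff\xd8")

        after = snapshot(root)
        return compare(before, after), log.entries  # step 7: compare to baseline


if __name__ == "__main__":
    diff, entries = demo()
    for e in entries:
        print(e["time"], e["action"])
    print(diff)
```

On a real device the two snapshots would be taken from successive extractions (or from a mounted image), with the action log and screencaps kept alongside so every changed file can be attributed to the step that caused it.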

https://blog.d204n6.com/2020/08/setting-up-testing-lab-of-ios-and.html

https://www.mac4n6.com/blog/2020/8/23/step-by-step-iphone-setup-for-ios-research-via-bizzybarney

https://www.mac4n6.com/blog/2020/8/13/step-by-step-macos-setup-for-ios-research-via-bizzybarney

Do not make assumptions before testing! For example, a QuizUp game folder contained some usernames and pictures, and the assumption would be that these people were in touch with the suspect. However, testing revealed that when you choose to be randomly matched with a rival from around the globe 🌎, QuizUp automatically adds them to the player’s contacts.

Jessica advises using appropriate viewers for specific files, but I would also recommend checking these files in hex as well. There was once a case when I performed a vulnerability assessment of a mobile application and got a SQLite DB, opened it in SQLite Browser DB and couldn’t find the data I was looking for. However, the grep command showed that this data was in the DB. I opened it in hex and noticed that it might have been damaged, because there was an amount of data almost the same size as the visible one that was not shown in the viewer. Perhaps those were some deleted rows, or the DB was indeed damaged.

Applications of different versions or on different platforms may have different data structures. For example, the iOS QuizUp app had a geolocation field, while the Android one did not at that point in time. [1]