Every Step You Take: Application and Network Usage in Android

Similar documents
Getting Started What s included Setting up Fitbit One on a computer Mac & PC Requirements... 2

Digging Deeper into Safety and Injury Prevention Data

Personalised icalendar Teaching Timetable Feed for Staff and Students

Store & Share Quick Start

How do I Configure my bmail Account on Outlook 2013 Using the Google Apps Sync Tool?

To Install EdiView IP camera utility on Android device, follow the following instructions:

Discovering Computers

Cloud Hosted Data in Digital Forensics

Fitbit Zip Product Manual

How To Sync Google Drive On A Mac Computer With A Gmail Account On A Gcd (For A Student) On A Pc Or Mac Or Mac (For An Older Person) On An Ipad Or Ipad (For Older People) On

START HERE THE BASICS TIPS + TRICKS ADDITIONAL HELP. quick start THREE SIMPLE STEPS TO SET UP IN UNDER 5 MINUTES

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

Cisco Events Mobile Application

NAS 242 Using AiMaster on Your Mobile Devices

IONU BETA USER MANUAL IONU Security, Inc.

E21 Mobile Users Guide

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

User Manual. NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134, USA. December

User Manual for HOT SmartWatch Mobile Application

Privacy Policy Version 1.0, 1 st of May 2016

How to Remotely Access the C&CDHB Network from a Personal Device

HomeBudget Anishu, Inc.

AUT OneDrive for Business. Instructions for Using OneDrive on Windows Platform

Recovering Digital Evidence in a Cloud Computing Paradigm. Jad Saliba Founder and CTO

Remote Desktop Web Access. Using Remote Desktop Web Access

Using Devices. Chapter 3

RESPONSEWARE FOR ANDROID PARTICIPANTS

USER GUIDE. PowerMailChimp CRM 2011

Seagate Access for Personal Cloud User Manual

Device Enrollment Guide

PARK UNIVERSITY. Information Technology Services. VDI In-A-Box Virtual Desktop. Version 1.1

AdRadionet to IBM Bluemix Connectivity Quickstart User Guide

How other retailers use Online Survey. And how their experience can help you.

Deltek Touch Time & Expense for GovCon. User Guide for Triumph

Mobile Banking. Click To Begin

CareSentinel Set Up Guide for Android Devices

Intermedia Cloud Softphone. User Guide

DIGITAL FORENSIC INVESTIGATION OF CLOUD STORAGE SERVICES

ReadyNAS Replicate. User Manual. July East Plumeria Drive San Jose, CA USA

Frequently Asked Questions

A Sales Strategy to Increase Function Bookings

Seagate Business Storage 8-bay Rackmount NAS Reviewer s Guide

Recover a CounterPoint Database

Online Banking User Guide

Pendragon Forms Industrial

Helpdesk Ticketing User Guide

Throughout this document, you will be instructed to log in as user Ann, or as user Julia. Log in using the user name assigned to you.

Modern Manufacturing in the Cloud

easy-to-use platform. Our solution offers the best video, audio and screen-sharing quality across Window, Mac, ios, Android

Blackberry Forensics. Shafik G. Punja Cindy Murphy. SANS DFIR Summit 2014 Austin TX. June-9-14 Copyright QuByte Logic Ltd

Checklist: 5 Essential BaaS Features Every Mobile App Needs

IONU PRO Product Overview

FREQUENTLY ASKED QUESTIONS Capital City Bank Mobile Deposit

ACCESSING MICROSOFT OFFICE 365 FREE STUDENT RESOURCES

Your Mission: Use F-Response Cloud Connector to access Google Apps for Business Drive Cloud Storage

Cisco Video Surveillance Operations Manager Mobile App User Guide

Step by Step Guide for Upgrading Your NetCamPro Camera to Cloud Mode Using an Android Device

Get In, Get Unpacked, Get Connected.

ASUS WebStorage Client-based for Windows [Advanced] User Manual

DroboAccess User Manual

Introduction to Stanford Box

Seagate NAS OS 4 Reviewers Guide: NAS / NAS Pro / Business Storage Rackmounts

AT&T Toggle. 4/23/2014 Page i

This section will focus on basic operation of the interface including pan/tilt, video, audio, etc.

Hello. If you have any questions that aren t addressed here, feel free to contact our support staff.

MAXPRO. Cloud CLOUD HOSTED VIDEO SERVICES TO PROTECT YOUR BUSINESS. Video Anytime, Anywhere

PolyU Connect Mobile Connection. Setup Guide

Table of Contents. 3 Setup 6 Home Screen 8 Modes 12 Watch Live & Timeline 17 HomeHealth Technology 21 Emergency Options 24 Settings 26 Plans 28 Help

How To Use Textbuster On Android (For Free) On A Cell Phone

For Use with QR Code Scanner / Reader Enabled Applications

Student Microsoft Office 365

FP Desktop Professional Software

How to fill every seat in the house. An event manager s guide to SMS Marketing

Google Apps Deployment Guide

platforms Android BlackBerry OS ios Windows Phone NOTE: apps But not all apps are safe! malware essential

Frequently Asked Questions for logging in to Online Banking

3CX IP PBX with Twilio Elastic SIP Trunking Interconnection Guide

Seagate Dashboard User Guide

IOS EYE4 APP User Manual

Google Cloud Print Administrator Configuration Guide

Xline Web App Documentation

Working with Databases

SoftNAS Application Guide: In-Flight Encryption 12/7/2015 SOFTNAS LLC

Symbian User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.4

SAGE Secure Browser Frequently Asked Questions

Wzzard Sensing Platform Bluetooth App User Manual

Names of Parts. English. Mic. Record Button. Status Indicator Micro SD Card Slot Speaker Micro USB Port Strap Hook

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT

one Managing your PBX Administrator ACCESSING YOUR PBX ACCOUNT CHECKING ACCOUNT ACTIVITY

ALIBI Witness and ALIBI Witness HD Apps for Android - Quick Start Guide

Transcription:

Jessica Hyde

Every Step You Take: Application and Network Usage in Android Jessica Hyde Director of Forensics Magnet Forensics Adjunct Professor George Mason University June 8, 2018

Jessica Director Forensics, Magnet Forensics Adjunct Professor, George Mason University Previous: Basis Technology Ernst and Young American Systems United States Marine Corps

Traditional Mobile Analysis Focus on App analysis Artifacts First Web Browsers Chat App Email

Traditional Mobile Analysis Digging for Application Data Taught in courses, ie FOR585 Methodology for unsupported app data Discover Test Find Parse Script

Why Android Application Usage Analysis We do this for computer investigations! OS Artifacts Why don t we apply this concept to our Android applications? Why would it be useful?

Using Application Analysis Pattern of Life Analysis

Using Application Analysis Pattern of Life Analysis Showing a lack of a particular usage SANS DFIR Summit 2018

Using Application Analysis Pattern of Life Analysis Showing a lack of a particular usage Supporting artifacts for sync d data

com.vending.android

com.vending.android Tracks purchases BUT It LIES! Multi-user Second Device \data\com.android.vending\databases\library.db

Android Usagestats Tells you what file was in the foreground, background, etc. \data\system\usagestats\0\..\daily, \monthly. \weekly, \yearly.xml file named as epoch timestamp

Android Usage History https://developer.android.com/reference/and roid/app/usage/usageevents.event User Interaction Move to Foreground Move to Background Configuration Change

Android Usagestats

Android Usagestats

Battery Status Monitors Battery usage system\batterystats-daily.xml \data\data\com.google.androi d.gms\shared_prefs\batterysta ts.xml Think of this as SRUM for Android

Battery Status \data\data\com.google.android.gms\shared_ prefs\batterystats.xml

BatterystatsDumpsysTask \data\data\com.google.android.gms\files \BatterystatsDumpsysTask.gz

BatterystatsDumpsysTask

BatterystatsDumpsysTask

Recent Images \system_ce\0\recent_images

Recent Images \system_ce\0\recent_images

Recent Images

Recent Tasks \system_ce\0\recent_tasks

Recent Tasks \system_ce\0\recent_tasks

Recent Tasks

Recent Tasks

Recent Tasks

Recent Tasks

Recent Tasks

Recent Tasks task_id - 244 effective_uid = 10103 first active time = 1526045035484 May 11, 2018 1:23:55:484 PM last active time = 1526045600000 May 11, 2018 1:33:20 PM last time moved = 1526045563392 May 11, 2018 1:32:43:392

Snapshots \system_ce\0\shortcut_service\ snapshots

Snapshots

Snapshots

Snapshots

3rd Party com.cleanmaster.security On lots of devices Logs battery usage Logs application usage

Cheetah Mobile Apps media\0\android\data\com.cleanmaster.se curity\files\logs\

Cheetah Mobile Apps media\0\android\data\com.cleanmaster.security \files\logs\applocklog

Cheetah Mobile Apps

Cheetah Mobile Apps

Cheetah Mobile Apps media\0\android\data\com.cleanmaster.security \files\logs\perfmetricsreport

Cheetah Mobile Apps

Cheetah Mobile Apps

Google Cloud Activity Takeout Download My Activity from https://takeout.google.com/u/1/setting s/takeout with credentials

Google Cloud Activity

Google Cloud Activity

Google Cloud Activity

Google Cloud Activity

Google Cloud Activity

Putting it all together Artifact Task ID Effective UID app Event UNIX Timestamp Time Date com.vending.android com.twitter.android Purchase 1524064586032 4/18/18 3:16 PM uid stats 10103 com.twitter.android UID Stats Twitter Cell 1526040000 5/11/18 12:00 PM recent tasks 244 10103 com.twitter.android first active time 1526045035484 5/11/18 1:23 PM snapshots 244 Twitter jpg of @CollinRusty twitterpage snapshots 244 Twitter reduced.jpg of @CollinRusty 5/11/18 1:25 PM 5/11/18 1:25 PM recent tasks 244 10103 com.twitter.android last time moved 1526045563392 5/11/18 1:32 PM snapshots 244 Twitter.proto file 5/11/18 1:32 PM recent tasks 244 10103 com.twitter.android last active time 1526045600000 5/11/18 1:33 PM uid netstats 10103 com.twitter.android UID Stats Twitter Cell 1526040000 5/11/18 2:00 PM

Founded in 2007 Headquartered in San Francisco, California, USA On December 7, 2016, Fitbit officially announced that they acquired assets from Pebble January 2017, Fitbit acquired Romania-based smartwatch startup Vector Watch SRL June 2011: Fitbit criticized for its website's default activity-sharing settings, which made users' manually-entered physical activities available for public viewing Some users were including details about their sex lives in their daily exercise logs, and this information was, by default, publicly available

Fitbit as evidence in investigations: Woman s fitness watch disproved rape report http://abc27.com/2015/06/19/police-womans-fitness-watch-disproved-rape-report/ http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/ When Fitbit Is the Expert Witness (personal trainer civil case) https://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expertwitness/382936/ http://theconversation.com/how-your-fitbit-data-can-and-will-be-used-against-you-in-acourt-of-law-34580

Fitbit as evidence in investigations: Big Brother was definitely watching as George Burch killed Nicole VanderHyden https://www.greenbaypressgazette.com/story/news/2018/03/04/big-brother-phonegeorge-burch-nicole-vanderheyden-murder-trial-gps-fitbit-snapshot-google/390236002/

Profiles

Profiles

Fitbit Profiles

Fitbit Profiles

Profiles How this could help Name associated to User ID Personal info / profile pic Stride length could come in handy depending on your case

Profiles Caveats Stride length calculated by using your gender and height (user entered) Can be adjusted https://help.fitbit.com/arti cles/en_us/help_article/ 1135

Steps Steps

Steps Steps

Fitbit Steps

Steps How this could help Great evidence to show a person s level of activity, time of activity, and amount at a particular time Ties back to the false rape case Presence/lack of movement during a crime

Floors Climbed Floors Climbed

Floors Climbed

Fitbit Floors Climbed

Floors Climbed How this could help Indicates overall activity for the day Can show a trend of activity over a number of days

Heart Rate Heart Rate

Heart Rate

Fitbit Heart Rate

Heart Rate How this could help Great indicator of the user s physical exertion at points in time (5 min segments) Can especially help if graphed over time Why was there a spike at specific time? (e.g. time crime committed)

Sleep Sleep

Sleep Sleep

Fitbit - Sleep

Sleep How this could help Another very helpful indicator Remember the false rape case mentioned earlier Place someone at specific times Some questions around time awake/time asleep numbers

Questions? Jessica Hyde Twitter: @B1N2H3X Email: Jessica.hyde@magnetforensics.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information