In this mobility age, users have become more dependent on mobile devices for personal and professional work. This dependency, together with the extensive accessibility and availability of smartphones, has also given rise to criminal activities in which Android phones are involved. Android phones are surrounded by several security risks: they can become the victim of a digital crime or be used as an intermediary for a digital offense. With such extensive usage of mobile devices, the data stored on them, such as call logs, call histories, app usage, contacts, messages, messenger app data, emails, browser histories, etc., can be analyzed in a forensic examination. Forensic experts face the challenge of extracting data from Android smartphones. Along with the extraction, experts also have to ensure that the extracted data is presentable in court. This blog discusses the details of Android SQLite database forensics.
Android OS is developed by the Open Handset Alliance (OHA). It is a Linux-based operating system which mainly uses SQLite databases for saving information and data. The Android runtime uses the Dalvik virtual machine, allowing many applications to run simultaneously. While analyzing Android data, investigators focus mainly on the libraries, especially the SQLite databases. These database files can be stored either on a removable Secure Digital (SD) card or in the device's internal storage. But why is Android SQLite database forensics so difficult? The answer lies in the operating system's architecture. Because of Android's VM design, each application runs in its own process, and by default no running application can view another application's data. To enforce this arrangement Android applies permissions-based security at the process level. It also assigns user/group identifiers to the applications, and explicit permissions are needed for any intrusive access. This kind of security mechanism, applied to the operating system and the apps, makes the investigation even more difficult.
Android Directory Structure: In order to perform the investigation, it is important to know the file systems and directory structure of the Android OS. The Android directory structure can be viewed and analyzed using "adb shell". The directory structure of the device can also be viewed using DDMS. This displays many files and folders on the attached device, of which only a few are forensically important, including: /system, /sdcard, /data, /ext_card.
/system: This comprises the OS-specific data. It contains various sub-directories holding information about several elements like fonts, system apps, libraries, etc.
/data: This directory comprises the user-specific data, such as the data stored by the SMS application. The executable files of the applications installed on the device can be viewed in the "/data/app" directory. This, however, needs root privileges, and investigators cannot view the directory content without rooting the device.
/sdcard and /ext_card: The SD card and ext_card can be used for internal and external storage. They comprise images, videos, etc.
Android File Systems: Android OS supports several file systems, and investigators must be aware of all of them. The main partition of the Android file system is YAFFS2 (Yet Another Flash File System), which is purposely designed for embedded systems like mobile devices. The command below can be used in "adb shell" to list the file systems of an Android device.
“cat /proc/filesystems”
This will list several file systems like sysfs, rootfs, bdev, proc, cgroup, tmpfs, debugfs, sockfs, pipefs, etc. The term "nodev" indicates that no physical device is attached to that particular file system. Android supports the ext2, ext3 and ext4 file systems, which are also used by Linux, and along with these the vfat file system, which is used by Windows-based systems. YAFFS and YAFFS2 are also used by Android.
There are various types of data acquisition methods, including manual, physical and logical acquisition. Manual and physical examination can be done to acquire images of the screen along with a copy of the complete file system. Logical acquisition uses the device's application programming interface in order to link the phone's elements and information with the examination system.
Some of the databases acquired can be extremely crucial for investigators. These databases are available as SQLite databases, stored as .sqlite or .db files. These files can be viewed and analyzed to retrieve information about the specific application or other data.
Contacts: /data/data/com.android.providers.contacts/databases/contacts.db can be acquired for analyzing the contacts of an Android device.
Browser: The database file /data/data/com.android.browser/databases/browser.db can be used to analyze the Android browser. It holds details like usernames, URLs, search history, web history, passwords (in plaintext), etc.
GPS: One more file which can be relevant for investigators is /data/data/com.android.browser/gears/geolocation.db. This database also stores the last known location.
Google Maps: The Google Maps database is stored at /data/data/com.google.android.apps.maps/databases/search_history.db. This file comprises the history of searches made by the user in the Google Maps application.
Google Applications: The file /data/data/com.google.android.googleapps/databases/accounts.db comprises the Google apps account details, which include the username and also the password in encrypted format.
Telephony: Information regarding the messaging apps, including the text message data and the pictures shared, can be analyzed from the /data/data/com.android.providers.telephony/databases/ directory.
Call History: Android phones keep the call history and related information. All this data can be acquired from the /data/data/com.android.providers.contacts/databases/contacts.db database.
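As an added example, not code from the original post or from any forensic product it mentions, the following Python script walks through the examination of an acquired SQLite database in the way the sections above describe. It builds a constructed stand-in for a call-log table (the table layout, phone numbers and timestamps are invented for this example), hashes the file before and after the examination so it can be shown that the evidence was not altered, decodes the 100-byte SQLite file header to confirm the file is an intact SQLite 3 database, enumerates the tables through sqlite_master over a read-only connection, and finally searches the raw file bytes for a record that had been deleted through SQL. That last step is why the raw .db file, rather than a SQL export, is the item of evidential value: with the usual secure_delete=OFF build setting, a deleted row is only unlinked from its page, so its content stays in the file until the space is reused.

```python
import hashlib
import os
import sqlite3
import struct
import tempfile

# Constructed sample rows shaped like a call-log table: (_id, number, date as a
# UNIX timestamp, duration in seconds, call type). All values are invented.
SAMPLE_CALLS = [
    (1, "+15550001111", 1590000000, 42, 1),
    (2, "+15550002222", 1590000100, 0, 3),
    (3, "+15550003333", 1590000200, 300, 2),
]
DELETED_NUMBER = "+15550002222"  # the row the example deletes before examination


def build_sample_db(path):
    """Write a small SQLite file with a 'calls' table, then delete one row so the
    example has a removed record to look for in the raw file."""
    conn = sqlite3.connect(path)
    # secure_delete=OFF is the usual build default: freed cells are not zeroed,
    # which is why remnants of deleted rows survive inside the file.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type INTEGER)"
    )
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?)", SAMPLE_CALLS)
    conn.commit()
    conn.execute("DELETE FROM calls WHERE _id = 2")
    conn.commit()
    conn.close()


def sha256_file(path):
    """Hash the acquired file so its integrity can be demonstrated later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_header(path):
    """Decode the 100-byte SQLite file header (offsets from the SQLite file format spec)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database (magic string mismatch)")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    page_count = struct.unpack(">I", hdr[28:32])[0]
    return {
        "page_size": page_size,
        "page_count": page_count,
        "write_version": hdr[18],  # 1 = rollback journal, 2 = WAL
        "read_version": hdr[19],
        "text_encoding": struct.unpack(">I", hdr[56:60])[0],  # 1 = UTF-8
        "size_consistent": os.path.getsize(path) == page_size * page_count,
    }


def open_readonly(path):
    """Never open evidence read-write: a plain connect could modify the file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    """Enumerate tables through the sqlite_master catalogue."""
    conn = open_readonly(path)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return [name for (name,) in rows]


def live_call_ids(path):
    """Rows still reachable through SQL (assumes the constructed 'calls' table)."""
    conn = open_readonly(path)
    try:
        return [i for (i,) in conn.execute("SELECT _id FROM calls ORDER BY _id")]
    finally:
        conn.close()


def raw_search(path, text):
    """Look for a string anywhere in the file bytes, including freed cell space
    that SQL queries no longer reach."""
    with open(path, "rb") as f:
        return f.read().find(text.encode("utf-8")) != -1


def examine(path):
    """Run the whole examination on one database file and return the findings."""
    before = sha256_file(path)
    findings = {
        "header": parse_header(path),
        "tables": list_tables(path),
        "live_ids": live_call_ids(path),
        "deleted_number_in_raw": raw_search(path, DELETED_NUMBER),
    }
    findings["hash_unchanged"] = sha256_file(path) == before
    return findings


def run_demo():
    """Build the constructed database in a temporary directory and examine it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "contacts_sample.db")
        build_sample_db(path)
        return examine(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run as a script it prints the findings: the header shows an intact SQLite 3 file whose page count matches the file size, sqlite_master lists the single table, only rows 1 and 3 are reachable through SQL, yet the deleted number is still found in the raw bytes and the file hash is identical before and after. examine() can be pointed at any acquired .db file; only live_call_ids() is tied to the constructed table name and would need the real table for a production database.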
Mobile phones have driven technology in both a productive and a destructive manner. Law enforcement and investigating teams need to analyze the loopholes of Android devices so that the devices can be examined thoroughly. New forensic methodologies can be utilized to enhance investigations. For instance, the SQLite databases acquired cannot be accessed directly, and in order to analyze them, commercial software applications like SQLite Viewer can be used for viewing these Android databases. A thorough analysis of the acquired SQLite databases can be done using this professional software, as the application also supports damaged databases. Android is versatile, powerful and equally complex. There is an extreme urge to adopt new techniques in order to perform productive investigations.