Friday, November 21, 2014

Some artifacts in the /data/system/ directory

A few nice artifacts

All blog posts to date

In a previous post, I demonstrated how to image an Android device and then I made two different posts on how to examine the image.  You can see by examining an image that your device is divided into partitions.

Android devices are partitioned, and the following partitions should be in every image:

  • data - the partition with user-related data, which may also include a directory representing an SD card
  • system - pre-loaded apps, libraries, settings, images, and more
  • boot - the Android system kernel
  • recovery - the Android recovery kernel

And other devices may have all kinds of other partitions.  Try imaging a Galaxy S4 and see how many partitions FTK Imager and Autopsy recognize.

As you may have reasoned, the data partition is where an investigator will be examining the most.  This partition contains data about the user.  Within the data partition will be a few directories of note:

  • data - data related to installed apps, including the user's text message history, web browsing history, call logs, contacts, Facebook messages, calendar events, etc.
  • app - apps which the user installed.  This directory will contain the actual apk files which the user downloaded or sideloaded and installed
  • media - older devices may not have this directory, but newer Android devices will contain the media directory, which represents an SD card.  This directory will contain photos, unless there is an external SD card in the device, and may contain all kinds of user files.  This directory also includes files the user downloaded using a web browser.

As you also may have reasoned, the data directory is where an investigator will be spending a lot of time.

This post focuses on another directory within the data partition.  This directory is system, which contains more information about user behavior.  This directory contains useful logs that the user is unlikely aware of yet can say a good amount about the user.  I will detail just a few artifacts.  There are far more artifacts than these, but I will detail some useful ones and can field questions about others.

To get to these artifacts, you'll either need to have an image of the device, or you will  need root access.  Non-root users cannot access these files through a shell.

List of installed apps
Check out the file /data/system/packages.xml.  (Note:  The device I used here runs Lollipop, or a newer version of Android.  The packages.xml may contain different data for older versions of the operating system, like Gingerbread and older.)  This file contains a list of all apps installed, plus some extra information about each app.  Here is the entry for ES File Explorer in my /data/system/packages.xml file.

<package name="" codePath="/data/app/" nativeLibraryPath="/data/app-lib/" flags="4767300" ft="146b6659890" it="14346b1705b" ut="146b665d076" version="212" userId="10109" installer="">
    <sigs count="1">
        <cert index="77" key="3082(bunch of hex ...)733f" />
        <item name="android.permission.READ_EXTERNAL_STORAGE" />
        <item name="" />
        <item name="android.permission.CHANGE_WIFI_MULTICAST_STATE" />
        <item name="android.permission.SET_WALLPAPER" />
        <item name="android.permission.WRITE_EXTERNAL_STORAGE" />
        <item name="android.permission.ACCESS_WIFI_STATE" />
        <item name="" />
        <item name="android.permission.READ_PHONE_STATE" />
        <item name="android.permission.ACCESS_SUPERUSER" />
        <item name="android.permission.BLUETOOTH" />
        <item name="android.permission.INTERNET" />
        <item name="android.permission.WRITE_SETTINGS" />
        <item name="android.permission.CHANGE_WIFI_STATE" />
        <item name="android.permission.VIBRATE" />
        <item name="android.permission.BLUETOOTH_ADMIN" />
        <item name="android.permission.WAKE_LOCK" />
        <item name="android.permission.ACCESS_NETWORK_STATE" />
    <signing-keyset identifier="3" />
    <signing-keyset identifier="5" />
    <signing-keyset identifier="4" />
    <signing-keyset identifier="2" />
    <signing-keyset identifier="1" />
    <signing-keyset identifier="6" />

There will be such an entry for every installed app.  I'll go over what some of these entries mean.

  • package name="" - This is the package name of the app.  Here is quick documentation on what the package name is. 
  • codePath="/data/app/" - This is the path to the APK, or the application install file.  If you need to investigate an app, or reverse engineer the app, here is the file you should be examining.
  • nativeLibraryPath="/data/app-lib/" - This is the path to a directory containing native libraries which the app uses.  In my phone, the directory /data/app-lib/ contains two native library files.  If you are interested in reversing native executables, you can reverse these files and examine.
  • <item name="android.permission.READ_EXTERNAL_STORAGE" (and a bunch more) /> - There are a bunch of entries of Android permissions.  This app contains 17 permissions, ranging from reading and writing to external storage to Internet access to using the vibrate function.  If you ever browse through the packages.xml file and find an app with an extraordinary amount of permissions or some permissions that just seem odd, like a game that has the permission to send and receive SMS, then you might want to take a close look.

The packages.xml file is a useful file to see what all files the user has installed on the device.  This file also lists associated permissions with each app which can be a useful hint to malicious apps, and each app entry also includes a path to the actual APK file so you can reverse the app if you need.

Log of last usage of an app
Next, look at the file usagestats/usage-history.xml.  This file contains log entries with the last time a user used an app.  Here is the entry in my phone for the Chrome app.  Note: I imaged my phone in late October 2014.

<pkg name="">
    <comp name="" lrt="1414545913713" />
    <comp name="" lrt="1398440159237" />
    <comp name="" lrt="1391453561436" />
    <comp name="" lrt="1414545745091" />

What you see here are four different activities within the app. Activities, in Android lingo, are basically different screens allowing for user activity.  Each activity above also contains a timestamp in Epoch time of the last time the activity ran.  Here's a handy writeup on Epoch time, in case you are unfamiliar, and here is a nifty Epoch converter.

Based on the log, here is the last time I used each of these activities before I imaged the phone:

  • Wed, 29 Oct 2014 01:25:13 GMT
  • Fri, 25 Apr 2014 15:35:59 GMT
  • Mon, 03 Feb 2014 18:52:41 GMT
  • Wed, 29 Oct 2014 01:22:25 GMT

Apparently I do not use bookmarks very often!  Note, these timestamps are all in GMT.  You'll need to convert this timestamp to the local timezone.

The usage-history.xml file is a useful file.  It will not let the investigator know the complete history for an app, but it will indicate the last time each activity was used.  If a user indicates that he/she has never used an app yet the usage-history.xml file indicates that the app was used yesterday, you may want to investigate some.

Database of accounts on the device
Finally, open the file system/users/0/accounts.db in a SQLite browser.  (I intend to at some point do a post on SQLite databases but have not yet.  If you're not sure how to open a SQLite database file, contact me and I'll help you out.)  Here's what the "accounts" table of my accounts.db file looks like in a SQLite browser (with personal information blacked out):

This database file includes a table called "accounts", which is a list of accounts associated with the device.  The three accounts seen above are a Google account, a Facebook account, and a LinkedIn account.

Each entry has three columns of data: name, type, and password.  Name is the username associated with the account, and in all three cases above the username is an email address.  The type is the account provider.  You can see above that my accounts are clearly Google, Facebook, and LinkedIn.  And the password contains a hashed version of the password.  The actual password in plaintext is not included.

This file is a useful list to see what services a user frequently uses.  I can't say I am on LinkedIn all that frequently, but I use Google and Facebook frequently.

Other artifacts
There are all kinds of other useful artifacts - battery stats, process states, network states, the wallpaper image, and some more.  If you are an Android enthusiast, I highly enjoy exploring the /data/system directory further.  You may find some more useful artifacts.

Finally, do you have some insights into useful artifacts in /data/system?  If so, comment below.  I'd be happy to field questions and I also am always eager to learn more.

Forensic 4Cast awards
I would be humbled and honored if you would consider nominating my blog, Free Android Forensics, for the award "Digital Forensic Blog of the Year" presented by Forensic 4Cast.

Forensic 4Cast is an excellent resource for all things digital forensics. They run an annual awards ceremony for digital forensics achievements for the year.

2017 was a banner year for Free Android Forensics. From imaging an Android car stereo to studying the Waze app to imaging newer devices and some other fun topics, there was a lot to cover last year. I continually hope to serve the forensic community well by providing interesting topics.

As always, I thank you for reading. If you found my content useful, insightful, interesting, or maybe even funny, please consider nominating Free Android Forensics for Digital Forensic Blog of the Year.

  • The /data/system directory includes useful logs about the user and user behavior
  • The file /data/system/packages.xml contains a list of installed apps including the APK path and a list of permissions
  • The file /data/system/usagestats/usage-history.xml contains logs of the last time a user used an app
  • The file /data/system/users/0/accounts.db contains a list of accounts and associated usernames and service providers
Questions, comments, suggestions, or experiences?  Leave a comment below, or send me an email.

Thursday, November 6, 2014

Using Autopsy to examine an Android image

A solid, open source tool

All blog posts to date

Autopsy is an open source digital forensics tool by Basis Technologies.  This is a powerful free tool with many of the same capabilities as the expensive tools (FTK, EnCase).  Some people in the digital forensics community will debate until they are blue in the face over whether open source forensics software is better or if paid software is better.  This is a debate from which I will spare my readers, but I'll say this: Autopsy is a fantastic tool.

I've had all kinds of success with Autopsy before.  There have been several times where FTK Imager did not properly load an image.  Errors included not recognizing the image as an image or missing partitions.  In all cases where FTK Imager has made these sorts of mistakes, Autopsy has come through for me.

And on top of the above statement, I was using an old version of Autopsy which did not include specific Android functionality.  I was using a version of Autopsy which was reading a disk image as a disk image, not as specifically an Android image.  Autopsy's file system engine does an incredible job at identifying partitions and file systems.  This has been a tool which I have used with all kinds of success.

In this post, I will load an image of my personal Nexus 5 into Autopsy and will show some of the useful functionality for investigations.  I created the image using the same method in my post on live imaging an Android device.

Getting started
Download and install the newest version of Autopsy from this link.  (Note: the downloads are for Windows.  You can download the source for Autopsy and compile it for Linux.  I have not done this yet but intend to soon.)

Once the software is installed, open Autopsy and create a new case.  Fill in the basic info.  The entry for "Base Directory" is where you intend to store data related to cases.  This directory is not necessarily where you store an image you intend to examine and analyze, but it stores information and analyses about the image.  Be advised, this directory can get filled up quickly.  My phone is 32 gigabytes, and my base directory now contains 7 gigabytes of data.

Next, add your Data Source, or your image.

Autopsy has several "ingest modules" built in for analysis.  These ingest modules identify files and extract known data as records, such as emails or time-based data.  You can select or deselect whatever modules you want.  The more ingest modules you select, the more time and disk space the analysis will take, but you also may find more insight about the image with more modules.  Do be sure to select the "Android Analyzer" module when analyzing an Android image.

You can also optionally give a case number or an investigator name.  Yes, you are an investigator, so take credit.

Once the case is created, you can see the main Autopsy interface.

At this point, analysis will be ongoing.  The ingest modules each pass through the image to find relevant data.  In the bottom right corner there is a status bar which you can click on to see analysis status.  In the below shot, there are three different ingest modules working simultaneously.

Depending upon how big the image is, how many files are in the image, how many modules you select, how much disk storage space you have, how fast your computer's processor is, and how much RAM you have, analysis may take a while.  I'm running Autopsy on a Windows netbook and analyzing an image of a 32 gigabyte phone took around an hour.  You can browse around the image and do some investigation before the ingest modules are done, but you will be viewing incomplete results.  For example, there is a great tool for timeline analysis which I will show later in this post.  If you try to do a timeline analysis before the modules are complete, there will be evidence missing from the timeline.

You also can always wait for the analysis to complete before getting started.

Android Analyzer module
I indicated above to enable the Android Analyzer module.  This module will identify files containing contact data and communications records.  I said above that ingest modules will extract records and present them to the investigator.  The below screenshot indicates that Autopsy identified Call Logs, Contacts, and more.  I can tell you that the Android Analyzer ingest module is to credit for these finds.  You can click each of these and see what data was collected.

Android by default stores your text messages in a SQLite database in the file /data/data/, and you can load this file into a SQLite database viewer to see the SMS.(Note:  one of these days I intend to do a post on viewing SQLite database files.  The long and short of it is Android apps, including SMS and phone dialer and contacts, use SQLite databases to store data.  The apps present data in their own ways, such as SMS conversations, but you can always view the raw data stored as it is stored in a SQLite database viewer.)

Below is how Autopsy presents SMS.

(Black boxes inserted for privacy.)


Here is the call log ...

... and here is the contacts list.

Browsing the image
Autopsy allows you to browse through the image.  The below screenshot shows all of the partitions which Autopsy identified.  You can see the userdata partition, which will store most of the data about the user.

And then you can browse through the individual partitions.

You can view individual files as text or hex.  You can also see extracted strings and metadata about the file.  And picture files load as pictures.

One of Autopsy's best features is the timeline.  Autopsy will find events associated with a date and time, such as text messages or call logs or any other time-based events, and make a timeline of events.  As an investigator, I always like to create a timeline of events which a digital device has recorded because all of these events ultimately tell the story about a person using the device.

To create a timeline, go to Tools -> Timeline.  (Wait for all ingest modules to finish first.)  Then wait for a bit, and when the timeline is ready it opens in a new window.

The timeline clearly indicates a lot of activity in 2013-2014.  But you may also see a weird anomaly around 1970.  Do not worry about those or the odd 2008 files as those are Linux and Android artifacts, respectively, and they deal with "Unix time" or "epoch time."  For a quick explanation on how Linux keeps time, check out this Wikipedia page.

You can zoom in to see detailed events.  The following is my phone events from October 10-23 2014.

The bar colors represent different events as seen in the legend on the timeline.

You can choose to view "Details" instead of "Counts" which allows you to see what events occurred.

And then you can also zoom in for more details.  I see that there is an SMS event, so I chose to see details of the event.  (SMS message blacked out for privacy.)

The timeline is just an incredibly useful tool.  And it is a tool that the more you use it, the more uses you find with it.

More features
Autopsy has many more features which I'll let you explore.  But just to list a few that I've used before:

  • Plugins
    • You can download plugins to act as further ingest modules or even develop your own
  • Extract files
    • You can extract files to analyze them with other tools, such as a hex editor of choice or an advanced media file analysis tool
  • Report
    • Like with other forensic tools, you can tag files of interest and generate a report highlighting important files and other findings
  • Known hashes
    • If you have a list of hashes of known files you are interested in finding, you can load this hash set into Autopsy and it will let you know if it found these files
  • Carving
    • Autopsy includes Scalpel for data carving

Forensic 4Cast awards
I would be humbled and honored if you would consider nominating my blog, Free Android Forensics, for the award "Digital Forensic Blog of the Year" presented by Forensic 4Cast.

Forensic 4Cast is an excellent resource for all things digital forensics. They run an annual awards ceremony for digital forensics achievements for the year.

2017 was a banner year for Free Android Forensics. From imaging an Android car stereo to studying the Waze app to imaging newer devices and some other fun topics, there was a lot to cover last year. I continually hope to serve the forensic community well by providing interesting topics.

As always, I thank you for reading. If you found my content useful, insightful, interesting, or maybe even funny, please consider nominating Free Android Forensics for Digital Forensic Blog of the Year.

  • Autopsy is an awesome tool.  This point deserves an individual bullet
  • You can browse an image like in FTK Imager but I've had cases where FTK Imager fails to load an image properly and Autopsy has correctly loaded the image
  • Ingest modules process through evidence and extract useful records
  • The Android Analyzer ingest module can extract contacts, SMS, Calls, and more
  • Autopsy's timeline tool is incredibly useful in investigations
Questions, comments, suggestions, or experiences?  Open source vs paid forensic software debate? Leave a comment below, or send me an email.