
Research On Android Mobile Forensics

Posted on: 2017-04-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Zhang
GTID: 1108330482997006
Subject: Computer system architecture
Abstract/Summary:
Over the past decade, research on digital forensics has come to influence and cover more aspects of modern society. As more products have been digitized, people are surrounded by a variety of digital devices, and the information stored on them can represent an individual's life and daily activities: the locations they have visited, their home address, bank accounts, passcodes, and so on. For most individuals, the most commonly used digital device is a mobile device, especially a smartphone. According to incomplete statistics, the Android operating system runs on over 1.4 billion smartphones on the market. How to apply digital forensic approaches to Android devices is therefore of great importance in fighting digital crime.

Unfortunately, digital forensics is still in an emerging state in both China and the U.S. In Chinese industry and government in particular, the lack of experience and competence in digital forensics has already led to serious problems. For instance, the "Qvod" case of January 7, 2016 attracted broad public attention: the prosecution had not processed the digital evidence under any provable forensic standard, so all of the digital evidence obtained was seriously called into question by the defendant. The same problem could occur with mobile devices.

This dissertation focuses on several research questions in digital forensics on Android mobile devices. First, we present a digital forensic architecture, because the current architecture cannot meet the requirements of mobile forensics, which must handle different platforms, different types of devices, and forensic work on large amounts of data. Compared with existing research, the architecture we present is a modular digital forensics framework suited to mobile forensics.

Second, the dissertation describes approaches to data acquisition on Android smartphones. Besides the traditional ones, the latest improvement in this area is able to obtain a physical dump of the target Android device without gaining any system privilege, modifying the system image in recovery mode, or exploiting any system vulnerability, provided that the firmware updating program released by the smartphone manufacturer is disassembled.

Third, in order to forensically extract important information from Android applications, we present a Rapid Android Parser for Investigating DEX files (RAPID). Our experiments show that RAPID outperforms existing approaches in runtime efficiency, provides better robustness, and can support dynamic analysis by finding critical offsets. Notably, the processing time for our sample set of 22.35 GB was only 1.5 hours with our approach, while traditional approaches needed about 23 hours.

In addition, we present approaches to malware detection in Android applications. Here we introduce a novel approach that applies machine learning to classify malicious and benign applications. The experimental results show that our approach achieves an accuracy of over 98% on a sample set of 12,428 applications (11,700 benign; 1,258 malicious), which is higher than existing approaches. We also compared our approach with the currently most effective approaches using different machine learning algorithms, and the results were again positive for our approach.

In general, the contributions of this dissertation are:
1. A new architecture, better suited to mobile forensics, is presented.
2. An approach to acquiring a dump of the targeted device is introduced.
3. An improved method for extracting information from Android applications is presented and developed as an open source tool.
4. A new approach to malware detection in Android applications is presented.

In conclusion, this dissertation introduces different approaches, and some of the results achieved, for improving mobile forensics in each phase of forensic work. In terms of contribution, it can help analysts become familiar with this research area step by step and gain the ability to acquire, extract, and analyze information from mobile devices in real cases.
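As an added example (not RAPID itself or any code from the dissertation), the following Python parser reads the fixed 112-byte DEX header that any DEX investigation starts from: it verifies the Adler-32 checksum and SHA-1 signature before trusting anything, then extracts the section offsets and rejects any that point outside the file. The header layout is the documented Android DEX format; the sample file is constructed inline.

```python
# Added example, not the dissertation's RAPID tool; uses the documented Android DEX header layout.
import hashlib
import struct
import zlib

HEADER_FMT = "<8sI20s20I"   # magic, Adler-32 checksum, SHA-1 signature, 20 uint32 fields
HEADER_SIZE = 0x70          # 112 bytes for every DEX version
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
          "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
          "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
          "field_ids_off", "method_ids_size", "method_ids_off",
          "class_defs_size", "class_defs_off", "data_size", "data_off")

def parse_dex_header(blob: bytes) -> dict:
    """Parse and verify a DEX header; raise ValueError on any inconsistency."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n" or blob[7] != 0:
        raise ValueError("not a DEX file header")
    magic, checksum, signature, *vals = struct.unpack_from(HEADER_FMT, blob, 0)
    # Adler-32 covers bytes from offset 12 on, SHA-1 covers bytes from offset 32 on.
    if zlib.adler32(blob[12:]) != checksum:
        raise ValueError("checksum mismatch: file modified or truncated")
    if hashlib.sha1(blob[32:]).digest() != signature:
        raise ValueError("signature mismatch")
    hdr = dict(zip(FIELDS, vals), version=magic[4:7].decode())
    if hdr["header_size"] != HEADER_SIZE or hdr["endian_tag"] != 0x12345678:
        raise ValueError("unsupported header size or byte order")
    if hdr["file_size"] != len(blob):
        raise ValueError("file_size does not match the data length")
    # An offset past the end of the file would send a naive parser out of bounds.
    for name in FIELDS:
        if name.endswith("_off") and hdr[name] > len(blob):
            raise ValueError(f"{name} points outside the file")
    return hdr

def build_sample_dex() -> bytes:
    """Construct a minimal DEX (header + empty map_list) with valid digests."""
    data = struct.pack("<I", 0)                       # map_list with 0 entries
    vals = [HEADER_SIZE + len(data), HEADER_SIZE, 0x12345678, 0, 0, HEADER_SIZE]
    vals += [0] * 12 + [len(data), HEADER_SIZE]       # no id tables; data at 0x70
    tail = struct.pack("<20I", *vals) + data
    sig = hashlib.sha1(tail).digest()
    return b"dex\n035\0" + struct.pack("<I", zlib.adler32(sig + tail)) + sig + tail

def tamper_detected(blob: bytes) -> bool:
    bad = blob[:-1] + bytes([blob[-1] ^ 1])           # flip one byte in the data region
    try:
        parse_dex_header(bad)
    except ValueError:
        return True
    return False
```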
Keywords/Search Tags: Digital Forensics, Mobile Forensics, Malware Detection, Reverse Engineering, Android