Objectives:

  • Explore options for mobile extractions.
  • Explore options for mobile analysis.
  • Perform an Android backup analysis.

Preparation:  Be sure to view the presentations in Canvas before beginning the lab. The presentations will show you how we got here.

Overview:

There are several avenues we can take to access mobile data. Sometimes the device itself is the hardest way: passcodes, PINs and today's encryption technologies make smartphone access very, very difficult. For this reason, we often find it simpler to locate a backup on the suspect's computer or in the cloud. With automated backups being so common, people often destroy their physical devices but forget that the backup still exists in one or more places.  In this lab, we will examine a backup of Norm's tablet.
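To make the "backup is easier than the device" point concrete, here is an added example (not part of the lab or of Axiom) that parses the unencrypted `adb backup` file format: four text header lines followed by a zlib-compressed tar archive. The sample backup it builds is constructed inline; the package name and file paths inside it are made up for illustration.

```python
import io
import tarfile
import zlib

# Android .ab layout (as written by `adb backup`): the magic line, a format version
# line, a "compressed" flag line ("1"/"0") and an encryption line ("none" or
# "AES-256"), followed by the payload, a zlib stream wrapping a tar archive.
MAGIC = b"ANDROID BACKUP\n"


def parse_backup(data: bytes) -> dict:
    """Return the header fields and, for unencrypted files, the tar member names."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    rest = data[len(MAGIC):]
    version, rest = rest.split(b"\n", 1)
    compressed, rest = rest.split(b"\n", 1)
    encryption, payload = rest.split(b"\n", 1)
    info = {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode(), "members": None}
    if encryption != b"none":
        # Encrypted backups need the owner's backup password; report the header only.
        return info
    tar_bytes = zlib.decompress(payload) if info["compressed"] else payload
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        info["members"] = [m.name for m in tar.getmembers()]
    return info


def build_sample_backup() -> bytes:
    """Constructed sample: one app's manifest and database, in adb's apps/<pkg>/ layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (
            ("apps/com.example.mail/_manifest", b"com.example.mail\n1\n"),
            ("apps/com.example.mail/db/mail.db", b"SQLite format 3\x00"),
        ):
            entry = tarfile.TarInfo(name)
            entry.size = len(body)
            tar.addfile(entry, io.BytesIO(body))
    return MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    print(parse_backup(build_sample_backup()))
```

The member list is what a tool like Axiom walks to find app databases; an `AES-256` header is the signal that the backup password is needed before any of it can be read.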

Lab Resources:   

  • Magnet Axiom software
  • Android phone Image

Scenario:  From the tablet recovered from Norm's house we were able to access the cloud backup of his Android mobile phone. You are tasked with finding evidence on the mobile image provided to you that may tie Norm to stealing the OWAT code.

Part 1:  Get ready!

  1. Review the PowerPoint presentation on the Android file structure.
  2. Extract the mobile image provided in the zip file that was posted.
  3. Open the mobile image within Axiom.

Part 2:  Answer the following questions regarding the Android file structure:

  1. Before Axiom can acquire evidence from an Android device, several requirements must be satisfied on the device itself once it is plugged into the host machine. What are the three most important requirements before evidence can be acquired from an Android device?
  2. There are multiple areas on an Android device that hold important artifacts. List five important areas where artifacts can be found, and what can be found in those directories.
  3. Android devices contain a large number of partitions, and there is usually no fixed limit on how many can be found on a device. List five of the most common partitions on Android devices.
  4. Some of the most important artifacts on mobile devices are email artifacts, such as those of the Gmail app on Android devices. Where on the Android device are Gmail's artifacts stored? Give the full path to these artifacts and the partition they reside in.

Answer:

Path:

Partition:

  5. Text messages are a very important artifact when it comes to mobile forensics. Where on Android devices are text message logs stored? Give the full path and the .db file the log is written to.

Answer:

Path:

File name:

Part 3:  Answer the following questions regarding the Axiom software:

  1. In Axiom, there are several tabs in the navigation pane on the left side of the screen. What are at least 3 of these tab names? (Hint: Look at the video, and look on the left under "All Evidence")
  2. What are at least 3 of the different "views" that Axiom can display for the analyst? (Hint: In the top right-hand corner of Axiom, there is a dropdown with the different types of views)
  3. Next to the button in Axiom, there is a dropdown bar with a few other options to explore and see evidence in a different way compared to "Artifact view". What is the name of the tab that allows an analyst to see the actual file system view of the mobile device, much as FTK Imager shows the contents of an HDD?
  4. Underneath the "Operating System" tab in the navigation pane, there is a sub-section called "Android Device Information". What is one piece of evidence in that section that Axiom can provide for the analyst that may be useful from a mobile device?

Part 4:  Answer the following questions about Norm's mobile phone backup:

  1. Where and at what time did Rebecca and Norman have their meeting scheduled? Provide the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot:

  2. What is Norman's email address? Provide the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot:

  3. Did Norman connect to the Wi-Fi provided at the meeting place where Rebecca and Norman scheduled to meet? Provide the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot:

  4. What is the password to the encrypted file located on the mobile device? Provide the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot:

  5. Inside the encrypted file there is an image that does not appear to be an actual image, and it may require some further analysis to discover what the original extension was. What was the original extension of the file, and what is the name of the file with the changed extension? Provide the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot:

  6. Finally, provide proof of the OWAT code on Norman's device, the path of where you found the artifact, and a screenshot of the artifact.

Answer:

Path:

Screenshot: