Monday, February 24, 2014

[infosecinstitute] Android Architecture and Forensics

Android is one of the most open, versatile, and customizable mobile operating systems out there. Android is a Linux-based operating system with market share – 79.70% in smart phones. Android is a software stack for mobile devices that includes an operating system, middleware and key applications.

Android Architecture
Android operating system is a stack of software components which is roughly divided into five sections and four main layers, where each layer is a group of several program components. Together it includes operating system, middleware and important applications. Each layer in the architecture provides different services to the layer as shown below in the architecture diagram.
Linux kernel
The architecture is based on the Linux2.6 kernel. Android use Linux kernel as its hardware abstraction layer between the hardware and rest of the software. It also provides memory management, process management, a security model, and networking, a lot of core operating system infrastructures that are robust and have been proven over time
Android’s native libraries.
  • Libc: c standard lib.
  • SSL: Secure Socket Layer
  • SGL: 2D image engine
  • OpenGL|ES: 3D image engine
  • Media Framework: media codecs
  • SQLite: Database engine
  • WebKit: Kernel of web browser
  • FreeType: Bitmap and Vector
  • SufraceManager: Compose window manager with off-screen buffering.
Android Runtime
Android Runtime consists of Dalvik Virtual machine and Core Java libraries.
  • Core Java Libraries: These are different from Java SE and Java ME libraries. However these libraries provide most of the functionalities defined in the Java SE libraries.
  • Dalvik Virtual Machine: It is a type of JVM used in android devices to run apps and is optimized for low processing power and low memory environments. Unlike the JVM, the Dalvik Virtual Machine doesn’t run .class files, instead it runs .dex files. A .dex file is built from .class file at the time of compilation and provides hifger efficiency in low resource environments. The Dalvik VM allows multiple instance of Virtual machine to be created simultaneously providing security, isolation, memory management and threading support. It is developed by Dan Bornstein of Google.
Application Framework
The blocks that our applications directly interact with.
  • Activity Manager: Manages the activity life cycle of applications
  • Content Providers: Manage the data sharing between applications
  • Telephony Manager: Manages all voice calls. We use telephony manager if we want to access voice calls in our application.
  • Location Manager: Location management, using GPS or cell tower
  • Resource Manager: Manage the various types of resources we use in our Application
And the final layer on top is Applications. This is where all the applications get written. It includes the home application, the contacts application, the browser, and your apps. And everything at this layer is, again, using the same app framework provided by the layers below.
Rooting Android Phone
Rooting your phone can give you the opportunity to do so much more than your phone can do out of the box—whether it’s wireless tethering, speeding it up with over clocking, or customizing the look of your phone with themes. By default phones do not allow users root access because the average consumer will not need it.
What is rooting?
That’s essentially what happens if you root your Android device. With root access, you can get around any restrictions that your manufacturer or carrier may have applied. You can run more apps; you can customize your device to a greater degree; and you can potentially speed it up in a variety of ways. It’s similar running programs as administrators in Windows, or running a command with sudo in Linux. With a rooted phone, you can run apps that require access to certain system settings, as well as flash custom ROMs to your phone, which add all sorts of extra features.
The process involves backing up your current software and then flashing (installing) a new custom ROM (modified version of Android).
Steps to be followed
There are several tools for rooting purposes. This time I am using tool named Rescue Root. Steps for rooting android devices are as follow.
  • Download and install Rescue Root on your PC. You can download it from
  • Run the software and connect your Android phone, tablet by USB to your PC. Make sure that your android device is in the USB Debugging Mode.
  • Click on next step to begin. Android device will automatically be identified by the software, and the specific drivers for Android device will be installed on the computer – no hassle searching to find the right drivers, this is all done automatically.
  • Once Android device support is confirmed, Rescue Root will make a full backup of your phone and store it on PC. This will guarantee that all your data, apps, contacts and files are completely safe.
  • A root script specific to your device will be identified, downloaded, and run via USB, rooting your Android without you needing to run any scripts, complex steps, or batch files. The software will then reboot your phone and confirm that it has been rooted.
  • Your device is now successfully rooted.
Advantages of Rooting
  • Running special applications
  • Custom ROM’s-This is the most powerful feature of “rooted” phones. There are hundreds of custom ROM’s that can do anything from speeding up the processing speed of your phone to changing the entire look and feel of your phone.
There are essentially three potential cons to rooting your Android.
  • Voiding your warranty: Some manufacturers or carriers will use rooting as an excuse to void your warranty.
  • Bricking your phone: Whenever you tamper too much, you run at least a small risk of bricking your device. This is the big fear everyone has. The obvious way to avoid it happening is to follow instructions carefully.
  • Security risks: Rooting may introduce some security risks. Depending on what services or apps you use on your device, rooting could create security vulnerability.
Extract data from an Android mobile device.
  • Santoku Linux
  • An Android mobile device with USB debugging on.
Santoku Linux, a custom distribution jam-packed with tools for mobile forensics, mobile malware analysis, and mobile security testing.
Santoku is preconfigured with:
  • AFLogical Opensource Edition
  • Android Brute Forece Encryption
  • iphone Backup Analyzer
  • Libimobiledevice
  • Scalpel
  • Sleuth Kit
  • Exiftool
Steps to be followed
Make sure your device is connected to your machine. If you’re using Santoku in VMWare Player, go to VM then Removable Devices and click “Connect”.
Enable USB debugging on your device. Go to Settings then Developer Options, then check USB debugging.
To check weather santoku is properly communicating with our target device or not we will use adb i.e Android Debug Bridge. We have to make ensure that the USB Debugging is on in our target device.
We will use command adb devices and it should return with a serial number and ‘device’.
If it can’t then it will shows the couple of error massages means it’s not communicating properly.
When the connection is established successfully then first we have to deploy the agent for this we go to Santoku menu -> Device Tools ->SDK Manager ->AFlogical OSE.
After that we execute the script that pushes the agent to the target device we do this by running the command AFLogical-OSE.
Then on the target device we have to open AFLogical-OSE and Select whatever data we want to extract and then click capture.
The data is then extracted from the target device to the SDCard of the Device and after pressing enter on our santoku machine data will be pulled from our SDCard to the Santoku machine
From santoku we can access the data we selected in the clear format.
By using the below command we can uninstall the agent from the target device.
Data Recovery from android
Android phone is turned more like a storage device with lots of snapped pictures, audio & video files, latest exciting apps, mails, messages and so on. In situations like this, losing or accidentally deleting file is a common issue that most of the Android users face.
Wondershare Dr.Fone
Wondershare Dr.Fone Data Recovery software has the following features:
  • Recover lost or deleted SMS text messages and contacts directly from your smart phone.
  • Help you get back photos, video, audio files and document from SD cards inside your device, no matter they are lost because of accidently deleting, factory resetting, flashing ROM, rooting, etc.
  • You are allowed to preview and selectively check to restore messages, contacts and photos.
Steps to be followed
Install and run the program on your computer, and connect your Android phone with computer.
Enable USB debugging on your Android device.
Once you enable USB debugging, the Android recovery software will detect your phone, the next step you can tap on the Start button to analyze the data on your SD card.
After finish scanning the SD card, you will be able to preview found files such as Messages, contacts, photos and videos, so as to check whether your lost files are found or not.
Then select files you want to recover from SD card, and then left click on Recover button.
WhatsApp Forensics
WhatsApp is a widespread instant messaging application for smartphones, available for iOS, Android, BlackBerry, Symbian and Windows Phone. The chance to replace the traditional SMS service avoiding its cost, has allowed this application to gain popularity very quickly. The automatic synchronization of the app to the phone addresses book, the unlimited message length and the possibility to share a high range of multimedia attachments have persuaded many people.
Steps to be followed
WhatsApp stores all its information on a SQLite database: the location and the structure of the database are different from platform to platform.
In android you will be only able to get an encrypted file from the SD card (/sdcard/WhatsApp/Databases/msgstore.db.crypt)
Whatsapp Xtract is an Open Source tool for WhatsApp extraction and analysis. It supports multi platform such as Windows, Linux, and Mac OS X. By now it supports iOS and Android. Download whatsapp xtract and unzip it.
You need Python and for Android msgstore.db.crypt decryption the PyCrypto library. The easiest way is to install ActivePython. Run pyCrypto as an administrator.
Run whatsapp_xtract_console.bat and then manually specify the input file with command -i msgstore.db.crypt.
After pressing enter whatsapp xtract tries to decrypt android database and we will get the extracted message of whatsapp in html format in the same directory.
The resulting file size of the .html file will be slightly bigger than the size of the .db database.
Skype is an IP telephony service provider that offers free calling between subscribers and low-cost calling to people who don’t use the service. In addition to standard telephone calls, Skype enables file transfers, texting, video chat and videoconferencing. The service is available for desktop computers, notebook and tablet computers and other mobile devices, including mobile phones.
Steps to be followed
Skype xtractor is an Open source tool for Skype analysis. It’s available for computer and mobile version. It supports multi platform i.e Windows, Linux
The main.db file is a SQLite database. Using Skype xtractor, you can open the official memory of the Skype program. The information you can retrieve from this file represent the data that has not been deleted or removed by the user.
  • Extract the most important fields for the following tables (of the Skype’s main.db): Accounts, Calls, Chats, Contacts, File Transfers, Group Chat, Voice Mails
  • Extract most of the messages stored in the Chatsync files. (Note: Chatsync files store edited and deleted messages)
  • Reporting in HTML and CSV supported
  • HTML reporting has filters to sort data in the best way.
To use Skype Xtractor simply type the following commands in your shell or cmd:
Python –chatsync /path/of/the/mainDatabase/main.db
After pressing enter it will extract all the tables attached in main.db.
We will get the extracted files of Skype.
Mobile forensics, arguably the fastest growing and evolving digital forensic discipline, offers significant opportunities as well as many challenges. Android forensics involves the analysis of data from devices, it is important to have a broad understanding of both the platform and the tools that will be used throughout the investigation. From this article you will get the idea of android architecture and the some tools used in android forensics.


  1. Nice Article,

    If you want to recover lost photos from the Sony digital camera then download the Sony Photo Recovery Software.

    Thanks for sharing...

  2. Very nice article,keep sharing more posts with us.
    thank you....

    android developer training