Mobile devices hold a trove of data that could be crucial to criminal cases, and they can also play a key role in accident reconstructions, IP theft investigations and more. It’s not just investigators who care about examining a mobile device – so do those interested in application research and data, and enterprises that rely on smartphones and tablets to perform work tasks, engage with customers and deliver new services.
Effectively accessing and testing smartphones requires an optimal application toolbox, and the chops to use it. Listen to this webinar that details how to build your Android application testing toolbox to ensure you’re set up to successfully access and examine the information you need from Android mobile phones.
SANS instructor Domenica Crognale, who is one of the course co-authors of SANS FOR585: Advanced Smart Phone Forensics, and who teaches the course as well, details why testing of mobile phone applications is critical – especially given the fact that Android apps change weekly and even daily. It is becoming more common for application developers to restrict very important user artifacts from being accessed from these Android devices. This most often includes the SQLite databases, which likely contain the information that examiners are after. It’s not just commercially available applications you have to consider. Often, custom-built apps aren’t parsed by commercial tools, so you’ll need to know how to access and parse any data stored on the device.
During the webinar, Domenica talks about the importance of rooting Android devices as well as ways to access and parse the data. She explains how to do this using utilities that exist on the SIFT workstation or that can be downloaded for free from the SANS website.
This webcast explores topics such as:
- Choosing the best test device
During a forensics acquisition, many tools will apply a soft root onto the phone that is then removed once the data is obtained. But a full physical acquisition is not always necessary for application testing. Ideally, we want a test phone that is always rooted, whether or not the device loses power, because the root basically unlocks access to the core of the device’s operating system so you can access, add, remove or tweak anything inside the phone.
- Rooting your Android
During the webinar, Domenica walks through a demo of a root, shows how to locate the root and shares information on free and publicly available root tools.
- Utilizing File Browsers for quick file/folder access
Sometimes a file browser is all you really need to get to the data you’re after. Domenica shares her favorite third-party applications for accessing the file system.
- Examining application directories of interest
Once you have access to the files you need, utilize tools available on the SIFT workstation to view the contents of SQLite databases.
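The step above, as an added example that is not from the webcast or the SIFT tool set: a Python script that walks a copy of an application directory pulled from a test device, finds SQLite files by their header and lists each table with its row count. The package name `com.example.chat`, the file names and the sample rows are constructed for illustration.

```python
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def is_sqlite(path):
    """Detect by header: app database files often carry no .db extension."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def triage(app_dir):
    """Return {relative_path: {table: row_count}} for each SQLite file found."""
    report = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            if not is_sqlite(path):
                continue
            # mode=ro: the examination must not modify the working copy.
            uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
            con = sqlite3.connect(uri, uri=True)
            try:
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                report[os.path.relpath(path, app_dir)] = {
                    t: con.execute('SELECT COUNT(*) FROM "%s"' % t.replace('"', '""')).fetchone()[0]
                    for t in tables}
            finally:
                con.close()
    return report

def build_sample():
    """Constructed stand-in for a pulled app directory (hypothetical package)."""
    app = os.path.join(tempfile.mkdtemp(), "com.example.chat")
    os.makedirs(os.path.join(app, "databases"))
    con = sqlite3.connect(os.path.join(app, "databases", "msgstore"))
    con.executescript("""CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO messages(body) VALUES ('hi'), ('see you at 5');
        INSERT INTO contacts(name) VALUES ('Alice');""")
    con.commit()
    con.close()
    with open(os.path.join(app, "databases", "notes.txt"), "wb") as fh:
        fh.write(b"not a database")
    return app

if __name__ == "__main__":
    print(triage(build_sample()))
```

Point `triage()` at a working copy of the pulled directory rather than the original acquisition.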
Listen to the recording of the “Building your Android application testing toolbox” webcast now. And check out FOR585: Advanced Smartphone Forensics, a week-long course that teaches you how to find key evidence on a smartphone, how to recover deleted mobile device data that forensic tools miss, advanced acquisition terminology and free techniques to gain access to data on smartphones, how to handle locked or encrypted devices, applications, and containers, and much more.
Domenica will be teaching FOR585: Advanced Smartphone Forensics at SANS Cyber Defense Initiative Dec 11-18. Register to attend live here: sans.org/u/JGl or to try it from home via Simulcast register here: sans.org/u/JGq