Android forensics: Interpretation of timestamps

Interpretation of traces found on Android devices is an important aspect of mobile forensics. This is especially true for timestamps encountered on the device under investigation. In the presence of both naive and UTC timestamps, some form of timestamp normalisation is required. In addition, the investigator needs to gain some understanding of potential clock skew that may exist, especially when evidence from the device under investigation has to be correlated with real-world events or with evidence from other devices. A case study is presented in which the time zone on the Android device was set incorrectly, while the clock was set to correspond to the time zone where the device was actually located. Initially, the fact that both time zones enforced daylight saving time (DST) during different periods was expected to complicate timestamp normalisation. However, it was found that the version of the Time Zone Database on the device was outdated and did not correspond to the actual time zone rules for the given period. After the case study, the results of experiments on a broader range of devices are presented. Among other things, these results demonstrate a method to detect clock skew based on the mmssms.db database. However, it was also found that the applicability of this method is highly dependent on specific implementation choices made by different vendors.
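As an added illustration (not code from the paper), the two steps the abstract describes, in Python: normalising stored timestamps when the device's zone setting and its actual location disagree, and estimating clock skew from an sms table. It assumes the skew estimate compares the device-stamped `date` column with the network-supplied `date_sent` column of mmssms.db, which is one reading of the method the abstract only names; the Amsterdam/New York scenario and the sample rows are constructed, and the stand-alone demo relies on the host's tzdata.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from statistics import median
from zoneinfo import ZoneInfo

def fixed_offset(hours):
    """Fixed UTC offset, for pinning the rule the device actually applied
    (its tzdata may be older than the host's) or for hosts without tzdata."""
    return timezone(timedelta(hours=hours))

def normalise(epoch_ms, device_tz, actual_tz):
    """Recover true UTC for a value stored by a device whose zone setting was
    wrong but whose clock showed correct local wall time: render the value in
    the zone the device believed it was in (the wall time the user saw), then
    reinterpret that wall time in the zone the device was actually in."""
    wall = datetime.fromtimestamp(epoch_ms / 1000, device_tz).replace(tzinfo=None)
    return wall.replace(tzinfo=actual_tz).astimezone(timezone.utc)

def estimate_skew(con):
    """Median of (device receipt time - network send time) over the sms table.
    `date` is stamped by the device clock, `date_sent` by the SMSC, so the
    difference is clock skew plus delivery latency. Vendor builds that leave
    `date_sent` at 0 give no signal, so those rows are skipped."""
    rows = con.execute("SELECT date, date_sent FROM sms WHERE date_sent > 0").fetchall()
    if not rows:
        return None
    return timedelta(milliseconds=median(d - s for d, s in rows))

def load_sample_sms():
    """Constructed stand-in for the sms table of mmssms.db (epoch milliseconds).
    Hypothetical scenario: device in Europe/Amsterdam, zone set to
    America/New_York, clock set to Amsterdam wall time on 2014-01-15 (no DST
    in either zone that day), so stored values run 6 h ahead of true UTC."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, date INTEGER, date_sent INTEGER)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", [
        (1, 1389805200000, 1389783598000),  # wall 12:00, true UTC 11:00, 2 s latency
        (2, 1389808800000, 1389787197000),  # wall 13:00
        (3, 1389812400000, 0),              # vendor left date_sent unset
        (4, 1389816000000, 1389794399000),  # wall 15:00
    ])
    return con

if __name__ == "__main__":
    con = load_sample_sms()
    print("estimated skew:", estimate_skew(con))  # 6:00:02
    for (ms,) in con.execute("SELECT date FROM sms"):
        utc = normalise(ms, ZoneInfo("America/New_York"), ZoneInfo("Europe/Amsterdam"))
        print(ms, "->", utc.isoformat())
```

With a current tzdata the same call handles dates inside either zone's DST period; to reproduce what an outdated device database would have done, pass `fixed_offset(...)` values matching the rules that database contained.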
