The Android Forensics Automator (AnForA): A tool for the Automated Forensic Analysis of Android Applications

Abstract

Most of our daily activities are carried out by means of mobile applications, which typically generate and store large sets of data on the device. The forensic analysis of these data thus plays a crucial role during an investigation, as it allows these activities to be reconstructed. Manually analyzing these applications is a long, tedious, and error-prone task. In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed to yield various important properties, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality. AnForA is based on a dynamic “black box” approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments is carried out, in which actions of interest are automatically performed on the application by emulating a human user who interacts with its interface. During the experiments, the file systems of the device storage are actively monitored, so that the data created or modified by each of these actions can be located and correlated with that action. We have devised a proof-of-concept implementation of AnForA, which we use to assess its ability to achieve its design goals by analyzing several Android applications already studied in the literature, so that we can compare AnForA’s results against those reported in these papers. The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality, to a higher extent than previous studies published in the literature.
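The action-to-artifact correlation described in the abstract can be illustrated with a small added example; it is not AnForA's code. It assumes a local temporary directory in place of the virtualized device's storage, before/after snapshot diffing in place of active monitoring, and constructed stand-in actions and file names for a hypothetical messaging app.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its content."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(before, after):
    """Classify paths as created, modified or deleted between two snapshots."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }

def run_experiment(root, actions):
    """Run each (name, callable) action and attribute the resulting changes to it."""
    report, before = {}, snapshot(root)
    for name, act in actions:
        act(root)
        after = snapshot(root)
        report[name], before = diff(before, after), after
    return report

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as fh:  # append, so an existing file is modified
        fh.write(data)

ACTIONS = [  # constructed stand-ins for UI actions of a hypothetical messaging app
    ("add_contact", lambda r: _write(r, "databases/contacts.db", b"alice\n")),
    ("send_message", lambda r: (_write(r, "databases/messages.db", b"hi\n"),
                                _write(r, "databases/contacts.db", b"seen\n"))),
    ("clear_cache", lambda r: os.remove(os.path.join(r, "cache/thumb.bin"))),
]

def demo():
    with tempfile.TemporaryDirectory() as root:
        _write(root, "cache/thumb.bin", b"\x00")  # state present before the experiment
        return run_experiment(root, ACTIONS)
```

Calling `demo()` returns one entry per action listing the files that action created, modified or deleted, so each artifact is tied to the action that produced it.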
