Kexiong (Curtis) Zeng,Shinan Liu,Yuanchao Shu,Dong Wang,Haoyu Li,Yanzhi Dou,Gang Wang,Yaling Yang

2018-01-01

Abstract:Mobile navigation services are used by billions of users around globe today. While GPS spoofing is a known threat, it is not yet clear if spoofing attacks can truly manipulate road navigation systems. Existing works primarily focus on simple attacks by randomly setting user locations, which can easily trigger a routing instruction that contradicts with the physical road condition (i.e., easily noticeable). In this paper, we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed. Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions. To demonstrate the feasibility, we first perform controlled measurements by implementing a portable GPS spoofer and testing on real cars. Then, we design a searching algorithm to compute the GPS shift and the victim routes in real time. We perform extensive evaluations using a trace-driven simulation (600 taxi traces in Manhattan and Boston), and then validate the complete attack via real-world driving tests (attacking our own car). Finally, we conduct deceptive user studies using a driving simulator in both the US and China. We show that 95% of the participants follow the navigation to the wrong destination without recognizing the attack. We use the results to discuss countermeasures moving forward.

Kexiong (Curtis) Zeng,Yuanchao Shu,Shinan Liu,Yanzhi Dou,Yaling Yang

DOI: https://doi.org/10.1145/3032970.3032983

2017-01-01

Abstract:High value of GPS location information and easy availability of portable GPS signal spoofing devices incentivize attackers to launch GPS spoofing attacks against location-based applications. In this paper, we propose an attack model in road navigation scenario, and develop a complete framework to analyze, simulate and evaluate the spoofing attacks under practical constraints. To launch an attack, the framework first constructs a road network, and then searches for an attack route that smoothly diverts a victim without his awareness. In extensive data-driven simulations in College Point, New York City, we managed to navigate a victim to locations 1km away from his original destination.

Jason Bays,Umit Karabiyik

DOI: https://doi.org/10.48550/arXiv.1907.00074

2019-06-29

Abstract:Location sharing applications are becoming increasingly common. These applications allow users to share their own locations and view contacts' current locations on a map. Location applications are commonly used by friends and family members to view Global Positioning System (GPS) location of an individual, but valuable forensic evidence may exist in this data when stored locally on smartphones. This paper aims to discover forensic artifacts from two popular third-party location sharing applications on iOS and Android devices. Industry standard mobile forensic suites are utilized to discover if any locally stored data could be used to assist investigations reliant on knowing the past location of a suspect. Security issues raised regarding the artifacts found during our analysis is also discussed.

Cryptography and Security

Xiaodong Lin,Ting Chen,Tong Zhu,Kun Yang,Fengguo Wei

DOI: https://doi.org/10.1016/j.diin.2018.04.012

2018-01-01

Digital Investigation

Abstract:It is not uncommon that mobile phones are involved in criminal activities, e.g., the surreptitious collection of credit card information. Forensic analysis of mobile applications plays a crucial part in order to gather evidences against criminals. However, traditional forensic approaches, which are based on manual investigation, are not scalable to the large number of mobile applications. On the other hand, dynamic analysis is hard to automate due to the burden of setting up the proper runtime environment to accommodate OS differences and dependent libraries and activate all feasible program paths. We propose a fully automated tool, Fordroid for the forensic analysis of mobile applications on Android. Fordroid conducts inter-component static analysis on Android APKs and builds control flow and data dependency graphs. Furthermore, Fordroid identifies what and where information written in local storage with taint analysis. Data is located by traversing the graphs. This addresses several technique challenges, which include inter-component string propagation, string operations (e.g., append) and API invocations. Also, Fordroid identifies how the information is stored by parsing SQL commands, i.e., the structure of database tables. Finally, we selected 100 random Android applications consisting of 2841 components from four categories for evaluation. Analysis of all apps took 64 h. Fordroid discovered 469 paths in 36 applications that wrote sensitive information (e.g., GPS) to local storage. Furthermore, Fordroid successfully located where the information was written for 458 (98%) paths and identified the structure of all (22) database tables.

Lauren R. Pace,LaSean A. Salmon,Christopher J. Bowen,Ibrahim Baggili,Golden G. Richard

DOI: https://doi.org/10.1016/j.fsidi.2023.301559

2023-07-01

Abstract:The rise in popularity of personal Bluetooth trackers has incited a need for forensic analysis tools that aid law enforcement in artifact recovery. With 40 million Tile devices reportedly sold at the time of writing, Tile trackers are one of the most popular personal Bluetooth trackers. This growth has not been without consequence, as reports of Bluetooth trackers being used for malicious activities have also escalated. Our work presents a forensic analysis of the Tile ecosystem and the Tile application on iOS, Android, and Windows. This analysis revealed valuable forensic artifacts that contained a diverse set of sensitive user data, including SQLite databases, XML files, cache files, and event logs. This data included information such as geolocation coordinates from the previous 30 days. As part of our analysis process, we developed an open-source tool capable of parsing these forensic artifacts from the Tile application: Tile Artifact Parser (TAP). TAP parses SQLite databases and virtual memory files, mapping geolocation coordinates and linking them according to timestamps. The ability to quickly and efficiently parse and map these location points provides valuable information in an investigation. TAP also aids investigators by detecting potentially spoofed data and flagging it. The robustness of TAP was tested to ensure its effectiveness and behavior in cases of incomplete or missing data.

computer science, information systems, interdisciplinary applications

Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Ben Martini,Quang Do,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00015-X

2015-06-18

Abstract:Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app database files and AccountManager data. To complete our understanding of the forensic artefacts stored by apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.

Computers and Society,Cryptography and Security

Abdullah Azfar,Kim-Kwang Raymond Choo,Lin Liu

DOI: https://doi.org/10.48550/arXiv.1505.02905

2015-05-12

Abstract:Mobile health applications (or mHealth apps, as they are commonly known) are increasingly popular with both individual end users and user groups such as physicians. Due to their ability to access, store and transmit personally identifiable and sensitive information (e.g. geolocation information and personal details), they are potentially an important source of evidentiary materials in digital investigations. In this paper, we examine 40 popular Android mHealth apps. Based on our findings, we propose a taxonomy incorporating artefacts of forensic interest to facilitate the timely collection and analysis of evidentiary materials from mobile devices involving the use of such apps. Artefacts of forensic interest recovered include user details and email addresses, chronology of user locations and food habits. We are also able to recover user credentials (e.g. user password and four-digit app login PIN number), locate user profile pictures and identify timestamp associated with the location of a user.

Computers and Society

Claudinei Morin da Silveira,Rafael T. de Sousa,Robson de Oliveira Albuquerque,Georges D. Amvame Nze,Gildásio Antonio de Oliveira Júnior,Ana Lucila Sandoval Orozco,Luis Javier García Villalba,Rafael T. de Sousa Jr

DOI: https://doi.org/10.3390/app10124231

2020-06-20

Applied Sciences

Abstract:This paper proposes a new forensic analysis methodology that combines processes, techniques, and tools for physical and logical data acquisition from mobile devices. The proposed methodology allows an overview of the use of the In-System Programming (ISP) technique with the usage of Combination Firmware, aligned with specific collection and analysis processes. The carried out experiments show that the proposed methodology is convenient and practical and provides new possibilities for data acquisition on devices that run the Android Operating System with advanced protection mechanisms. The methodology is also feasible in devices compatible with the usage of Joint Test Action Group (JTAG) techniques and which use Embedded Multimedia Card (eMMC) or Embedded Multi-Chip Package (eMCP) as main memory. The techniques included in the methodology are effective on encrypted devices, in which the JTAG and Chip-Off techniques prove to be ineffective, especially on those that have an unauthorized access protection mechanism enabled, such as lock screen password, blocked bootloader, and Factory Reset Protection (FRP) active. Studies also demonstrate that data preservation and integrity are maintained, which is critical to a digital forensic process.

Tooska Dargahi,Ali Dehghantanha,Mauro Conti

DOI: https://doi.org/10.1016/B978-0-12-805303-4.00002-2

2017-09-16

Abstract:Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary. This chapter presents analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on Google Play store, namely: Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about the users activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artefacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from the smartphone device that is equipped with these mVoIP apps.

Cryptography and Security

Li Cheng,Lin Jiang,Mengfei He

DOI: https://doi.org/10.3969/j.issn.1003-0972.2014.04.028

2014-01-01

Abstract:MTK-based pirated phone with NAND flash was analyzed and the related forensics techniques were studied. The physical storage format of two key digital evidences ( call record and web history) in pirated phone was analyzed and parsed using reverse engineering. Based on this, the storage mechanism and forensics techniques for the two digital evidences with complicated operations were studied. The results showed that purposely deleting operation could be detected by analyzing low-level binary image. Furthermore, some of the records could be successfully re-trieved.

Nishchal Soni,Manpreet Kaur,Vishwas Bhardwaj

DOI: https://doi.org/10.1016/j.fsidi.2024.301695

IF: 1.805

2024-02-08

Forensic Science International Digital Investigation

Abstract:This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Window-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.

computer science, information systems, interdisciplinary applications

Raffaele Cuomo,Davide D'Agostino,Mario Ianulardo

DOI: https://doi.org/10.3390/s22187096

2022-09-19

Abstract:This paper presents several scenarios where digital evidence can be collected from mobile devices, their legal value keeping untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, digital analysis of smartphone Android or iOS can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.) we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.

Rob Witteman,Arjen Meijer,M-T. Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1609.02953

2016-09-09

Cryptography and Security

Abstract:Today, a mobile phone is not just a phone but it is a computer that you can also use for calling someone. Besides, in criminal investigations the importance of evidence from the mobile phone is increasing as more and more phones are seized at the Digital Forensic Department of the police. Indeed, the amount of memory cards of these mobile phones that need to be investigated separately is also increasing. Possible reasons are that the mobile phone investigation software does not support the specific mobile phone or the specific, for that investigation, artefacts. Sometimes the software investigates just the internal memory of the mobile phone and not the data which is written on the memory card. Fact is also that although the mobile phone was investigated by the dedicated software, the possibility that the associated memory card contains additional important information is evident. The current procedure to get all of the usable information from a memory card of a mobile phone is very time-consuming process and not user friendly. In this paper, we present a new single tool to simplify the investigation of a memory card from a mobile phone. We also test our tool with WhatsApp application installed on the memory card from different mobile phones.

Julian Geus,Jenny Ottmann,Felix Freiling

2024-04-19

Abstract:Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.

Cryptography and Security

Nghi Hoang Khoa,Phan The Duy,Hien Do Hoang,Do Thi Thu Hien,Van-Hau Pham

DOI: https://doi.org/10.1109/rivf48685.2020.9140739

2020-10-01

Abstract:Emerging with highlight features as a global phenomenon, TikTok - the international version of Douyin application in China market, is a social media video app for creating and sharing short lip-syncing. This social video platform has seen astounding growth by reaching 1.5 billion users in 2019 by capturing the cultural zeitgeist among teenage smartphone owners in unprecedented fashion. However, criminals have been paid attention to this platform where young users become the target of abusers or predators. In this paper, we introduce the forensic analysis of the artifacts left on Android phones by TikTok application. In more detail, we indicate a complete description of all the artifacts obtained in TikTok. Furthermore, by using the results discussed in the paper, an investigator can rebuild the list of followers, searching keywords, favorites, messages that have been exchanged by users. It is helpful to examine and determine which artifacts could be considered as evidence for criminal investigation on popular social networking application.

Lin Sun,Daqing Zhang,Chao Chen,Pablo Samuel Castro,Shijian Li,Zonghui Wang

DOI: https://doi.org/10.1007/s11036-012-0417-8

2012-01-01

Mobile Networks and Applications

Abstract:GPS-equipped taxis can be considered as pervasive sensors and the large-scale digital traces produced allow us to reveal many hidden facts about the city dynamics and human behaviors. In this paper we present a novel GPS-based taxi system which can detect ongoing anomalous passenger delivery behaviors leveraging our proposed iBOAT method. To achieve real time monitoring, we reduce the response time of iBOAT by more than five times with an inverted index mechanism adopted. We evaluate the effectiveness of the system with large scale real life taxi GPS records while serving 200,000 taxis. With this system, we obtain about 0.44 million anomalous trajectories out of 7.35 million taxi delivery trips, which correspond to 7600 taxis’ GPS records in one month time in the city of Hangzhou, China. Through further analysis of these anomalous trajectories, we observe that: (1) Over 60 % of the anomalous trajectories are “detours” that travel longer distances and time than normal trajectories; (2) The average trip length of drivers with high-detour tendency is 20 % longer than that of normal drivers; (3) The length of anomalous sub-trajectories is usually less than a third of the entire trip, and they tend to begin in the first two thirds of the journey; (4) Although longer distance results in a greater taxi fare, a higher tendency to take anomalous detours does not result in higher monthly revenue; and (5) Taxis with a higher income usually spend less time finding new passengers and deliver them in faster speed.

Xabiel G. Pañeda,David Melendi,Víctor Corcoba,Alejandro G. Pañeda,Roberto García,Dan García

DOI: https://doi.org/10.3390/electronics13081429

IF: 2.9

2024-04-11

Electronics

Abstract:The use of remote desktop applications has increased greatly in recent years, mainly because of the generalization of telecommuting due to the COVID-19 pandemic. This process has been carried out in a very controlled manner in some companies, but in other organizations it has been introduced in a more anarchic way. The direct use of on-premises company computers and resources from the internet without the necessary protection mechanisms, including VPNs, has increased the risk of data exfiltration. Apart from other types of data exfiltration, there are cases in which employees transfer files using encrypted communications, consciously or unconsciously, producing a leak of information undetected by data loss prevention systems. In this paper we analyse the question of whether a forensic investigation may answer questions about data exfiltrations; questions such as those regarding the when, what and who (or to whom) and the use of application logs and other available tools. The answers to these questions may form the basis of solid digital evidence for legal purposes, though they may only deliver a partial response to said questions. Other complementary sources are necessary to build a complete answer and accurate digital evidence. Nevertheless, we have identified and analysed several use cases that may help to raise an early alarm that can offer warning about certain behaviours in encrypted traffic that may be detected via network monitoring.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jiamin Zheng,Yu-An Tan,Xiaosong Zhang,Chen Liang,Changyou Zhang,Jun Zheng

DOI: https://doi.org/10.1109/cse-euc.2017.45

2017-01-01

Abstract:Mobile device forensics is an interdisciplinary field consisting of techniques applied to a wide range of computing devices. Android devices are among the most disruptive technologies of the last years, gaining even more diffusion and success in the daily life of a wide range of people categories. Android devices became even more important in the forensic field due to the rich amount of personal information they store. However, the forensics tools are often used to acquire privacy information by attackers. This papar presents an anti-forensics approach for Android devices which protects AES keys from being acquired by forensics tools. The keys are stored in the special memory space where the data will be covered when android reboots, thus attackers can not steal the privacy information.

Juanru Li,Dawu Gu,Yuhao Luo

DOI: https://doi.org/10.1109/ICDCSW.2012.33

2012-01-01

Abstract:Smart mobile devices have been widely used and the contained sensitive information is endangered by malwares. The malicious events caused by malwares are crucial evidences for digital forensic analysis, and the main task of mobile forensic analysis is to reconstruct these events. However, the reconstruction heavily relies on the code analysis of the malware. The difficulties and challenges include how to quickly identify the suspicious programs, how to defeat the anti-forensics tricks of malicious code, and how to deduce the malicious behaviors according to the code. To address this issue, we propose systematic procedures of analyzing typical malware behaviors on the popular mobile operating system Android. Based on the procedures we discuss the deduction of Android malicious events. We also give a real malware forensic case as a reference.