|Title:||ANDROPHSY Forensic Framework for Android|
|Abstract:||The major objective of the study is to implement a user-friendly, feature-rich mobile forensic framework for the Android platform that supports every phase of a digital forensic investigation using existing open source utilities. A digital forensic investigation consists of four major phases: preservation, data acquisition, examination and analysis, and reporting of gathered evidence to the interested audience. Android is the dominant smartphone operating system at the time of study. Market research predicts that Android will continue to be the dominant smartphone operating system over the coming years. Android forensics is still a very young field. Without proper forensic tools, carrying out a successful forensic investigation on an Android device is a tedious task. There is a gap in open source Android forensic tools in the digital forensics arena. Almost all of the feature-rich mobile Android forensic tools are commercial and expensive. The Cellebrite forensic kit cost nearly fifty thousand US dollars in January 2010. Forensic investigators, especially from developing countries like Sri Lanka, cannot afford such exorbitant prices. The outcome of the project is “ANDROPHSY”. There is no universal Android forensic tool that supports every permutation of smartphone model, manufacturer, Android version and kernel version. ANDROPHSY supports a subset of Android smartphones currently in use. The design and implementation of ANDROPHSY were based on two assumptions: the device is not screen locked at the time of seizure, and the target device's internal memory is not encrypted. ANDROPHSY's features include preserving the forensic value and credibility of evidence through data authenticity and integrity, forensic case handling, raw evidence collection, comprehensive and meaningful evidence extraction from raw evidence, and efficient report generation. 
Many precautions, such as user control and integrity checking, are included in the solution to preserve the credibility and confidentiality of evidence extracted by the tool. Implementation was done in an Ubuntu virtual machine using the Java programming language and scripting languages. The tool was evaluated against Via Forensic Extract Community Edition free version and Oxygen Forensic Suite 2014 Standard Edition free version. The results prove that ANDROPHSY provides a more flexible, rich set of features in a user-friendly manner than the other free versions.|
|Appears in Collections:||Master of Science in Information Security - 2015|
Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.