Timeline analysis for Android-based systems

Yu Jin

AbstractThe goal of the thesis is to design and implement a timeline analysis framework that can be used to analyse events within the Android operating system, with particular focus on their chronological relations. To achieve this, a study of Android system was taken place prior to the implementation of this framework. After that, a framework that consists of two functional components was implemented, the components are namely extraction component and visualisation component.
The extraction component consists of an Android application and several shell and python scripts, wherein the application and scripts can be used to extract and preserve evidential artefacts from mainly three places in the Android system, namely Logcat logging buffers, Android system files and SQLite database. Apart from that, the visualisation component, mainly a graphical timeline analysis tool was designed and implemented. The tool is powered by modern browsers with novel HTML technologies as well as a web server. This Browser/Server architecture chosen here has mainly three advantages. First, with proper access control on the web server, the evidence can be safely preserved. And which allows multiple investigators to work on the same case simultaneously without replication and distribution of the original evidence. Secondly, the use of the server in the backend makes the framework more scalable in case for bulky analysis demands. Last but not least, the use of browsers and HTML technologies make the analysis tool truly platform independent, the analysis task could even be done in mobile devices. In addition, the graphical presentations of evidence were implemented in the way that users can have full control over what should be displayed on the timeline and which period should be displayed. This feature is of utmost importance as patterns of activities can only be seen in relatively long periods. Whereas coherent activities need to be verified or correlated in manner of seconds.
Lastly, evaluations were carried out to verify the effectiveness of the framework. The results from the evaluations showed that the framework is theoretically effective to locate activity patterns as well as coherent events. However, considering the fact that the Android system evolves very quickly and the techniques used by malicious applications vary a lot, the framework should be considered as a proof of concept. In addition to that, from the experience gained in the development and evaluation processes, it is deemed that the technologies selected for this implementation were suitable for forensic timeline analysis. More importantly, the potential of these technologies can be further explored to make better analysis tools.
TypeMaster's thesis [Academic thesis]
Year2013
PublisherTechnical University of Denmark, DTU Compute, E-mail: compute@compute.dtu.dk
AddressMatematiktorvet, Building 303-B, DK-2800 Kgs. Lyngby, Denmark
SeriesM.Sc.-2013-42
NoteDTU supervisor: Robin Sharp, robs@dtu.dk, DTU Compute
Electronic version(s)[pdf]
Publication linkhttp://www.compute.dtu.dk/English.aspx
BibTeX data [bibtex]
IMM Group(s)Computer Science & Engineering