Proposal / Submission Type
Peer Reviewed Paper
Start Date
17-5-2018 9:20 AM
End Date
17-5-2018 9:55 AM
Abstract
A significant number of mobile device users currently employ anti-forensics applications, also known as vault or locker applications, on their mobile devices in order to hide files such as photos. Because of this, investigators are required to spend a large portion of their time manually looking at the applications installed on the device. Currently, there is no automated method of detecting these anti-forensics applications on an Android device. This work presents the creation and testing of a vault application detection system to be used on Android devices. The main goal of this work is twofold: (i) detecting and reporting the presence of various vault applications installed on given Android devices, and (ii) recovering the files that are hidden by utilizing these vault applications. The testing of our system was performed on six different devices running different versions of Android and in various states of rootedness. The findings show that with a fairly comprehensive list of known vault applications, it is possible to provide a list of the vault applications installed on the Android device and possibly provide extracted hidden files to the investigator unless they are encrypted. Hence, our work greatly reduces the amount of time that the investigators are required to spend examining the applications on the device.
Scholarly Commons Citation
Duncan, Michaila and Karabiyik, Umit, "Detection and Recovery of Anti-Forensic (VAULT) Applications on Android Devices" (2018). Annual ADFSL Conference on Digital Forensics, Security and Law. 6.
https://commons.erau.edu/adfsl/2018/presentations/6
Included in
Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Social Control, Law, Crime, and Deviance Commons