Event / Presentation Title

Detection and Recovery of Anti-Forensic (VAULT) Applications on Android Devices

Proposal / Submission Type

Peer Reviewed Paper

Start Date

17-5-2018 9:20 AM

End Date

17-5-2018 9:55 AM

Abstract

A significant number of mobile device users currently employ anti-forensics applications, also known as vault or locker applications, on their mobile devices in order to hide files such as photos. Because of this, investigators are required to spend a large portion of their time manually looking at the applications installed on the device. Currently, there is no automated method of detecting these anti-forensics applications on an Android device. This work presents the creation and testing of a vault application detection system to be used on Android devices. The main goal of this work is twofold: (i) detecting and reporting the presence of various vault applications installed on given Android devices, and (ii) recovering the files that are hidden using these vault applications. The testing of our system was performed on six different devices running different versions of Android and in various states of rootedness. The findings show that, with a fairly comprehensive list of known vault applications, it is possible to provide a list of the vault applications installed on the Android device and possibly provide extracted hidden files to the investigator unless they are encrypted. Hence, our work greatly reduces the amount of time that investigators are required to spend examining the applications on the device.
