Skip to content

Dynamic Taint Analysis Tool for Android App Forensics

Journal: 40th IEEE Symposium on Security and Privacy
Published: 2018
Primary Author: Zhen Xu
Secondary Authors: Chen Shi, Chris Cheng, Neil Zhengqiang Gong, Yong Guan
Research Area: Digital

The plethora of mobile apps introduce critical challenges to digital forensics practitioners, due to the diversity and the large number (millions) of mobile apps available to download from Google play, Apple store, as well as hundreds of other online app stores. Law enforcement investigators often find themselves in a situation that on the seized mobile phone devices, there are many popular and less-popular apps with interface of different languages and functionalities. Investigators would not be able to have sufficient expert-knowledge about every single app, sometimes nor even a very basic understanding about what possible evidentiary data could be discoverable from these mobile devices being investigated. Existing literature in digital forensic field showed that most such investigations still rely on the investigator’s manual analysis using mobile forensic toolkits like Cellebrite and Encase. The problem with such manual approaches is that there is no guarantee on the completeness of such evidence discovery. Our goal is to develop an automated mobile app analysis tool to analyze an app and discover what types of and where forensic evidentiary data that app generate and store locally on the mobile device or remotely on external 3rd-party server(s). With the app analysis tool, we will build a database of mobile apps, and for each app, we will create a list of app-generated evidence in terms of data types, locations (and/or sequence of locations) and data format/syntax. The outcome from this research will help digital forensic practitioners to reduce the complexity of their case investigations and provide a better completeness guarantee of evidence discovery, thereby deliver timely and more complete investigative results, and eventually reduce backlogs at crime labs. In this paper, we will present the main technical approaches for us to implement a dynamic Taint analysis tool for Android apps forensics. With the tool, we have analyzed 2,100 real-world Android apps. For each app, our tool produces the list of evidentiary data (e.g., GPS locations, device ID, contacts, browsing history, and some user inputs) that the app could have collected and stored on the devices’ local storage in the forms of file or SQLite database. We have evaluated our tool using both benchmark apps and real-world apps. Our results demonstrated that the initial success of our tool in accurately discovering the evidentiary data.

Related Resources

Likelihood ratios for categorical count data with applications in digital forensics

Likelihood ratios for categorical count data with applications in digital forensics

We consider the forensic context in which the goal is to assess whether two sets of observed data came from the same source or from different sources. In particular, we…
CSAFE Project Update & ASCLD FRC Collaboration

CSAFE Project Update & ASCLD FRC Collaboration

This presentation highlighted CSAFE’s collaboration with the ASCLD FRC Collaboration Hub.
Forensic Analysis on Android Social Networking Applications

Forensic Analysis on Android Social Networking Applications

This presentation is from the 75th Anniversary Conference of the American Academy of Forensic Sciences, Orlando, Florida, February 13-18, 2023. Posted with permission of CSAFE.
Source Camera Identification on Multi-Camera Phones

Source Camera Identification on Multi-Camera Phones

Camera identification addresses the scenario where an investigator has a questioned digital image from an unknown camera. The investigator wants to know whether the questioned image was taken by a…