Skip to content

Dynamic Taint Analysis Tool for Android App Forensics

Conference/Workshop:
EEE Symposium on Security and Privacy
Published: 2019
Primary Author: Zhen Xu
Secondary Authors: Chen Shi, Chris Cheng, Neil Zhengqiang Gong, Yong Guan
Research Area: Digital

The plethora of mobile apps introduce critical challenges to digital forensics practitioners, due to the diversity and the large number (millions) of mobile apps available to download from Google play, Apple store, as well as hundreds of other online app stores. Law enforcement investigators often find themselves in a situation that on the seized mobile phone devices, there are many popular and less-popular apps with interface of different languages and functionalities. Investigators would not be able to have sufficient expert-knowledge about every single app, sometimes nor even a very basic understanding about what possible evidentiary data could be discoverable from these mobile devices being investigated. Existing literature in digital forensic field showed that most such investigations still rely on the investigator’s manual analysis using mobile forensic toolkits like Cellebrite and Encase. The problem with such manual approaches is that there is no guarantee on the completeness of such evidence discovery. Our goal is to develop an automated mobile app analysis tool to analyze an app and discover what types of and where forensic evidentiary data that app generate and store locally on the mobile device or remotely on external 3rd-party server(s). With the app analysis tool, we will build a database of mobile apps, and for each app, we will create a list of app-generated evidence in terms of data types, locations (and/or sequence of locations) and data format/syntax. The outcome from this research will help digital forensic practitioners to reduce the complexity of their case investigations and provide a better completeness guarantee of evidence discovery, thereby deliver timely and more complete investigative results, and eventually reduce backlogs at crime labs. In this paper, we will present the main technical approaches for us to implement a dynamic Taint analysis tool for Android apps forensics. With the tool, we have analyzed 2,100 real-world Android apps. For each app, our tool produces the list of evidentiary data (e.g., GPS locations, device ID, contacts, browsing history, and some user inputs) that the app could have collected and stored on the devices’ local storage in the forms of file or SQLite database. We have evaluated our tool using both benchmark apps and real-world apps. Our results demonstrated that the initial success of our tool in accurately discovering the evidentiary data.

Related Resources

Likelihood Ratios for Categorical Evidence With Applications in Digital Evidence

Likelihood Ratios for Categorical Evidence With Applications in Digital Evidence

The following poster was presented at the 74th Annual Scientific Conference of the American Academy of Forensic Sciences (AAFS), Seattle, Washington, February 21-25, 2022.
Score-Based Likelihood Ratios for Camera Device Identification Using Cameras of the Same Brand for the Alternative Device Population

Score-Based Likelihood Ratios for Camera Device Identification Using Cameras of the Same Brand for the Alternative Device Population

Score-based likelihood ratios are a statistical method for quantifying the weight of evidence and have been used in many areas of forensics, including camera device identification1,2,3. Small sensor imperfections caused…
Forensic Analysis on Cryptocurrency Wallet Apps

Forensic Analysis on Cryptocurrency Wallet Apps

The following was presented at the 74th Annual Scientific Conference of the American Academy of Forensic Sciences (AAFS), Seattle, Washington, February 21-25, 2022.
Mobile steganography: Looking to the future

Mobile steganography: Looking to the future

Humans have sent secret messages for millennia. A cousin to cryptography, steganography is the art and science of sending a secret message in the open by camouflaging the message carefully.…