LogExtractor: Extracting Digital Evidence from Android Log Messages via String and Taint Analysis

Journal: Forensic Science International: Digital Investigation
Published: 2021
Primary Author: Chris Chao-Chun
Secondary Authors: Chen Shi, Neil Zhenqiang Gong, Yong Guan
Research Area: Digital

Mobile devices are increasingly involved in crimes, so digital evidence on mobile devices plays an increasingly important role in crime investigations. Existing studies have designed tools to identify and/or extract digital evidence from the main memory or the file system of a mobile device. Identifying and extracting digital evidence from the logging system of a mobile device, however, is largely unexplored.

In this work, we aim to bridge this gap. Specifically, we design, prototype, and evaluate LogExtractor, the first tool to automatically identify and extract digital evidence from log messages on an Android device. Given a log message, LogExtractor first determines whether it contains a given type of evidentiary data (e.g., GPS coordinates) and, if so, extracts the value of that data.

LogExtractor takes an offline-online approach. In the offline phase, it builds an App Log Evidence Database (ALED) for a large number of apps by combining string and taint analysis of the apps' code. Each record in the ALED contains 1) the string pattern of a log message that an app may write to the logging system, represented as a deterministic finite-state automaton, 2) the types of evidentiary data that the log message includes, and 3) the segment(s) of the string pattern that carry the value of each type of evidentiary data. In the online phase, given a log message from a suspect's Android device, LogExtractor matches it against the string patterns in the ALED and, if the match succeeds, extracts the evidentiary data from it. We evaluate LogExtractor on 65 benchmark apps from DroidBench and 12.1K real-world apps. Our results show that a large number of apps write a diverse set of data to the logging system and that LogExtractor can accurately extract it.
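To make the ALED record layout and the online matching step concrete, the following Python is an added illustration written for this page; it is not LogExtractor's code and does not reproduce its analysis. It assumes a record shape (app name, log tag, an ordered list of literal and evidence-tagged segments), a set of evidence type names, and the standard logcat "brief" line format; the ALED entries and the log lines are constructed for the example. String patterns are compiled to anchored regular expressions, which recognise exactly the regular languages a DFA does, so the regex stands in for the paper's automaton representation.

```python
"""Toy App Log Evidence Database (ALED) and online log matching.

Added example, not LogExtractor's own code. Each record holds the string
pattern of one Log.* call as segments: literal text (what string analysis
would recover from the app's code) and variable segments tagged with the
evidence type that taint analysis would attach to the value flowing in.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Segment:
    text: str                              # literal text, or a name for a variable slot
    evidence_type: Optional[str] = None    # None => literal segment

@dataclass(frozen=True)
class AledRecord:
    app: str                               # hypothetical package name
    tag: str                               # logcat tag the app uses for this message
    segments: tuple

    def compile(self) -> re.Pattern:
        """Build an anchored regex from the segments; variable segments
        become named groups so the matched value can be pulled out."""
        parts = []
        for i, seg in enumerate(self.segments):
            if seg.evidence_type is None:
                parts.append(re.escape(seg.text))
            else:
                parts.append(f"(?P<v{i}>.+?)")   # non-greedy: stop at next literal
        return re.compile("^" + "".join(parts) + "$")

# Constructed ALED: two apps, two log statements, evidence types assumed.
ALED = (
    AledRecord("com.example.maps", "LocSvc",
               (Segment("lat="), Segment("lat", "gps_latitude"),
                Segment(",lng="), Segment("lng", "gps_longitude"))),
    AledRecord("com.example.chat", "Net",
               (Segment("POST "), Segment("url", "url"),
                Segment(" user="), Segment("user", "account_id"))),
)

# logcat "brief" format: LEVEL/TAG( PID): message
LOGCAT_LINE = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*\d+\):\s(?P<msg>.*)$")

def extract(line: str) -> Optional[dict]:
    """Online phase: match one logcat line against the ALED and return the
    app plus a mapping of evidence type -> extracted value, or None."""
    m = LOGCAT_LINE.match(line)
    if m is None:
        return None
    for rec in ALED:
        if rec.tag != m["tag"]:
            continue                        # cheap pre-filter before pattern match
        hit = rec.compile().match(m["msg"])
        if hit is None:
            continue
        evidence = {seg.evidence_type: hit.group(f"v{i}")
                    for i, seg in enumerate(rec.segments)
                    if seg.evidence_type is not None}
        return {"app": rec.app, "evidence": evidence}
    return None

def scan(lines) -> list:
    """Run extract() over a log dump, keeping only lines that matched."""
    return [hit for hit in (extract(l) for l in lines) if hit is not None]

# Constructed logcat dump: one GPS message, one network message, one noise line,
# and one line that shares a tag but not the pattern.
SAMPLE_LOG = [
    "D/LocSvc( 1234): lat=42.0267,lng=-93.6465",
    "I/Net( 2222): POST https://example.com/api user=alice",
    "W/ActivityManager( 300): Force finishing activity com.example.other",
    "D/LocSvc( 1234): provider=gps enabled=true",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The tag pre-filter is only an optimisation; the evidentiary decision is the full-pattern match, which is why the regex is anchored at both ends. A real database would also need to cope with patterns that differ only in their variable segments, where anchoring alone does not disambiguate which app wrote the line.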

Related Resources

Tutorial on Likelihood Ratios with Applications in Digital Forensics

This CSAFE webinar was held on September 15, 2022. Presenters: Rachel Longjohn PhD Student – Department of Statistics, University of California, Irvine Dr. Padhraic Smyth Chancellor’s Professor – Departments of…
Likelihood Ratios for Categorical Evidence With Applications in Digital Evidence

The following poster was presented at the 74th Annual Scientific Conference of the American Academy of Forensic Sciences (AAFS), Seattle, Washington, February 21-25, 2022.
Score-Based Likelihood Ratios for Camera Device Identification Using Cameras of the Same Brand for the Alternative Device Population

Score-based likelihood ratios are a statistical method for quantifying the weight of evidence and have been used in many areas of forensics, including camera device identification [1, 2, 3]. Small sensor imperfections caused…
Forensic Analysis on Cryptocurrency Wallet Apps

The following was presented at the 74th Annual Scientific Conference of the American Academy of Forensic Sciences (AAFS), Seattle, Washington, February 21-25, 2022.