Mobile Phone Forensics And Operating Systems Computer Science Essay



Every day, more and more cell phone models come onto the market, be it BlackBerry, Apple's iPhone, Android and so on. This shows that cell phones have become very important to people in their everyday lives. A phone is especially necessary for a person who is on the move, since it is how he can access email, news, calendaring and other important information. This paper mainly gives information about the forensics of mobile or cellular phones. It focuses on the detection of malicious software in mobile applications, and only on the Android operating system.


Currently, cellular phones, smartphones and PDAs carry almost the same amount of data as desktop computers. This is made possible by the many cloud synchronization applications, such as Apple MobileMe, Funambol and Microsoft ActiveSync. These features are also used in committing crimes, while wiretapping provides valuable benefits to investigations. For these reasons, the number of cellular devices involved in network crimes has increased and gained attention, and so has the need for digital forensics tools. Cellular phones carry "reasonable information" which, in an investigation, might be valuable in showing innocence or guilt. Here, "reasonable information" means data related to race or origin, political values, health conditions, trade union membership, religious faith, sexual matters or any criminal actions. It includes communication logs, jobs, appointments, contact lists, MMS, SMS and so on.

When a cellular device is analyzed, the facts determined may be given high importance in the investigation of a case. Here, proof is understood as data that has probative value and exists in binary form. In the branch of e-discovery, digital forensics is explained as a discipline that studies how digital information is extracted while investigating a crime and determining the probable hypotheses. In some scenarios, as on general desktop computers, criminals might use cellular applications to carry out scams such as stealing home banking information and other valuable documents. Applications of this type are normally referred to as "malware". In such scenarios, some proof of the fraud, and insight into it, is stored in the application. Hence, it is very important to identify the crime correctly in order to collect as much data as possible.

The solution discussed in this paper is a cellular forensics technique that helps a forensic analyst identify applications that deal with valuable information. An application is considered doubtful when the way it handles that information is not consistent with the behaviour of other applications that are part of a reference dataset of trusted applications.

Cellular Forensics

Cellular forensics, a part of digital forensics, concentrates on the recovery of digital information from cell phones under forensically sound conditions, using accepted techniques. The procedures and methods fall mainly into three areas:

(a) SIM card forensics, which aims to extract the information stored on the SIM card and to produce an image of that data.

(b) Digital information attainment, in which information is extracted from the flash memory of the cellular phone using the file system.

(c) Physical information attainment, which extracts the complete memory image bit by bit.

Even though the objectives of cellular forensics are generally the same as those of computer forensics, investigators believe that cellular forensics is far more complex. The unique features of cellular devices and their persistent qualities are challenging problems for examiners. Every manufacturer of mobile devices sets up its own features, using specific hardware, software and operating systems. Hence, acquiring information from cellular devices with forensically sound procedures is a real challenge. There are two major categories in the field of digital forensics:

Post mortem analysis: performed when the cellular phone is switched off.

Live analysis: performed while the cellular phone is turned on and certain methods are used.

However, when a cellular phone is examined, both procedures differ in many respects from the conventional techniques. Post mortem analysis, also referred to as offline analysis, is more complicated on a small scale device than on a desktop computer. The reason is that cellular phones contain an internal clock that constantly modifies the information stored in the phone's flash memory, so it is virtually impossible to produce a reliable bit-by-bit image of the complete memory. When live analysis is considered, connectivity comes into focus. The cellular phone must be kept away from any network while it is analyzed; otherwise, information that might be important for the examination may be lost. With cellular phones, preserving these requirements is a complex task, because the expanded connectivity options give the device many ways to access services on the internet.

Android OS

The Android operating system delivers an entire software stack for cell phones, comprising an operating system, middleware and important cell phone applications. This allows the manufacturer to exploit all the features and functionality of the cellular device when developing new and complex applications. Every Android application runs in its own process on Dalvik, a custom virtual machine developed for embedded use. Android depends on a modified version of the Linux kernel 2.6 for system services such as security, process management, the driver model, memory management and the network stack. It also includes Java libraries that provide the features available in the standard Java programming language, and C/C++ libraries that include the SQLite relational database management system, 3D libraries, media libraries and so on.

Android Architecture

Android Security Model - A Permission-Based Approach:

The Android security model combines the standard Linux OS features, which control security at the process level, with a permission-based mechanism. A permission is something the developer has to declare in the application so that it can interact with the system or access components of other applications. As every application runs as a separate process, applications normally can neither read nor write each other's data or code.

Figure 1: Android Security Architecture

The Android security architecture is shown in Figure 1. Sharing of data between applications must be done explicitly. After requesting permissions, an application gains access to the protected features of Android to which each permission refers. A permission is commonly a simple text string assigned to one of a predefined list of system features, for example "network" to connect to the Internet. Permissions have to be declared statically and explicitly in the application package, so that, during the operation, a user can either grant them to the application or terminate the procedure. The following listing shows an example of a permission to write data to the SD card:

Listing: An example of Android OS security permission

Each permission contains the following attributes: name, description, label and the protection level.
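To make the permission attributes concrete, here is an added example (not part of the original essay) that reads the requested and the defined permissions out of an Android manifest. It assumes the manifest has already been decoded to text XML; the manifest is constructed and its `com.example` names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in decoded text form; the com.example names are hypothetical.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <permission android:name="com.example.notes.permission.READ_NOTES"
                android:label="@string/perm_label"
                android:description="@string/perm_desc"
                android:protectionLevel="dangerous"/>
    <permission android:name="com.example.notes.permission.PING"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Names in <uses-permission>: what the app asks to be granted."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID + "name") for e in root.iter("uses-permission"))
    return sorted(n for n in names if n)  # skip malformed entries without a name

def defined_permissions(manifest_xml):
    """<permission> elements: permissions the app itself defines."""
    root = ET.fromstring(manifest_xml)
    out = []
    for e in root.iter("permission"):
        out.append({
            "name": e.get(ANDROID + "name"),
            "label": e.get(ANDROID + "label"),
            "description": e.get(ANDROID + "description"),
            # Android treats a missing protectionLevel as "normal".
            "protectionLevel": e.get(ANDROID + "protectionLevel", "normal"),
        })
    return out

if __name__ == "__main__":
    print(requested_permissions(MANIFEST))
    for p in defined_permissions(MANIFEST):
        print(p["name"], p["protectionLevel"])
```
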

Android Threats:

Android is regarded as a secure application platform because it is open source and based on the Linux kernel. Although the Android malware market is still at an early stage, the exposure of some malicious applications on the Android Market has confirmed that the platform can easily be taken advantage of by attackers.

Recently, an SMobile report that considered 48,694 applications found 29 of them, available in the Android Market, to be possible spyware, while another 383 are able to access authentication credentials stored on the cellular phone. Some common features reported by that study are presented with a case study in the later part of the paper. The report stresses that anti-malware systems and their tests, as well as forensics techniques, need to be developed immediately for use against the applications under examination.

Specifically, the report says that applications declaring particular combinations of permissions may be notable, suspicious or spyware. The SMobile technique is not fully disclosed, so an accurate comparison with the technique proposed in this paper cannot be made. Nevertheless, from the concepts that are disclosed, the SMobile technique is quite different from the technique described in this paper, although its identification of "notable permissions" in Android applications is similar to the treatment of valuable data described later.

"DROID09" is an example of an Android application, developed and introduced into the Android Market in January 2010. The application was described as very useful for online banking services: it was supposed to connect the user to the desired bank's web page and perform transactions.

It turned out, however, that it only provided a web browser connection and was in fact stealing users' online banking credentials. It is not known exactly how the application carried out the scam, how long it was in the Android Market, or how many users downloaded it before it was removed. To develop effective forensics tools, a plain definition is needed of which kinds of application are to be considered suspicious on Android. Applications can be considered malware if they are able to capture a user's sensitive data in a specific way and pass it outside the local system.


At present, most cellular operating systems give users an application portal in which they can look for applications made available by third-party developers. Finding new applications is nevertheless a difficult job: portals offer thousands of applications, and users usually have to try many before finding the one they want. This is where AppAware helps, by letting users discover the applications they are looking for in a serendipitous way. AppAware captures and shares the installations, updates and removals of Android applications.

Threat models

Depending on the threats they face, smartphone users can be divided into two distinct populations: low-value targets (LVT) and high-value targets (HVT). The core difference from LVTs is that HVTs are sufficiently attractive that adversaries will consider attacks that require physical access to an HVT's phone, acquired momentarily by means of personal espionage or other attacks.


The principal purpose of the methodology is to detect suspicious applications using Android security permissions, mainly those related to personal information such as credentials, contacts, calendar events, email and SMS/MMS. Each application must declare in advance the permissions it requires with respect to the operating system and the other applications. This security constraint makes it possible to distinguish the data an application is meant to access from the data it is not, and so prevents undesired access. Profiles of sensitive data access are defined, each distinguished by a specific set of permissions. Given this reference model, it is possible to detect whether an application has a different set of security requirements from the other applications in the same profile, so that an analyst can detect the inconsistencies. Although the method does not directly establish that an application is malicious, it flags situations that require additional attention. In this way, the methodology exposes applications that are disguised to deceive users into believing they are something else, a game for instance. It could also be used by ordinary users to check whether an application's permission requests are consistent with those of its direct competitors. However, this use is still under consideration and has not been made part of the work.

The downside of this approach is that it cannot identify malicious software that exploits Android vulnerabilities, for example through Android native code. This limitation was recently demonstrated on the basis that no permission is needed to access internal Android APIs, which means that no methodology based on permission analysis can be effective in identifying such applications.

This method involves the following steps:

Definition of a number of application classification profiles, associated with the handling of the sensitive data types managed on an Android mobile phone.

Evaluation of the permissions declared by a significant set of application tools.

Analysis of association rules on the basis of the various classification profiles.

Determination of a reference set of permissions for each classified profile.

Before the method is applied, a set of classification profiles is defined to describe applications that have access to sensitive data. This classification is based on an analysis of the default set of Android permissions, taking into account the features connected with each sensitive data category. An application can be analyzed against multiple profiles, provided they correspond to specific functionality offered by the application. As the second step, a survey was conducted of the permissions requested by the most common applications, using AppAware. In this way, information has so far been gathered on 13,098 selected applications (out of over 42,000). The applications in the dataset were chosen so that they were not reported as malicious in users' comments and so that permissions data was available for them; both kinds of information are provided by AppAware. In addition, the chosen applications are distributed worldwide and cover the majority of the categories available in the Android Market, so the sample can be considered heterogeneous enough for almost any purpose.

For each application, the permissions taken are those declared at installation on the devices of AppAware clients.

The third step was the analysis of the dataset with the Apriori algorithm, using different parameters, so as to group the applications on the basis of their similarities. Apriori is a technique used in association rule mining, the process of finding frequent patterns, associations and correlations between sets of items in a database.

The rule mining process consists of two basic steps:

A. Detect all frequent item sets. An item set is frequent if its support is greater than the minimum support. The support of an item set is a measure of how frequently the item set occurs in a given set of transactions.

B. Generate the association rules that have high confidence from the frequent item sets identified in the first step. Confidence is a measure of how frequently the items Y appear in transactions that contain the items X.

The Apriori algorithm performs these two steps with a "bottom up" approach: frequent subsets are extended one item at a time, and the resulting candidates are tested against the data. The outcome of this step is a list of item sets, grouped by the number of simultaneous attributes. Refer to section 6 for an illustration.

The fourth step involves determining the fitting clusters of applications, based on the support. With this, it is possible to consider the set of rules that depend directly on the selected clusters, and to determine that the clusters represent a typical configuration for applications that deal with the specific valuable information profile under consideration.
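The two rule-mining steps and the derivation of a reference permission set can be followed in this added example, which is not the essay's or AppAware's code. The app names and permission sets are constructed, and treating the reference set as the permissions found in any frequent item set is an assumption made here.

```python
from itertools import combinations

# Constructed sample: permissions declared by apps in one "SMS" profile.
# App names are hypothetical; permission names are standard Android ones.
SMS_PROFILE = {
    "sms_backup":   {"READ_SMS", "WRITE_EXTERNAL_STORAGE"},
    "sms_popup":    {"READ_SMS", "RECEIVE_SMS", "VIBRATE"},
    "sms_schedule": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS"},
    "sms_widget":   {"READ_SMS", "RECEIVE_SMS"},
    "sms_export":   {"READ_SMS", "WRITE_EXTERNAL_STORAGE", "RECEIVE_SMS"},
}

def support(itemset, transactions):
    """Fraction of transactions (apps) declaring every permission in itemset."""
    return sum(itemset <= t for t in transactions) / len(transactions)

def apriori(transactions, min_support):
    """Step A: bottom-up search for item sets with support > min_support."""
    level = {frozenset([p]) for t in transactions for p in t}
    frequent = {}
    while level:
        kept = {c: s for c in level if (s := support(c, transactions)) > min_support}
        frequent.update(kept)
        # Join survivors; prune candidates that have an infrequent subset.
        joined = {a | b for a in kept for b in kept if len(a | b) == len(a) + 1}
        level = {c for c in joined
                 if all(frozenset(s) in kept for s in combinations(c, len(c) - 1))}
    return frequent

def rules(frequent, min_conf):
    """Step B: rules X -> Y with confidence = support(X and Y) / support(X)."""
    found = []
    for itemset, s in frequent.items():
        for k in range(1, len(itemset)):
            for x in map(frozenset, combinations(itemset, k)):
                conf = s / frequent[x]
                if conf >= min_conf:
                    found.append((x, itemset - x, conf))
    return found

def reference_set(profile, min_support):
    """Assumption of this example: the reference permissions of a profile
    are those that appear in at least one frequent item set of its apps."""
    return frozenset().union(*apriori(list(profile.values()), min_support))

def unusual_permissions(declared, reference):
    """Permissions an app declares beyond its profile's reference set."""
    return set(declared) - reference

if __name__ == "__main__":
    for x, y, conf in rules(apriori(list(SMS_PROFILE.values()), 0.3), 0.9):
        print(sorted(x), "->", sorted(y), f"confidence {conf:.2f}")
    candidate = {"READ_SMS", "RECEIVE_SMS", "INTERNET", "READ_CONTACTS"}
    print("review:", sorted(unusual_permissions(candidate, reference_set(SMS_PROFILE, 0.3))))
```

The permissions returned for the candidate are the ones an analyst would look at first; as the essay notes, they mark an inconsistency with the profile, not proof that the application is malicious.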