Android (mobile) Forensics

(@mrwh1t3)
Posts: 41
Eminent Member
Topic starter
 

I am curious. There are a lot of good starting points for Windows Forensics, but I am having a hard time getting started with Android Forensics. I know ahoog will be putting out a book on Android Forensics sometime in June I believe, and I am SOOO looking forward to that.

In the meantime, can anyone offer any good starting points? For Windows you have File System Forensics, Windows Forensics, Registry Forensics, TONS of blogs, etc., but I can't find much of anything for Android even using Google. I find the viaForensics blog and that's about it.

I guess I am looking for some help on getting started. Would a book on ext4 be a good start, considering the move to ext4 with Honeycomb? I have been playing with the Android emulator pulling off some of the com object databases for various apps (Facebook - fb.db), but outside of that I don't really know where to start.

I will be going to SANS FOR408 in March (Orlando, FL), but that's not Mobile (I couldn't justify it because we don't do ANY forensics at my job). I was able to get the training because I can look for reg keys, etc. using our Host Based IDS system, etc.

Anyway, I hope you guys can provide me with a good starting point. I don't want to learn to use a tool. I want to learn how to REALLY do Android forensics.

 
Posted : 08/02/2011 11:25 am
(@trewmte)
Posts: 1877
Noble Member
 

I don't want to learn to use a tool. I want to learn how to REALLY do Android forensics.

Superb! A man after my own heart.

The "forensic" path will be difficult largely due to the fundamental information about Android being scattered in different locations and then the various sources need to be brought together so you can get to where you want. A good place to begin is, funnily enough, at the beginning. To learn how to forensically analyse Android you firstly need to know what Android is and how to gain access. Here is a good place to start:

http://developer.android.com/

I would suggest you do not try and absorb everything straightaway. Select something that gives you a mental hook - choose a particular topic that you feel comfortable with - to work with and then work backwards, not forwards.

Also, remember Android is a 'platform' and not a specific mobile phone. Some articles you may read might have you wondering.

 
Posted : 08/02/2011 12:42 pm
(@alexc)
Posts: 301
Reputable Member
 

The emulator which comes with the SDK is invaluable here - lets you see how the platform operates while you have root access. You can take a look around, install apps, see what artifacts they leave with full access.

The other side is getting that access on an actual handset. You might want to check out some of the research Andrew Hoog has done at Via Forensics - he also runs some excellent training.

 
Posted : 08/02/2011 3:40 pm
(@mrwh1t3)
Posts: 41
Eminent Member
Topic starter
 

The other side is getting that access on an actual handset. You might want to check out some of the research Andrew Hoog has done at Via Forensics - he also runs some excellent training.

Yeah, I grabbed myself a G1 off the Internet (ebay). I'm looking forward to getting that into my hands.

I sent viaforensics an email today asking if they have online training or some kind of self-paced option. I can't justify through work going to Android forensics. Heck, we can't even have cell phones in the office I work at. I was hoping there was some kind of self-paced option out there.

 
Posted : 08/02/2011 4:24 pm
(@jmech)
Posts: 40
Eminent Member
 

http://www.ssddfj.org/papers/SSDDFJ_V4_1_Lessard_Kessler.pdf

Hope this might be of some help.

 
Posted : 08/02/2011 8:28 pm