I was wondering if anyone could provide some advice. I'm trying to learn about the iOS/Android OS and one thing I wanted to understand is what changes apps make to the OS upon installation etc. The way I am thinking about testing is by using a clean installation of Android/iOS, then installing an app, and then investigating any changes that app made across the filesystem. Hopefully this will help me understand 1) how the OSes work and 2) how in a forensic examination I could identify apps that may have been previously installed (potentially).
What I am after is a piece of software that could take my fresh image of an Android/iOS filesystem and also the image with an app installed and highlight any changes in the filesystem, whether that be folder creation, file creation or file modification etc., and then within the file highlight any differences.
Does anyone know of any freeware/shareware or paid-for product that comes close to what I have attempted to explain? oops
One easy suggestion would be to use UFED Physical Analyzer and write a simple Python script that will run and compare the files from 2 or more opened projects and output only the difference.
Actually, this is something that we have in the pipeline.
I love the way people who know coding/programming refer to things as "simple" lol
But I would love to see that kind of functionality on PA )
The way I am thinking about testing is by using a clean installation of Android/IOS and then installing a app and then investigating any changes that app made across the Filesystem.
gilly_uk, you may find you get some ideas for what you may want to compare by looking at what these apps/tools do?
In terms of getting the file extractions, on Android anyway, as long as you're happy to get shell root on the device an ADB pull of the appropriate volumes is straightforward; even easier, download the Android SDK and work from within emulators - a great way to learn about how Android works.
In terms of file system comparisons, one method for doing quick comparisons of file system extractions I've used before (and I'm now assuming you're on Windows, apologies if this isn't the case) is to put the two extractions in folders and use Jesse Kornblum's md5deep (http://md5deep.sourceforge.net/) to do a recursive hash of the files in all the sub-folders. Pipe the outputs to a text file and then sort and diff (or uniq) the two files. No programming required, just a little command-line-fu!
Hope that helps, let me know if anything's unclear.
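The recursive-hash-then-diff workflow described above, written out as an added Python example (not code from this thread or from md5deep): it hashes every file under two extraction folders and reports created, deleted and modified paths. The "clean" and "installed" trees, and the package name com.example.app, are constructed sample data built in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Recursively hash every regular file under root (like md5deep -r),
    returning {relative_posix_path: sha256_hex}."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(before, after):
    """Compare two hashed trees: paths only in 'after' were created, paths only
    in 'before' were deleted, paths in both with differing hashes were modified."""
    b, a = hash_tree(before), hash_tree(after)
    created = sorted(set(a) - set(b))
    deleted = sorted(set(b) - set(a))
    modified = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed sample: a 'clean' extraction and one taken after an app install."""
    base = Path(tempfile.mkdtemp())
    clean, installed = base / "clean", base / "installed"
    for root in (clean, installed):
        (root / "data/system").mkdir(parents=True)
        (root / "data/system/packages.xml").write_text("<packages/>\n")
        (root / "data/system/uiderrors.txt").write_text("")
    # Simulated install: new app data directory, rewritten packages.xml, one file removed
    app_dir = installed / "data/data/com.example.app"
    app_dir.mkdir(parents=True)
    (app_dir / "db.sqlite").write_bytes(b"SQLite format 3\x00")
    (installed / "data/system/packages.xml").write_text(
        "<packages><package name='com.example.app'/></packages>\n")
    (installed / "data/system/uiderrors.txt").unlink()
    return diff_trees(clean, installed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```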
On the iOS platform, with newer OS versions, you may be able to identify the Apps which have previously been installed by looking in the SafeHarbor. Here you will find all of the user specific data from deleted applications, docked in the harbor waiting anxiously for the user to reinstall the application so that the data can be moved back to the Application folder. If I remember correctly there are also plists which contain details of when the data was docked in the harbor, i.e. when the app was uninstalled.
Thanks guys, I'm going to try each method out and see how well it works. The Python one I might personally have to give a miss as I can't program, but I'm sure one of my colleagues could do it on my behalf.
You should learn Python. Everyone should. It's a lovely, easy, useful language!