
Android Forensic Tool - Compromised Kernel Question  


This comment was received at a project mid defense and I would like to get comments on it. So I am posting it here.

The project is about Android forensics and I claimed that the tool does physical acquisition using the dd utility and file system partition acquisition too.

The panel said if the target device is compromised, in my method I depend on that compromised kernel. So the output is not trustworthy.

Please comment on this. I need to gather your ideas on the statement.

P.S. The answer I gave at that moment was that if we do not depend on those two methods and claim the process is not reliable and should not be used, the only option is to do a JTAG acquisition. It is expensive and not everybody can afford such methods. Further, it is not suitable for every instance.

Posted : 27/01/2015 10:24 am
Active Member

You need to make them understand the internals of the Android OS, and again it depends on the make of the mobile running Android.

For example, this is the layout of one Android phone:

[email protected]/ # cat /proc/emmc
dev size erasesize name
mmcblk0p17 00040000 00000200 "misc"
mmcblk0p21 0087f400 00000200 "recovery" (holds the recovery program (clockworkmod))
mmcblk0p22 00400000 00000200 "boot" (bootloader, kernel)
mmcblk0p25 22dffe00 00000200 "system" operating system goes here
mmcblk0p29 002ffc00 00000200 "local"
mmcblk0p27 090ffe00 00000200 "cache" cached data from OS usage
mmcblk0p26 496ffe00 00000200 "userdata" user applications, data, settings, etc.
mmcblk0p30 014bfe00 00000200 "devlog"
mmcblk0p31 00040000 00000200 "pdata"
mmcblk0p28 09800000 00000200 "lib"

What we present in court most of the time is the data within "userdata" and "system", which has nothing to do with the KERNEL. So you can notice that BOOT is in a different partition, which is basically the KERNEL, the start-up brain of the mobile device that prepares and presents the GUI and functionality of the mobile to the user.

So even if the kernel is compromised, the data is still intact as they are both in different partitions; the same goes for loading a custom ROM, which changes the recovery partition.

Posted : 27/01/2015 11:15 am