Forensic Aspect of Remote Wiping in Android
Presented by: Ming Di Leom
Supervisor: Dr. Kim-Kwang Raymond Choo
Structure
• Background
• Thumbnail recovery
• Effectiveness of remote wiping apps
• Discussion
• Future research
Background
• In August 2013, Google announced Android Device Manager (ADM).
• Remotely locate, ring, or erase (factory reset) your Android device.
• Available to Android v2.3 (Gingerbread) and above (~99%).
• No setup or installation required.
  • Automatically installed through Google Play Services.
• Only a Google Account is needed.
• The remote wipe feature is not new in Android.
  • Previously offered to Google Apps customers, or via third-party apps (e.g. anti-virus).
Research motivation
• ADM makes remote wiping an official (built-in) feature in Android.
• This means most Android phones are already equipped with remote wiping capability.
• Previous studies have shown that factory reset is ineffective.
Thumbnail recovery
Preliminary study
• Repeat the experiment done by a previous study (Schwamm 2014).
  • Using an older Android device (Nexus S vs. Samsung S3).
  • Attempt to recover camera photos.
• Using similar forensic software to recover photos.
  • Recovery rate is much lower (~50% vs 100%).
  • Why?
  • Let's try to recover manually.
Schwamm, R 2014, 'Effectiveness of the factory reset on a mobile device', Master's thesis, Naval Postgraduate School, Monterey, California, USA.
[Figure: recovered photo compared with the original]
Fragmentation
• However, not all kinds of files are fragmented.
  • e.g. thumbnails
  • Smaller version of the original picture.
  • Less likely to be fragmented.
Thumbnail recovery
• Structure of thumbnail cache
  • Existing (free) file recovery tools can be tweaked to target thumbnails only.
  • Reduces false positives.
Result*
Thumbnail type                                 | Thumbnails recovered                                | Percentage
200 x 200 resolution thumbnail in thumbcache   | 10/10                                               | 100%
VGA resolution thumbnail in thumbcache         | 3/10 (9/10 if fragmented thumbnails are included)   | 30%
Embedded thumbnail in JPEG file                | 10/10                                               | 100%
(* After factory reset)
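An added sketch (not code from the presentation) of how a signature carver can be narrowed to thumbnails only: it validates the JPEG marker chain and keeps only frames whose dimensions match the wanted thumbnail sizes, which is what discards false positives. It assumes thumbnails are stored as contiguous JPEG streams; the function names, the size cap and the sample buffer are constructed for illustration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended, progressive frame headers

def jpeg_frame_info(buf, start):
    """Walk marker segments after SOI; return (width, height, scan_offset) or None."""
    pos, dims = start + 2, None
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None  # broken segment chain: a stray FF D8, not a JPEG header
        marker = buf[pos + 1]
        (length,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if length < 2:
            return None
        if marker in SOF_MARKERS and pos + 9 <= len(buf):
            height, width = struct.unpack(">HH", buf[pos + 5:pos + 9])
            dims = (width, height)
        if marker == 0xDA:  # start of scan: header is complete
            return dims + (pos + 2 + length,) if dims else None
        pos += 2 + length
    return None

def carve_thumbnails(image, sizes=((200, 200),), max_bytes=64 * 1024):
    """Return (start, end, width, height) for contiguous JPEGs of the wanted sizes."""
    hits, pos = [], image.find(SOI)
    while pos != -1:
        info = jpeg_frame_info(image, pos)
        if info and info[:2] in sizes:
            end = image.find(EOI, info[2], pos + max_bytes)  # assumed size cap
            if end != -1:
                hits.append((pos, end + 2, info[0], info[1]))
        pos = image.find(SOI, pos + 2)
    return hits

def fake_jpeg(width, height):
    """Constructed sample: valid marker chain only, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app0 + sof0 + sos + b"\x11" * 32 + EOI

# Constructed stand-in for a raw dump: 200x200 thumbnail, stray FF D8, VGA image.
SAMPLE = (bytes(100) + fake_jpeg(200, 200) + b"\xff\xd8 not a jpeg"
          + bytes(50) + fake_jpeg(640, 480) + bytes(20))

if __name__ == "__main__":
    for start, end, w, h in carve_thumbnails(SAMPLE):
        print(f"{w}x{h} thumbnail at bytes {start}-{end}")
```

Passing `sizes=((200, 200), (640, 480))` also returns the VGA-sized entry; fragmented files are not reassembled by this approach.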
Effectiveness of remote wiping/factory reset in 3rd-party apps
Effectiveness of remote wiping/factory reset
• Schwamm (2014) tested the default factory reset function.
• 7 apps were tested against the default.
  • Compare the recovery rate.
  • 2 apps offer "secure" wiping, which should make the files unrecoverable.
  • Tested on 3 mobile devices:
    • Moto G (< 3 months of usage, using new file system)
    • Nexus S (> 3 years of usage, older file system)
    • Nexus 4 (~2 years of usage, most common file system, test still ongoing)
Results:
• 1 app's default wipe method removes almost nothing.
  • Out of the 2 apps which offer secure wiping, only 1 is more effective.
  • Even with secure wiping, data recovery is still possible.
  • Almost all apps are similar to the default.
  • Very low recovery rate on Moto G (secure wiping or not).
Discussion
• The data remnant issue can be solved through full-disk encryption.
  • Introduced in Android 4.0 (Ice Cream Sandwich).
  • Default in Android 5.0 (Lollipop).
• However, 4 months after the Android Lollipop release, encryption is back to optional due to performance issues on current hardware.
• Recommendation:
  • Enable full-disk encryption if possible.
  • Secure wiping, although not very effective, is better than nothing.
Future research
• Thumbnail recovery
  • More photo gallery apps
  • More devices (i.e. camera resolution)
• Effectiveness study
  • Secure wiping method used.
  • Which factors (usage, file system) affect the recovery rate, and how.
Q & A