Forensic Aspect of Remote Wiping in Android

Presented by: Ming Di Leom

Supervisor: Dr. Kim-Kwang Raymond Choo

Structure

• Background• Thumbnail recovery• Effectiveness of remote wiping apps• Discussion• Future research

2

Background

• In August 2013, Google announced Android Device Manager (ADM).

• Remotely• Locate• Ring• Erase (factory reset) your Android device

• Available to Android v2.3 (Gingerbread) and above (~99%).

• No setup or installation required.• Automatically installed through Google Play Service.

• Just need Google Account.

• Remote wipe feature is not new in Android.• Previously offered to Google Apps customer, or via

third party app (e.g. anti-virus).

Research motivation

• ADM marks remote wiping as official (built-in) feature in Android.

• This means most Android phone is already equipped with remote wiping capability.

• Previous studies have shown factory reset is ineffective.

Thumbnail recovery

8

Preliminary study

• Repeat the experiment done by previous study (Schwamm 2014).• Using older Android device (Nexus S vs. Samsung S3).• Attempt to recover camera photos.

• Using similar forensic software to recover photos.• Recovery rate is much lower (~50% vs 100%)• Why?• Let’s try to manually recover

Schwamm, R 2014, 'Effectiveness of the factory reset on a mobile device', Master's thesis, Naval Postgraduate School, Monterey, California, USA.

Recovered Original

Fragmentation

• However, not all kind of files are fragmented.• e.g. thumbnail• Smaller version of original picture.• Less likely to be fragmented.

Thumbnail recovery

• Structure of thumbnail cache• Existing (free) file recovery tool can be tweaked to

target thumbnail only.• Reduce false positive

Result*

Thumbnail type Thumbnails recovered Percentage

200 x 200 resolution thumbnail in thumbcache 10/10 100%

VGA resolution thumbnail in thumbcache 3/10 (9/10 if include

fragmented thumbnail)30%

Embedded thumbnail in JPEG file 10/10 100%

(* After factory reset)

Effectiveness of remote wiping/factory resetIn 3rd-party app

15

Effectiveness of remote wiping/factory reset

• Schwamm, (2014) tested default factory reset function.

• 7 apps were tested against the default.• Compare the recovery rate.• 2 apps offer “secure” wiping, which should make the

files unrecoverable.• Test on 3 mobile devices:

• Moto G (< 3 months of usage, using new file system)• Nexus S (> 3 years of usage, older file system)• Nexus 4 (~2 years of usage, most common file system,

test still ongoing)

Results:

• 1 app default wipe method remove almost nothing• Out of 2 apps which offer secure wiping, only 1 is

more effective.• Even with secure wiping, data recovery is still

possible• Almost all apps are similar to default’s.• Very low recovery rate on Moto G (secure wiping or

not)

Discussion

• Data remnant issue can be solved through full-disk encryption• Introduced in Android 4.0 (Ice Cream Sandwich)• Default in Android 5.0 (Lollipop)

• However, 4 months after Android Lollipop release, encryption is back to optional due to performance issue of current hardware.

• Recommendation:• Enable full-disk encryption if possible• Secure wiping, although not very effective, but better than

nothing.

Future research

• Thumbnail recovery• More photo gallery apps• More devices (i.e. camera resolution)

• Effectiveness study• Secure wiping method used.• Which/how factor (usage, file system) affects recovery

rate.

19

Q & A

20