Ivo Pooters (Senior Digital Forensic Investigator, Fox-IT)

PRESENTATION TITLE: Turning Android Inside Out

PRESENTATION ABSTRACT:

In 2011 a team of Fox-IT forensic experts won the DFRWS 2011 challenge which focused on advancing forensic analysis of Android mobile devices. This presentation shows how the challenge was completed and discusses some of the results in detail such as carving of SQ lite databases, understanding YAFFS2 file systems and visualization of the facts. The winning submission for the DFRWS2011 Forensics Challenge was created by Ivo Pooters, Steffen Moorrees & Pascal Arends from Fox-IT in the Netherlands and has multiple parts:

o An open source toolkit for extracting and analyzing data stored on Android devices;
o The analysis of the Challenge scenario that addresses the scenario questions;
o Tool output organizing extracted data to facilitate analysis;
o Technical documentation detailing the data structures and low-level analysis required to develop tools.

The submission developed Python utilities for extracting information from the Android data in both scenarios. For the Scenario 1, data structures were carved from the dd image. For the Scenario 2, the YAFFS2 file system was mounted in Linux and information was extracted from files and databases on the system. The report provided a great overall synthesis of evidence and application to the overall scenario, including an analysis of malware installed on one device. The analysis culminated with an impressive visual reconstruction of evidence.

ABOUT IVO POOTERS

Ivo Pooters is a senior digital forensic investigator and trainer at Fox-IT. He graduated from the Technical University of Eindhoven in the area of mobile device forensics on forensic data acquisition from smart phones. Ivo has been in charge of numerous digital investigations and is specialized in the area of mobile device forensics. He has published in the digital investigations magazine and presented at international summits on the topic of digital forensics on Android devices.