Presentation Material
Abstract
Smartphones are used in cyber crimes: shooting illegal videos, sexual harassment, terrorist communication and financial fraud. The talk starts with a brief introduction to Android internals (the Dalvik VM, SQLite databases and the underlying Linux kernel) and then covers the steps of a forensic investigation in the Android context:
- Seizing the phone and preserving its state so that no important data is lost.
- Taking an image of the phone memory and of the memory card. On Android the device must be rooted first before a bit-by-bit image of internal storage can be taken.
- Recovering useful data from the image. Device memory can contain extremely valuable data: the contact list, call logs, SMS, e-mail, passwords, application data and phone data.
- Analysing the data to discover evidence, including decrypting encrypted files, cracking passwords and recovering deleted files.
- Maintaining the chain of custody so that the evidence can be presented in a court of law.
The presentation also demonstrates:
- Rooting an Android phone
- Taking an image and discovering evidence
Takeaways for the audience:
- Insights into the Android system
- Techniques and concepts to recover and analyse evidence from an Android phone
- Live forensics for the Android system
AI Generated Summary
The talk presented an overview of forensic procedures for Android devices in cybercrime investigations. It emphasized Android’s market dominance and its role as a repository for diverse sensitive data, including financial transactions, communications, and location history, making it critical in cases ranging from software theft and terrorism to harassment and murder.
Key technical techniques focused on the forensic imaging process. For external memory cards, using a write-blocker and the open-source tool VNX to create a bit-by-bit DD image was demonstrated, giving a complete, forensically sound copy that includes unallocated space and therefore deleted data. Hashing (MD5/SHA) both the original and the image was stressed to verify integrity and establish the chain of custody, with the hash checked again whenever the evidence changes hands. Imaging the internal Android storage was noted as more complex because of its flash-oriented file systems (YAFFS2 on older devices, ext4 on newer ones) and permission restrictions. Rooting the device, i.e. gaining superuser access via tools like the CF-Root kernel and Odin, was identified as necessary to reach system directories and deleted artifacts, though this process inherently alters the device and can compromise admissibility in court. Consequently, the speaker distinguished between corporate forensics, where open-source tools and rooting may be acceptable, and legal proceedings, which require validated commercial forensic toolkits that can acquire images without modifying the device.
Practical takeaways included strict seizure protocols: preserving the device's power state, photographing the scene and the display, and collecting all associated media. Analysing the handset and the memory card separately was highlighted. The presentation underscored that while open-source tools are useful for learning and internal investigations, maintaining evidentiary standards in legal contexts demands licensed tools and methods that do not alter the original evidence.
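The memory-card acquisition described in the abstract's steps and in the summary above, as an added example that is not the speaker's material or tooling: a POSIX shell script that images a card bit for bit with dd, hashes source and image with MD5 and SHA-256, refuses to proceed on a mismatch, appends a chain-of-custody record, re-verifies the image when it changes hands, and sweeps the raw image for artifacts so that hits in unallocated space are found too. The seized card is a constructed 16 KiB sample file standing in for a block device (in practice /dev/sdX behind a hardware write-blocker); the log format, function names, case identifier and examiner name are assumptions.

```shell
#!/bin/sh
# Added example, not the speaker's script: dd acquisition of a memory card,
# hash verification of source and image, chain-of-custody log and a raw
# keyword sweep. Assumes Linux with GNU coreutils or BusyBox (dd, md5sum,
# sha256sum). Paths, log format and case/examiner names are assumptions.
set -e

# Constructed stand-in for a seized microSD card: 16 KiB of random bytes with
# one plaintext SMS fragment written at offset 1024, where a deleted file or
# unallocated space would leave it on a real card.
make_sample_card() {
    dd if=/dev/urandom of="$1" bs=512 count=32 2>/dev/null
    printf 'sms: +919999999999 meet at 9pm' |
        dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# acquire_image SOURCE IMAGE CASEID LOGFILE EXAMINER
# Bit-for-bit copy of SOURCE to IMAGE. bs must equal the device sector size:
# conv=noerror,sync zero-pads a short read so one bad sector does not abort
# the acquisition, but a bs larger than the sector size would also pad the
# tail and the image hash would no longer match the source. Both objects are
# hashed with MD5 and SHA-256; on mismatch nothing is logged and 1 is returned.
acquire_image() {
    src="$1"; img="$2"; caseid="$3"; log="$4"; examiner="$5"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    src_sha=$(sha256sum "$src" | cut -d' ' -f1)
    img_sha=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_md5" != "$img_md5" ] || [ "$src_sha" != "$img_sha" ]; then
        echo "HASH MISMATCH for $img: source $src_sha image $img_sha" >&2
        return 1
    fi
    # Custody record: caseid|utc timestamp|source|image|md5|sha256|examiner
    printf '%s|%s|%s|%s|%s|%s|%s\n' "$caseid" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$img_md5" "$img_sha" "$examiner" >> "$log"
}

# verify_image IMAGE LOGFILE
# Re-hash IMAGE and compare with the SHA-256 recorded at acquisition time.
# Run it each time the image changes hands and before analysis starts;
# returns 1 if the image was altered or was never logged.
verify_image() {
    img="$1"; log="$2"
    logged=$(grep -F "|$img|" "$log" | tail -n 1 | cut -d'|' -f6)
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    if [ -n "$logged" ] && [ "$logged" = "$actual" ]; then
        return 0
    fi
    return 1
}

# count_artifacts IMAGE PATTERN
# Sweep the raw image rather than a mounted filesystem, so the pattern is
# also found in unallocated space and in deleted files. Prints the number
# of matching lines (0 if none).
count_artifacts() {
    grep -a -c -- "$2" "$1" || true
}

# Stand-alone demo: sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_card "$work/card.raw"
    acquire_image "$work/card.raw" "$work/card.dd" CASE-001 "$work/custody.log" analyst1
    verify_image "$work/card.dd" "$work/custody.log" && echo "image verified against custody log"
    echo "SMS hits in raw image: $(count_artifacts "$work/card.dd" 'sms: +91')"
    cat "$work/custody.log"
fi
```

Plain dd has no on-the-fly hashing, which is why the script hashes source and image separately afterwards; the forensic variants dcfldd and dc3dd hash while copying and log bad sectors, and are the better choice on a real case. Whatever tool is used, the source must sit behind a write-blocker, since nothing in the script itself prevents a write to the card.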