A Dynamic Taint Analysis Tool for Android App Forensics

dc.contributor.author Xu, Zhen
dc.contributor.author Shi, Chen
dc.contributor.author Cheng, Chris
dc.contributor.author Gong, Neil
dc.contributor.author Guan, Yong
dc.contributor.department Center for Statistics and Applications in Forensic Evidence
dc.contributor.department Electrical and Computer Engineering
dc.date 2020-08-07T13:45:51.000
dc.date.accessioned 2021-02-25T00:40:46Z
dc.date.available 2021-02-25T00:40:46Z
dc.date.copyright Mon Jan 01 00:00:00 UTC 2018
dc.date.embargo 2020-08-07
dc.date.issued 2018-01-01
dc.description.abstract The plethora of mobile apps introduces critical challenges to digital forensics practitioners, due to the diversity and the large number (millions) of mobile apps available to download from Google Play, Apple store, as well as hundreds of other online app stores. Law enforcement investigators often find that seized mobile phones contain many popular and less-popular apps with interfaces in different languages and with different functionalities. Investigators cannot have sufficient expert knowledge about every single app, and sometimes lack even a very basic understanding of what evidentiary data could be discoverable from the mobile devices being investigated. Existing literature in the digital forensics field shows that most such investigations still rely on the investigator's manual analysis using mobile forensic toolkits like Cellebrite and EnCase. The problem with such manual approaches is that there is no guarantee of the completeness of such evidence discovery. Our goal is to develop an automated mobile app analysis tool that analyzes an app and discovers what types of forensic evidentiary data the app generates and where it stores them, locally on the mobile device or remotely on external 3rd-party server(s). With the app analysis tool, we will build a database of mobile apps, and for each app, we will create a list of app-generated evidence in terms of data types, locations (and/or sequence of locations) and data format/syntax. The outcome of this research will help digital forensic practitioners reduce the complexity of their case investigations and provide a better completeness guarantee of evidence discovery, thereby delivering timely and more complete investigative results, and eventually reducing backlogs at crime labs. In this paper, we present the main technical approaches we use to implement a dynamic taint analysis tool for Android app forensics.
With the tool, we have analyzed 2,100 real-world Android apps. For each app, our tool produces the list of evidentiary data (e.g., GPS locations, device ID, contacts, browsing history, and some user inputs) that the app could have collected and stored on the device's local storage in the form of files or SQLite databases. We have evaluated our tool using both benchmark apps and real-world apps. Our results demonstrated the initial success of our tool in accurately discovering the evidentiary data.
dc.description.comments This is a manuscript of a proceeding published as Xu, Zhen, Chen Shi, Chris Chao-Chun Cheng, Neil Zhengqiang Gong, and Yong Guan. "A dynamic taint analysis tool for android app forensics." In 2018 IEEE Security and Privacy Workshops (SPW), pp. 160-169. IEEE, 2018. Posted with permission of CSAFE.
dc.format.mimetype application/pdf
dc.identifier archive/lib.dr.iastate.edu/csafe_conf/66/
dc.identifier.articleid 1065
dc.identifier.contextkey 18817932
dc.identifier.s3bucket isulib-bepress-aws-west
dc.identifier.submissionpath csafe_conf/66
dc.identifier.uri https://dr.lib.iastate.edu/handle/20.500.12876/93853
dc.language.iso en
dc.source.bitstream archive/lib.dr.iastate.edu/csafe_conf/66/Xu__2018__IEEE_Symposium.pdf|||Sat Jan 15 01:25:42 UTC 2022
dc.source.uri 10.1109/SPW.2018.00031
dc.subject.disciplines Electrical and Computer Engineering
dc.title A Dynamic Taint Analysis Tool for Android App Forensics
dc.type article
dc.type.genre conference
dspace.entity.type Publication
relation.isOrgUnitOfPublication d8a3c72b-850f-40f6-87c4-8812547080c7
relation.isOrgUnitOfPublication a75a044c-d11e-44cd-af4f-dab1d83339ff
Original bundle: 1.7 MB, Adobe Portable Document Format