LogExtractor: Extracting digital evidence from android log messages via string and taint analysis

Cheng, Chris Chao-Chun
Shi, Chen
Gong, Neil Zhenqiang
Guan, Yong
Copyright 2021, The Authors
Organizational Units
Organizational Unit
Center for Statistics and Applications in Forensic Evidence
The Center for Statistics and Applications in Forensic Evidence (CSAFE) carries out research on the scientific foundations of forensic methods, develops novel statistical methods and transfers knowledge and technological innovations to the forensic science community. We collaborate with more than 80 researchers and across six universities to drive solutions to support our forensic community partners with accessible tools, open-source databases and educational opportunities.
Organizational Unit
Electrical and Computer Engineering

The Department of Electrical and Computer Engineering (ECpE) contains two focuses. The focus on Electrical Engineering teaches students in the fields of control systems, electromagnetics and non-destructive evaluation, microelectronics, electric power & energy systems, and the like. The Computer Engineering focus teaches in the fields of software systems, embedded systems, networking, information security, computer architecture, etc.

The Department of Electrical Engineering was formed in 1909 from the division of the Department of Physics and Electrical Engineering. In 1985 its name changed to Department of Electrical Engineering and Computer Engineering. In 1995 it became the Department of Electrical and Computer Engineering.

Historical Names

  • Department of Electrical Engineering (1909-1985)
  • Department of Electrical Engineering and Computer Engineering (1985-1995)

Mobile devices are increasingly involved in crimes. Therefore, digital evidence on mobile devices plays a more and more important role in crime investigations. Existing studies have designed tools to identify and/or extract digital evidence in the main memory or the file system of a mobile device. However, identifying and extracting digital evidence from the logging system of a mobile device is largely unexplored. In this work, we aim to bridge this gap. Specifically, we design, prototype, and evaluate LogExtractor, the first tool to automatically identify and extract digital evidence from log messages on an Android device. Given a log message, LogExtractor first determines whether the log message contains a given type of evidentiary data (e.g., GPS coordinates) and then extracts the value of the evidentiary data if the log message contains it. LogExtractor takes an offline-online approach. In the offline phase, LogExtractor builds an App Log Evidence Database (ALED) for a large number of apps by combining string and taint analysis to analyze the apps' code. Each record in the ALED contains 1) the string pattern of a log message that an app may write to the logging system, 2) the types of evidentiary data that the log message includes, and 3) the segment(s) of the string pattern that contain the value of a certain type of evidentiary data, where we represent a string pattern using a deterministic finite-state automaton. In the online phase, given a log message from a suspect's Android device, we match the log message against the string patterns in the ALED and extract evidentiary data from it if the matching succeeds. We evaluate LogExtractor on 65 benchmark apps from DroidBench and 12.1 K real-world apps. Our results show that a large number of apps write a diverse set of data to the logging system and LogExtractor can accurately extract them.
The following article is published as Cheng, Chris Chao-Chun, Chen Shi, Neil Zhenqiang Gong, and Yong Guan. "LogExtractor: Extracting digital evidence from android log messages via string and taint analysis." Forensic Science International: Digital Investigation 37 (2021): 301193. Posted with permission of CSAFE.
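The online phase described in the abstract, sketched as an added example (this is not LogExtractor's code): constructed ALED-style records, each with a string pattern, evidence types and the segments that carry them, are matched against constructed logcat lines. Python regular expressions stand in for the paper's finite-state automata, and the app names, tags and message formats are assumptions.

```python
import re

NUM = r"-?\d+(?:\.\d+)?"  # assumed shape of a numeric segment

class Record:
    """ALED-style record: segments are ("lit", text) or ("var", regex, evidence_type|None)."""
    def __init__(self, app, tag, segments):
        self.app, self.tag, self.fields, parts = app, tag, [], []
        for seg in segments:
            if seg[0] == "lit":                # constant text from the app's code
                parts.append(re.escape(seg[1]))
            else:                              # runtime value; may carry evidence
                parts.append("(" + seg[1] + ")")
                self.fields.append(seg[2])
        self.regex = re.compile("".join(parts))

# Constructed records; a real ALED is built offline by string and taint analysis.
ALED = [
    Record("com.example.tracker", "LocSvc",
           [("lit", "fix lat="), ("var", NUM, "gps_latitude"),
            ("lit", " lon="), ("var", NUM, "gps_longitude"),
            ("lit", " acc="), ("var", NUM, None)]),   # accuracy: not evidentiary here
    Record("com.example.chat", "Auth",
           [("lit", "login ok user="), ("var", r"\S+", "account_id")]),
]

# logcat "threadtime" layout: date time pid tid level tag: message
LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+ [VDIWEF] ([^:]+?)\s*: (.*)$")

def extract(line):
    """Return [(app, evidence_type, value)] for one log line; [] if nothing matches."""
    m = LINE.match(line)
    if not m:
        return []
    tag, msg = m.groups()
    out = []
    for rec in ALED:
        hit = rec.regex.fullmatch(msg) if rec.tag == tag else None
        if hit:  # the whole message must fit the pattern, not just a prefix
            out += [(rec.app, t, v) for t, v in zip(rec.fields, hit.groups()) if t]
    return out

SAMPLE = [  # constructed log lines
    "03-14 09:26:53.589  1234  1250 I LocSvc  : fix lat=42.0267 lon=-93.6465 acc=12.0",
    "03-14 09:26:54.100  2200  2201 D Auth: login ok user=alice42",
    "03-14 09:26:55.000  1234  1250 W LocSvc  : fix lat=unknown lon=-93.6465 acc=12.0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(extract(line))
```

The third line shares a tag and prefix with a known pattern but yields nothing, because a partial match is treated as no match.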