Book Title: Android Forensics
Subtitle: Investigation, Analysis and Mobile Security for Google Android
Author: Andrew Hoog
Publisher: Syngress
Date of Publishing: July 2011
ISBN(13): 9781597496513
Price (UK&US price – full price, not discounted price): £42.99, $69.95
URL of Publisher Site: Syngress
URL of Amazon UK web page: Android Forensics: Investigation, Analysis and Mobile Security for Google Android
URL of Amazon UK (Kindle) web page: Android Forensics: Investigation, Analysis and Mobile Security for Google Android
URL of Amazon US web page: Android Forensics: Investigation, Analysis and Mobile Security for Google Android
URL of Amazon US (Kindle) web page: Android Forensics: Investigation, Analysis and Mobile Security for Google Android
Andrew Hoog’s ‘Android Forensics – Investigation, Analysis and Mobile Security for Google Android’ provides an excellent and comprehensive coverage of the Android platform, including its design, implementation, operation, investigation and analysis. At 364 pages of content, organized over seven chapters, with a focus on the ‘practical’ – demonstrating system design, implementation, operation and investigation, for instance, through hands-on “experiments” – this sizable text will resonate particularly well with readers disposed to activity-centric, learning-by-doing styled narrative. The text is peppered throughout with device and application (GUI) screenshots, as well as command line execution/output and directory listings; all of which encourage and enable the reader to work along with the author in uncovering the design, complexities and nuances that underpin the Android platform.

A forty-page opening chapter grounds the reader in the Android space, outlining its history, its relationship with the Linux operating system, the Android Open Source Project (AOSP), and the Android market, before concluding with a brief rationalization of the need for “Android Forensics”. In brief, the author rightly acknowledges that of all the devices an individual might own, one tends to be “more honest with their Smartphone than any other person or device”. As such, a device that blends both personal and corporate data, including SMS texts, emails, GPS locations, pictures, browsing, telephony, videos etc., needs to be fully understood… and forensically understood.

Chapter two extends the background coverage to consider the extensive (and growing) Android hardware platform, and introduces the first of the technical content with a very useful and orienting description of the seven-step Android boot process.
Chapter three introduces the Android software development kit (SDK), used not only for application development but also as an assistive technology in the forensic analysis of an Android device. Understanding the SDK is crucial in understanding the device and its data, which in turn allows for more thorough forensic/security analysis. This chapter also provides step-by-step instructions on how to obtain, install and configure the SDK for your PC, be it Windows, Mac OS X, or Linux based. Once complete, the reader is then in a position to create an Android Virtual Device (AVD): an emulator running on one’s own PC and allowing for the ‘learning by doing’ approach noted earlier. The AVD, for instance, allows one to profile how applications execute on an Android device – clearly very useful to the forensic practitioner. Additionally, the AVD can be used to test and validate the operation of a specific forensic tool. The prospective reader should note that the AVD is resource hungry; a PC with multiple cores (CPUs) will work best, and like most emulators, more RAM will improve performance significantly.

Chapter four covers data storage on an Android device, and does so remarkably well in just over 50 pages of rich content. Having an AVD to verify and interact with what one reads in this chapter – to see it for yourself as it were – is particularly useful. This chapter (four), by virtue of the diverse and sometimes complex nature of the detail that it reports on, is likely to be a significant and frequently revisited reference chapter for the Android investigator. For example, how data are stored on a device extends in fact to five separate methods, and their representations vary significantly also; from, inter alia, primitive data types in an XML format, to files in e.g. a FAT32 file system, to SQLite database formats.
Chapter four also provides detailed coverage of the file systems underpinning the partitions where user data are stored: EXT, FAT32 and YAFFS2 (yet another flash file system… version 2 – which plays a key role in the Android system).

Chapter five covers Android security from a device, data and apps perspective and considers the Android device as both target of and tool for malicious attacks. I suggest this is a particularly relevant chapter to Android developers; they need to be security conscious from the outset and take responsibility for the protection of user data.

Chapter six is the first real look at Forensics in a definitive sense, i.e. looking at how to conduct investigations that are forensically sound, and procedural techniques for e.g. handling, securing, and imaging a device and its storage artifacts. This chapter runs to almost 100 pages. The early pages of the chapter set out guiding principles, distinguish among different types of investigations (e.g. inappropriate use of company resources, data theft, child custody cases, estate disputes) as well as differentiating between logical and physical forensic techniques. This is a thoroughly engaging chapter, very focused on the application of techniques for real forensics, with the detailed narrative supported regularly through screen shots and tool reports/outputs as appropriate. Some of the tools covered appear to be only (legitimately) available to law enforcement and government agencies. Nonetheless, the extent of the data retrievable from a device makes for interesting reading and is likely to heighten security and privacy awareness among readers.
The final chapter, ‘Android Application and Forensic Analysis,’ in essence applies many of the techniques introduced in the preceding chapter and includes file system forensic analysis, file carving techniques, as well as the forensic analysis of many common applications including Messaging, YouTube, Google Maps, Gmail and Facebook using a custom Python program. The data trail left by such applications, most of which is retrievable, again highlights the relevance of the Android Smartphone to the digital investigation space, and is demonstrative also – as noted in the introduction – of the significant dependence users have on such devices.
‘Android Forensics’ provides comprehensive coverage of the Android platform, including its design, implementation, operation, investigation and analysis. With a practical focus from the outset that includes how to acquire and install the Android SDK and build an Android Virtual Device (AVD), this text is particularly suited to those disposed to a hands-on approach to learning about the Android platform from a security and investigation perspective.

Marks: 5 out of 5 *****