AusCERT 2013: Low-level analysis can find, map data deleted from Android phones

Android-based smartphones are not only gaining notoriety as being susceptible to malware, but research presented by a Queensland University of Technology (QUT) forensic expert confirms that it’s possible to extract personal information from an Android phone long after that data has been deleted.

Presenting to the AusCERT 2013 security conference today, Dr Bradley Schatz – an IT security specialist with digital-forensics firm Schatz Forensic and an adjunct associate professor at QUT’s Information Security Institute – shared a method of not only extracting deleted or obsolete information from Android phones, but easily identifying it by scouring the extracted data for key ‘landmarks’ representing particular data types.

Because the cells inside NAND flash RAM – built into all modern mobile devices for persistent storage of data – are only rated for a certain number of read/write cycles, many systems aren’t designed to overwrite old data after it has been marked as deleted in the device’s file allocation table. Similarly, when files are updated from old versions, a new version that is smaller will leave fragments of the old version in the memory.

That behaviour leaves all kinds of residual data chunks living in supposedly unused parts of the device’s storage. By considering the low-level structure of various flash-RAM file systems – Microsoft’s exFAT and FAT32 as well as the open-source Yaffs, among others – Dr Schatz has been able to pinpoint the locations of particular types of user information and represent the old data in an accessible, visual way.

“The challenge is understanding how to make a full copy of the NAND flash from these devices, and then to be able to interpret what’s in the flash,” he told CSO Australia. “This enables getting access to the existing files, as well as to the existing components of old versions of those files.”

Schatz used a number of methods to access the data, ranging from running software on a jailbroken phone, or using the Joint Test Action Group (JTAG) hardware debugging interface, to physically desoldering and removing the memory chip for reading on a different device.

In each case, he has been able to identify the various methods by which the Android operating system reorganises its data. “It’s quite fascinating when you get down to that level,” he said. “By developing a visualisation technique, we’ve been able to identify, visually, aspects of the file system that let you say ‘OK, it looks like the start of the partition is there’ and visually identifying landmarks related to where files and metadata are.”
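The landmark approach described above can be illustrated on a FAT32 volume, one of the file systems named in the article. The script below is an added example written for this page, not Schatz Forensic's tool or QUT code: it builds a small constructed image (a boot sector at an assumed sector offset, a root directory holding one live file and one deleted file whose data was never overwritten), then scans the raw bytes for boot-sector landmarks (the jump instruction, the `FAT32   ` type string and the `0x55AA` signature), derives the partition geometry from the BIOS Parameter Block fields, and walks the root directory, where a leading `0xE5` byte marks a deleted entry whose cluster pointer and size usually survive. The file names, sizes and offsets are all constructed.

```python
import struct

SECTOR = 512
# Constructed file contents for the synthetic image (not from any real device).
LIVE_CONTENT = b"hello world"
DELETED_CONTENT = b"sms:+61400000000:meet@9"

# Characters allowed in an 8.3 short name; used to reject random bytes that
# happen to look like a directory entry.
NAME_CHARS = frozenset(b" ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-~!#$%&'()@^`{}")


def dir_entry(name, attr, cluster, size):
    """Build one 32-byte FAT directory entry (name is 11 bytes: 8 name + 3 ext)."""
    e = bytearray(32)
    e[0:11] = name
    e[11] = attr
    struct.pack_into("<H", e, 20, cluster >> 16)      # first cluster, high word
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def build_sample_image():
    """Constructed FAT32-style image: 128 sectors, partition at sector 8 (assumed),
    one live file and one deleted file whose cluster was never overwritten."""
    img = bytearray(128 * SECTOR)
    part = 8 * SECTOR
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"               # jump instruction (landmark 1)
    bs[3:11] = b"MSWIN4.1"                  # OEM name
    struct.pack_into("<H", bs, 11, SECTOR)  # bytes per sector
    bs[13] = 1                              # sectors per cluster
    struct.pack_into("<H", bs, 14, 32)      # reserved sectors before FAT 1
    bs[16] = 2                              # number of FATs
    struct.pack_into("<I", bs, 36, 16)      # sectors per FAT (FAT32 field)
    struct.pack_into("<I", bs, 44, 2)       # root directory starts at cluster 2
    bs[82:90] = b"FAT32   "                 # file-system type string (landmark 2)
    bs[510:512] = b"\x55\xAA"               # boot signature (landmark 3)
    img[part:part + SECTOR] = bs
    data_start = part + (32 + 2 * 16) * SECTOR   # first data sector == cluster 2
    root = data_start
    img[root:root + 32] = dir_entry(b"NOTES   TXT", 0x20, 3, len(LIVE_CONTENT))
    # Deleted entry: only the first name byte was replaced with 0xE5.
    img[root + 32:root + 64] = dir_entry(b"\xE5LLSMS  DB ", 0x20, 4, len(DELETED_CONTENT))
    # The clusters themselves are untouched by deletion, so the data is still there.
    img[data_start + SECTOR:data_start + SECTOR + len(LIVE_CONTENT)] = LIVE_CONTENT
    img[data_start + 2 * SECTOR:data_start + 2 * SECTOR + len(DELETED_CONTENT)] = DELETED_CONTENT
    return bytes(img)


def find_boot_sectors(img):
    """Landmark scan: every sector-aligned block with jump + 'FAT32   ' + 0x55AA
    is a candidate boot sector; its BPB fields give the partition geometry."""
    hits = []
    for off in range(0, len(img) - SECTOR + 1, SECTOR):
        s = img[off:off + SECTOR]
        if s[0] in (0xEB, 0xE9) and s[82:90] == b"FAT32   " and s[510:512] == b"\x55\xAA":
            bps, = struct.unpack_from("<H", s, 11)
            spc = s[13]
            reserved, = struct.unpack_from("<H", s, 14)
            nfats = s[16]
            spf, = struct.unpack_from("<I", s, 36)
            root_cluster, = struct.unpack_from("<I", s, 44)
            if bps in (512, 1024, 2048, 4096) and spc and nfats and spf:
                hits.append({"offset": off, "bytes_per_sector": bps,
                             "sectors_per_cluster": spc, "root_cluster": root_cluster,
                             "data_start": off + (reserved + nfats * spf) * bps})
    return hits


def cluster_offset(boot, cluster):
    """Byte offset of a data cluster; cluster numbering starts at 2."""
    return boot["data_start"] + (cluster - 2) * boot["sectors_per_cluster"] * boot["bytes_per_sector"]


def parse_entries(img, off, count=16):
    """Parse 32-byte directory entries at off, keeping deleted (0xE5) ones."""
    out = []
    for i in range(count):
        e = img[off + 32 * i:off + 32 * i + 32]
        if e[0] == 0x00:                      # 0x00 marks the end of the directory
            break
        attr = e[11]
        if attr == 0x0F or attr & 0xC0 or not all(b in NAME_CHARS for b in e[1:11]):
            continue                          # long-name entry or not a plausible 8.3 entry
        if e[0] != 0xE5 and e[0] not in NAME_CHARS:
            continue
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        # The first name character is lost on deletion; show it as '?'.
        base = (b"?" + e[1:8]) if e[0] == 0xE5 else e[0:8]
        out.append({"name": base.decode().strip() + "." + e[8:11].decode().strip(),
                    "deleted": e[0] == 0xE5, "cluster": (hi << 16) | lo, "size": size})
    return out


def map_image(img):
    """Landmark map: each boot sector, its root directory entries, and the bytes at
    each entry's first cluster. Only the first cluster can be located from the entry
    alone; the rest of the chain lives in the FAT and is usually zeroed on deletion."""
    report = []
    for boot in find_boot_sectors(img):
        entries = parse_entries(img, cluster_offset(boot, boot["root_cluster"]))
        for ent in entries:
            start = cluster_offset(boot, ent["cluster"])
            ent["data_offset"] = start
            ent["first_cluster_bytes"] = img[start:start + ent["size"]]
        report.append({"boot": boot, "entries": entries})
    return report


if __name__ == "__main__":
    for vol in map_image(build_sample_image()):
        print("boot sector at", vol["boot"]["offset"], "data region at", vol["boot"]["data_start"])
        for ent in vol["entries"]:
            print(("DELETED " if ent["deleted"] else "live    ") + ent["name"],
                  "@", ent["data_offset"], ent["first_cluster_bytes"])
```

On a real dump the same scan is run across the whole image rather than at one known offset, which is what turns a bag of residual chunks into a map of where partitions, directories and file data sit; the constructed image here keeps the geometry small enough to check by hand.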

The diversity of Android builds showed small differences between devices and operating-system versions, particularly where vendors added their own embellishments and slightly different flash RAM.

“When that generic Android code base is adopted by a company like HTC or Samsung, they tend to head in their own direction,” Schatz explained. “The design choices they make tend to involve some choices in the code they use, that are a bit different as well.”

By contrast, the homogeneity of Apple’s iOS mobile operating system had made it an easier file system to deal with – although “it’s getting much harder from the perspective of these latest iPhones and iPads, where the cryptographic keys have been moved inside the processors. The methods we’ve been using to date have allowed us to soft jailbreak the phone and break the encryption keys, but at this point there’s not an ability to do that for these [latest models].”

With mobile devices containing ever more important personal and business data, the ability to recover information from those phones has become an important part of forensic analysis and of the use of that analysis in legal proceedings. Those proceedings necessarily demand an understanding of the techniques used to extract data “and any sources of errors or uncertainty that might come along with those,” said Schatz, whose consultancy often sees him providing such evidence in legal proceedings.

Schatz’s success in recovering information from smartphones has taught him one lesson that he’d share with other Android users. “With the rapid rate that everyone has dived into their phones, those phones now contain significant amounts of personal details,” he said.

“These can be extremely useful when it comes to ascertaining what they’ve done in the past, who they’ve spoken with, where they’ve been, what they’re interested in, and more. It’s all sitting there in the phones. [Given his research] I can’t say I would be throwing my phone away; I would be safely destroying it.”

Stories by David Braue