AusCERT 2013: Low-level analysis can find, map data deleted from Android phones

Android-based smartphones are not only gaining notoriety as being susceptible to malware, but research presented by a Queensland University of Technology (QUT) forensic expert confirms that it’s possible to extract personal information from an Android phone long after that data has been deleted.

Presenting to the AusCERT 2013 security conference today, Dr Bradley Schatz – an IT security specialist with digital-forensics firm Schatz Forensic and an adjunct associate professor at QUT’s Information Security Institute – shared a method of not only extracting deleted or obsolete information from Android phones, but easily identifying it by scouring the extracted data for key ‘landmarks’ representing particular data types.

Because the cells inside NAND flash RAM – built into all modern mobile devices for persistent storage of data – are only rated for a certain number of read/write cycles, many systems aren’t designed to overwrite old data after it has been marked as deleted in the device’s file allocation table. Similarly, when files are updated from old versions, a new version that is smaller will leave fragments of the old version in the memory.

That behaviour leaves all kinds of residual data chunks living in supposedly unused parts of the device’s storage. By considering the low-level structure of various flash-RAM file systems – Microsoft’s exFAT and FAT32 as well as the open-source Yaffs, among others – Dr Schatz has been able to pinpoint the locations of particular types of user information and represent the old data in an accessible, visual way.

“The challenge is understanding how to make a full copy of the NAND flash from these devices, and then to be able to interpret what’s in the flash,” he told CSO Australia. “This enables getting access to the existing files, as well as to the existing components of old versions of those files.”

Schatz used a number of methods to access the data, ranging from using software on a jailbroken phone or using the Joint Test Action Group (JTAG) hardware debugging framework, to physically desoldering and removing the memory for scanning on a different device.

In each case, he has been able to identify the various methods by which the Android operating system reorganises its data. “It’s quite fascinating when you get down to that level,” he said. “By developing a visualisation technique, we’ve been able to identify, visually, aspects of the file system that let you say ‘OK, it looks like the start of the partition is there’ and visually identifying landmarks related to where files and metadata are.”

A diversity of Android variations had shown small variations between different devices and operating-system versions, particularly with some vendors adding their own embellishments and slightly-different flash RAM.

“When that generic Android code base is adopted by a company like HTC or Samsung, they tend to head in their own direction,” Schatz explained. “The design choices they make tend to involve some choices in the code they use, that are a bit different as well.”

By contrast, the homogeneity of Apple’s iOS mobile operating system had made it an easier file system to deal with – although “it’s getting much harder from the perspective of these latest iPhones and iPads, where the cryptographic keys have been moved inside the processors. The methods we’ve been using to date have allowed us to soft jailbreak the phone and break the encryption keys, but at this point there’s not an ability to do that for these [latest models].”

With mobile devices containing ever more-important personal and business data, the ability to recover information from those phones has become an important part of forensic analysis and the use of that analysis in legal proceedings. Those proceedings necessarily demand an understanding of the techniques used to extract data “and any sources of errors or uncertainty that might come along with those,” said Schatz, whose consultancy often sees him providing such evidence in legal proceedings.

Schatz’s success in recovering information from smartphones has taught him one lesson that he’d share with other Android users. “With the rapid rate that everyone has dived into their phones, those phones now contain significant amounts of personal details,” he said.

“These can be extremely useful when it comes to ascertaining what they’ve done in the past, who they’ve spoken with, where they’ve been, what they’re interest in, and more. It’s all sitting there in the phones. [Given his research] I can’t say I would be throwing my phone away; I would be safely destroying it.”

Join the CSO newsletter!

Error: Please check your email address.

Tags QUT#ausert2013securitysmartphonesAndroidnews

More about AppleCSOHTCMicrosoftQueensland University of TechnologyQueensland University of TechnologyQueensland University of Technology (QUT)SamsungTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts