dc.description.abstract |
Mobile phone technology is changing rapidly, and a growing number of device models running different operating systems are in use around the world. In particular, Android mobile devices are becoming far more attractive than any other platform, not only in Myanmar's mobile market but also in other developing countries. They offer flexibility and convenience for communication, entertainment, sharing and storing data, using social media networks, and more. People use smartphones for different purposes, both personal and business. On the other hand, if a smartphone is involved in a crime, evidence data may reside on the device. In such cases, investigators need adequate investigation processes, procedures, frameworks, and forensic tools to obtain that evidence. In this dissertation, a workable process flow consisting of seven stages is proposed for forensic investigation of Android devices: (1) Preparation, (2) Determine Scope of Crime Scene, (3) Secure Evidence Devices Collection, (4) Documentation and Preservation, (5) Examination and Analysis, (6) Presentation, and (7) Review. A detailed analysis framework is also proposed for the Examination and Analysis stage. It is divided into two main parts, Live Forensics and Static Forensics, because if the investigator neglects Live Forensics, the data in memory can easily be lost. Finally, an applicable tool (ANDROSICS) with many useful features is proposed to support the analysis framework. It consists of five main parts: (i) data acquisition and collection, (ii) examination and analysis, (iii) bruteforcing, (iv) reporting, and (v) management process. In the data acquisition and collection stage, it extracts both volatile and non-volatile data from Android devices. This stage generates four types of data: a Portable Network Graphics (.png) file from the screenshot, an Android Backup (.ab) file from the backup process, an ANDROSICS file (.andro6) from volatile data, and an image (.img) file from non-volatile data. In the examination and analysis phase, it can check the integrity of all data collected in the prior stages. Afterwards, the investigator can analyze device information, corrupted files, potential data in SQLite database files, and so on. In bruteforcing, it can crack the passwords of device screen locks, zip files, Microsoft Office files, and PDF files; the investigator can also create a custom wordlist with many rules in this stage. In the reporting stage, it generates report files for all data in the investigation process. As the management process, it protects against tampering, provides login access for authorized users, and keeps logs of all activities. Besides, the data collection process was evaluated and implemented on some popular brands of Android devices in Myanmar: Huawei, Samsung, and Oppo devices with different versions. The ANDROSICS tool is also compared with some other open-source tools, and an overview comparison with related research work is based on the related papers. In any case, since this research work is dedicated to our country, it is hoped that it will be useful for Android forensic investigation, because a well-defined process flow, framework, and localized tool are not yet available in our country. |
en_US |