CCF project proposal: Android Wear Forensics

Thijs Houtenbos
Joey Dreijer
April 13, 2015
Figure 1: LG G Watch running Android Wear
1 Introduction
Android Wear is a specialized version of the Android operating system for use
on wearables. Different vendors (LG, Samsung, Sony, etc.) have released different
wearables in the past (smartwatches, to be specific) with either a custom OS or
a forked version of the 'regular' Android operating system. Android Wear is (or
aims to be) the first widely accepted operating system for smartwatches that
is (going to be) supported by multiple vendors, thus creating a standardized
platform for wearables the same way Android did for smartphones.
2 Goals
2.1 Research question
The main goal of our research is to identify forensic data (data that can prove
that an individual performed a specific activity) on an Android Wear device. A test
device will be used to generate behavioural data (such as phone calls, navigation,
phone coupling) that is also created during realistic real-life scenarios. These
scenarios will be documented in the form of storylines, which we will try to
confirm or deny by using the logs found on the Android Wear device. We aim
to gather the data stored on an Android Wear device using non-destructive
forensic methods. In short, our main research question can be formulated as
follows:
What (forensic) data can be gathered from an Android Wear device using non-destructive forensic methods?
2.2 Research question components
• Can the Android Wear memory be dumped?
• Can the Android Wear file-system be dumped?
• Which actions are logged by default on Android Wear?
• Can this data all be accessed without (destructive) modifications?
• What additional data can be retrieved with modifications?
• Can (already existing) automated forensics applications for mobile phones be used?
• How could the encountered data alternatively be found on the device?
2.3 Questions/goals that are out of scope
• Hardware modifications (e.g. desoldering flash).
• Can wireless interception or probing be used to obtain data?
3 Ethical implications
There are no apparent ethical implications since user data collection is not
required. The device used will be brand new and should not contain any user
data. If privacy-sensitive data is inadvertently collected, the data will be
deleted in accordance with OS3 ethics and privacy policies and mores.
4 Requirements
We require an Android Wear smartwatch, preferably an LG G Watch, since this
is the cheapest available model that can perform the functions required [1]. If
deemed possible (related to our research question), we will attempt to forensically
dump Android Wear data via dedicated forensic hardware. To accomplish
this, we will attempt to make arrangements to borrow an XRY field kit from an
external party.
5 Previous Research
Since the release of Android Wear in 2014, no previous research regarding its forensic
capabilities has been performed. However, there are different studies that
researched forensic methods on the 'default' Android operating system. A large
number of reports are publicly available explaining how to dump an Android
phone's data and memory using open source tools. An example report
is written by Gary Kessler from the University of Champlain.
6 Planning
Week  Topic
1     Reading previous Android (Mobile) forensic research, setup of Android Wear
2     Documenting stories/scenarios and generating test data
3     Analysing Android Wear log capabilities
4     Analysing and performing different methods for data retrieval
5     Analysing the test data and performing preferred forensic data retrieval method
      Preparation of research paper and presentation
References
[1] The LG G Watch Review - Android Central http://www.androidcentral.com/lg-g-watch-review
[2] The XRAY Field Kit product page - MSAB.com https://www.msab.com/products/field-version/
[3] Android Forensics: Simplifying Cell Phone Examinations - Jeff Lessard, Gary C. Kessler http://www.garykessler.net/library/SSDDFJ_V4_1_Lessard_Kessler.pdf