EviHunter: Identifying Digital Forensic Artifacts from Android Apps/Devices via Static & Dynamic Analysis + Android™ App Forensic Artifacts Database

Add to your list(s) Download to your calendar using vCal

• Yong Guan, Iowa State University
• Friday 21 July 2023, 16:00-17:00
• Webinar & FW11, Computer Laboratory, William Gates Building..

If you have a question about this talk, please contact Hridoy Sankar Dutta.

We are seeing the increasing trend of mobile app evidence in reported cases in the US and globally. Our prior study on the global app markets showed that real-world mobile apps have exceeded 8 million, and many apps have been frequently updated. Commercial mobile device forensic toolkits, such as Cellebrite UEFD , can help physically acquire, search, and recover evidence and reporting. However, most crime labs suffer significantly large backlogs due to an overly-long investigation process (often takes one or two days of an investigator’s efforts per device. Average of 40-80 apps on a device). The Lack of expert knowledge on many of these apps has led to the inability to identify and discover evidence, sometimes misunderstanding the evidence, which resulted in error-prone investigations, subsequently contributing to large backlogs in crime labs. Most existing tools demand the investigators to have the expertise and related experience to utilize them, and the investigative results often heavily depend on the experience and knowledge level of the investigator. With the support of NIST , CSAFE, and many crime labs, we have developed EviHunter, a set of toolkits to simplify and automate the mobile device investigation process with better guarantees in terms of completeness and accuracy. EviHunter leverages taint analysis to retrieve the information flow within an app from source APIs to sink APIs to deliver detailed, accurate, and timely findings of digital evidence stored in the local file system or from a third-party cloud server (e.g., Google/Amazon/Microsoft). Our dynamic EviHunter modified the Android OS and forced the system always enter an interpreter mode where we have inserted taint propagation code inside to follow the data flow in an app. We have cross-validated the analysis result from static and dynamic EviHunter, and are building the integrated results into the Android app forensic artifacts database. With it, practitioners can hopefully reduce the investigation of one device to 20 minutes of work with repeatable and verifiable guarantees. At the end of the talk, we will discuss several future directions this line of research can lead to. We also briefly discuss other interesting forensic, security, and privacy research issues and efforts.

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

This talk is part of the Computer Laboratory Security Seminar series.

This talk is included in these lists:

• All Talks (aka the CURE list)
• Cambridge talks
• Computer Laboratory Security Seminar
• Department of Computer Science and Technology talks and seminars
• Interested Talks
• School of Technology
• Security-related talks
• Trust & Technology Initiative - interesting events
• Webinar & FW11, Computer Laboratory, William Gates Building.
• bld31

Note that ex-directory lists are not shown.