Our latest artifact update for IEF includes support for native Android applications. As the mobile market continues to narrow in on two primary operating systems – Android and iOS – it’s becoming increasingly important for investigators to recover data from these built-in system apps. In February, we added support for a similar set of native iOS apps, and saw a need to do the same for Android. IEF will now recover evidence from Android native apps, including Device and Account Information, Saved WiFi Profiles, Saved Bluetooth Connections, Deleted Contacts, Deleted Call Logs, and Calendar Events.
Let’s take a closer look at the artifacts now supported for Android devices:
IEF will now list the installed apps on any Android device, providing investigators with a good overview of the various apps a user may be accessing. Investigators can recover package name, display name, platform, category, as well as both the internal and display versions for the application. While often the same, the versions can differ if the app developers choose to version their apps differently for public release.
Device details, including hardware information, SIM number, IMEI and/or IMSI, can now be recovered using IEF. It also includes the Bluetooth MAC address and Google ID.
IEF will recover account information from applications installed on the Android device. Items such as user identifier, application package name, and application password can be extracted. This can be valuable if you are investigating several devices and need to determine which device is associated with which user in a case.
Saved Wi-Fi Profiles
Android devices store Wi-Fi profiles so they can automatically reconnect when within range of the Wi-Fi router. Investigators are able to recover the SSID, network name, security mode, network password, username, WEP key and MAC address of the router. Investigators can use this data to help determine where a suspect may have been, since this data is stored indefinitely until the profile is deleted or the phone is wiped.
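As an added example (not IEF’s own code), the following Python parses saved Wi-Fi profiles from the wpa_supplicant.conf format that older Android releases used (assumed path: /data/misc/wifi/wpa_supplicant.conf) and labels each profile’s security mode; the configuration text is constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf format (assumed location on older
# Android builds: /data/misc/wifi/wpa_supplicant.conf).
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
	ssid="HomeNet"
	psk="correct horse battery staple"
	key_mgmt=WPA-PSK
	priority=3
}

network={
	ssid="CoffeeShop"
	key_mgmt=NONE
	priority=1
}

network={
	ssid="LegacyAP"
	key_mgmt=NONE
	wep_key0=1234567890
	wep_tx_keyidx=0
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", re.M)


def parse_network_blocks(text):
    """Return one dict of key/value pairs per network={...} block."""
    profiles = []
    for block in NETWORK_BLOCK.finditer(text):
        fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(block.group(1))}
        profiles.append(fields)
    return profiles


def security_mode(profile):
    """Label a profile the way an investigator's report would: by key_mgmt, then WEP keys."""
    mgmt = profile.get("key_mgmt", "")
    if "WPA-EAP" in mgmt or "IEEE8021X" in mgmt:
        return "WPA-Enterprise"
    if "WPA-PSK" in mgmt or "SAE" in mgmt:
        return "WPA-Personal"
    if any(k.startswith("wep_key") for k in profile):
        return "WEP"
    return "Open"


def summarize(text):
    """SSID, security mode and whether a stored credential (psk/WEP key/password) is present."""
    return [{"ssid": p.get("ssid"), "security": security_mode(p),
             "has_credential": any(k in p for k in ("psk", "wep_key0", "password"))}
            for p in parse_network_blocks(text)]
```

Profiles with key_mgmt=NONE and no wep_key entries are reported as open networks, which is the case that a key_mgmt check alone would mislabel.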
Saved Bluetooth Devices
Android devices keep a list of any saved Bluetooth devices that were connected to the Android device. IEF will recover the MAC address, device name, device class, last seen date and timestamp. These profiles can be useful if an investigator is looking for evidence found on other connected devices, such as another computer or car.
IEF will recover deleted address book contacts from Android devices, including any details that might be included in their contact profile such as contact name, account type, phone number, and email address, as well as the number of times the contact was contacted and the last contacted date and time. Investigators can use this data to correlate call logs and other details with potential suspects or victims.
Deleted Call Logs
IEF can now carve and recover deleted call log entries, which can help investigators who are trying to identify calls from individuals that a suspect may be denying involvement with. This will also assist in trying to correlate any call logs provided by a service provider, if available for the investigation. IEF will report the following fields: phone number, name, date and time of the phone call, and duration.
Android calendar events can contain a lot of valuable data for investigators. IEF will recover all the necessary calendar details, which are stored in a SQLite database, from an Android smartphone. Relevant fields include event summary, event description, calendar name, attendees, start and end date, and time zone.
The user dictionary on Android devices stores and keeps track of words that are frequently used by the user. Information such as the shortcut sequence for the word, as well as the actual word used, is recovered. As we’ve mentioned in the past, this data can help investigators identify common terms or slang used by a suspect.
To access the latest artifact update, users can log onto the Customer Portal or download directly from IEF (if your computer is connected to the Internet).
As we continue to release artifacts on a more frequent basis, we welcome feedback from our users on the types of evidence they are looking for. If you have any suggestions or requests, please feel free to reach out by email at firstname.lastname@example.org.
Forensics Consultant, Magnet Forensics