Most of our daily activities are carried out by means of mobile applications, that typically generate and store on the device large sets of data. The forensic analysis of these data thus plays a crucial role during an investigation, as it allows to reconstruct the above activities. Manually analyzing these applications is a long, tedious, and error-prone task. In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed in such a way to yield various important properties, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality. AnForA is based on a dynamic "black box" approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments are carried out, in which actions of interest are automatically performed on the application by emulating a human user that interacts with its interface. During the experiments, the file systems of the device storage are actively monitored, so that the data created or modified by each one of these actions can be located and correlated with that action. We have devised a proof-of-concept implementation of AnForA, that we use to assess its ability in achieving its design goals, by analyzing through it several Android applications already studied in the literature, so that we can compare AnForA’s results against those reported in these papers. The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality, to a higher extent than previous studies published in the literature.

The Android Forensics Automator (AnForA): A tool for the Automated Forensic Analysis of Android Applications

Anglano, Cosimo;Canonico, Massimo
;
Guazzone, Marco
2020-01-01

Abstract

Most of our daily activities are carried out by means of mobile applications, that typically generate and store on the device large sets of data. The forensic analysis of these data thus plays a crucial role during an investigation, as it allows to reconstruct the above activities. Manually analyzing these applications is a long, tedious, and error-prone task. In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed in such a way to yield various important properties, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality. AnForA is based on a dynamic "black box" approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments are carried out, in which actions of interest are automatically performed on the application by emulating a human user that interacts with its interface. During the experiments, the file systems of the device storage are actively monitored, so that the data created or modified by each one of these actions can be located and correlated with that action. We have devised a proof-of-concept implementation of AnForA, that we use to assess its ability in achieving its design goals, by analyzing through it several Android applications already studied in the literature, so that we can compare AnForA’s results against those reported in these papers. The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality, to a higher extent than previous studies published in the literature.
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11579/106559
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 16
  • ???jsp.display-item.citation.isi??? 12
social impact