TY - JOUR
T1 - The Android Forensics Automator (AnForA): A tool for the Automated Forensic Analysis of Android Applications
AU - ANGLANO, Cosimo Filomeno
AU - CANONICO, Massimo
AU - GUAZZONE, Marco
N1 - Publisher Copyright:
© 2019
PY - 2020
Y1 - 2020
N2 - Most of our daily activities are carried out by means of mobile applications, which typically generate and store large sets of data on the device. The forensic analysis of these data thus plays a crucial role during an investigation, as it allows these activities to be reconstructed. Manually analyzing these applications is a long, tedious, and error-prone task.
In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed in such a way to yield various important properties, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality.
AnForA is based on a dynamic "black box" approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments are carried out, in which actions of interest are automatically performed on the application by emulating a human user that interacts with its interface. During the experiments, the file systems of the device storage are actively monitored, so that the data created or modified by each one of these actions can be located and correlated with that action.
We have devised a proof-of-concept implementation of AnForA, that we use to assess its ability in achieving its design goals, by analyzing through it several Android applications already studied in the literature, so that we can compare AnForA’s results against those reported in these papers. The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above, namely fidelity, artifact coverage, artifact precision, effectiveness, repeatability, and generality, to a higher extent than previous studies published in the literature.
KW - Android applications
KW - Automated forensics analysis
KW - Digital evidence
KW - Digital forensics
KW - Mobile forensics
UR - https://iris.uniupo.it/handle/11579/106559
U2 - 10.1016/j.cose.2019.101650
DO - 10.1016/j.cose.2019.101650
M3 - Article
SN - 0167-4048
VL - 88
SP - 101650
JO - COMPUTERS & SECURITY
JF - COMPUTERS & SECURITY
ER -