Open Access
Android App Antiforensics
Author(s) - Alberto Ceballos Delgado, B. Zhou
Publication year - 2022
Publication title - Journal of Surveillance, Security and Safety
Language(s) - English
Resource type - Journals
ISSN - 2694-1015
DOI - 10.20517/jsss.2021.26
Subject(s) - scripting language, computer science, android (operating system), digital forensics, digital evidence, automation, python (programming language), popularity, population, mobile device, crime scene, mobile phone, biometrics, world wide web, computer security, engineering, operating system, psychology, social psychology, demography, sociology, law, political science, mechanical engineering
Aim: Android is one of the most popular platforms in the market. This popularity has led the operating system to be a potential tool for criminal activities. Law enforcement has noted this development and started incorporating smartphone evidence into their cases. However, digital evidence is susceptible to data modification, and thus anti-forensic techniques have been developed to counter forensic investigations. This research investigates the possibility of generating false data using automation techniques.

Methods: A rooted Android device was acquired. The device screen coordinates were mapped using screenshots and Gimp. The coordinates were used to develop a Python script to automate common user tasks such as making a phone call, sending a text message, or adding a contact. These tasks were performed manually and using the automation script. A system image was acquired of the device before and after data population. The images were analyzed using Autopsy and Cellebrite’s Inspector. The forensic artifacts retrieved were compared between the manual and automatic data population.

Results: The artifacts show that the data was added successfully and that forensic tools may not detect that the data was automatically generated.

Conclusion: This research shows that it is possible to populate an Android device with false forensic artifacts using automation scripts. Being able to generate forensic artifacts using automation scripts can allow educators to more easily generate datasets to teach forensic techniques. Additionally, it can also be used by malicious actors to generate false forensic artifacts to mislead an investigator. Future work could improve the proposed data generation technique via machine learning to prevent hardcoding the screen coordinates in the automation script or improve the technique to generate data with old timestamps. Another avenue of future work includes the development of techniques to identify false data.
