
Streamlining Android Browser Forensics & Examination

Dexter Morgan | October 3rd, 2017 | Updates

Android forensic analysis has become an important part of digital forensics because a suspect's personal data is stored on their personal phone. This makes smartphone forensics important, especially for Android, which is a popular phone OS. Forensics is performed on the artifacts collected for the investigation, such as app information, databases generated by the apps, messenger information, phone call logs, file manager data, etc. Amongst all these artifacts, however, the most relevant source of evidence is browser files. Android browser forensics includes many stages, such as collecting the databases related to various browsers, viewing and analyzing the data records, and identifying evidence. Reconstructing the browser history on the Android phone is also one of the key procedures in the investigation.

Browsers Available for Androids

Many browser applications are available for Android phones. All of these browsers store information such as browser history in a .sqlite or .db database. Some of the common browsers are:

  • Firefox Mobile
  • Android Browser
  • Dolphin
  • Opera Mini
  • Opera Mobile
  • Skyfire
  • Google Chrome

During any investigation, users must know which browser the suspect used. The suspect may be using one browser or a combination of several different browsers.

Android Security Model

The very first stage of Android browser forensic analysis, collection, is difficult. This is because the Android security model runs application processes in protected layers. The model ensures that no application can interfere with another application or has permission to perform operations that affect it. Each application gets its own unique User ID and Group ID, and the application's files and databases are protected. This applies to the SQLite databases in which browsers store their information as well.

Unfortunately, because of these security layers, users have to root the Android device. The rooting process dissolves all the security layers and limitations applied by the device manufacturer. Rooting makes it possible to mount the active partition of the device and create a copy of it for forensic investigation. Once the Android device is rooted, the databases belonging to the different browsers can be acquired for further examination.

Path Locations for Android Browser Databases

During Android browser forensic analysis, users can acquire the browser databases from the following locations on the device:

For Mozilla: /data/data/org.mozilla.fennec

For Android Browser: /data/data/com.android.browser

For Opera Mini: /data/data/com.opera.mini.android

For Opera: /data/data/opera.browser

For Skyfire: /data/data/com.skyfire.browser

The browser database file, browser.db, comprises various entities such as history, keyword searches, bookmarks, time stamps, the number of times sites were searched, URLs viewed, etc. All of these trails can help investigators gather pieces of evidence.

Analyze Android Browser SQLite Database

The database can also be fetched by creating an image of the device using tools like FTK Imager, or the rooting mechanism can be used. The databases can then be copied to the system, and users can view their contents using many external applications. Applications like SQLite DB Browser, SQLite Forensic Explorer, Mozilla Firefox SQLite Manager, etc. can be used to view the browser databases. Many other Windows- and Linux-based applications are available that can be installed to view SQLite database entities.
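
The viewing step can also be scripted. The following is an added example, not code from the original article: it hashes a working copy of a browser database, opens it read-only, reads every table it finds, and confirms the copy is unchanged afterwards. The sample database, its table and column names, and the millisecond timestamp format are constructed assumptions; a real browser.db must be read for its own schema.

```python
import hashlib, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def ms_to_utc(ms):
    # Assumption: value is milliseconds since the Unix epoch; confirm per browser.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def examine(db_path):
    """Read every user table from a working copy without writing to it."""
    digest = sha256(db_path)  # record the hash before touching the file
    # mode=ro refuses writes; immutable=1 disables locking on the copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    try:
        names = [r["name"] for r in con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        tables = {}
        for n in names:  # schema is discovered, not assumed
            quoted = '"' + n.replace('"', '""') + '"'
            tables[n] = [dict(r) for r in con.execute(f"SELECT * FROM {quoted}")]
    finally:
        con.close()
    if sha256(db_path) != digest:
        raise RuntimeError("working copy changed during examination")
    return digest, tables

def build_sample(path):
    # Constructed stand-in for an acquired browser.db; names are hypothetical.
    con = sqlite3.connect(str(path))
    con.executescript("""
        CREATE TABLE history(url TEXT, title TEXT, visits INTEGER, date INTEGER);
        CREATE TABLE searches(search TEXT, date INTEGER);
        INSERT INTO history VALUES('http://example.com/', 'Example', 3, 1507026600000);
        INSERT INTO searches VALUES('example query', 1507026000000);
    """)
    con.close()

if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "browser.db"
    build_sample(sample)
    digest, tables = examine(sample)
    print("SHA-256:", digest)
    for name, rows in tables.items():
        for row in rows:
            print(name, {k: ms_to_utc(v) if k == "date" else v for k, v in row.items()})
```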