Streamlining Android Browser Forensics & Examination
Android forensics has become an important part of digital forensics, because suspects keep personal data on their personal phones. This is the main reason why smartphone forensics, especially for Android (a very popular phone OS), is important. It applies forensic methods to the artefacts collected for an investigation, such as app information, databases generated by apps, messenger information, call logs, file manager data, etc. Among all these artefacts, the most relevant source of evidence is browser files. Android browser forensics includes several stages, such as collecting the databases belonging to the various browsers, viewing and analyzing the data records, and identifying evidence. Reconstructing the browser history of an Android phone is also one of the key procedures in such an investigation.
Browsers Available for Android
Many browser applications are available for Android phones. All of these browsers store information such as browser history in a .sqlite or .db database. Some of the browsers commonly used are:
- Firefox Mobile
- Android Browser
- Opera Mini
- Opera Mobile
- Google Chrome
During an investigation, the examiner must know which browser the suspect uses. It is possible, however, that the suspect uses more than one browser, or a combination of several different types.
Android Security Model
The very first stage of Android browser forensics analysis, collection, is difficult. This is because of the Android security model, which keeps application processes running in protected layers. The model ensures that no application can interfere with another application or has permission to perform operations that affect it. Every application gets its own unique User ID and Group ID, and its files and databases are protected. The same applies to the SQLite databases that store browser information.
Unfortunately, because of these security layers, the examiner has to root the Android device. Rooting removes all the security layers and limitations that device manufacturers apply. It makes it possible to mount the active partition of the device and create a copy of it for forensic investigation. Once the Android device is rooted, the databases belonging to the different browsers can be acquired for further examination.
Path Locations for Android Browser Databases
During Android browser forensics analysis, the browser databases can be acquired from the following locations on the device:
For Android Browser: /data/data/com.android.browser
For Opera Mini: /data/data/com.opera.mini.android
The browser database files (browser.db) contain various entities such as history, keyword searches, bookmarks, timestamps, the number of times sites were searched, URLs viewed, etc. All of these trails can help investigators find evidence.
Analyze Android Browser SQLite Database
The database can be fetched by creating an image of the device with a tool such as FTK Imager, or through a rooting mechanism. The databases can then be copied to the examiner's system and their contents viewed with external applications such as SQLite DB Browser, SQLite Forensic Explorer, Mozilla Firefox SQLite Manager, etc. Many other Windows- and Linux-based applications are available that can be installed for viewing SQLite database entities.
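The viewing step can also be scripted. The following is an added example, not code from the original article: it hashes a copied browser.db, opens it read-only, and lists every table with its columns and row count. The sample database, including its table and column names, is constructed for illustration and is an assumption, not a schema taken from the article.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash the evidence copy so any later change can be detected."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(db_path):
    """Inventory the tables of a copied browser database without writing to it."""
    before = sha256_of(db_path)
    # mode=ro refuses writes; immutable=1 tells SQLite the file cannot change,
    # so it takes no locks on the evidence copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = {}
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({quoted})")]
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            tables[name] = {"columns": cols, "rows": rows}
    finally:
        con.close()
    return {"sha256": before, "unchanged": sha256_of(db_path) == before,
            "tables": tables}

def build_sample(path):
    """Constructed sample only: table and column names here are assumptions."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE bookmarks (_id INTEGER PRIMARY KEY, title TEXT, url TEXT,
                                visits INTEGER, date INTEGER);
        CREATE TABLE searches (_id INTEGER PRIMARY KEY, search TEXT, date INTEGER);
        INSERT INTO bookmarks VALUES (1, 'Example', 'http://example.com/', 3, 1400000000000);
        INSERT INTO searches VALUES (1, 'example query', 1400000001000);
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "browser.db")
    build_sample(sample)
    print(triage(sample))
```

Recording the hash before opening the file and comparing it afterwards documents that the examination did not alter the copy.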