|Abstract:||Most of our daily activities are carried out by means of mobile applications, that typically generate and store on the device large sets of data.
The forensic analysis of these data thus plays a crucial role during an investigation, as it allows to reconstruct the above activities.
Manually analyzing these applications is a long, tedious, and error-prone task.
In this paper we present the design, implementation, and evaluation of AnForA, a software tool that automates most of the activities that need to be carried out to forensically analyze Android applications, and that has been designed in such a way to yield various important properties, namely fidelity, completeness, soundness, effectiveness, repeatability, and generality.
AnForA is based on a dynamic "black box" approach, in which the application to be analyzed is first installed on a virtualized Android device, and then a set of experiments are carried out, in which actions of interest are automatically performed on the application by emulating a human user that interacts with its interface.
During the experiments, the filesystems of the device storage are actively monitored, so that the data created or modified by each one of these actions can be located and correlated with that action.
We have devised a proof-of-concept implementation of AnForA, that we use to assess its ability in achieving its design goals, by analyzing through it several Android applications already studied in the literature, so that we can compare AnForA's results against those reported in these papers.
The results of our evaluation confirm that AnForA greatly simplifies the forensic analysis of Android applications, and exhibits all the properties mentioned above.|