Digital Forensics Analysis of Ubuntu Touch on PinePhone

New smartphones made by small companies enter the technology market everyday. These new devices introduce new challenges for mobile forensic investigators as these devices end up becoming pertinent evidence during an investigation. One such device is the PinePhone from Pine Microsystems (Pine64). These new devices are sometimes also shipped with OSes that are developed by open source communities and are otherwise never seen by investigators. Ubuntu Touch is one of these OSes and is currently being developed for deployment on the PinePhone. There is little research behind both the device and OS on what methodology an investigator should follow to reliably and accurately extract data. This results in potentially flawed methodologies being used before any testing can occur and contributes to the backlog of devices that need to be processed. Therefore, in this paper, the first forensic analysis of the PinePhone device with Ubuntu Touch OS is performed using Autopsy, an open source tool, to establish a framework that can be used to examine and analyze devices running the Ubuntu Touch OS. The findings include analysis of artifacts that could impact user privacy and data security, organization structure of file storage, app storage, OS, etc. Moreover, locations within the device that stores call logs, SMS messages, images, and videos are reported. Interesting findings include forensic artifacts, which could be useful to investigators in understanding user activity and attribution. This research will provide a roadmap to the digital forensic investigators to efficiently and effectively conduct their investigations where they have Ubuntu Touch OS and/or PinePhone as the evidence source.

Forensic Investigation of Google Assistant

Google Nest devices have seen a rise in demand especially with Google’s huge advantage in search engine results and a complex ecosystem that consists of a range of companion devices and compatible mobile applications integrated and interacting with its virtual assistant, Google Assistant. This study undertakes the forensics extraction and analysis of client-centric and cloud-native data remnants left behind on Android smartphones by the Google Home and Google Assistant apps used to control a Google Nest device. We identified the main database and file system storage location central to the Google Assistant ecosystem. From our analysis, we show forensic artifacts of interest associated with user account information, the chronology and copies of past voice conversations exchanged, and record of deleted data. The findings from this study describe forensic artifacts that could assist forensic investigators and can facilitate a criminal investigation.

Malware Analysis Using Volatility

Volatile Data of a computer is a temporary and they are created when a computer system is running aka in operational condition. They are removed immediately when the system powered off. It is stored on the Random Access Memory (RAM) and other temporary storage units such as Registars of the Computer and not in the main storage partitions of Hard Drives. It could be emails related information, chats or browser history, running processes related information, unsaved data, clipboard contents etc. The analysis of volatile memory for extracting forensic artifacts is called Memory Forensic. Volatile Memory contains the most valuable information about running programs and instructions including running system processes, kernel drivers, loaded modules, executed commands, executable paths, active Network Connections, etc.