Residual network data structures in Android devices

Author
Cardwell, Gregory S.
Date
2011-09
Advisor
Beverly, Robert
Garfinkel, Simson
Abstract
The emergence and recent ubiquity of Smartphones present new opportunities and challenges to forensic examiners. Smartphones enable new mobile application and use paradigms by being constantly attached to the Internet via one of several physical communication media, e.g. cellular radio, WiFi, or Bluetooth. The Smartphone's storage medium represents a potential source of current and historical network metadata and records of prior data transfers. By using known ground truth data exchanges in a controlled experimental environment, this thesis identifies network metadata stored by the Android operating system that can be readily retrieved from the device's internal non-volatile storage. The identified network metadata can ascertain the identity of prior network access points to which the device associated. An important by-product of this research is a well-labeled Android Smartphone image corpus, allowing the mobile forensic community to perform repeatable, scientific experiments, and to test mobile forensic tools.