DFRWS 2011 Forensics Challenge Results


Results

There were many participants and four official submissions to the DFRWS 2011 Forensics Challenge, which required the reconstruction and analysis of evidence collected from the flash-memory storage of two Android mobile devices. The challenge comprised tasks of varying difficulty, with some relevant data discoverable with fairly straightforward methods and tools. Other tasks required developing tools or techniques to locate and extract the necessary data for analysis. As in prior years, we were pleased that submissions came from not just researchers and developers, but also practitioners in the community.

We thank all contestants for their valuable work and their willingness to share their results, tools and techniques with the community. Their collective efforts in addressing the more technical aspects of the challenge shed light on approaches that will advance the state of practice in our community.

The overview presentation given at DFRWS 2011 can be found here.

The submissions are listed below with a short description and a link to a folder where the submission can be found. Inside of the folder is a .zip file that contains the entire submission.

The Winner

The winning submission for the DFRWS2011 Forensics Challenge was created by Ivo Pooters, Steffen Moorrees & Pascal Arends from Fox-IT in the Netherlands. This submission has multiple parts:

  1. An open source toolkit for extracting and analyzing data stored on Android devices;
  2. The analysis of the Challenge scenario that addresses the scenario questions;
  3. Tool output organizing extracted data to facilitate analysis;
  4. Technical documentation detailing the data structures and low-level analysis required to develop tools.

The submission developed Python utilities for extracting information from the Android data in both scenarios. For Scenario 1, data structures were carved from the dd image. For Scenario 2, the YAFFS2 file system was mounted in Linux and information was extracted from files and databases on the system. The report provided a strong overall synthesis of the evidence and its application to the scenario, including an analysis of malware installed on one device. The analysis culminated in an impressive visual reconstruction of the evidence. The care taken to present results in an organized manner to facilitate analysis was evident throughout this submission, including the arrangement of extracted information into a report such as the one shown here:

Other Submissions

  • Jewan Bang, Jungheum Park, Hyunji Chung, Dohyun Kim and Sangjin Lee from Korea University, Digital Forensic Research Center: The DFRC team developed custom tools (yaffs2fordroidimage and yaffs2PageAnalyzer) to parse YAFFS2 data, and made extensive efforts to reconstruct the logical arrangement of the data. This submission had strong tool coverage and analysis, looked for a wide variety of data formats, and addressed the challenge questions. The tool development included the ability to parse the YAFFS2 file system and extract files from the Scenario 2 data, as shown here:
  • Apurva Rustagi: This submission concentrated on recovering relevant data from both images with a collection of custom carving programs. The results were outlined in a well-documented report addressing the challenge questions and a separate technical report.
  • P. V. Burenin: This submission also focused on carving data using bespoke tools, together with other tools for interpreting Android information stores. Scenario 1 was analyzed using this approach, and a report prepared with an overview of the results and a guide to the recovered data.

Judging Process

Submissions were evaluated based on the completeness and accuracy of the findings, organization and presentation of results, and on effort developing new techniques and tools. The highest scores were awarded to the submissions that produced the most complete and accurate results, and that contributed significant new tools and techniques.

©2001-2011 DFRWS   |   dfrws [at] dfrws [dot] org  

DFRWS is a US 501(c)(3) non-profit organization.