Analysis of Digital Forensics Method on the Smartphone

Abstract: The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. In this paper, we created a smartphone user analysis framework which can extract meaningful digital evidence for digital forensics by analyzing the user's usage of smartphone applications. Furthermore, with this method, we studied a system which can guide a digital forensic analyst to important information. In the future, structured data other than SQLite will be included, and the system will be used to collect and analyze unstructured online data such as SNS data. In particular, the system is expected to become more efficient for digital forensic analysis if algorithms for big data analysis are added.

[Figure: Analysis procedure of Android smartphone digital forensics]

The Android smartphone system usually stores various data such as application usage, work data, and the user's personal data. Data stored in an Android smartphone can be classified as data in SQLite databases, key-value pairs stored as XML data in Shared Preferences, and local file data such as the myriad of log files and cookies [6]. These data are stored in the databases, files, and preferences folders of the /data/data/[Installed Package Name] folder. First, the Android smartphone uses the small SQLite database engine to store data, generally under "/data/data/[Installed Package Name]/databases", with .db as the filename extension or with no extension. Figure 2 shows SQLite data files in the /data/data/[Package Name]/databases folder of Android smartphones.
XML data files in Preferences are constructed as combinations of keys and values and are stored under the "/data/data/[Installed Package Name]/shared_prefs" folder. Figure 2 illustrates the XML data files in /data/data/[Package Name]/shared_prefs of Android smartphones.
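The classification described above can be sketched as follows. This is an added example, not code from the paper: it sorts the files of one extracted package folder into SQLite databases (recognized by file header, since the extension may be missing), preference key-value pairs, and other local files. The function names and the sample tree are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def is_sqlite(path):
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def read_prefs(path):
    """Key/value pairs from one preferences XML file (a <map> of typed elements)."""
    prefs = {}
    for el in ET.parse(path).getroot():
        # <string name="k">v</string>; boolean/int/long/float carry value="..."
        prefs[el.get("name")] = el.text if el.tag == "string" else el.get("value")
    return prefs

def inventory(package_dir):
    """Sort every file under an extracted package folder into the three data classes."""
    found = {"sqlite": [], "prefs": {}, "other": []}
    for dirpath, _dirs, files in os.walk(package_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, package_dir).replace(os.sep, "/")
            if is_sqlite(path):  # content check, since the extension may be absent
                found["sqlite"].append(rel)
            elif rel.startswith("shared_prefs/") and name.endswith(".xml"):
                try:
                    found["prefs"][rel] = read_prefs(path)
                except ET.ParseError:  # damaged file: keep it listed, unparsed
                    found["other"].append(rel)
            else:
                found["other"].append(rel)
    found["sqlite"].sort()
    found["other"].sort()
    return found

def build_sample(root):
    """Constructed sample tree standing in for one extracted package folder."""
    header = SQLITE_MAGIC + b"\x00" * 84  # header stub only, not a full database
    samples = {"databases/contacts2.db": header, "databases/webview": header,
               "shared_prefs/settings.xml": b"<map><string name='account'>user@example.com"
               b"</string><boolean name='sync' value='true' /></map>",
               "shared_prefs/broken.xml": b"<map><string name='x'>",
               "files/app.log": b"constructed log line\n"}
    for rel, data in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
```

Run `inventory()` against a working copy of the extracted image, never the original evidence; `build_sample()` only creates the constructed test tree.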

III. SUB ANALYSIS SYSTEM
The SUB (Smartphone User Behavior) analysis system collects data stored under the /data/data/[Package Name]/ folder according to data type. This covers unstructured data, namely the contents of the files and preferences folders under /data/data, clipboard contents in the user storage file, files related to the network settings, and log files related to the Android system, as well as structured data in the SQLite DB files stored in the databases folder. The collected data are used to build a system which calculates various weight values, such as weights on deleted files, on repeated calls, and on the reaction after a connection to important targets, and delivers the results to the digital forensic analyst ordered by level of importance. Figure 3 shows the SUB analysis system architecture.

IV. EXPERIMENT AND DISCUSSION
In this paper, we access the necessary data directly by rooting the device and using the EnCase program to collect data from an Android smartphone. Figure 4 shows the image data extraction of an LGGX2 Android smartphone using EnCase. The storage paths of the user's behavior data in the collected smartphone image are as follows. Call-related behavior of smartphone users is stored in the SQLite database "com.android.providers.contacts/databases/contacts2.db", and SMS/MMS-related behavior is stored in the SQLite database "com.android.providers.telephony/databases/mmssms.db". Internet Wi-Fi connection behavior is stored in /data/misc/wifi/WifiConnectionSuccessList and /data/misc/wifi/WifiConnectionFailList. Data on picture- and video-related behavior are stored in /sdcard/dcim/camera/.
A total of 919 user data items were collected from the LGGX2 Android smartphone in the experiment. Among these, only 822 meaningful items were separated out and used for the analysis. Targets for key digital evidence can be identified by analyzing the amount of calls and the number of calls of Android smartphone users. In addition, new targets can be added by analyzing the daily and hourly calls of a previously identified major target.
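The call analysis described above can be illustrated with a short query script. This is an added example, not the SUB system's code: it assumes a `calls` table with `number`, `date` (epoch milliseconds), `duration` (seconds) and `type` columns, which is a subset of the call-log schema and varies by Android version, and it runs on constructed sample rows in an in-memory database.

```python
import sqlite3
from datetime import datetime, timezone

def ms(*ymdhm):
    """Epoch milliseconds (UTC), the unit assumed here for calls.date."""
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample rows: (number, date, duration in seconds, type)
# type: 1 = incoming, 2 = outgoing, 3 = missed
SAMPLE_CALLS = [
    ("555-0101", ms(2015, 3, 2, 22, 10), 620, 2),
    ("555-0101", ms(2015, 3, 2, 22, 55), 45, 2),
    ("555-0101", ms(2015, 3, 3, 22, 5), 300, 1),
    ("555-0101", ms(2015, 3, 3, 9, 30), 0, 3),
    ("555-0102", ms(2015, 3, 2, 12, 0), 900, 1),
    ("555-0102", ms(2015, 3, 3, 12, 30), 100, 2),
    ("555-0103", ms(2015, 3, 3, 18, 0), 30, 1),
]

def load_sample():
    """In-memory stand-in for contacts2.db; a real copy should be opened
    read-only, e.g. sqlite3.connect("file:contacts2.db?mode=ro", uri=True)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT,"
                " date INTEGER, duration INTEGER, type INTEGER)")
    con.executemany("INSERT INTO calls (number, date, duration, type)"
                    " VALUES (?, ?, ?, ?)", SAMPLE_CALLS)
    return con

# Fixed ORDER BY clauses, so the caller never supplies SQL text
ORDERINGS = {"count": "n DESC, secs DESC", "duration": "secs DESC, n DESC"}

def rank_contacts(con, by="count"):
    """(number, number of calls, total seconds) per contact, highest first."""
    return con.execute(
        "SELECT number, COUNT(*) AS n, SUM(duration) AS secs FROM calls"
        " GROUP BY number ORDER BY " + ORDERINGS[by]).fetchall()

def profile(con, number, fmt):
    """Calls with one number bucketed by a strftime format:
    '%Y-%m-%d' gives the daily profile, '%H' the hourly one (UTC)."""
    return dict(con.execute(
        "SELECT strftime(?, date / 1000, 'unixepoch') AS bucket, COUNT(*)"
        " FROM calls WHERE number = ? GROUP BY bucket ORDER BY bucket",
        (fmt, number)).fetchall())

if __name__ == "__main__":
    con = load_sample()
    print(rank_contacts(con), profile(con, "555-0101", "%H"))
```

In the constructed data the two rankings disagree: 555-0101 leads by number of calls and 555-0102 by total call time, which is why both measures are worth reporting.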
V. CONCLUSION
With the development of IT, the use of mass storage devices and various digital devices has led to more diverse and higher-capacity devices, and conventional digital forensic analysis methods therefore show limitations. Moreover, with the proliferation of smartphones, users can do web surfing, office work, multimedia, calls, MMS, social networking, etc. on smart devices running Android or iOS. As a result, the data stored on smart devices is considered the most significant evidence in digital forensics, and research on smart devices is being actively pursued. This becomes more important when one has to analyze various data which are spread everywhere. Among the tremendous amount of data, it is difficult to find meaningful information.
In this paper, we created a smartphone user analysis framework which can extract meaningful digital evidence for digital forensics by analyzing the user's usage of smartphone applications. Furthermore, with this method, we studied a system which can guide a digital forensic analyst to important information. In the future, structured data other than SQLite will be included, and the system will be used to collect and analyze unstructured online data such as SNS data. In particular, the system is expected to become more efficient for digital forensic analysis if algorithms for big data analysis are added.

ACKNOWLEDGMENT
Funding for this paper was provided by Namseoul University.