BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:EviHunter: Identifying Digital Forensic Artifacts from Android App
 s/Devices via Static & Dynamic Analysis + Android™ App Forensic Art
 ifacts Database - Yong Guan\, Iowa State University
DTSTART:20230721T150000Z
DTEND:20230721T160000Z
UID:TALK203113@talks.cam.ac.uk
CONTACT:Hridoy Sankar Dutta
DESCRIPTION:We are seeing the increasing trend of mobile app evidence in r
 eported cases in the US and globally. Our prior study on the global app ma
 rkets showed that real-world mobile apps have exceeded 8 million\, and man
 y apps have been frequently updated. Commercial mobile device forensic too
 lkits\, such as Cellebrite UFED\, can help physically acquire\, search\, a
 nd recover evidence and assist with reporting. However\, most crime labs
  suffer from significantly large backlogs due to an overly long
  investigation process (it often takes one or two days of an
  investigator’s effort per device\, with an average of 40-80 apps on a
  device). The lack of expert knowledge on many of these a
 pps has led to the inability to identify and discover evidence\, sometimes
  misunderstanding the evidence\, which resulted in error-prone investigati
 ons\, subsequently contributing to large backlogs in crime labs. Most exis
 ting tools require investigators to have the expertise and related expe
 rience to utilize them\, and the investigative results often heavily depen
 d on the experience and knowledge level of the investigator. With the supp
 ort of NIST\, CSAFE\, and many crime labs\, we have developed EviHunter\, 
 a set of toolkits to simplify and automate the mobile device investigation
  process with better guarantees in terms of completeness and accuracy. Evi
 Hunter leverages taint analysis to retrieve the information flow within an
  app from source APIs to sink APIs to deliver detailed\, accurate\, and ti
 mely findings of digital evidence stored in the local file system or from 
 a third-party cloud server (e.g.\, Google/Amazon/Microsoft). Our dynamic E
 viHunter modified the Android OS and forced the system to always enter an
  interpreter mode\, where we have inserted taint propagation code to foll
 ow the data flow in an app. We have cross-validated the analysis result fr
 om static and dynamic EviHunter\, and are building the integrated results 
 into the Android app forensic artifacts database. With it\, practitioners 
 can hopefully reduce the investigation of one device to 20 minutes of work
  with repeatable and verifiable guarantees. At the end of the talk\, we wi
 ll discuss several future directions this line of research can lead to. We
  also briefly discuss other interesting forensic\, security\, and privacy 
 research issues and efforts.\n\nRECORDING: Please note\, this event will b
 e recorded and will be available after the event for an indeterminate peri
 od under a CC BY-NC-ND license. Audience members should bear this in mind
  before joining the webinar or asking questions.
LOCATION:Webinar & FW11\, Computer Laboratory\, William Gates Buildin
 g.
END:VEVENT
END:VCALENDAR
