ADEL which is meant as an abbreviation of “Android Data Extractor Lite”. ADEL was developed for versions 2.x of Android and is able to automatically dump selected SQLite database files from Android devices and extract the contents stored within the dumped files. In this section we describe the main tasks of ADEL and what steps the tool actually performs.
However, there are conditions that must apply for ADEL to work correctly. These conditions are stated in the following sections, corresponding to the relevant tasks. A flow chart showing the structure of ADEL is depicted in the following figure:
During the development of ADEL we primarily took into account the following design guidelines:
Forensic principles: ADEL is intended to treat data in a forensically correct way. This goal is reached by the fact that activities are not conducted directly on the phone but on a copy of the databases. This procedure assures that data does not become changed, neither by the users of ADEL nor by an uncompromised operating system. In order to proof the forensic correctness of ADEL, hash values are calculated prior and after each analysis, to guarantee that dumped data did not become changed during analysis.
Extendibility: ADEL has been modularly built and contains two separate modules: the analysis and the report module. Predefined interfaces exist between these modules and both of them can be easily amended by additional functions. The modular structure allows for dumping and analyzing further databases of smartphones without great effort and facilitates updates of the system in the future.
Usability: The use of ADEL is intended to be as simple as possible to allow its use by both qualified persons and non-experts. At best, the analysis of the mobile phone is conducted in an autonomous way so that the user does not receive any notice of internal processes. Moreover, the report module creates a detailed report in a readable form, including all of the decoded data. During the execution, ADEL optionally writes an extensive log file where all of the important steps that were executed are traced.
ADEL makes use of the Android Software Development Kit (Android SDK) and especially the adb deamon to dump database files to the investigator’s machine.
To extract contents contained within a SQLite database file ADEL parses the low-level data structures. After having opened the database file that is to be parsed in read-only mode, ADEL reads the database header (first 100 bytes of the file) and extracts the values for each of the header fields. Not all, but some of the values in the header fields are necessary to be able to parse the rest of the database file. An important value is the size of the pages in the database file which is required for parsing the b-tree structures (page-wise). After having read the database header fields, ADEL parses the b-tree that contains the “sqlite_master” table for which the first page of the database always is the root page. The SQL CREATE statement and the page number of the b-tree root page are extracted for each of the database tables. Additionally, the SQL CREATE statement is further analyzed to extract the name and the data type for each column of the corresponding table. Finally the complete b-tree structure is parsed for each table, beginning at the b-tree root page that was extracted from the “sqlite_master” table. Every leaf page of the b-tree is identified by following the pointers of all of the interior pages. Finally the row contents of each table are extracted from the cells found in any leaf page that belongs to the same table b-tree.
Within this section we address the report module and its functionalities. In the current development state, the following databases are forensically treated and parsed:
- telephone and SIM-card information (e. g. IMSI and serial number)
- telephone book and call lists,
- calendar entries,
- SMS messages,
- GPS locations from different sources on the smartphone.
Data retrieved this way is written to an XML-File by the report module in order to ease further use and depiction of the data. As the analysis module, it can be easily updated regarding possible changes in future Android versions or in the underlying database schemas. Therefore, we have created different tuple – e. g. [table, row, column] – to define the data that is exchanged between both modules. If the database design changes in the future, only the tuple have to be adapted. The report module automatically creates XML-files for each of the data types listed above. In addition, a report is created which contains all data extracted from the analyzed databases. With the help of a XSL-file the report will be graphically refurbished. All files created by ADEL are stored in a subfolder of the current project.
