
Open source forensic agent

Primary supervisor

Amin Sakzad

Co-supervisors


An "agent" or "client", in the context of mobile forensics, is the program deployed to a mobile device (typically by means of an exploit) to facilitate extraction of data from the phone. Some agents also perform other functions, such as passcode brute-force attacks.

The major vendors in mobile forensics usually obtain extractions by installing a forensic client on the device. This client is normally deployed via exploits, runs in memory, and leaves little or no trace of its installation once it is removed. It is normally lost if the device loses power or reboots for any reason, although in some cases it can ensure the device remains in the After First Unlock (AFU) state following a reboot. These agents are usually proprietary and specific to one forensic vendor.


Aim/outline

The aim of this project is to create an open source forensic agent that anyone could deploy onto a device to which they have root access. The agent would be clearly documented and vendor agnostic, meaning that extractions would not depend on any specific vendor's software. It could also potentially put the device into a forensic mode that ensures perishable data is retained indefinitely and that re-extraction can be completed faster.

To be clear, this project would not involve actively exploiting devices, but rather successfully ensuring the preservation and availability of data on devices after exploitation.


We also aim to explore an agent that performs rapid on-device analysis and reporting of the device's content, or that runs an AI agent on the phone to analyse the user's data. Whatever the approach, any processing the agent performs must be forensically sound.


Deploying a lightweight open-source agent that parses various user records could be the output of this project.
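As an added illustration of the forensic-soundness requirement (this is not code from the project or its supervisors), the following Python script shows the kind of record-keeping an agent could do around an extraction: copy the record files it parses into an evidence bundle, write a manifest of SHA-256 hashes and sizes, and later verify that nothing in the bundle changed. The file names, the record contents and the `session_id` stand-in for a per-boot identifier are constructed assumptions.

```python
import hashlib, json, pathlib, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(src_root, dest_root, session_id):
    """Copy every file under src_root into dest_root and write manifest.json.
    session_id is a constructed stand-in for a per-boot identifier: the agent is lost
    on reboot, so recording it lets a re-extraction show whether the device rebooted."""
    src_root, dest_root = pathlib.Path(src_root), pathlib.Path(dest_root)
    entries = []
    for p in sorted(src_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src_root).as_posix()
        data = p.read_bytes()                      # read once, hash exactly what was read...
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)                   # ...and write exactly those bytes
        entries.append({"path": rel, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "src_mtime": p.stat().st_mtime})
    manifest = {"session_id": session_id, "acquired_at": time.time(), "files": entries}
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify(dest_root):
    """Re-hash the bundle against its manifest; returns the paths that no longer match."""
    dest_root = pathlib.Path(dest_root)
    manifest = json.loads((dest_root / "manifest.json").read_text())
    return [e["path"] for e in manifest["files"]
            if not (dest_root / e["path"]).is_file()
            or (dest_root / e["path"]).stat().st_size != e["size"]
            or sha256_file(dest_root / e["path"]) != e["sha256"]]

def demo():
    """Constructed sample run: two fake record files, acquire, verify, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = pathlib.Path(tmp, "device"), pathlib.Path(tmp, "evidence")
        (src / "sms").mkdir(parents=True)
        (src / "sms" / "mmssms.db").write_bytes(b"abc")   # constructed stand-in, not a real DB
        (src / "contacts.db").write_bytes(b"constructed contact records")
        manifest = acquire(src, dst, session_id="boot-0001")
        clean = verify(dst)                                 # expected: [] (bundle intact)
        (dst / "sms" / "mmssms.db").write_bytes(b"abd")     # simulate post-acquisition change
        return {"clean": clean, "tampered": verify(dst),    # expected: ["sms/mmssms.db"]
                "abc_hash": manifest["files"][1]["sha256"]}
```

The manifest is what a later examiner checks against, so the agent should hash the bytes it actually wrote rather than re-reading the source, which on a live device may already have changed.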

Required knowledge

Students familiar with Java, Android app development and Android security would be ideal.

It would also be good if they could have completed IT Forensics (FIT3168 or FIT5223) or be studying it concurrently.