Abstract:
Traces found on Android smartphones form a significant part of digital investigations. A key component of these traces is the date and time, often formed as timestamps. These timestamps allow the examiner to relate the traces found on Android smartphones to some real event that took place. This paper performs exploratory experiments that involve the manipulation of timestamps found in SQLite databases on Android smartphones. Based on observations, specific heuristics are identified that may allow for the identification of manipulated timestamps. To overcome the limitations of these heuristics, a new reference architecture for Android applications is also introduced. The reference architecture provides examiners with a better understanding of Android applications as well as the associated digital evidence. The results presented in the paper show that the suggested techniques to establish the authenticity and accuracy of digital evidence are feasible.