A journey into IoT Forensics - Episode 3 - Analysis of an Ematic Android TV OS Box (aka thanks VTO Labs for sharing!)

By -

This the third blog post on the analysis of IoT devices images made available by VTO Labs. The first blog post was about the analysis of Samsung refrigerator, the second one was about the analysis of an LG Smart TV, and this one is about the analysis of an Ematic Android TV Box.

[START DISCLAIMER]

I only had one dataset, so the testing is limited and not to be considered strong and verified. 

The goal is to open a discussion and to provide a first glimpse into the analysis of these types of devices.

[END DISCLAIMER]

The Ematic Jetstream Android TV Box

The third candidate for my research in the VTO Labs dataset was the image of an Ematic Jetstream 4K Ultra HD Android TV Box with Voice Search Remote (model AGT418), an Android TV Box produced by Ematic with the Android TV OS.

Android TV OS is a version of the Android OS developed for televisions, digital media players and set-top boxes.

By searching online I only found a few articles and papers mentioning security and forensic analysis of this specific version of Android.

An interesting article about hacking a Sony Android TV was published by Valerio Mulas in 2019. More recently a vulnerability affecting TCL Smart TV was revealed by the Sick.Codes website. Android TVs are also mentioned in the document "Illegal IPTV in the Europena Union" by EUIPO as a possible mean for illegal online streaming. XDA Developers has an Android TV dedicated forum. 

On the Digital Forensics side I only found a 2016 presentation by Nicole Jarvis.

Image verification and partitioning schema

As in the previous cases, I tried loading the provided image (androidtv.dd) in X-Ways Forensics. By simply loading the image, the tool was not able to find any partitioning schema.


I then used the "Scan for lost partitions" feature, and X-Ways found two EXT4 partitions.


[UPDATE on 4th January 2021]

X-Ways version 20.1 SR-2 can now find 5 partitions.

Thanks Michael Yasumoto for the information and for your testing!

[END UPDATE]

I then did some additional testing with various tools and the best result was provided by Active Partition Recovery, which found five EXT4 partitions. Partitions can be easily extracted and imported in X-Ways Forensics for analysis.

None of the found partitions is a "Data" partition: apparently, no user data is stored on the device. I tried running binwalk, to search also for YAFFS2 file systems, but without success.

System partition

The "System" partition contains the stock Android TV OS and has the typical folder structure of an Android system partition.


The build.prop file contains information about the device (model, brand, name) and the operating system build (description and fingerprint).


The "app" and "priv-app" folders contain native apps. Among the others, we can find some specific apps for the Android TV OS (TVLauncher, TVProvider, TVReccomendations, TVSettings and TVTutorials).



The "media" folder contains some background pictures specifically related to the Android TV OS.

Vendor partition

The "Vendor" partition contains vendor settings (hardware and software) and custom pre-installed apps.

The "build.prop" file contains information about the device (model, brand, name), the operating system build (description and fingerprint), and additional vendor build properties (ringtone, date format, and so on). 


The "app" folder contains vendor preinstalled apps. In the provided dataset we can find, for example, the Netflix App and some specific device settings apps.


Conclusions

The Android TV OS seems almost identical to the Android OS installed on Smartphones and Tablets. 
In the provided dataset the "Data" partition was not found, but only System and Vendor partitions. 

The "System" partition can be useful to identify the specific device, including OS version, brand and model, and the native apps. 

The "Vendor" partition can be analyzed to discover vendor-specific apps, for example for specific settings. 

More research is needed on a dataset that includes also a "Data" partition, especially to study specific apps and settings developed for the Android TV OS. If you have any additional image to share for research, you are very welcome!

I encourage you to provide me any kind of feedback and verify my findings. I'll update the blog post mentioning and thanking the reader.

Comments

Post a Comment

Popular posts from this blog

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information

By -
Image
As explained in the first blog post, I would like to start discussing the acquisition and processing details. The acquisition was done by Josh Hickman using the Cellebrite Premium tool and the result is a Full File System capture in the traditional file format created by UFED. If you open the file EXTRACTION _FFS.zip ZIP you will see that UFED organizes the extracted full file system into 5 subfolders; filesystem1 : extraction of system partition, without the mount point “/private/var/mobile/” (“user data") filesystem2: extraction of the mount point for user data (“/private/var/mobile”) metadata1: metadata for files stored in “filesystem1” metadata1: metadata for files stored in “filesystem2” extra: iOS Keychain As always, when an acquisition is made with UFED, the ZIP file is accompanied by a UFD file that contains all the details of the acquisition process. UFED PA can load an acquisition created with UFED 4PC/Premium by simply loading the UFD file into PA GUI. The user has just
Keep reading

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading