AndroKit: A toolkit for forensics analysis of web browsers on android platform

Due to the pervasive nature of smart phones and devices, users are becoming more and more dependent on such devices for accessing online information. Pervasive use of smart devices has significantly enlarged the attack surface and resulted in a proportional complication of cyber threat intelligence gathering. For such devices, web browsers have become a primary means for accessing information provided on Internet as well as file systems and therefore, web browser forensics is an important component of cyber threat intelligence. The basics of web browser forensics revolve around the artifacts such as web sites visited, malicious URLs, time stamps, counts of access, search histories, cookies, downloaded activities etc. However, leveraging and locating this information can be challenging without the needed prerequisite information. This paper presents how to perform forensics analysis of data structures used by popular web browsers such as Chrome, Opera, Mozilla Firefox, and Dolphin on Android and how a forensic investigator can acquire forensic artifacts from web browsers. To strengthen digital investigation, a toolkit named as AndroKit is proposed for Android web browsers forensics. The paper demonstrates that the AndroKit can successfully acquire and analyze forensic evidence such as Web History, Downloads, Cookies, Bookmarks, Chrome stored user credentials, decode base64 encoded images, Tabs information etc. Finally, a comparative analysis of AndroKit with standard forensic tool-kits such as Oxygen forensics, Andriller, MOBILedit and Belkasoft evidence center has been presented.