Reconstructing Android User Behavior through Timestamped State Models

Cited by: 0
Authors
Zhou, Honghe [1]
Phuong Dinh Nguyen [1]
Deng, Lin [1]
Xu, Weifeng [2]
Dehlinger, Josh [1]
Chakraborty, Suranjan [1]
Affiliations
[1] Towson Univ, Dept Comp & Informat Sci, Towson, MD 21252 USA
[2] Univ Baltimore, Sch Criminal Justice, Baltimore, MD USA
Source
2023 IEEE 47TH ANNUAL COMPUTERS, SOFTWARE, AND APPLICATIONS CONFERENCE, COMPSAC | 2023
Keywords
Digital Forensics; Android Forensics; Timestamped State Model; MEMORY
DOI
10.1109/COMPSAC57700.2023.00083
Chinese Library Classification number
TP39 [Computer Applications]
Discipline classification code
081203; 0835
Abstract
The recent, rapid development of mobile technology has impacted modern life in significant ways. The ubiquitous utility of Android mobile devices is a perfect example. Android mobile devices store many user data in the memory, and these data could be critical to forensics investigations. Among the data that can be acquired from Android mobile devices, user operations are one of the most important pieces of evidence. They can tell what a suspect or a victim was doing with their mobile devices. However, there is a lack of effective techniques that can help forensics investigators extract user operations from Android mobile devices and reconstruct user operation state models with timestamps. In this paper, we propose an approach that automatically identifies user operations from Android mobile devices' event logs and constructs a timestamped state model. First, we extract system logs relevant to the Android activity lifecycle. Then, we identify patterns in Android activity lifecycle in the logs and investigate the relationship between these lifecycle patterns and actual user operations. After that, we reconstruct user operations into timestamped state models. Using an experimental evaluation with ten real-world Android applications, we demonstrate that the proposed approach can effectively reconstruct timestamped state models, by achieving a mean of 100% activity coverage, a mean of 94.3% user operation coverage, and a mean of 95.5% state model coverage.
Pages: 574-585
Page count: 12