Android Software Reverse Engineering & Decompilation

Forensic Analysis with DEX: Recovering Deleted Code and Hidden Assets


Introduction to DEX File Forensics

The Android Dalvik Executable (DEX) file format is the compiled bytecode container for applications running on the Android platform. It’s a treasure trove of information for reverse engineers and forensic analysts, containing everything from compiled application logic to embedded strings and resource paths. Often, when developers attempt to remove sensitive code or assets, they only delete the references to it, leaving the underlying data intact within the DEX file. This article dives deep into the DEX file structure, demonstrating expert-level techniques to recover seemingly deleted code and unearth hidden assets.

Understanding how data is organized within a DEX file is crucial for effective forensic analysis. We’ll explore methods to identify and reconstruct program logic or sensitive information that developers believed they had erased.

Understanding the DEX File Structure

A DEX file is a highly structured archive. Its primary sections include:

  • Header: Contains file magic, checksums, and offsets to other sections.
  • String IDs List: An array of offsets pointing to string literals in the data section.
  • Type IDs List: References to string IDs, representing classes and primitive types.
  • Proto IDs List: Defines method prototypes (return type and parameters).
  • Field IDs List: References to types and strings, representing class fields.
  • Method IDs List: References to types, protos, and strings, representing class methods.
  • Class Defs List: Defines each class in the DEX, including its superclass, interfaces, source file, annotations, static/instance fields, and direct/virtual methods.
  • Map List: A list of all sections in the DEX file, with their types, sizes, and offsets.
  • Data Section: Contains the actual raw data referenced by other sections, such as string data, code items, class data items, and debug info.

The key insight for forensic recovery is that ‘deletion’ in software often means removing pointers or references, not necessarily wiping the raw data. The data section, in particular, can harbor unreferenced code or strings that are still physically present.
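To make the layout above concrete, here is an added Python example (not code from the article) that parses the header and the string_ids table and then scans the data section for string_data_item-shaped bytes that no string_id references. It runs on a minimal DEX image constructed inline for the demonstration, and the orphan scan is a heuristic (printable ASCII only) that an analyst would refine for real files.

```python
import struct
# The 20 u4 fields that follow magic/checksum/signature in the 0x70-byte dex header
HEADER_FIELDS = ("file_size header_size endian_tag link_size link_off map_off string_ids_size "
                 "string_ids_off type_ids_size type_ids_off proto_ids_size proto_ids_off "
                 "field_ids_size field_ids_off method_ids_size method_ids_off class_defs_size "
                 "class_defs_off data_size data_off").split()

def parse_header(buf):
    """Decode the little-endian DEX header into a dict of section sizes and offsets."""
    assert buf[:4] == b"dex\n", "not a DEX file"
    return dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", buf, 32)))

def read_uleb128(buf, off):  # -> (value, offset just past the integer)
    result, shift = 0, 0
    while buf[off] & 0x80:
        result, shift, off = result | (buf[off] & 0x7F) << shift, shift + 7, off + 1
    return result | buf[off] << shift, off + 1

def string_data_at(buf, off):
    """Decode a string_data_item (ULEB128 utf16 length, MUTF-8 bytes, NUL); None if it does not fit."""
    try:
        n, p = read_uleb128(buf, off)
        raw = buf[p:buf.index(b"\x00", p)]
    except (IndexError, ValueError):
        return None
    # Conservative filter: printable ASCII whose byte length equals the declared utf16 length
    if n == 0 or len(raw) != n or any(c < 0x20 or c > 0x7E for c in raw):
        return None
    return raw.decode("ascii")

def referenced_strings(buf, hdr):  # {offset: text} for every string reachable via string_ids
    offs = struct.unpack_from("<%dI" % hdr["string_ids_size"], buf, hdr["string_ids_off"])
    return {o: string_data_at(buf, o) for o in offs}

def orphan_strings(buf, hdr, min_len=4):
    """Scan the data section for string_data_item-shaped bytes that no string_id points to."""
    known, start = referenced_strings(buf, hdr), hdr["data_off"]
    return {off: s for off in range(start, start + hdr["data_size"]) if off not in known
            and (s := string_data_at(buf, off)) is not None and len(s) >= min_len}

def build_sample_dex():
    """Constructed sample (not a real app): strings 0-1 are in string_ids, the third is orphaned."""
    strings = [b"Lcom/example/App;", b"onCreate", b"Lcom/example/Secret;"]
    data_off, data, offs = 0x70 + 2 * 4, b"", []   # header, then two 4-byte string_id entries
    for s in strings:
        offs.append(data_off + len(data))
        data += bytes([len(s)]) + s + b"\x00"       # one-byte ULEB128 length (all < 128)
    hdr = struct.pack("<8sI20s20I", b"dex\n035\x00", 0, b"\x00" * 20,
                      data_off + len(data), 0x70, 0x12345678, 0, 0, 0, 2, 0x70,
                      *([0] * 10), len(data), data_off)
    return hdr + struct.pack("<2I", *offs[:2]) + data
```

On the constructed image, orphan_strings reports the class name that no string_id references, which is exactly the kind of leftover a hex editor or dexdump pass would otherwise miss.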

Essential Tools for DEX Analysis

Effective DEX forensic analysis relies on a suite of specialized tools:

  • dexdump: A part of the Android SDK build tools, useful for quickly getting a high-level structural overview of a DEX file and dumping specific sections.
  • baksmali/smali: These tools convert DEX bytecode to human-readable Smali assembly and vice-versa. Essential for understanding recovered code.
  • apktool: A versatile tool for decompiling and rebuilding APKs, allowing access to the DEX files and resources.
  • Hex Editor (e.g., HxD, 010 Editor, Bless Hex Editor): Indispensable for raw byte-level inspection and manipulation of the DEX file to identify unreferenced data.
  • Python with dexparser or custom scripts: For programmatic parsing and automated analysis of DEX structures, especially for scanning large files for specific patterns.

Recovering Deleted Code Items

How Code “Deletion” Manifests in DEX

Each method’s executable bytecode resides within a code_item structure in the DEX data section. A method_id_item in the method_ids_list points to this code_item via an offset. When a method or an entire class is
