A Tool for Volatile Memory Acquisition from Android Devices


Memory forensic tools provide a thorough way to detect malware and investigate cyber crimes. However, existing memory forensic tools must be compiled against the exact version of the kernel source code and the exact kernel configuration. This poses a problem for Android devices because there are more than 1,000 manufacturers and each manufacturer maintains its own kernel. Moreover, new security enhancements introduced in Android Lollipop prevent most memory acquisition tools from executing. This chapter describes AMExtractor, a tool for acquiring volatile physical memory from a wide range of Android devices with high integrity. AMExtractor uses /dev/kmem to execute code in kernel mode, which is supported by most Android devices. Device-specific information is extracted at runtime without any assumptions about the target kernel source code and configuration. AMExtractor has been successfully tested on several devices shipped with different versions of the Android operating system, including the latest Android Lollipop. Memory images dumped by AMExtractor can be exported to other forensic frameworks for deep analysis. A rootkit was successfully detected using the Volatility Framework on memory images retrieved by AMExtractor.
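The abstract states that AMExtractor extracts device-specific information at runtime rather than relying on the kernel source or configuration. One piece of such information that every physical-memory acquisition tool needs is the physical address layout, that is, which ranges hold RAM and which are reserved or device registers, because only the RAM ranges can be read and saved. On Linux, including Android kernels, this layout is exposed in /proc/iomem (readable by root). The following is an added example, not AMExtractor's own code and not a method the paper describes: a small parser that recovers the "System RAM" ranges from /proc/iomem-style text, so an examiner can check the size and coverage of a dump. The sample input is a constructed excerpt in that format, not a capture from a real device.

```python
"""Parse /proc/iomem-style text to recover physical "System RAM" ranges.

Added example (assumption: this is not AMExtractor's code; it only shows the
kind of runtime, device-specific information a physical-memory acquisition
tool must determine). The sample below is constructed, not from a real device.
"""
import re
from typing import List, Tuple

# Constructed /proc/iomem excerpt: two RAM banks separated by a reserved hole,
# with kernel code/data nested under the first bank (two-space indent per level).
SAMPLE_IOMEM = """\
00000000-00000fff : reserved
40000000-4fffffff : System RAM
  40008000-40a2ffff : Kernel code
  40a30000-40bfffff : Kernel data
50000000-5fffffff : reserved
80000000-bfffffff : System RAM
"""

# <indent><start>-<end> : <name>; addresses are hex, end is inclusive.
LINE_RE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_iomem(text: str) -> List[Tuple[int, int, int, str]]:
    """Return (depth, start, end_inclusive, name) for each well-formed line.

    Depth is derived from the indent (the kernel indents two spaces per
    nesting level); malformed lines are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, start, end, name = m.groups()
        entries.append((len(indent) // 2, int(start, 16), int(end, 16), name))
    return entries


def system_ram_ranges(text: str) -> List[Tuple[int, int]]:
    """Top-level 'System RAM' ranges as (start, end_inclusive) pairs.

    Only depth-0 entries count: nested 'Kernel code'/'Kernel data' lines are
    sub-ranges of a RAM bank, not additional RAM.
    """
    return [(s, e) for depth, s, e, name in parse_iomem(text)
            if depth == 0 and name == "System RAM"]


def total_ram_bytes(text: str) -> int:
    """Number of bytes a complete physical-memory dump should contain."""
    return sum(e - s + 1 for s, e in system_ram_ranges(text))


def covers(text: str, paddr: int) -> bool:
    """True if a physical address lies inside RAM, i.e. would appear in a dump.

    Reserved holes and device registers return False; reading those from an
    acquisition tool can hang or reset the device, so they must be skipped.
    """
    return any(s <= paddr <= e for s, e in system_ram_ranges(text))


if __name__ == "__main__":
    for start, end in system_ram_ranges(SAMPLE_IOMEM):
        print(f"RAM {start:#010x}-{end:#010x} ({end - start + 1} bytes)")
    print(f"total RAM: {total_ram_bytes(SAMPLE_IOMEM)} bytes")
    print(f"0x50000000 in RAM? {covers(SAMPLE_IOMEM, 0x50000000)}")
```

A dump whose size does not match `total_ram_bytes` for the device, or that reads addresses where `covers` is false, is a sign the acquisition tool guessed the layout rather than reading it at runtime, which is the kind of integrity problem the chapter is concerned with.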

Keywords: Mobile device forensics, memory forensics, Android, rootkit detection

© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing AG 2016. All Rights Reserved. G. Peterson and S. Shenoi (Eds.): Advances in Digital Forensics XII, IFIP AICT 484, pp. 365–378, 2016. DOI: 10.1007/978-3-319-46279-0_19

1. Introduction

The Android operating system is the most popular smartphone platform with a market share of 82.8% in Q2 2015 [7]. The popularity of the operating system makes it vital for digital forensic investigators to acquire and analyze evidence from Android devices. Most digital forensic tools and frameworks focus on extracting user data and metadata from the Android filesystem instead of volatile memory. However, new security enhancements, such as full-disk encryption introduced in Android Ice Cream (version 4.0), make it extremely difficult to recover evidence via filesystem forensics [2]. Volatile memory is valuable because it contains a wealth of information that is otherwise unrecoverable. The evidence in volatile memory includes objects related to running and terminated processes, open files, network activity, memory mappings and more [1]. This evidence could be extracted directly if a full physical memory dump were to be obtained. Often, a full copy of volatile memory is the first, but essential, step in advanced Android forensics and threat analysis.

Volatile memory acquisition from Android devices is challenging. A major challenge is the fragmentation of Android devices – there are more than 24,000 distinct Android devices and 1,294 manufacturers [13]. This fragmentation introduces flaws in Android memory acquisition tools:

Availability: Memory acquisition tools do not work on several devices b