Tipped Off by Your Memory Allocator: Device-Wide User Activity Sequencing from Android Memory Images

An essential forensic capability is to infer the sequence of actions performed by a suspect in the commission of a crime. Unfortunately, for cyber investigations, user activity timeline reconstruction remains an open research challenge, currently requiring manual identification of datable artifacts/logs and heuristic-based temporal inference. In this paper, we propose a memory forensics capability to address this challenge. We present Timeliner, a forensics technique capable of automatically inferring the timeline of user actions on an Android device across all apps, from a single memory image acquired from the device. Timeliner is inspired by the observation that Android app Activity launches leave behind key self-identifying data structures. More importantly, this collection of data structures can be temporally ordered, owing to the predictable manner in which they were allocated and distributed in memory. Based on these observations, Timeliner is designed to (1) identify and recover these residual data structures, (2) infer the user-induced transitions between their corresponding Activities, and (3) reconstruct the device-wide, cross-app Activity timeline. Timeliner is designed to leverage the memory image of Android’s centralized ActivityManager service. Hence, it is able to sequence Activity launches across all apps — even those which have terminated. Our evaluation shows that Timeliner can reveal substantial evidence (up to an hour) across a variety of apps on different Android platforms.
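The three steps the abstract lists (recover self-identifying records, order them by the allocator's behaviour, derive the cross-app Activity sequence) can be illustrated on a constructed memory image. The following is an added example and is not code from the paper or from the Timeliner authors: it assumes a toy bump allocator (so address order equals allocation order, a simplification of the "predictable manner" the abstract refers to), a made-up 'ACTR' record layout in place of the real ART object layout, and a constructed user session in `LAUNCHES`. Records are never freed in the toy heap, which models why a terminated app's Activity record remains recoverable.

```python
import struct

# Constructed, simplified stand-in for the self-identifying Activity record
# Timeliner recovers; the real ART object layout is NOT reproduced here.
# Record layout (assumption): 4-byte magic, u16 package length,
# u16 activity length, package bytes, activity bytes.
MAGIC = b"ACTR"

# Constructed user session: the launch order across several apps.
LAUNCHES = [
    ("com.example.launcher", "HomeActivity"),
    ("com.example.messenger", "ConversationListActivity"),
    ("com.example.messenger", "ChatActivity"),
    ("com.example.browser", "BrowserActivity"),
    ("com.example.maps", "MapActivity"),
]


def encode_record(package, activity):
    p, a = package.encode(), activity.encode()
    return MAGIC + struct.pack("<HH", len(p), len(a)) + p + a


class BumpAllocator:
    """Toy allocator (assumption): offsets grow monotonically, so the
    address of a record encodes its allocation order."""

    def __init__(self, size):
        self.image = bytearray(size)
        self.top = 0

    def alloc(self, data, align=8):
        self.top = (self.top + align - 1) & ~(align - 1)
        off = self.top
        self.image[off:off + len(data)] = data
        self.top += len(data)
        return off


def build_image():
    """Simulate the ActivityManager heap after the session in LAUNCHES,
    interleaved with unrelated allocations. Nothing is freed, so every
    record survives even if its app later terminated."""
    heap = BumpAllocator(4096)
    for pkg, act in LAUNCHES:
        heap.alloc(encode_record(pkg, act))
        heap.alloc(b"\x11" * 40)  # unrelated allocation between launches
    return bytes(heap.image)


def recover_records(image):
    """Step 1: scan the image for self-identifying records.
    Returns a list of (offset, package, activity) in scan order."""
    found, pos = [], image.find(MAGIC)
    while pos != -1:
        plen, alen = struct.unpack_from("<HH", image, pos + 4)
        body = pos + 8
        pkg = image[body:body + plen].decode()
        act = image[body + plen:body + plen + alen].decode()
        found.append((pos, pkg, act))
        pos = image.find(MAGIC, body + plen + alen)
    return found


def reconstruct_timeline(records):
    """Steps 2 and 3: order records by address (allocation order) and derive
    the Activity-to-Activity transitions, tagging cross-app ones."""
    ordered = sorted(records, key=lambda r: r[0])
    timeline, transitions = [], []
    prev = None
    for _, pkg, act in ordered:
        timeline.append((pkg, act))
        if prev is not None:
            kind = "cross-app" if prev[0] != pkg else "in-app"
            transitions.append((prev, (pkg, act), kind))
        prev = (pkg, act)
    return timeline, transitions


if __name__ == "__main__":
    tl, tr = reconstruct_timeline(recover_records(build_image()))
    for i, (pkg, act) in enumerate(tl, 1):
        print(f"{i}. {pkg}/{act}")
    for src, dst, kind in tr:
        print(f"  {src[1]} -> {dst[1]} ({kind})")
```

The scan deliberately reports records in whatever order it finds them; `reconstruct_timeline` sorts by offset, which is the step that depends on the allocator property. On a real device the allocator is not a pure bump allocator, so an investigator would need to validate that ordering assumption for the specific Android runtime before trusting the sequence.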
