Screen after Previous Screens: Spatial-Temporal Recreation of Android App Displays from Memory Images

Smartphones are increasingly involved in cyber and real world crime investigations. In this paper, we demonstrate a powerful smartphone memory forensics technique, called RetroScope, which recovers multiple previous screens of an Android app — in the order they were displayed — from the phone’s memory image. Different from traditional memory forensics, RetroScope enables spatial-temporal forensics, revealing the progression of the phone user’s interactions with the app (e.g., a banking transaction, online chat, or document editing session). RetroScope achieves near-perfect accuracy in both the recreation and ordering of reconstructed screens. Further, RetroScope is app-agnostic, requiring no knowledge about an app’s internal data definitions or rendering logic. RetroScope is inspired by the observations that (1) app-internal data on previous screens exists much longer in memory than the GUI data structures that “package” them and (2) each app is able to perform context-free redrawing of its screens upon command from the Android framework. Based on these observations, RetroScope employs a novel interleaved re-execution engine to selectively reanimate an app’s screen redrawing functionality from within a memory image. Our evaluation shows that RetroScope is able to recover full temporally-ordered sets of screens (each with 3 to 11 screens) for a variety of popular apps on a number of different Android devices.
