Live acquisition of main memory data from Android smartphones and smartwatches

Abstract Recent research in Android device forensics has largely focused on evidence recovery from NAND flash memory. However, pervasive deployment of NAND flash encryption technologies and the increase in malware infections which reside only in main memory have motivated an urgent need for the forensic study of main memory. Existing Android main memory forensics techniques are hardly being adopted in practical forensic investigations because they often require solving several usability constraints, such as requiring root privilege escalation, custom kernel replacement, or screen lock bypass. Moreover, there are still no commercially available tools for acquiring the main memory data of smart devices. To address these problems, we have developed an automated tool, called AMD, which is capable of acquiring the entire content of main memory from a range of Android smartphones and smartwatches. In developing AMD, we analyzed the firmware update protocols of these devices by reverse engineering the Android bootloader. Based on this study, we have devised a method that allows access to main memory data through the firmware update protocols. Our experimental results show that AMD overcomes the usability constraints of previous main memory acquisition approaches and that the acquired main memory data of a smartphone or smartwatch can be accurately used in forensic investigations.

[1]  Golden G. Richard,et al.  Acquisition and analysis of volatile memory from android devices , 2012, Digit. Investig..

[2]  Mordechai Guri,et al.  JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[3]  Sushil Jajodia,et al.  TrustDump: Reliable Memory Acquisition on Smartphones , 2014, ESORICS.

[4]  Ibrahim Baggili,et al.  Forensic analysis of social networking applications on mobile devices , 2012, Digit. Investig..

[5]  Wei Liu,et al.  A Tool for Volatile Memory Acquisition from Android Devices , 2016, IFIP Int. Conf. Digital Forensics.

[6]  Peter Hannay Kindle Forensics: Acquisition & Analysis , 2011, J. Digit. Forensics Secur. Law.

[7]  Hans P. Reiser,et al.  A Lightweight Framework for Cold Boot Based Forensics on Mobile Devices , 2015, 2015 10th International Conference on Availability, Reliability and Security.

[8]  Svein Yngvar Willassen Forensic Analysis of Mobile Phone Internal Memory , 2005, IFIP Int. Conf. Digital Forensics.

[9]  Nicolas Christin,et al.  Toward a general collection methodology for Android devices , 2011, Digit. Investig..

[10]  Ibrahim M. Baggili,et al.  Amazon Kindle Fire HD Forensics , 2013, ICDF2C.

[11]  Taejoo Chang,et al.  New acquisition method based on firmware update protocols for Android smartphones , 2015, Digit. Investig..

[12]  Sangjin Lee,et al.  A study of user data integrity during acquisition of Android devices , 2013, Digit. Investig..

[13]  Andrew Hoog Android forensics : investigation, analysis, and mobile security for Google Android / Andrew Hoog ; John McCash, technical editor. , 2011 .

[14]  Mordechai Guri,et al.  JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface , 2015, TrustCom 2015.

[15]  Gary C. Kessler,et al.  Android forensics: Simplifying cell phone examinations , 2010 .

[16]  Justin Grover Android forensics: Automated data collection and reporting from a mobile device , 2013 .