VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images

The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times. In the event of a crime, the photographic evidence that these cameras leave in a smartphone's memory becomes vital digital evidence, and forensic investigators are tasked with recovering and analyzing it. Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras. In this paper, we present VCR, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras. By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis. Based on this, VCR targets application-generic artifacts in an input memory image, which allow photographic evidence to be collected no matter which application produced it. Further, VCR builds upon the Android framework's existing image decoding logic to both automatically recover and render any located evidence. Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms.
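As an added illustration (not VCR's technique and not code from the paper), the following Python script shows the baseline that a memory forensics practitioner would reach for first: signature carving of JPEG data straight out of a raw memory dump. It scans for the start-of-image marker, walks the marker-segment structure to reject false positives, and honours byte stuffing and restart markers inside the entropy-coded scan data so that a stray end-of-image byte pair does not truncate a real image. The sample dump is constructed inline for the demonstration. Note what this baseline cannot do, which is the gap the abstract describes: it only recovers images whose encoded bytes happen to sit contiguously in physical memory, and it knows nothing about the Android framework artifacts or decoding logic that VCR reuses.

```python
"""Baseline JPEG signature carving from a raw memory dump.

Added example for illustration; it is NOT VCR's method. The dump below is
constructed for the demo: it contains a decoy SOI/EOI pair with no scan
data, one structurally valid JPEG, and a truncated header at the end.
"""
import struct

SOI = b"\xff\xd8"  # Start Of Image marker
EOI = b"\xff\xd9"  # End Of Image marker


def _parse_jpeg_at(buf: bytes, start: int):
    """Validate a JPEG at buf[start]; return its exclusive end offset or None."""
    n = len(buf)
    if buf[start:start + 2] != SOI:
        return None
    pos = start + 2
    # Phase 1: walk length-prefixed marker segments until Start Of Scan (0xDA).
    while True:
        if pos + 4 > n or buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:           # EOI with no scan data: not a real image
            return None
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > n:      # bogus or truncated
            return None
        pos += 2 + seg_len
        if marker == 0xDA:           # SOS: entropy-coded data follows
            break
    # Phase 2: scan entropy-coded data for EOI, skipping FF00 stuffing,
    # RSTn restart markers (FFD0..FFD7) and fill bytes.
    while pos + 1 < n:
        if buf[pos] == 0xFF:
            nxt = buf[pos + 1]
            if nxt == 0xD9:
                return pos + 2
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            if nxt == 0xFF:
                pos += 1
                continue
            return None              # unexpected marker inside scan data
        pos += 1
    return None


def carve_jpegs(dump: bytes):
    """Return [(offset, image_bytes), ...] for each valid JPEG found in dump."""
    found = []
    pos = dump.find(SOI)
    while pos != -1:
        end = _parse_jpeg_at(dump, pos)
        if end is not None:
            found.append((pos, dump[pos:end]))
            pos = dump.find(SOI, end)   # resume after the carved image
        else:
            pos = dump.find(SOI, pos + 1)
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG marker segment (length includes itself)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: APP0 header, SOS header, scan data, EOI (40 bytes).
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # stuffed FF00 and RST0 inside scan
    + EOI
)

# Constructed memory dump containing a decoy, the real image, and a truncated header.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xd9"                 # decoy: SOI immediately followed by EOI
    + b"garbage" + SAMPLE_JPEG + b"\x00" * 32
    + b"\xff\xd8\xff\xe0\x00\x05abc"      # APP0 claims 5 bytes but dump ends early
)


if __name__ == "__main__":
    for offset, img in carve_jpegs(SAMPLE_DUMP):
        print(f"JPEG at offset {offset}, {len(img)} bytes")
```

Running the script reports exactly one carved image, at offset 75; the decoy and the truncated header are rejected by the structural checks rather than by the marker search alone, which is the difference between a carver and a plain byte-pattern grep.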
