App-Agnostic Post-Execution Semantic Analysis of Android In-Memory Forensics Artifacts

Over the last decade, userland memory forensics techniques and algorithms have gained popularity among practitioners, as they have proven useful in real forensic and cybercrime investigations. These techniques analyze and recover objects and artifacts from process memory that are of critical importance to investigations. Nonetheless, the major drawback of existing techniques is that they cannot determine the origin and context of a recovered object without prior knowledge of the application's logic. In this research, we therefore present a solution that closes the gap between application-specific and application-generic techniques. We introduce OAGen, a post-execution, app-agnostic semantic analysis approach designed to help investigators establish concrete evidence by identifying the provenance of, and relationships between, in-memory objects in a process memory image. OAGen uses points-to analysis to reconstruct the runtime's object allocation network. The resulting graph is then fed as input to our semantic analysis algorithms, which determine each object's origin, context, and scope within the network. Our experiments show that OAGen can effectively build an allocation network even for memory-intensive applications with thousands of objects, such as Facebook. A performance evaluation across fourteen Android apps shows that OAGen can efficiently search and decode nodes and identify their references at a modest throughput rate. Two case studies further demonstrate that the approach can aid investigators in recovering deleted messages and detecting malware functionality in post-execution program analysis.
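To make the idea of an object allocation network concrete, the following Python sketch is an added illustration written for this page; it is not OAGen's code and does not reproduce its points-to analysis or its decoding of ART heap structures. It assumes a heap has already been decoded into records of the form (object address, runtime class, addresses held in the object's reference fields); the records, the class names and the single GC root below are constructed sample data, not values taken from any real memory image. From those records it builds the reference graph and answers the three questions the abstract names: an object's origin (the root-to-object reference chain), its context (which classes hold references to instances of its class) and its scope (everything it transitively owns). It also flags instances that no live object references, which is the kind of orphaned node a "deleted message" shows up as when the memory has not yet been reused.

```python
from collections import defaultdict, deque

# Constructed sample heap: (object address, runtime class, addresses held in reference fields).
# In an investigation these would be decoded from a process memory image; these are invented.
HEAP_OBJECTS = [
    (0x1000, "ChatActivity", [0x1010]),
    (0x1010, "MessageAdapter", [0x1020, 0x1030]),
    (0x1020, "Message", [0x1100]),
    (0x1030, "Message", [0x1110]),
    (0x1040, "Message", [0x1120]),          # nothing points here: a freed/deleted candidate
    (0x1100, "java.lang.String", []),
    (0x1110, "java.lang.String", []),
    (0x1120, "java.lang.String", []),
]
GC_ROOTS = {0x1000}  # assumed root set for the example; a real root set comes from the runtime


class AllocationNetwork:
    """Directed graph in which edge a -> b means object a holds a reference to object b."""

    def __init__(self, objects):
        known = {addr for addr, _, _ in objects}
        self.cls = {}
        self.out = defaultdict(set)   # referrer -> referenced objects
        self.inc = defaultdict(set)   # referenced object -> referrers
        for addr, cls, refs in objects:
            self.cls[addr] = cls
            for r in refs:
                if r in known:        # drop dangling pointers to objects we could not decode
                    self.out[addr].add(r)
                    self.inc[r].add(addr)

    def reachable(self, roots):
        """Every object transitively reachable from the given roots (the live set)."""
        seen, work = set(), deque(roots)
        while work:
            a = work.popleft()
            if a in seen:
                continue
            seen.add(a)
            work.extend(self.out[a])
        return seen

    def orphans(self, cls, roots):
        """Instances of cls that no live object references: deleted-data candidates."""
        live = self.reachable(roots)
        return sorted(a for a, c in self.cls.items() if c == cls and a not in live)

    def provenance(self, target, roots):
        """All root-to-target reference chains, as lists of class names (the object's origin)."""
        paths = []

        def walk(a, path, visited):
            if a == target:
                paths.append([self.cls[p] for p in path])
                return
            for b in sorted(self.out[a]):
                if b not in visited:
                    walk(b, path + [b], visited | {b})

        for r in sorted(roots):
            walk(r, [r], {r})
        return paths

    def holders(self, cls):
        """Classes whose instances reference instances of cls (the class's context)."""
        return sorted({self.cls[p] for a, c in self.cls.items() if c == cls for p in self.inc[a]})

    def scope(self, addr):
        """Everything transitively owned by addr (the object's scope in the network)."""
        return self.reachable({addr}) - {addr}


if __name__ == "__main__":
    net = AllocationNetwork(HEAP_OBJECTS)
    print("live objects:", sorted(hex(a) for a in net.reachable(GC_ROOTS)))
    print("orphaned Message objects:", [hex(a) for a in net.orphans("Message", GC_ROOTS)])
    print("origin of 0x1100:", net.provenance(0x1100, GC_ROOTS))
    print("classes holding Message:", net.holders("Message"))
    print("scope of 0x1010:", sorted(hex(a) for a in net.scope(0x1010)))
```

The orphan test is only a heuristic: an unreferenced Message may equally be garbage the collector has not yet reclaimed, so in practice a candidate would be cross-checked against the decoded string it points to and against allocator metadata before being reported as a deleted message.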
