DroidScraper: A Tool for Android In-Memory Object Recovery and Reconstruction

There is a growing need for post-mortem analysis in forensic investigations involving mobile devices, particularly when application-specific behavior must be analyzed. This is especially true for architectures such as Android, where traditional kernel-level memory analysis frameworks such as Volatility [9] face serious challenges recovering and providing context for user-space artifacts. In this work, we develop an app-agnostic userland memory analysis technique that targets the new Android Runtime (ART). Leveraging its latest memory allocation algorithm, region-based memory management, we build a system called DroidScraper that recovers vital runtime data structures for applications by enumerating and reconstructing allocated objects from a process memory image. Our evaluation shows that DroidScraper can recover and decode nearly 90% of all live objects in all allocated memory regions.

[1] Alberto Magno Muniz Soares et al. A Technique for Extraction and Analysis of Application Heap Objects within Android Runtime (ART). ICISSP, 2017.

[2] Brian Neil Levine et al. Forensic Triage for Mobile Phones with DEC0DE. USENIX Security Symposium, 2011.

[3] Dan S. Wallach et al. Picking up the trash: Exploiting generational GC for memory analysis. 2017.

[4] Andreas Schuster et al. Searching for processes and threads in Microsoft Windows memory dumps. Digit. Investig., 2006.

[5] Dan S. Wallach et al. Present but Unreachable: Reducing Persistent Latent Secrets in HotSpot JVM. HICSS, 2017.

[6] Xiangyu Zhang et al. Tipped Off by Your Memory Allocator: Device-Wide User Activity Sequencing from Android Memory Images. NDSS, 2018.

[7] Xiangyu Zhang et al. Screen after Previous Screens: Spatial-Temporal Recreation of Android App Displays from Memory Images. USENIX Security Symposium, 2016.

[8] Zhongshu Gu et al. GUITAR: Piecing Together Android App GUIs from Memory Images. CCS, 2015.

[9] Zhongshu Gu et al. DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse. USENIX Security Symposium, 2014.

[10] Chao Wu et al. Discovering Semantic Data of Interest from Un-mappable Memory with Confidence. NDSS, 2012.

[11] Ali A. Ghorbani et al. Toward Developing a Systematic Approach to Generate Benchmark Android Malware Datasets and Classification. 2018 International Carnahan Conference on Security Technology (ICCST), 2018.

[12] Zhongshu Gu et al. VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images. CCS, 2015.

[13] Golden G. Richard et al. Memory forensics: The path forward. Digit. Investig., 2017.

[14] William A. Arbaugh et al. FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory. Digit. Investig., 2006.

[15] Xuxian Jiang et al. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures. NDSS, 2011.

[16] Dowon Hong et al. Data Acquisition from Cell Phone using Logical Approach. 2007.

[17] Rohit Bhatia et al. Live acquisition of main memory data from Android smartphones and smartwatches. Digit. Investig., 2017.

[18] Abhinav Srivastava et al. Robust signatures for kernel data structures. CCS, 2009.