Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Late detection, with its consequences, demands accurate and comprehensive forensic timelines to reconstruct all malicious activity, yet reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach, since app execution of any form always leaves a trail of evidence in memory, even if only ephemerally. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that provides a framework for performing memory forensics on existing stock Android devices without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.
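The following is an added illustration of the JIT-MF driver idea described above; it is a hypothetical Python sketch, not the paper's Android implementation, and the app model, the `send` trigger point, the hijack scenario and the `coverage` metric are all constructed for the example. It shows a driver that hooks one trigger in the app and dumps the in-memory message objects the moment the trigger fires, and then how those dumps, merged with the app's persistent store, recover a message whose store trace was later deleted.

```python
# Hypothetical sketch of the JIT-MF driver concept in Python (not the paper's
# Android implementation): a trigger-point hook dumps in-memory objects the
# moment a sensitive app operation runs, and the dumps are later merged with
# the app's persistent store to build a richer forensic timeline.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    text: str
    ts: int  # constructed event time, seconds since an arbitrary epoch


@dataclass
class MessagingApp:
    """Toy stand-in for a messaging app (constructed). Messages live on the heap
    and are also written to a local store; cleanup through the app's own UI can
    remove a store entry but not a memory snapshot already dumped."""
    in_memory: List[Message] = field(default_factory=list)
    store: List[Message] = field(default_factory=list)

    def receive(self, msg: Message) -> None:
        self.in_memory.append(msg)
        self.store.append(msg)

    def send(self, msg: Message) -> None:
        self.in_memory.append(msg)
        self.store.append(msg)

    def delete(self, msg_id: int) -> None:
        # Anti-forensic cleanup: drop the message from both memory and store.
        self.in_memory = [m for m in self.in_memory if m.msg_id != msg_id]
        self.store = [m for m in self.store if m.msg_id != msg_id]


class JitMfDriver:
    """Hypothetical JIT-MF driver: wraps one trigger method of the app and,
    each time it fires, records a snapshot of the in-memory message objects
    together with the trigger name (the just-in-time dump)."""

    def __init__(self, app: MessagingApp, trigger: str) -> None:
        self.app = app
        self.trigger = trigger
        self.dumps: List[Dict] = []

    def install(self) -> None:
        original = getattr(self.app, self.trigger)

        def hooked(*args, **kwargs):
            result = original(*args, **kwargs)
            # Snapshot right after the trigger completes, while the objects
            # of interest are still resident in memory.
            self.dumps.append({"trigger": self.trigger,
                               "objects": list(self.app.in_memory)})
            return result

        setattr(self.app, self.trigger, hooked)


Event = Tuple[int, str, int]  # (timestamp, evidence source, message id)


def timeline_from_store(app: MessagingApp) -> List[Event]:
    """Baseline timeline an investigator gets from the app's persistent store."""
    return sorted((m.ts, "store", m.msg_id) for m in app.store)


def timeline_with_dumps(app: MessagingApp, driver: JitMfDriver) -> List[Event]:
    """Store events plus anything recovered only from JIT-MF dumps."""
    seen: Dict[int, Event] = {m.msg_id: (m.ts, "store", m.msg_id) for m in app.store}
    for dump in driver.dumps:
        for m in dump["objects"]:
            seen.setdefault(m.msg_id, (m.ts, "jitmf:" + dump["trigger"], m.msg_id))
    return sorted(seen.values())


def coverage(timeline: List[Event], ground_truth: List[Message]) -> float:
    """Fraction of ground-truth messages that appear in the timeline."""
    recovered = {e[2] for e in timeline}
    return len(recovered & {m.msg_id for m in ground_truth}) / len(ground_truth)


def run_scenario() -> Tuple[MessagingApp, JitMfDriver, List[Message]]:
    """Constructed hijack scenario: a message goes through the app's own send
    path and its store trace is deleted afterwards."""
    app = MessagingApp()
    driver = JitMfDriver(app, "send")
    driver.install()
    ground_truth = [
        Message(1, "alice", "hi", 100),
        Message(2, "owner", "hello", 110),
        Message(3, "owner", "forwarded without consent", 120),
    ]
    app.receive(ground_truth[0])
    app.send(ground_truth[1])
    app.send(ground_truth[2])   # hijacked send: the driver dumps memory here
    app.delete(3)               # cleanup removes the store trace afterwards
    return app, driver, ground_truth


if __name__ == "__main__":
    app, driver, truth = run_scenario()
    print("store only :", timeline_from_store(app), coverage(timeline_from_store(app), truth))
    print("with JIT-MF:", timeline_with_dumps(app, driver), coverage(timeline_with_dumps(app, truth) if False else timeline_with_dumps(app, driver), truth))
```

In this constructed run the store-only timeline covers two of the three ground-truth messages, while the timeline enriched with the driver's dumps covers all three, with the deleted message attributed to the `jitmf:send` evidence source. The choice of trigger point is the design decision a real driver hinges on: the dump must fire while the objects of interest are still resident, which is why the hook snapshots immediately after the sensitive operation rather than on a timer.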
