DOI: 10.1145/3427228.3427244 (ACM Other Conferences, ACSAC Conference Proceedings)
Research article

App-Agnostic Post-Execution Semantic Analysis of Android In-Memory Forensics Artifacts

Published: 08 December 2020

Abstract

Over the last decade, userland memory forensics techniques and algorithms have gained popularity among practitioners, as they have proven to be useful in real forensics and cybercrime investigations. These techniques analyze and recover objects and artifacts from process memory space that are of critical importance in investigations. Nonetheless, the major drawback of existing techniques is that they cannot determine the origin and context within which the recovered object exists without prior knowledge of the application logic.
Thus, in this research, we present a solution to close the gap between application-specific and application-generic techniques. We introduce OAGen, a post-execution and app-agnostic semantic analysis approach designed to help investigators establish concrete evidence by identifying the provenance and relationships between in-memory objects in a process memory image. OAGen utilizes points-to analysis to reconstruct a runtime’s object allocation network. The resulting graph is then fed as an input into our semantic analysis algorithms to determine objects’ origin, context, and scope in the network. The results of our experiments exhibit OAGen’s ability to effectively create an allocation network even for memory-intensive applications with thousands of objects, like Facebook. The performance evaluation of our approach across fourteen different Android apps shows OAGen can efficiently search and decode nodes, and identify their references with a modest throughput rate. Further practical application of OAGen demonstrated in two case studies shows that our approach can aid investigators in the recovery of deleted messages and the detection of malware functionality in post-execution program analysis.
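As an added illustration, not OAGen’s own code, the following shows the kind of semantic query the abstract describes, run over a constructed set of decoded heap objects: build the object allocation graph from the references each object holds, then derive an object’s origin (the ownership chain from a root), its context (which objects reference it) and its scope (reachable from a root or orphaned). The class names, addresses and the choice of root are made-up sample data.

```python
from collections import deque

# Constructed sample of decoded heap objects (not real OAGen output):
# address -> (class name, {field name: referenced address}).
HEAP = {
    0x1000: ("com.example.chat.MainActivity", {"mAdapter": 0x1010}),
    0x1010: ("com.example.chat.MessageAdapter", {"mItems": 0x1020}),
    0x1020: ("java.util.ArrayList", {"elementData": 0x1030}),
    0x1030: ("java.lang.Object[]", {"[0]": 0x1040, "[1]": 0x1050}),
    0x1040: ("com.example.chat.Message", {"text": 0x1060}),
    0x1050: ("com.example.chat.Message", {"text": 0x1070}),
    0x1060: ("java.lang.String", {}),
    0x1070: ("java.lang.String", {}),
    0x1080: ("java.lang.String", {}),  # no live referrer: a deleted but not yet overwritten string
}
ROOTS = [0x1000]  # assumed root set, e.g. the foreground Activity instance

def build_allocation_graph(heap):
    """Directed edges addr -> [(dst, field)] for every pointer that resolves inside the heap."""
    return {addr: [(dst, f) for f, dst in fields.items() if dst in heap]
            for addr, (_, fields) in heap.items()}

def origin_path(heap, graph, roots, target):
    """Origin: breadth-first search from the roots; returns the owning chain
    [(class, field), ...] that leads to target, or None if target is unreachable."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain = []
            while parent[cur] is not None:      # walk back to the root
                prev, field = parent[cur]
                chain.append((heap[prev][0], field))
                cur = prev
            return chain[::-1]
        for dst, field in graph[cur]:
            if dst not in parent:
                parent[dst] = (cur, field)
                queue.append(dst)
    return None

def referrers(graph, target):
    """Context: every (source address, field) that points at target."""
    return [(src, f) for src, out in graph.items() for dst, f in out if dst == target]

def scope(heap, graph, roots):
    """Scope: 'live' if reachable from a root, otherwise 'orphan' (freed or deleted data)."""
    return {a: "live" if origin_path(heap, graph, roots, a) is not None else "orphan"
            for a in heap}
```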


Published In

ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference, December 2020, 962 pages. ISBN: 9781450388580. DOI: 10.1145/3427228.
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Userland memory forensics
2. android
3. object allocation graph
4. semantic analysis
5. visualization
Conference

ACSAC '20

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%