Abstract
Memory forensic tools provide a thorough way to detect malware and investigate cyber crimes. However, existing memory forensic tools must be compiled against the exact version of the kernel source code and the exact kernel configuration. This poses a problem for Android devices because there are more than 1,000 manufacturers and each manufacturer maintains its own kernel. Moreover, new security enhancements introduced in Android Lollipop prevent most memory acquisition tools from executing.
This chapter describes AMExtractor, a tool for acquiring volatile physical memory from a wide range of Android devices with high integrity. AMExtractor uses /dev/kmem, which most Android devices expose, to execute code in kernel mode. Device-specific information is extracted at runtime without any assumptions about the target kernel source code or configuration. AMExtractor has been successfully tested on several devices shipped with different versions of the Android operating system, including the latest Android Lollipop. Memory images dumped by AMExtractor can be exported to other forensic frameworks for deep analysis. A rootkit was successfully detected using the Volatility Framework on memory images retrieved by AMExtractor.
© 2016 IFIP International Federation for Information Processing
Yang, H., Zhuge, J., Liu, H., Liu, W. (2016). A Tool for Volatile Memory Acquisition from Android Devices. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XII. DigitalForensics 2016. IFIP Advances in Information and Communication Technology, vol 484. Springer, Cham. https://doi.org/10.1007/978-3-319-46279-0_19
DOI: https://doi.org/10.1007/978-3-319-46279-0_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46278-3
Online ISBN: 978-3-319-46279-0
eBook Packages: Computer Science (R0)