Overview of Digital Forensics Technologies of RAM in Android Devices

doi:10.3969/j.issn.1671-1122.2019.02.002

Abstract

Abstract:

Different from the sensitive data in static memory being encrypted and stored, some sensitive data in Android dynamic memory exists in the form of plaintext, such as application account, password, encryption key and some cached application data, which have great forensics value. In addition, with the increasing capacity of dynamic memory of smart phones, more and more application data are cached in the dynamic memory, the forensics research on the dynamic memory of Android smart phones is of great significance. This article analyzed and compared several Android smartphones dynamic memory extraction technologies, such as LiME, improved LiME, FROST, MEMGRAB, improved MEMGRAB and hardware extraction method, and several Android smartphone dynamic memory analysis technologies, such as process analysis, system information analysis, encryption key analysis, application account and password analysis. It is concluded that these methods have deficiencies in applicability, efficiency or operability. Through analyzing the weakness of these digital forensics technologies, this article gave some improvement advices and future research directions. The work of this article is able to benefit digital forensics practice of Android devices.

Key words: Android, smart phone, RAM, digital forensics

CLC Number:

TP309

Liping DING, Xuehua LIU, Guangxuan CHEN, Yin LI. Overview of Digital Forensics Technologies of RAM in Android Devices[J]. Netinfo Security, 2019, 19(2): 10-17.

Figures/Tables 6

References 20

[1]	LESSARD J, KESSLER G.Android Forensics: Simplifying Cell Phone Examinations[J]. Small Scale Digital Device Forensics Journal, 2010, 4(1): 1-12.
[2]	HOOG A.Android Forensics: Investigation, Analysis and Mobile Security for Google Android[M].Waltham: Elsevier, 2011.
[3]	LIU Haoyang, Research on Android Device Forensic[J]. Netinfo Security,2015,15(9):29-32.
	刘浩阳. Android设备取证研究[J]. 信息网络安全,2015,15(9):29-32.
[4]	HERIYANTO A P.Procedures and Tools for Acquisition and Analysis of Volatile Memory on Android Smart Phones[C]//Edith Cowan University. The 11th Australian Digital Forensics Conference. December 2-4,2013, Perth, Western Australia. Perth: The Security Research Centre, Edith Cowan University, 2013: 84-95.
[5]	ANGLANO C.Forensic Analysis of WhatsApp Messenger on Android Smart Phones[J]. Digital Investigation, 2014, 11(3): 201-213.
[6]	ANGLANO C, CANONICO M, GUAZZONE M.Forensic Analysis of the Chat Secure Instant Messaging Application on Android Smart Phones[J]. Digital Investigation, 2016,19(10): 44-59.
[7]	WU S, ZHANG Y, WANG X, et al.Forensic Analysis of WeChat on Android Smart Phones[J]. Digital Investigation, 2017, 21(6): 3-10.
[8]	DO Q, MARTINI B, CHOO K K R. A Cloud-focused Mobile Forensics Methodology[J]. IEEE Cloud Computing, 2015, 2(4): 60-65.
[9]	MALIK R, SHASHIDHAR N, CHEN L.Cloud Storage Client Application Evidence Analysis on UNIX/Linux[C]// IEEE. International Conference on Security and Management (SAM). July 27-30, 2015, Las Vegas. New York: IEEE, 2015: 111-117.
[10]	CAHYANI N D W, RAHMAN N H A, GLISSON W B, et al. The Role of Mobile Forensics in Terrorism Investigations Involving the Use of Cloud Storage Service and Communication APPs[J]. Mobile Networks and Applications, 2017, 22(2): 240-254.
[11]	SYLVE J, CASE A, MARZIALE L, et al.Acquisition and Analysis of Volatile Memory from Android Devices[J]. Digital Investigation, 2012, 8(3): 175-184.
[12]	CHEN Long, MAO Yue.Forensic Analysis of Email on Android Volatile Memory[C]//IEEE. The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. August 23-26,2016, Tianjin, China. New York: IEEE, 2016: 945-951.
[13]	KANG Yanrong, FAN Wei, ZHAO Lu, et al.Acquisition of Live Memory from Android Phones Based on Similar Kernel[J]. Forensic Science and Technology, 2018, 43(2):92-96
	康艳荣,范玮,赵露,等,基于相似内核的Android手机动态内存提取技术研究[J].刑事技术,2018,43(2):92-96.
[14]	SCHEICK L Z,GUERTIN S M,SWIFT G M.Analysis of Radiation Effects on Individual DDRAM Cells[J].IEEE Trans on Nuclear Science,2000,47( 6) : 2534-2538.
[15]	MÜLLER T, SPREITZENBARTH M. Frost[C]// ACNS. The 11th International Conference on Applied Cryptography and Network Security, June 25-28, 2013, Banff, AB, Canada. Berlin Heidelberg: Springer, 2013: 373-388.
[16]	THING V L L, NG K Y, CHANG E C. Live Memory Forensics of Mobile Phones[J]. Digital investigation, 2010, 7(8): S74-S82.
[17]	XU Naiyang.Research and Realization of Android System Simulation and Memory Forensics[D]. Nanjing: Southeast University, 2017.
	徐乃阳. Android系统仿真与内存取证技术的研究与实现[D].南京:东南大学,2017.
[18]	APOSTOLOPOULOS D, MARINAKIS G, NTANTOGIAN C, et al.Discovering Authentication Credentials in Volatile Memory of Android Mobile Devices[C]//IFIP. Conference on e-Business, e-Services and e-Society. April 25-26, 2013, Athens, Greece. Berlin Heidelberg: Springer, 2013: 178-185.
[19]	ZHOU F, YANG Y, DING Z, et al.Dump and Analysis of Android Volatile Memory on Wechat[C]//IEEE. IEEE International Conference on Communications, June 8-12 2015,London, UK. New York: IEEE, 2015: 7151-7156.
[20]	LI Qiang, LIU Baoxu, JIANG Zhengwei, et al.Analysis of Model of QQ Forensic in Android System[J]. Netinfo Security, 2016, 16(1): 40-44.
	李强,刘宝旭,姜政伟,等. 一种Android系统下的QQ取证模型分析[J]. 信息网络安全,2016,16(1):40-44.