skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Evaluating the Reliability of Android Userland Memory Forensics
Memory Forensics is one of the most important emerging areas in computer forensics. In memory forensics, analysis of userland memory is a technique that analyses per-process runtime data structures and extracts significant evidence for application-specific investigations. In this research, our focus is to examine the critical challenges faced by process memory acquisition that can impact object and data recovery. Particularly, this research work seeks to address the issues of consistency and reliability in userland memory forensics on Android. In real-world investigations, memory acquisition tools record the information when the device is running. In such scenarios, each application’s memory content may be in flux due to updates that are in progress, garbage collection activities, changes in process states, etc. In this paper we focus on various runtime activities such as garbage collection and process states and the impact they have on object recovery in userland memory forensics. The outcome of the research objective is to assess the reliability of Android userland memory forensic tools by providing new research directions for efficiently developing a metric study to measure the reliability. We evaluated our research objective by analysing memory dumps acquired from 30 apps in different Process Acquisition Modes. The Process Acquisition Mode (PAM) is the memory dump of a process that is extracted while external runtime factors are triggered. Our research identified an inconsistency in the number of objects recovered from analysing the process memory dumps with runtime factors included. Particularly, the evaluation results revealed differences in the count of objects recovered in different acquisition modes. We utilized Euclidean distance and covariance as the metrics for our study. These two metrics enabled the authors to identify how the change in the number of recovered objects in PAM impact forensic analysis. Our conclusion revealed that runtime factors could on average result in about 20% data loss, thus revealing these factors can have an obvious impact on object recovery.  more » « less
Award ID(s):
1850054
PAR ID:
10353976
Author(s) / Creator(s):
; ; ;
Date Published:
Journal Name:
17th International Conference on Information Warfare and Security
Page Range / eLocation ID:
423
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. (, ACSAC 2020)
    Over the last decade, userland memory forensics techniques and algorithms have gained popularity among practitioners, as they have proven to be useful in real forensics and cybercrime investigations. These techniques analyze and recover objects and artifacts from process memory space that are of critical importance in investigations. Nonetheless, the major drawback of existing techniques is that they cannot determine the origin and context within which the recovered object exists without prior knowledge of the application logic. Thus, in this research, we present a solution to close the gap between application-specific and application-generic techniques. We introduce OAGen, a post-execution and app-agnostic semantic analysis approach designed to help investigators establish concrete evidence by identifying the provenance and relationships between in-memory objects in a process memory image. OAGen utilizes Points-to analysis to reconstruct a runtime’s object allocation network. The resulting graph is then fed as an input into our semantic analysis algorithms to determine objects’ origin, context, and scope in the network. The results of our experiments exhibit OAGen’s ability to effectively create an allocation network even for memory-intensive applications with thousands of objects, like Facebook. The performance evaluation of our approach across fourteen different Android apps shows OAGen can efficiently search and decode nodes, and identify their references with a modest throughput rate. Further practical application of OAGen demonstrated in two case studies shows that our approach can aid investigators in the recovery of deleted messages and the detection of malware functionality in post-execution program analysis. 
    more » « less
  2. (, 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019))
    null (Ed.)
    There is a growing need for post-mortem analysis in forensics investigations involving mobile devices, particularly when application-specific behaviors must be analyzed. This is especially true for architectures such as Android, where traditional kernel-level memory analysis frameworks such as Volatility face serious challenges recovering and providing context for user-space artifacts. In this research work, we developed an app-agnostic userland memory analysis technique that targets the new Android Runtime (ART). Leveraging its latest memory allocation algorithms, called region-based memory management, we develop a system called DroidScraper that recovers vital runtime data structures for applications by enumerating and reconstructing allocated objects from a process memory image. The result of our evaluation shows DroidScraper can recover and decode nearly 90% of all live objects in all allocated memory regions. 
    more » « less
  3. ; ; (, ACM CODASPY 2021)
    null (Ed.)
    Traditionally, Android malware is analyzed using static or dynamic analysis. Although static techniques are often fast; however, they cannot be applied to classify obfuscated samples or malware with a dynamic payload. In comparison, the dynamic approach can examine obfuscated variants but often incurs significant runtime overhead when collecting every important malware behavioral data. This paper conducts an exploratory analysis of memory forensics as an alternative technique for extracting feature vectors for an Android malware classifier. We utilized the reconstructed per-process object allocation network to identify distinguishable patterns in malware and benign application. Our evaluation results indicate the network structural features in the malware category are unique compared to the benign dataset, and thus features extracted from the remnant of in-memory allocated objects can be utilized for robust Android malware classification algorithm. 
    more » « less
  4. ; (, The 2024 ADMI Symposium.)
    In recent years, the number of Internet of Things (IoT) devices has expanded fast, transforming various industries such as healthcare, manufacturing, and transportation, and delivering benefits to both individuals and industries. However, the increased use of IoT devices has exposed IoT ecosystems to a slew of security risks and digital forensic issues. This thesis investigates the most common IoT security dangers and attacks, as well as students' understanding of them and mitigation techniques, as well as the key issues involved with IoT forensic investigations. In this thesis, a mixed-method approach is used, combining a literature review and a survey investigation. The poll measures students' understanding of IoT security threats, mitigation approaches, and perceptions of the most effective ways to improve IoT security. In addition, the survey underlines the importance of user training and awareness in minimizing IoT dangers, highlighting the most effective strategies, such as stronger regulations and increased device security by manufacturers. The literature review provides a complete overview of the most popular IoT security risks and attacks, including malware, malicious code injection, replay attacks, Man in the Middle (MITM), botnets, and Distributed Denial of Service (DDoS). This paper also emphasizes the definition and process of digital and IoT forensics, the significance of IoT forensics, and various data sources in IoT ecosystems. The key issues of IoT forensics and how they affect the efficiency of digital investigations in the IoT ecosystem are thoroughly investigated. Overall, the findings of this study contribute to ongoing research to improve IoT device security, emphasize the necessity of greater awareness and user training, and address the issues of IoT forensic investigations. 
    more » « less
  5. ; ; ; (, Digital Forensics and Cyber Crime. ICDF2C 2021)
    Gladyshev, P.; Goel, S.; James, J.; Markowsky, G.; Johnson, D. (Ed.)
    AI Forensics is a novel research field that aims at providing techniques, mechanisms, processes, and protocols for an AI failure investigation. In this paper, we pave the way towards further exploring a sub-domain of AI forensics, namely AI model forensics, and introduce AI model ballistics as a subfield inspired by forensic ballistics. AI model forensics studies the forensic investigation process, including where available evidence can be collected, as it applies to AI models and systems. We elaborate on the background and nature of AI model development and deployment, and highlight the fact that these models can be replaced, trojanized, gradually poisoned, or fooled by adversarial input. The relationships and the dependencies of our newly proposed subdomain draws from past literature in software, cloud, and network forensics. Additionally, we share a use-case mini-study to explore the peculiarities of AI model forensics in an appropriate context. Blockchain is discussed as a possible solution for maintaining audit trails. Finally, the challenges of AI model forensics are discussed. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email