Post-Mortem Memory Analysis of Cold-Booted Android Devices

Title: Post-Mortem Memory Analysis of Cold-Booted Android Devices
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Hilgers, C., Macht, H., Müller, T., Spreitzenbarth, M.
Conference Name: IT Security Incident Management and IT Forensics (IMF), 2014 Eighth International Conference on
Date Published: May
Keywords: Android Forensics, Android memory structures, Android-driven smartphones, Androids, application level memory, Cold Boot Attack, cold boot attacks, cold-booted Android devices, cryptography, Dalvik VM, Dalvik VM memory structures, digital forensics, digital investigation process, DRAM chips, DRAM remanence effect, forensic memory dumps, Forensics, FROST tool, full disk encryption, Kernel, Linux, Memory Analysis, mobile computing, open-source volatility plugins, Post-mortem Analysis, post-mortem memory analysis, Random access memory, smart phones, tablet PCs, Volatility Plugins
Abstract

As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android's memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.

URL: https://ieeexplore.ieee.org/document/6824082/
DOI: 10.1109/IMF.2014.8
Citation Key: 6824082