Acquisition And Analysis Of Volatile Memory From Android Devices Pdf

Published: 15.04.2021

Michael Spreitzenbarth Dipl. For many, the smartphone has become a constant companion for a variety of tasks, such as making calls, surfing the web, or using location-based services. Everyday use always leaves traces in main memory that can turn out to be digital evidence valuable for criminal investigations.

LiME is an open source tool, created by Joe Sylve, that allows incident responders, investigators and others to acquire a memory sample from a live Linux system. The first release of the Volatility Framework was released in At the moment, Volatility is a powerful, modular and feature-rich framework that combines a number of tools to perform memory analysis.

Linux Forensics [WIP]


The framework is written in Python and allows plugins to be added easily in order to add features. Nowadays it is on version 2. It supports a variety of operating systems. To analyze memory captures from Linux systems, Andrew Case, in [7], introduced several techniques into the Volatility framework for analyzing Linux memory samples.

Since then, new plugins have been introduced and different kernel versions are supported. At the moment there are 69 Linux plugins available. LiME works by loading a kernel module on the live system and dumping the memory capture to disk or to the network.

The only catch is that the loadable kernel module needs to be compiled for the exact kernel version of the target system. Volatility is then able to interpret this memory capture, but it needs a profile that matches the system from which the memory was acquired. This means that if you want to acquire a memory capture from a system in an enterprise, the incident response team will need to transfer the LiME and Volatility code to the system and compile it there in order to create the required files.

This is a sensible step from a forensic standpoint. Hal Pomeranz, an experienced forensics professional, has a few comments about this in the readme file of his Linux Memory Grabber utility [8]. In an ideal world, all the requirements necessary to have a LiME kernel module and a Volatility profile for all your Linux kernel versions would be met in advance.

This can and should be done during the preparation phase [9] of your incident response process. One thing that can be done is to create LiME modules and Volatility profiles for the kernel versions of the systems that are running in production.

This can be done directly on the system or on a pre-production system. Of course, I can tell you that based on my experience, this hardly happens. It's more common the case when an incident happens i. Yes, the incident response team acquires live response data or a forensic image of the disk, but the acquisition of memory can aid the investigation efforts.

During enterprise incident response it's common to come across the need to analyze commercial Linux systems such as Red Hat that are running business applications. The following illustration shows the steps for compiling LiME on the target system.

I start by checking the kernel version, followed by installing the necessary dependencies on this particular system. The LiME package can be retrieved from GitHub and made available to the target system using removable media, a network file share, or by copying it onto the system. Compiling LiME is an easy step. The next step is to run LiME with the insmod command.

This step will acquire a memory sample in LiME format, and in this case I also told LiME to produce a hash of the acquired memory sample. As an example the memory capture is written to disk, but in a real incident it should be written to a network share or removable media, or sent via the network. Finally, you can remove the module with rmmod. After that, we need a Volatility profile for the Linux kernel version we are dealing with. I had to get the source code from GitHub, transfer it to the system and compile it.

Then, with the dependencies met, I could compile and make the dwarf module. Finally, I acquired the System.map file and zipped it together with the module. This zip file needs to be placed in the Volatility profiles folder, or you can place it in a different folder and specify it on the command line. Now that I have a profile for the Linux system, I can try different Volatility plugins.
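The steps just described (build LiME for the running kernel, insmod it with an output path and a digest, rmmod, build module.dwarf, zip it together with System.map, run Volatility with the resulting profile) as one script. This is an added example, not the post's own commands and not anything shipped by LiME or Volatility; the /opt/ir checkout paths and the RHEL profile-name prefix are assumptions, while the LiME parameters (path=, format=, digest=), the Volatility 2 tools/linux build and the --plugins/--profile options are the real ones. It defaults to a dry run that prints the privileged commands instead of executing them, so it can be read and tested anywhere before being run on the target with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post or from the LiME/Volatility
# projects): the acquisition and profile-creation steps wrapped in functions.
# DRY_RUN=1 (default) only prints the privileged commands; DRY_RUN=0 runs them.
# The /opt/ir paths are assumptions; the option names are real.

KVER="${KVER:-$(uname -r)}"               # kernel the LiME module was built for
LIME_SRC="${LIME_SRC:-/opt/ir/LiME/src}"  # assumed LiME checkout (after make)
VOL_SRC="${VOL_SRC:-/opt/ir/volatility}"  # assumed Volatility 2 checkout
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# Compose the insmod parameters. format=lime keeps the physical address
# ranges as section headers; digest= makes LiME hash the capture as it is
# written, so the hash belongs to the evidence file and not to a later copy.
lime_params() {
    # $1 output path, $2 raw|padded|lime, $3 digest algorithm (e.g. sha256)
    printf 'path=%s format=%s digest=%s' "$1" "$2" "$3"
}

# Load the module built for this exact kernel, then unload it again.
acquire() {
    # word splitting of the parameter string is intended here
    run insmod "$LIME_SRC/lime-$KVER.ko" $(lime_params "$1" lime sha256)
    run rmmod lime
}

# Volatility 2 names a Linux profile after its zip file: Foo.zip becomes
# LinuxFoox64. Keep the name alphanumeric so the derived name is clean.
profile_name() {
    printf 'RHEL%s' "$(printf '%s' "$KVER" | tr -cd '[:alnum:]')"
}

# True when a directory holds both files a Linux profile needs.
profile_ready() {
    [ -s "$1/module.dwarf" ] && [ -s "$1/System.map-$KVER" ]
}

# Build module.dwarf against the running kernel's headers, add System.map,
# and zip both. The zip goes into volatility/plugins/overlays/linux/ or any
# directory later passed with --plugins.
build_profile() {
    work="$1"
    run make -C "$VOL_SRC/tools/linux"
    run cp "$VOL_SRC/tools/linux/module.dwarf" "$work/module.dwarf"
    run cp "/boot/System.map-$KVER" "$work/System.map-$KVER"
    run zip -j "$work/$(profile_name).zip" "$work/module.dwarf" "$work/System.map-$KVER"
}

# Analysis command for the capture once the profile zip is in place.
analyze() {
    # $1 capture file, $2 directory holding the profile zip, $3 plugin name
    run python "$VOL_SRC/vol.py" --plugins="$2" --profile="Linux$(profile_name)x64" -f "$1" "$3"
}

case "${1:-}" in
    acquire) acquire "$2" ;;
    profile) build_profile "$2" ;;
    analyze) analyze "$2" "$3" "${4:-linux_pslist}" ;;
esac
```

Usage on the target: `sh lime_profile.sh acquire /mnt/usb/host.lime`, then `sh lime_profile.sh profile /mnt/usb/profile`, then `sh lime_profile.sh analyze /mnt/usb/host.lime /mnt/usb/profile linux_check_syscall`. The profile_ready check exists so the script can refuse to zip an empty or half-built profile, which is the usual reason Volatility later reports that no suitable address space was found.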

In this particular case I was interested in determining what I could observe when looking with Volatility on a memory capture from the system after it has been backdoored with publicly available rootkits.

There are several Volatility plugins that can help identify rootkits [10]. Modules appearing with this plugin might indicate they were released but are still lying in memory, or that they are hiding. This plugin will detect inline hooking. A match will display a message about the function that is being hooked.

Essentially, the approach was to infect the Red Hat system with the rootkit and capture a memory sample. It can hide processes, files and directories. The following illustration shows, as an example, the Reptile installation on a Red Hat 6. There is also a step on hiding a PID referring to a bash process. The Volshell plugin was created in by Brendan Dolan-Gavitt. Following that, and from an analysis perspective, I could use VolShell on the pristine memory dump and also on the one that has the Diamorphine LKM loaded.

Then I could list a few bytes in assembly to compare and understand what good and bad look like. Basically, the syscall handler address was modified to point to the Diamorphine code. The other rootkit that is worth looking at is Reptile. It was written by Ighor Augusto and is a feature-rich rootkit with features like port knocking. It is written in C and under the hood it uses the Khook framework.

After compromising a system with Reptile and acquiring a memory capture, I executed the mentioned plugins. Volatility was able to find the Reptile LKM. Then we could dump the module to disk and perform additional static analysis. It was able to detect several network-related functions that were patched by the Reptile code. Another function that is patched by Reptile code in order to hide directories is fillonedir. In the image below, on the left side, I used Volshell to check the function prologue on a pristine system.

On the right side, we can see what the patched function looks like. In this post I shared some notes on how to use different Volatility plugins to detect known rootkits that leverage Linux kernel modules. The memory capture was obtained using LiME, and instructions were given on how to acquire the memory capture and create a Volatility profile. Nothing new, but practice this kind of skill, share your experiences, get feedback, repeat the practice, and improve until you are satisfied with your performance.
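The two kinds of evidence the post relies on, a syscall-table entry redirected out of the kernel text (the Diamorphine case) and a function prologue overwritten with a jump (the Reptile case), come down to two small checks. The following is an added example, not code from the original post or from Volatility, that implements both in simplified form over constructed sample data: the System.map excerpt, the module address range, the table contents, the function names used as labels and the byte strings are all made up for the demonstration. It mirrors what linux_check_syscall and linux_check_inline_kernel report, in reduced form, so the reader can see why a pointer into a module range or an E9 / 48 B8 ... FF E0 entry sequence is flagged.

```python
"""Added example, not code from the original post or from Volatility:
simplified versions of the syscall-table and inline-hook checks, run over
constructed sample data so they work offline.

1. Syscall-table check (what linux_check_syscall looks for): every entry of
   sys_call_table should land on a symbol inside the kernel text segment.
   An entry pointing into a loaded module's range, or at an address with
   no symbol, indicates a replaced handler.
2. Inline-hook check (what linux_check_inline_kernel looks for): the first
   bytes of a function should match the prologue seen on a pristine system.
   A relative JMP (E9 rel32) or a MOV RAX, imm64 / JMP RAX trampoline
   (48 B8 <8 bytes> FF E0) at the entry point is the usual patch signature.
"""
from dataclasses import dataclass

# Constructed System.map excerpt: address, type, symbol.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81210000 T sys_read
ffffffff81210100 T sys_write
ffffffff81210200 T sys_getdents64
ffffffff81a00000 T _etext
ffffffff81c01000 R sys_call_table
"""


def parse_system_map(text):
    """Return {address: symbol} from System.map-style lines."""
    symbols = {}
    for line in text.splitlines():
        addr, _kind, name = line.split()
        symbols[int(addr, 16)] = name
    return symbols


@dataclass
class Module:
    """Address range of a loaded kernel module (as linux_lsmod would list it)."""
    name: str
    start: int
    size: int

    def contains(self, addr):
        return self.start <= addr < self.start + self.size


def check_syscall_table(table, symbols, modules, text_range):
    """table maps syscall number -> handler address.

    Returns [(nr, address, reason)] for entries that do not resolve to a
    symbol inside the kernel text segment."""
    lo, hi = text_range
    findings = []
    for nr, addr in sorted(table.items()):
        if not lo <= addr < hi:
            owner = next((m.name for m in modules if m.contains(addr)), "unknown")
            findings.append((nr, addr, f"outside kernel text, in {owner}"))
        elif addr not in symbols:
            findings.append((nr, addr, "no symbol at this address"))
    return findings


def check_prologue(name, observed, pristine):
    """Compare a function's entry bytes with the pristine prologue.

    Returns None when they match, otherwise (name, description)."""
    if observed[: len(pristine)] == pristine:
        return None
    if observed[:1] == b"\xe9":
        return (name, "jmp rel32 at entry")
    if observed[:2] == b"\x48\xb8" and observed[10:12] == b"\xff\xe0":
        target = int.from_bytes(observed[2:10], "little")
        return (name, f"mov rax, imm64 / jmp rax trampoline to {target:#x}")
    return (name, "prologue differs from pristine image")


# --- constructed sample data ---------------------------------------------
SYMBOLS = parse_system_map(SAMPLE_SYSTEM_MAP)
TEXT_RANGE = (0xFFFFFFFF81000000, 0xFFFFFFFF81A00000)  # _text .. _etext
MODULES = [Module("hidden_lkm", 0xFFFFFFFFC0000000, 0x8000)]
PRISTINE_TABLE = {0: 0xFFFFFFFF81210000, 1: 0xFFFFFFFF81210100, 217: 0xFFFFFFFF81210200}
# getdents64 (nr 217) redirected into the module: how a file-hiding hook shows up.
HOOKED_TABLE = {**PRISTINE_TABLE, 217: 0xFFFFFFFFC0001000}

PRISTINE_PROLOGUE = b"\x55\x48\x89\xe5\x41\x57"  # push rbp; mov rbp,rsp; push r15
JMP_HOOKED = b"\xe9\x00\x10\x00\x00\x41"         # jmp rel32 overwriting the entry
TRAMPOLINE_HOOKED = b"\x48\xb8" + (0xFFFFFFFFC0001200).to_bytes(8, "little") + b"\xff\xe0"


def run_checks():
    """Run both checks over the sample data; returns (syscall findings, prologue findings)."""
    syscall = check_syscall_table(HOOKED_TABLE, SYMBOLS, MODULES, TEXT_RANGE)
    prologues = [
        r for r in (
            check_prologue("sys_read", PRISTINE_PROLOGUE, PRISTINE_PROLOGUE),
            check_prologue("fillonedir", JMP_HOOKED, PRISTINE_PROLOGUE),
            check_prologue("tcp4_seq_show", TRAMPOLINE_HOOKED, PRISTINE_PROLOGUE),
        ) if r is not None
    ]
    return syscall, prologues


if __name__ == "__main__":
    syscall_findings, prologue_findings = run_checks()
    for nr, addr, why in syscall_findings:
        print(f"syscall {nr}: {addr:#x} {why}")
    for name, why in prologue_findings:
        print(f"{name}: {why}")
```

The pristine prologue is the reference a real check needs, which is why the post compares a clean capture with the infected one: without a known-good image (or the kernel's own text from disk) there is nothing to diff the entry bytes against, and only the crude pattern match on E9 / 48 B8 remains.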

Have fun!

Smartphone Volatile Memory Acquisition for Security Analysis and Forensics Investigation

Memory forensic tools provide a thorough way to detect malware and investigate cyber crimes. However, existing memory forensic tools must be compiled against the exact version of the kernel source code and the exact kernel configuration. This poses a problem for Android devices because there are more than 1, manufacturers and each manufacturer maintains its own kernel. Moreover, new security enhancements introduced in Android Lollipop prevent most memory acquisition tools from executing. This chapter describes AMExtractor, a tool for acquiring volatile physical memory from a wide range of Android devices with high integrity. Device-specific information is extracted at runtime without any assumptions about the target kernel source code and configuration. AMExtractor has been successfully tested on several devices shipped with different versions of the Android operating system, including the latest Android Lollipop.

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers. A proliferation of phones (particularly smartphones) and other digital devices on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques. Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts. There is a growing need for mobile forensics due to several reasons, and some of the prominent reasons are:

Mobile device forensics

In this paper, we first identify the need to be equipped with the capability to perform raw volatile memory data acquisition from live smartphones. We then investigate and discuss the potential of different approaches to achieve this task on Symbian smartphones. Based on our initial analysis, we propose a simple, flexible and portable approach which can have a full-coverage view of the memory space, to acquire the raw volatile memory data from commercial Symbian smartphones. We develop the tool to conduct the proof-of-concept experiments on the phones, and are able to acquire the volatile memory data successfully.



1 Comments

  1. Sharon L. 17.04.2021 at 02:25

    This makes LiME unique as it is the first tool that allows for full memory captures on Android devices.