Aisha Ali-Gombe, Towson University; Sneha Sudhakaran, Louisiana State University; Andrew Case, Volatility Foundation; Golden G. Richard III, Louisiana State University
There is a growing need for post-mortem analysis in forensics investigations involving mobile devices, particularly when application-specific behaviors must be analyzed. This is especially true for architectures such as Android, where traditional kernel-level memory analysis frameworks such as Volatility face serious challenges recovering and providing context for user-space artifacts. In this research work, we developed an app-agnostic userland memory analysis technique that targets the new Android Runtime (ART). Leveraging its latest memory allocation algorithms, called region-based memory management, we develop a system called DroidScraper that recovers vital runtime data structures for applications by enumerating and reconstructing allocated objects from a process memory image. The result of our evaluation shows DroidScraper can recover and decode nearly 90% of all live objects in all allocated memory regions.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Aisha Ali-Gombe and Sneha Sudhakaran and Andrew Case and Golden G. Richard III},
title = {{DroidScraper}: A Tool for Android {In-Memory} Object Recovery and Reconstruction},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {547--559},
url = {https://www.usenix.org/conference/raid2019/presentation/ali-gombe},
publisher = {USENIX Association},
month = sep
}
