A Technique for Extraction and Analysis of Application Heap Objects within Android Runtime (ART)

Alberto Magno Muniz Soares, Rafael Timóteo de Sousa Jr.

2017

Abstract

This paper describes a technique for analysing objects in memory within the Android Runtime (ART) execution environment, using a volatile memory extraction. A study of the AOSP (Android Open Source Project) source code was necessary to understand the runtime environment used in the modern Android operating system, and software tools were developed that allow the location, extraction and interpretation of data useful in a forensic context. Built by the authors as extensions for the Volatility Framework, these tools help to locate, in a memory extraction from a device compliant with the ARM architecture, arbitrary instances of classes and their data properties.

Paper Citation
in Harvard Style

Muniz Soares A. and Jr. R. (2017). A Technique for Extraction and Analysis of Application Heap Objects within Android Runtime (ART). In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 147-156. DOI: 10.5220/0006204101470156
in Bibtex Style

@conference{icissp17,
author={Alberto Magno Muniz Soares and Rafael Timóteo de Sousa Jr.},
title={A Technique for Extraction and Analysis of Application Heap Objects within Android Runtime (ART)},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={147-156},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006204101470156},
isbn={978-989-758-209-7},
}
in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Technique for Extraction and Analysis of Application Heap Objects within Android Runtime (ART)
SN - 978-989-758-209-7
AU - Muniz Soares A.
AU - Jr. R.
PY - 2017
SP - 147
EP - 156
DO - 10.5220/0006204101470156