DocumentCode
146872
Title
Post-Mortem Memory Analysis of Cold-Booted Android Devices
Author
Hilgers, Christian ; Macht, Holger ; Muller, Tim ; Spreitzenbarth, Michael
fYear
2014
fDate
12-14 May 2014
Firstpage
62
Lastpage
75
Abstract
As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android´s memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.
Keywords
DRAM chips; cryptography; digital forensics; mobile computing; smart phones; Android memory structures; Android-driven smartphones; DRAM remanence effect; Dalvik VM memory structures; FROST tool; application level memory; cold boot attacks; cold-booted Android devices; digital investigation process; forensic memory dumps; full disk encryption; open-source volatility plugins; post-mortem memory analysis; tablet PCs; Androids; Cryptography; Forensics; Kernel; Linux; Random access memory; Smart phones; Android Forensics; Cold Boot Attack; Dalvik VM; Memory Analysis; Post-mortem Analysis; Volatility Plugins;
fLanguage
English
Publisher
ieee
Conference_Titel
IT Security Incident Management & IT Forensics (IMF), 2014 Eighth International Conference on
Conference_Location
Munster
Print_ISBN
978-1-4799-4330-2
Type
conf
DOI
10.1109/IMF.2014.8
Filename
6824082
Link To Document