Post-Mortem Memory Analysis of Cold-Booted Android Devices

Author

Hilgers, Christian ; Macht, Holger ; Muller, Tim ; Spreitzenbarth, Michael

fYear

2014

fDate

12-14 May 2014

Firstpage

62

Lastpage

75

Abstract

As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android´s memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.

Keywords

DRAM chips; cryptography; digital forensics; mobile computing; smart phones; Android memory structures; Android-driven smartphones; DRAM remanence effect; Dalvik VM memory structures; FROST tool; application level memory; cold boot attacks; cold-booted Android devices; digital investigation process; forensic memory dumps; full disk encryption; open-source volatility plugins; post-mortem memory analysis; tablet PCs; Androids; Cryptography; Forensics; Kernel; Linux; Random access memory; Smart phones; Android Forensics; Cold Boot Attack; Dalvik VM; Memory Analysis; Post-mortem Analysis; Volatility Plugins;

fLanguage

English

Publisher

ieee

Conference_Titel

IT Security Incident Management & IT Forensics (IMF), 2014 Eighth International Conference on

Conference_Location

Munster

Print_ISBN

978-1-4799-4330-2

Type

conf

DOI

10.1109/IMF.2014.8

Filename

6824082