ndroid operated devices are one of the most competitive technology devices in the market, with the fastest growing market share within the mobile industry . Technology experts predict that it will dominate the mobile market in the coming decade. Additionally, recent research shows a huge year over year increase in the number of Android specific malware attacks [1,3]. It is relatively straightforward to investigate such attacks when they occur on mature operating system platforms such as Windows and Linux. However, due to the immaturity of Android memory image forensics, it is relatively problematic and time consuming to conduct such investigations on Android systems. In this research, we take advantage of recent advances in Android memory forensics technologies to explore a sample of these malware attacks, utilizing the open source digital forensics Volatility, a powerful investigation framework written in Python, capable of reading memory images from different Android kernel versions, and capable of performing a wide range of memory analysis and digital evidence extraction.
Volatility analyzes memory images, which must be extracted from the physical memory of the Android device, these images are extracted using Linux Memory Extractor “LiME” , to this moment, I`m not aware of any other Android memory image extractor. This loadable kernel module can acquire the full memory address range from an Android system, either over the network or via an SdCard . Along with various new Android specific Volatility plugins, and a custom built ARM architecture investigation profile for Volatility, these tools are used in our research to analyze running malware through the exploration of hidden processes, process structure, malicious APK activities, process caches, suspicious network connections, and other suspicious executed codes.
Commercial Android tools like FTK and Encase [19,17] can be used for Android content recovery and forensics investigation, and these tools are fairly easy to deploy, but are expensive solutions for small to medium business. This research illustrates Android memory forensics using open source, freely available tools. We use the recently available, first stable version of Volatility, rather than using older beta releases, this will provide more accurate evidence and analysis, using the new Android and employ very recently developed Android specific plugins in order to explore Android Dalvik instances, process structure and memory caches.
In the following sections, we discuss current work in the Android memory forensics field, then describe building an Android memory forensics investigation environment, the challenges involved in acquiring an Android memory image and finally we perform an experimental forensics investigations of a number of Android malware samples.
II. ANDROID MEMORY FORENSICS: AN OVERVIEW
There is wide consensus, at least in general outline, about the procedures involved in a forensic...