DroidScraper: A tool for Android in-memory object recovery and reconstruction
Document Type
Conference Proceeding
Publication Date
1-1-2019
Abstract
There is a growing need for post-mortem analysis in forensics investigations involving mobile devices, particularly when application-specific behaviors must be analyzed. This is especially true for architectures such as Android, where traditional kernel-level memory analysis frameworks such as Volatility [9] face serious challenges recovering and providing context for user-space artifacts. In this research work, we developed an app-agnostic userland memory analysis technique that targets the new Android Runtime (ART). Leveraging its latest memory allocation algorithm, called region-based memory management, we developed a system called DroidScraper that recovers vital runtime data structures for applications by enumerating and reconstructing allocated objects from a process memory image. The result of our evaluation shows that DroidScraper can recover and decode nearly 90% of all live objects in all allocated memory regions.
Publication Source (Journal or Book title)
RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
First Page
547
Last Page
559
Recommended Citation
Ali-Gombe, A., Sudhakaran, S., Case, A., & Richard, G. (2019). DroidScraper: A tool for Android in-memory object recovery and reconstruction. RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses, 547-559. Retrieved from https://repository.lsu.edu/eecs_pubs/2611