There are several well-known techniques used by experts in forensic security investigations and forensic research projects. One of the most commonly used is the analysis of volatile memory (live memory forensics). The rise of new technologies requires the investigation methodology to be developed and adapted, and we have recently seen this in the area of mobile platforms.
My thesis focuses on tools that support memory analysis on the Android platform. I have built an automated system by extending and combining currently available solutions. The aim of the software is to perform in advance the tasks that help and support the analysis carried out by a human expert.
The analysis runs in an emulated environment designed specifically for this purpose, which makes it possible to investigate potentially malicious software safely.
The system works as a web service that can be accessed at two points. A client application running on the Android platform inspects the other applications installed on the same device; if an application is suspected of being harmful, its installer is sent to the server for further analysis. The other access point is a conventional website, where anyone can upload applications in “.apk” format; the system examines them and presents the results to the submitter.
First I perform several static analysis steps on the suspicious files that arrive on the server side; this is a prerequisite for the subsequent analyses. Then I create a fresh emulated environment that is guaranteed not to carry any damage left by a previous analysis. I start several applications in the environment and simulate various user inputs in order to bring the system into a state close to real use. After a certain period of time I install the application under investigation and again send user inputs, this time to this specific application, to simulate a real scenario. I let the system run in this state so that the application has sufficient time to perform its various operations. After this pause I capture a copy of the memory content of the emulated environment with the help of a kernel module. At this point I shut the emulator down, because all further analysis runs only on the memory image.
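The static pre-check step described above, as an added Python example that is not part of the thesis or its software: it inspects an uploaded APK as a ZIP container before anything is installed in the emulator, so that a malformed or ambiguous archive is stopped (and hashed for deduplication) rather than handed to the dynamic stage. The APK produced by build_sample_apk is constructed test data, and the checks (required entries, duplicate or unsafe entry names, native libraries, a v1 signature block) are my own selection of structural checks, not the ones the thesis implements.

```python
"""Static pre-checks run on an uploaded APK before it goes to the emulator (added example)."""
import hashlib
import io
import re
import warnings
import zipfile

# Entries every ordinary APK carries; a missing manifest means the installer would reject it anyway
REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")
DEX_RE = re.compile(r"^classes\d*\.dex$")                 # classes.dex, classes2.dex, ...
SIG_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$")    # v1 (JAR) signature block


def build_sample_apk(extra=None, duplicate=None):
    """Construct a minimal APK-shaped ZIP in memory (constructed test data, not a real app).

    extra: mapping of entry name -> bytes to add; duplicate: entry name to write a second time.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/CERT.RSA", b"<pkcs7 placeholder>")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")   # zipfile warns about duplicate names
                zf.writestr(duplicate, b"second copy")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Return static facts about one APK; 'findings' lists reasons to treat it with care."""
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),   # dedup key for the sample store
        "size": len(apk_bytes),
        "dex_count": 0,
        "native_libs": [],
        "v1_signed": False,
        "findings": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        report["findings"].append("not a ZIP container")
        return report
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if zf.testzip() is not None:
            report["findings"].append("corrupt entry in archive")
        for required in REQUIRED_ENTRIES:
            if required not in names:
                report["findings"].append(f"missing {required}")
        # Two entries with the same name let different readers pick different copies
        if len(names) != len(set(names)):
            report["findings"].append("duplicate entry names")
        # Entry names that escape the extraction directory must never be unpacked server-side
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                report["findings"].append(f"unsafe entry path: {name}")
        report["dex_count"] = sum(1 for n in names if DEX_RE.match(n))
        report["native_libs"] = sorted(n for n in names if n.startswith("lib/") and n.endswith(".so"))
        report["v1_signed"] = any(SIG_RE.match(n) for n in names)
        if not report["v1_signed"]:
            report["findings"].append("no v1 signature block (v2/v3 signing not checked here)")
    return report


def should_emulate(report):
    """Only structurally valid archives continue to the emulator; the rest are logged and stopped."""
    blocking = ("not a ZIP container", "corrupt entry in archive", "missing AndroidManifest.xml")
    return not any(f in blocking for f in report["findings"])


if __name__ == "__main__":
    sample = build_sample_apk(extra={"lib/arm64-v8a/libnative.so": b"\x7fELF"})
    print(triage_apk(sample))
```

The findings that merely describe the sample (native code present, several dex files, unsigned) are kept in the report for the human analyst, while only findings that make installation impossible or unsafe stop the pipeline; an APK with a duplicate or traversal-style entry name is still analysed, but never extracted on the server.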
I perform the memory image analysis with the help of the well-known Volatility framework, which yields valuable information about the system’s state. This gives me access to the list of modifications performed by the application under investigation and to more detailed information about its behaviour.
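The differential step that the memory analysis enables, as an added Python example that is not the thesis's own code: a process listing taken from a baseline image and one taken from the post-install image are parsed and compared, and each process that appeared in between is attributed to the sample either by its uid or by walking its parent chain. The two listings are constructed samples laid out like a pslist-style table; the column order (offset, name, pid, ppid, uid, gid, dtb, start time), the package name com.example.sample and its uid 10050 are assumptions for the example, not output captured from a real image.

```python
"""Differential analysis of two process listings pulled from memory images (added example)."""
from dataclasses import dataclass

# Constructed listings in a pslist-style layout; offsets and times are placeholders.
BASELINE = """\
Offset   Name                  Pid   PPid  Uid    Gid    DTB      Start Time
-------- --------------------- ----- ----- ------ ------ -------- ----------
0x1000   init                  1     0     0      0      0x0      00:00:00
0x1100   zygote                300   1     0      0      0x1      00:00:05
0x1200   system_server         420   300   1000   1000   0x2      00:00:09
0x1300   com.android.phone     480   300   1001   1001   0x3      00:00:12
0x1400   com.android.calendar  500   300   10010  10010  0x4      00:01:30
"""

AFTER_INSTALL = """\
Offset   Name                       Pid   PPid  Uid    Gid    DTB      Start Time
-------- -------------------------- ----- ----- ------ ------ -------- ----------
0x1000   init                       1     0     0      0      0x0      00:00:00
0x1100   zygote                     300   1     0      0      0x1      00:00:05
0x1200   system_server              420   300   1000   1000   0x2      00:00:09
0x1300   com.android.phone          480   300   1001   1001   0x3      00:00:12
0x1500   com.example.sample         900   300   10050  10050  0x5      00:05:00
0x1600   sh                         905   900   10050  10050  0x6      00:05:02
0x1700   com.example.sample:remote  907   300   10050  10050  0x7      00:05:03
0x1800   com.android.music          910   300   10020  10020  0x8      00:05:10
"""


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    uid: int


def parse_pslist(text):
    """Parse a pslist-style table into {pid: Proc}; header and separator rows are skipped."""
    procs = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[2].isdigit():
            continue  # header, separator or blank line
        p = Proc(name=parts[1], pid=int(parts[2]), ppid=int(parts[3]), uid=int(parts[4]))
        procs[p.pid] = p
    return procs


def diff_snapshots(before, after, sample_uid):
    """Split new processes into those attributable to the sample and those that are not.

    A process is attributed to the sample if it runs under the sample's uid or if any
    ancestor in the post-install image does (e.g. a shell forked by the app).
    """
    def descends_from_sample(pid, seen=()):
        p = after.get(pid)
        if p is None or pid in seen:          # reached init's parent (0) or a cycle
            return False
        if p.uid == sample_uid:
            return True
        return descends_from_sample(p.ppid, seen + (pid,))

    new = sorted(set(after) - set(before))
    gone = sorted(set(before) - set(after))
    return {
        "new": [after[p] for p in new],
        "gone": [before[p] for p in gone],
        "attributable": [after[p] for p in new if descends_from_sample(p)],
        "unexplained": [after[p] for p in new if not descends_from_sample(p)],
    }


if __name__ == "__main__":
    result = diff_snapshots(parse_pslist(BASELINE), parse_pslist(AFTER_INSTALL), sample_uid=10050)
    for key, procs in result.items():
        print(key, [(p.name, p.pid) for p in procs])
```

Processes in the "unexplained" bucket are not necessarily unrelated to the sample (an app can start another component through an intent, which zygote then forks under a different uid), which is why the list is handed to the analyst rather than discarded; the same before/after comparison can be applied to other per-process data Volatility exposes, such as open files or loaded libraries.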