You can run but you cannot hide from memory: Extracting IM evidence of Android apps.

Nisioti, A., Mylonas, A., Katos, V., Yoo, P. and Chryssanthou, A., 2017. You can run but you cannot hide from memory: Extracting IM evidence of Android apps. In: IEEE Symposium on Computers and Communications (ISCC), 3-6 July 2017, Heraklion, Greece, 457 - 464.

Full text available as:

[img]
Preview
PDF
08024571.pdf - Accepted Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

473kB

DOI: 10.1109/ISCC.2017.8024571

Abstract

Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in `smart' devices such as tablets, TV, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 are the main way of messaging communication. Consequently, their inclusion in any forensics analysis is necessary as they constitute a source of valuable data, which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is the fact that databases can be tampered or erased, therefore the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with the use of a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from the memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.

Item Type:Conference or Workshop Item (Paper)
Uncontrolled Keywords:Androids;Forensics;Humanoid robots;Instant messaging;Kernel;Linux;Random access memory;Android;Android forensics;Instant messaging apps;Memory forensics
Group:Faculty of Science & Technology
ID Code:30563
Deposited By: Unnamed user with email symplectic@symplectic
Deposited On:10 Apr 2018 14:52
Last Modified:10 Apr 2018 14:52

Downloads

Downloads per month over past year

More statistics for this item...
Repository Staff Only -