by Brendan Saltaformaggio@Purdue
Memory forensics: does not require the suspect's password to unlock the device, and is oblivious to any persistent-storage encryption
Evidence in memory is stored in data structures
Previous state of the art: evidence is recovered from plain-text or self-evident fields
However, that cannot understand the content of the data structure
Approach: reuse the functions that print/render the data
Intuition: invalid data content breaks the function, whereas valid data generates output
How to find the rendering logic: dynamic analysis on the binary
How to isolate the entry point: test every "candidate" entry point
How to set up the proper context: run with some dummy input up to the entry point
What about the mobile environment?
Problem: too many apps to identify just a few pieces of rendering logic per app
Use the Android GUI framework's data structures ("draw_ops" etc.) instead
What about background applications, where some of the GUI tree nodes are nullified?
1. Try to reconstruct the tree structure
2. To find the graphic content of each node: piece the screen together by modeling it as a matching problem
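A simplified version of the matching formulation in step 2, added here as an illustration and not the talk's or GUITAR's actual algorithm. It assumes (constructed for this example) that the reconstructed tree gives each node its width and height, that the orphaned drawing content recovered from memory is a set of bitmaps with known dimensions, and that a bitmap is compatible with a node when the dimensions agree. Maximum bipartite matching (augmenting paths) then assigns content to nodes, leaving stale bitmaps unmatched.

```python
"""
Added example (constructed): assigning recovered drawing content to reconstructed
GUI tree nodes as a maximum bipartite matching. Compatibility here is simply
equal width/height; a real system would use richer constraints from draw_ops.
"""
from typing import Dict, List, Tuple

Dim = Tuple[int, int]

# Reconstructed tree nodes: name -> (width, height). Constructed sample.
NODES: Dict[str, Dim] = {
    "title_bar": (1080, 120),
    "content":   (1080, 1600),
    "btn_ok":    (300, 100),
    "btn_cancel": (300, 100),
}

# Orphaned bitmaps found in the drawing memory: name -> (width, height).
# "stale" has no node on the current screen (left over from an earlier one).
BITMAPS: Dict[str, Dim] = {
    "bmp_A": (300, 100),
    "bmp_B": (1080, 1600),
    "bmp_C": (300, 100),
    "bmp_D": (1080, 120),
    "stale": (500, 500),
}


def compatible(node_dim: Dim, bmp_dim: Dim) -> bool:
    """Constructed compatibility criterion: exact dimension match."""
    return node_dim == bmp_dim


def match_content(nodes: Dict[str, Dim], bitmaps: Dict[str, Dim]) -> Dict[str, str]:
    """Maximum bipartite matching nodes -> bitmaps via augmenting paths
    (Kuhn's algorithm). Returns {node: bitmap}; unmatched nodes are absent."""
    candidates: Dict[str, List[str]] = {
        n: [b for b, bd in bitmaps.items() if compatible(nd, bd)]
        for n, nd in nodes.items()
    }
    owner: Dict[str, str] = {}  # bitmap -> node currently holding it

    def try_assign(node: str, seen: set) -> bool:
        for bmp in candidates[node]:
            if bmp in seen:
                continue
            seen.add(bmp)
            # Free bitmap, or its current owner can be re-routed elsewhere.
            if bmp not in owner or try_assign(owner[bmp], seen):
                owner[bmp] = node
                return True
        return False

    for node in nodes:
        try_assign(node, set())
    return {node: bmp for bmp, node in owner.items()}


if __name__ == "__main__":
    for node, bmp in sorted(match_content(NODES, BITMAPS).items()):
        print(f"{node:11s} <- {bmp}")
```

Augmenting paths matter once two nodes compete for the same content: a greedy pass that gave `bmp_A` to `btn_ok` and then found nothing left for `btn_cancel` would be repaired by re-routing `btn_ok` to `bmp_C`, which is what `try_assign` does recursively.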
How to reconstruct previous screens (not just the current one)?
Limitation of the previous approach: it only recovers the latest screen
Approach: profile how the app's internal memory and screen-drawing memory sizes change over time (when I change screen)
Solution: utilize Android's redraw mechanisms to reuse the app's internal memory
Generically interleave the execution of a live Android environment with the memory image
Q: How dependent are your techniques on the specific version of Android?
A: We updated from Android 2.2 to 6.0; the essence does not change.
Vision: cyber forensics needs to shift from personal experience to more formal methods