Jennifer Bellizzi,Mark Vella,Christian Colombo,Julio Hernandez-Castro

DOI: https://doi.org/10.48550/arXiv.2105.05510

2021-05-12

Cryptography and Security

Abstract:Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.

Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00016-1

2015-06-07

Abstract:There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

Cryptography and Security

Shiwen Song,Xuanyu Liu,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom46510.2021.9685748

2021-01-01

Abstract:With the widespread use of Android devices, research on their security has attracted increasing attention. However, at present, digital forensics for investigating attacks, such as social engineering attacks and phishing that target Android users, remains a challenging and time-consuming task. To help discover the existence of an attack and conduct effective investigations, we propose a top-down digital forensic tool for Android applications to reconstruct attack scenarios by considering both high-level user interface (UI) elements and low-level system events. Thus, we can explain the nature of an attack from a visual and global perspective. The tested evaluation results show that our tool can successfully reconstruct scenarios on Android devices for phishing attacks.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Raffaele Cuomo,Davide D'Agostino,Mario Ianulardo

DOI: https://doi.org/10.3390/s22187096

2022-09-19

Abstract:This paper presents several scenarios where digital evidence can be collected from mobile devices, their legal value keeping untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, digital analysis of smartphone Android or iOS can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.) we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.

Xiao Fu,Hao Ruan,Xuanyu Liu,Xiaojiang Du,B. Luo

DOI: https://doi.org/10.1109/ICCCN.2017.8038362

2017-07-01

Abstract:The wide spread of mobile devices has also caused the explosive growth of malwares. Application behavior analysis is a popular technique to fight against malwares. However current app behavior analysis methods still have some limitations. For example, many popular dynamic analysis methods are built on Dalvik virtual machines. They cannot disclose the behavior of native code. VMI based methods can overcome this limitation but they're executed in simulated environments. Now malwares can detect where they are running so as to hide the illegal behaviors by anti-forensic techniques. Considering these, we present the DroidRevealer. It is based on kernel-level system calls monitoring and it's running on real android devices. By intercepting and interpreting certain file/network related and android-specific system calls, it can reconstruct app behaviors in real-time. It's difficult to evade as it runs in the kernel. And its results do not simply focus on a single kind of behavior or a single app. Instead it is data oriented, i.e. it monitors how the target data source is used. The result is presented as an intelligible graph which can provide both a good basis for detection and crucial evidence for forensics. Experiments have proved that the performance of our method is acceptable.

Computer Science

Claudinei Morin da Silveira,Rafael T. de Sousa,Robson de Oliveira Albuquerque,Georges D. Amvame Nze,Gildásio Antonio de Oliveira Júnior,Ana Lucila Sandoval Orozco,Luis Javier García Villalba,Rafael T. de Sousa Jr

DOI: https://doi.org/10.3390/app10124231

2020-06-20

Applied Sciences

Abstract:This paper proposes a new forensic analysis methodology that combines processes, techniques, and tools for physical and logical data acquisition from mobile devices. The proposed methodology allows an overview of the use of the In-System Programming (ISP) technique with the usage of Combination Firmware, aligned with specific collection and analysis processes. The carried out experiments show that the proposed methodology is convenient and practical and provides new possibilities for data acquisition on devices that run the Android Operating System with advanced protection mechanisms. The methodology is also feasible in devices compatible with the usage of Joint Test Action Group (JTAG) techniques and which use Embedded Multimedia Card (eMMC) or Embedded Multi-Chip Package (eMCP) as main memory. The techniques included in the methodology are effective on encrypted devices, in which the JTAG and Chip-Off techniques prove to be ineffective, especially on those that have an unauthorized access protection mechanism enabled, such as lock screen password, blocked bootloader, and Factory Reset Protection (FRP) active. Studies also demonstrate that data preservation and integrity are maintained, which is critical to a digital forensic process.

Nurul Adhlina Hani Roslee,Nurul Hidayah bt Ab Rahman,Nurul Hidayah Bt Ab Rahman

DOI: https://doi.org/10.30630/joiv.2.3-2.137

2018-06-06

Abstract:This study aims to design and develop an interactive system that can visualize evidence collected from Android smartphone data. This project is developing to support forensic investigator in investigating the security incidents particularly involving Android smartphone forensic data. The used of smartphone in crime was widely recognized. Several types of personnel information are stored in their smartphones. When the investigator analyses the image data of the smartphone, the investigator can know the behaviour of the smartphone’s owner and his social relationship with other people. The analysis of smartphone forensic data is cover in mobile device forensic. Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence from a mobile device under forensically sound condition. The digital investigation model used in this project is the model proposed by United States National Institute of Justice (NIJ) which consists four phases, which are collection phase, examination phase, analysis phase and presentation phase. This project related with analysis phase and presentation phase only. This paper introduces Visroid, a new tool that provides a suite of visualization for Android smartphone data.

Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1712.02529

2017-12-07

Cryptography and Security

Abstract:Providing the ability to any law enforcement officer to remotely transfer an image from any suspect computer directly to a forensic laboratory for analysis, can only help to greatly reduce the time wasted by forensic investigators in conducting on-site collection of computer equipment. RAFT (Remote Acquisition Forensic Tool) is a system designed to facilitate forensic investigators by remotely gathering digital evidence. This is achieved through the implementation of a secure, verifiable client/server imaging architecture. The RAFT system is designed to be relatively easy to use, requiring minimal technical knowledge on behalf of the user. One of the key focuses of RAFT is to ensure that the evidence it gathers remotely is court admissible. This is achieved by ensuring that the image taken using RAFT is verified to be identical to the original evidence on a suspect computer.

Min-Hao Wu,Ting-Cheng Chang,Yi Li-Min

DOI: https://doi.org/10.13052/jwe1540-9589.20310

2021-06-09

Journal of Web Engineering

Abstract:With the rapid development of the Internet era, cell phones play an essential and indispensable role in nowadays life. Smartphones have profoundly influenced our social relationships and our daily lives. Generally speaking, the most common tools we hear about in our daily lives are QQ, WeChat, and other Internet communication services that allow users to send text messages, pictures, and documents, providing a more convenient and faster medium for people to communicate and chat. The popularity and convenience of mobile technology have changed people’s habits of communication. People no longer need to rely on computers to communicate, and computers cannot communicate anytime and anywhere. In the kernel of Linux and Windows, as long as the Message Hooker will install, it can monitor the messages of other programs, including WeChat and QQ, in this research. We can provide relevant law enforcement officers with effective evidence collection so that criminals will not be able to hide. The suspects often delete their WeChat or QQ records after committing the crime. It impossible for our law enforcement agencies to obtain evidence directly from the cell phone and the crime facts. Our research hopes to use some technology to help law enforcement units effectively obtain strong evidence in the iPhone not to hide the crime facts.

computer science, theory & methods, software engineering

Julian Geus,Jenny Ottmann,Felix Freiling

2024-04-19

Abstract:Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.

Cryptography and Security

Milda Petraityte,Ali Dehghantanha,Gregory Epiphaniou

DOI: https://doi.org/10.48550/arXiv.1706.08048

2017-06-25

Abstract:This paper uses a scenario-based role-play experiment based on the usage of QR codes to detect how mobile users respond to social engineering attacks conducted via mobile devices. The results of this experiment outline a guided mobile phone forensics investigation method which could facilitate the work of digital forensics investigators while analysing the data from mobile devices. The behavioural response of users could be impacted by several aspects, such as impulsivity, smartphone usage and security or simply awareness that QR codes could contain malware. The findings indicate that the impulsivity of users is one of the key areas that determine the common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. It could help the forensics investigators by potentially shortening the time spent on investigation of possible breach scenarios.

Cryptography and Security

Ben Martini,Quang Do,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00015-X

2015-06-18

Abstract:Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app database files and AccountManager data. To complete our understanding of the forensic artefacts stored by apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.

Computers and Society,Cryptography and Security

Xingbin Yang,Liyang Zhou,Hanqing Jiang,Zhongliang Tang,Yuanbo Wang,Hujun Bao,Guofeng Zhang

DOI: https://doi.org/10.1109/tvcg.2020.3023634

IF: 5.2

2020-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:We present a real-time monocular 3D reconstruction system on a mobile phone, called Mobile3DRecon. Using an embedded monocular camera, our system provides an online mesh generation capability on back end together with real-time 6DoF pose tracking on front end for users to achieve realistic AR effects and interactions on mobile phones. Unlike most existing state-of-the-art systems which produce only point cloud based 3D models online or surface mesh offline, we propose a novel online incremental mesh generation approach to achieve fast online dense surface mesh reconstruction to satisfy the demand of real-time AR applications. For each keyframe of 6DoF tracking, we perform a robust monocular depth estimation, with a multi-view semi-global matching method followed by a depth refinement post-processing. The proposed mesh generation module incrementally fuses each estimated keyframe depth map to an online dense surface mesh, which is useful for achieving realistic AR effects such as occlusions and collisions. We verify our real-time reconstruction results on two mid-range mobile platforms. The experiments with quantitative and qualitative evaluation demonstrate the effectiveness of the proposed monocular 3D reconstruction system, which can handle the occlusions and collisions between virtual objects and real scenes to achieve realistic AR effects.

Lang Liu,Yacong Gu,Qi Li,Purui Su

DOI: https://doi.org/10.1109/icccn.2017.8038419

2017-01-01

Abstract:In order to effectively detect malware in Android, dynamic analysis techniques with Android emulators are widely adopted. Emulators can be deployed for large-scale malware detection and restored to an ensured clean state in a short period after each app analysis process such that dynamic analysis upon emulators can effectively detect malware. Moreover, emulators significantly reduce the detection cost compared to real devices. However, emulator-based analysis has limited capability in detecting evasive malware that can detect the presence of the emulator-based environment and hide its malicious behaviors. In this paper, we propose RealDroid, a dynamic and emulator-based analysis system that can capture Android evasive malware and is capable of large-scale malware detection. RealDroid completely simulates a real device such that it can't be identified by evasive malware. Thereby, evasive malware can exhibit its malicious behaviors in RealDroid. Moreover, we propose an automated exploration mechanism, i.e., Android Test Engine (ATE), to improve the code coverage of dynamic analysis in RealDroid, such that it provides efficient and effective automatic detection of large-scale apps. Our experimental results demonstrate that ATE in RealDroid achieves much better exploration effects compared with state-of-the-art automatic exploration tools in large-scale malware detection. In particular, it can successfully detect evasive malware.

Kleomenis Katevas,Diego Perino,Nicolas Kourtellis

DOI: https://doi.org/10.48550/arXiv.2206.10963

2022-12-16

Abstract:Federated Learning (FL) has recently emerged as a popular solution to distributedly train a model on user devices improving user privacy and system scalability. Major Internet companies have deployed FL in their applications for specific use cases (e.g., keyboard prediction or acoustic keyword trigger), and the research community has devoted significant attention to improving different aspects of FL (e.g., accuracy, privacy, efficiency). However, there is still a lack of a practical system to enable easy collaborative cross-silo FL training, in the context of mobile environments. In this work, we bridge this gap and propose FLaME, an end-to-end system (i.e., client-side framework and libraries, and central server) to enable intra- and inter-app training on mobile devices with different types of IID and NonIID data distributions, in a secure and easy to deploy fashion. Our design solves major technical challenges such as on-device training, secure and private single and cross-app model training, while being offered in an "as a service" model. We implement FLaME for Android devices and experimentally evaluate its performance in-lab and in-wild, on more than 140 users for over a month. Our results show the feasibility and benefits of the design in a realistic mobile context and provide several insights to the FL community on the practicality and usage of FL in the wild.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Neil Redmond,Le-Nam Tran,Kim-Kwang Raymond Choo,Nhien-An Le-Khac

DOI: https://doi.org/10.1007/978-3-030-47131-6_9

2020-01-01

Abstract:Long Term Evolution (“LTE”) or 4G data services are relied upon by many people to process information such as payments, VOIP and applications on their mobile devices. Today this technology is widely used and many people depend upon its security every day for all manner of tasks. GSM traffic, SMS traffic and data traffic are encrypted by the network to prevent third party access. In this paper, we are going to investigate a methodology to overcome the security restrictions of LTE network to extract data from mobile device in real-time. The outcome of this research not only assists the digital investigators to tackle the challenges of extracting relevant artefacts from suspect devices using LTE network but also allows us to evaluate the possibility of extract important data from LTE security network in real-time. We also test our approach with real-world scenarios and services.

Nishchal Soni,Manpreet Kaur,Vishwas Bhardwaj

DOI: https://doi.org/10.1016/j.fsidi.2024.301695

IF: 1.805

2024-02-08

Forensic Science International Digital Investigation

Abstract:This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Window-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.

computer science, information systems, interdisciplinary applications

Haiyu Yang,Jianwei Zhuge,Huiming Liu,Wei Liu

DOI: https://doi.org/10.1007/978-3-319-46279-0_19

2016-01-01

Abstract:Memory forensic tools provide a thorough way to detect malware and investigate cyber crimes. However, existing memory forensic tools must be compiled against the exact version of the kernel source code and the exact kernel configuration. This poses a problem for Android devices because there are more than 1,000 manufacturers and each manufacturer maintains its own kernel. Moreover, new security enhancements introduced in Android Lollipop prevent most memory acquisition tools from executing. This chapter describes AMExtractor, a tool for acquiring volatile physical memory from a wide range of Android devices with high integrity. AMExtractor uses /dev/kmem to execute code in kernel mode, which is supported by most Android devices. Device-specific information is extracted at runtime without any assumptions about the target kernel source code and configuration. AMExtractor has been successfully tested on several devices shipped with different versions of the Android operating system, including the latest Android Lollipop. Memory images dumped by AMExtractor can be exported to other forensic frameworks for deep analysis. A rootkit was successfully detected using the Volatility Framework on memory images retrieved by AMExtractor.