DOI: 10.1145/2810103.2813650
Research article

GUITAR: Piecing Together Android App GUIs from Memory Images

Published: 12 October 2015

Abstract

An Android app's graphical user interface (GUI) displays rich semantic and contextual information about the smartphone's owner and the app's execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics, however, once an electronic device becomes evidence, most manual interactions with it are prohibited by criminal investigation protocols. Hence investigators must resort to "image-and-analyze" memory forensics (instead of browsing through the subject phone) to recover the apps' GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements, each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure is explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image. To do so, GUITAR involves the reconstruction of (1) the GUI tree topology, (2) the mapping of drawing operations, and (3) the runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.



    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015
    1750 pages
    ISBN:9781450338325
    DOI:10.1145/2810103

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Badges

    • Best Paper

    Author Tags

    1. android
    2. digital forensics
    3. memory forensics

    Funding Sources

    • NSF

    Conference

    CCS'15

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Cited By

    • (2024) Crossing Shifted Moats: Replacing Old Bridges with New Tunnels to Confidential Containers. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 1390-1404. DOI: 10.1145/3658644.3670352. Online publication date: 2 Dec 2024.
    • (2023) SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2620-2638. DOI: 10.1109/SP46215.2023.10179405. Online publication date: May 2023.
    • (2022) VenomAttack: automated and adaptive activity hijacking in Android. Frontiers of Computer Science 17:1. DOI: 10.1007/s11704-021-1126-x. Online publication date: 8 Aug 2022.
    • (2021) Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation. Secure IT Systems, pp. 20-36. DOI: 10.1007/978-3-030-70852-8_2. Online publication date: 3 Mar 2021.
    • (2020) App-Agnostic Post-Execution Semantic Analysis of Android In-Memory Forensics Artifacts. Proceedings of the 36th Annual Computer Security Applications Conference, pp. 28-41. DOI: 10.1145/3427228.3427244. Online publication date: 7 Dec 2020.
    • (2020) AmpleDroid: Recovering Large Object Files from Android Application Memory. 2020 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1-6. DOI: 10.1109/WIFS49906.2020.9360906. Online publication date: 6 Dec 2020.
    • (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security 22:2, pp. 1-21. DOI: 10.1145/3310355. Online publication date: 18 Mar 2019.
    • (2019) Every Shred Helps: Assembling Evidence From Orphaned JPEG Fragments. IEEE Transactions on Information Forensics and Security 14:9, pp. 2372-2386. DOI: 10.1109/TIFS.2019.2897912. Online publication date: Sep 2019.
    • (2019) SuiT: Secure User Interface Based on TrustZone. ICC 2019 - 2019 IEEE International Conference on Communications (ICC), pp. 1-7. DOI: 10.1109/ICC.2019.8761616. Online publication date: May 2019.
    • (2018) DeepMem. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 606-618. DOI: 10.1145/3243734.3243813. Online publication date: 15 Oct 2018.
