ABSTRACT
An Android app's graphical user interface (GUI) displays rich semantic and contextual information about the smartphone's owner and the app's execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics, however, once an electronic device becomes evidence, most manual interactions with it are prohibited by criminal investigation protocols. Hence, investigators must resort to "image-and-analyze" memory forensics (instead of browsing through the subject phone) to recover the apps' GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements, each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure is explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image. To do so, GUITAR involves the reconstruction of (1) GUI tree topology, (2) drawing operation mapping, and (3) the runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.
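The three reconstruction steps the abstract names (tree topology, drawing-operation mapping, redrawing) as an added toy illustration, not GUITAR's code: the carved View-like records, their addresses and bounds are constructed inline, a lost parent link is recovered from the parent's own child list, and the tree is painted in parent-before-child order so partial data loss still yields a meaningful picture.

```python
# Added illustration, not GUITAR's code: rebuild a GUI view tree from carved
# View-like records (constructed sample data) even when links are lost, then
# paint the boxes in tree order so the recovered topology is visible.
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class CarvedView:
    addr: int                          # address the record was carved from
    parent: Optional[int]              # parent pointer; None if the field was lost
    children: List[int]                # child pointers (may be truncated)
    bounds: Tuple[int, int, int, int]  # (left, top, right, bottom) in cells
    label: str                         # first letter is used as the fill glyph
def rebuild_tree(views):
    """Child->parent map from parent pointers AND child lists; leftovers are roots."""
    by_addr = {v.addr: v for v in views}
    parent_of = {v.addr: v.parent for v in views if v.parent in by_addr}
    for v in views:
        for c in v.children:
            if c in by_addr and c not in parent_of:   # recover a lost parent link
                parent_of[c] = v.addr
    roots = [a for a in by_addr if a not in parent_of]
    return parent_of, roots
def draw_order(parent_of, roots):
    """Parent-before-child traversal: children are painted over their parent."""
    kids = {}
    for c, p in parent_of.items(): kids.setdefault(p, []).append(c)
    order = []
    def visit(a):
        order.append(a)
        for c in sorted(kids.get(a, [])): visit(c)
    for r in sorted(roots): visit(r)
    return order
def render(views, width=12, height=6):
    by_addr = {v.addr: v for v in views}
    parent_of, roots = rebuild_tree(views)
    canvas = [["."] * width for _ in range(height)]
    for a in draw_order(parent_of, roots):          # redraw step
        l, t, r, b = by_addr[a].bounds
        for y in range(t, b):
            canvas[y][l:r] = by_addr[a].label[0] * (r - l)
    return "\n".join("".join(row) for row in canvas)
def sample_views():
    """Constructed carve result: Content's parent field is lost; Orphan's parent
    (0x999) was never recovered from the image, so it can only become a root."""
    return [CarvedView(0x100, None, [0x200, 0x300], (0, 0, 12, 6), "Window"),
            CarvedView(0x200, 0x100, [], (0, 0, 12, 1), "Toolbar"),
            CarvedView(0x300, None, [0x400], (0, 1, 12, 6), "Content"),
            CarvedView(0x400, 0x300, [], (8, 4, 12, 6), "Button"),
            CarvedView(0x500, 0x999, [], (0, 5, 2, 6), "Orphan")]
```

Calling `render(sample_views())` paints the toolbar row, the content area, the button in its corner and the orphan as a separate root; a real carve would supply the records from the memory image instead of the constructed list.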
GUITAR: Piecing Together Android App GUIs from Memory Images