
VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images

Published: 12 October 2015

Abstract

The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times. In the event of a crime, the photographic evidence that these cameras leave in a smartphone's memory becomes a vital piece of digital evidence, and forensic investigators are tasked with recovering and analyzing it. Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras. In this paper, we present VCR, a memory forensics technique that aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device's cameras. By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis. Based on this, VCR targets application-generic artifacts in an input memory image, which allow photographic evidence to be collected no matter which application produced it. Further, VCR builds upon the Android framework's existing image decoding logic to both automatically recover and render any located evidence. Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms.



    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015
    1750 pages
    ISBN: 9781450338325
    DOI: 10.1145/2810103

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. android
    2. digital forensics
    3. memory forensics

    Qualifiers

    • Research-article

    Conference

    CCS '15

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 17
    • Downloads (last 6 weeks): 1
    Reflects downloads up to 05 Mar 2025

    Cited By

    • (2024) Crossing Shifted Moats: Replacing Old Bridges with New Tunnels to Confidential Containers. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 1390-1404. DOI: 10.1145/3658644.3670352. Online publication date: 2 Dec 2024.
    • (2022) Responding to Targeted Stealthy Attacks on Android Using Timely-Captured Memory Dumps. IEEE Access, vol. 10, pp. 35172-35218. DOI: 10.1109/ACCESS.2022.3160531. Online publication date: 2022.
    • (2021) Image Reconstruction Attacks on Distributed Machine Learning Models. Proceedings of the 2nd ACM International Workshop on Distributed Machine Learning, pp. 29-35. DOI: 10.1145/3488659.3493779. Online publication date: 7 Dec 2021.
    • (2021) Evading DoH via Live Memory Forensics for Phishing Detection and Content Filtering. 2021 International Conference on COMmunication Systems & NETworkS (COMSNETS), pp. 1-4. DOI: 10.1109/COMSNETS51098.2021.9352935. Online publication date: 5 Jan 2021.
    • (2021) Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation. Secure IT Systems, pp. 20-36. DOI: 10.1007/978-3-030-70852-8_2. Online publication date: 3 Mar 2021.
    • (2020) App-Agnostic Post-Execution Semantic Analysis of Android In-Memory Forensics Artifacts. Proceedings of the 36th Annual Computer Security Applications Conference, pp. 28-41. DOI: 10.1145/3427228.3427244. Online publication date: 7 Dec 2020.
    • (2020) TrustAV. Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, pp. 39-48. DOI: 10.1145/3374664.3375748. Online publication date: 16 Mar 2020.
    • (2020) AmpleDroid: Recovering Large Object Files from Android Application Memory. 2020 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1-6. DOI: 10.1109/WIFS49906.2020.9360906. Online publication date: 6 Dec 2020.
    • (2020) Towards an AI-Based After-Collision Forensic Analysis Protocol for Autonomous Vehicles. 2020 IEEE Security and Privacy Workshops (SPW), pp. 240-243. DOI: 10.1109/SPW50608.2020.00055. Online publication date: May 2020.
    • (2019) Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security, vol. 22, no. 2, pp. 1-21. DOI: 10.1145/3310355. Online publication date: 18 Mar 2019.
