Please use this identifier to cite or link to this item:
Title: Real-time triggering of Android memory dumps for stealthy attack investigation
Other Titles: Secure IT systems
Authors: Bellizzi, Jennifer
Vella, Mark Joseph
Colombo, Christian
Hernandez-Castro, Julio
Keywords: Digital forensic science
Computer software -- Security measures
Malware (Computer software) -- Prevention
Issue Date: 2020
Publisher: Springer
Citation: Bellizzi, J., Vella, M., Colombo, C., & Hernandez-Castro, J. (2020). Real-Time triggering of Android memory dumps for stealthy attack investigation. In M. Asplund & S. Nadjm-Tehrani (Eds.), Secure IT systems (pp. 20-36). Cham: Springer.
Abstract: Attackers regularly target Android phones and come up with new ways to bypass detection mechanisms to achieve long-term stealth on a victim’s phone. One way attackers do this is by leveraging critical benign app functionality to carry out specific attacks. In this paper, we present a novel generalised framework, JIT-MF (Just-in-time Memory Forensics), which aims to address the problem of timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. The main components of this framework are i) Identification of critical data objects in memory linked with critical benign application steps that may be misused by an attacker; and ii) Careful selection of trigger points, which identify when memory dumps should be taken during benign app execution. The effectiveness and cost of trigger point selection, a cornerstone of this framework, are evaluated in a preliminary qualitative study using Telegram and Pushbullet as the victim apps targeted by stealthy malware. Our study identifies that JIT-MF is successful in dumping critical data objects on time, providing evidence that eludes all other forensic sources. Experimentation offers insight into identifying categories of trigger points that can strike a balance between the effort required for selection and the resulting effectiveness and storage costs. Several optimisation measures for the JIT-MF tools are presented, considering the typical resource constraints of Android devices.
Appears in Collections:Scholarly Works - FacICTCS

Files in This Item:
File Description SizeFormat 
  Restricted Access
1.31 MBAdobe PDFView/Open Request a copy

Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.