Title: Responding to living-off-the-land tactics using just-in-time memory forensics (JIT-MF) for Android
Authors: Bellizzi, Jennifer
Vella, Mark Joseph
Colombo, Christian
Hernandez-Castro, Julio
Keywords: Digital forensic science
Forensic sciences
Digital preservation
Computer software -- Security measures
Issue Date: 2021
Publisher: SCITEPRESS Digital Library
Citation: Bellizzi, J., Vella, M., Colombo, C., & Hernandez-Castro, J. (2021). Responding to living-off-the-land tactics using just-in-time memory forensics (JIT-MF) for Android. International Conference on Security and Cryptography (SECRYPT 2021), Milan. 356-369.
Abstract: Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if only ephemerally. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework for performing memory forensics on existing stock Android devices without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.
Appears in Collections: Scholarly Works - FacICTCS
