TY - GEN
T1 - You can run but you cannot hide from memory
T2 - 2017 IEEE Symposium on Computers and Communications, ISCC 2017
AU - Nisioti, Antonia
AU - Mylonas, Alexios
AU - Katos, Vasilios
AU - Yoo, Paul D.
AU - Chryssanthou, Anargyros
PY - 2017/9/1
Y1 - 2017/9/1
N2 - Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in 'smart' devices such as tablets, TV, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 are the main way of messaging communication. Consequently, their inclusion in any forensics analysis is necessary as they constitute a source of valuable data, which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is the fact that databases can be tampered or erased, therefore the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with the use of a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from the memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.
AB - Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in 'smart' devices such as tablets, TV, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 are the main way of messaging communication. Consequently, their inclusion in any forensics analysis is necessary as they constitute a source of valuable data, which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is the fact that databases can be tampered or erased, therefore the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with the use of a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from the memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.
KW - Android
KW - Android forensics
KW - Instant messaging apps
KW - Memory forensics
UR - http://www.scopus.com/inward/record.url?scp=85030562433&partnerID=8YFLogxK
U2 - 10.1109/ISCC.2017.8024571
DO - 10.1109/ISCC.2017.8024571
M3 - Conference contribution
AN - SCOPUS:85030562433
T3 - Proceedings - IEEE Symposium on Computers and Communications
SP - 457
EP - 464
BT - 2017 IEEE Symposium on Computers and Communications, ISCC 2017
PB - Institute of Electrical and Electronics Engineers (IEEE)
Y2 - 3 July 2017 through 7 July 2017
ER -