You can run but you cannot hide from memory: Extracting im evidence of Android apps

Antonia Nisioti, Alexios Mylonas, Vasilios Katos, Paul D. Yoo, Anargyros Chryssanthou

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in 'smart' devices such as tablets, TV, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 are the main way of messaging communication. Consequently, their inclusion in any forensics analysis is necessary as they constitute a source of valuable data, which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is the fact that databases can be tampered or erased, therefore the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with the use of a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from the memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.
Original languageEnglish
Title of host publication2017 IEEE Symposium on Computers and Communications, ISCC 2017
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Pages457-464
Number of pages8
ISBN (Electronic)9781538616291
DOIs
Publication statusPublished - 1 Sept 2017
Event2017 IEEE Symposium on Computers and Communications, ISCC 2017 - Heraklion, Greece
Duration: 3 Jul 20177 Jul 2017

Publication series

NameProceedings - IEEE Symposium on Computers and Communications
ISSN (Print)1530-1346

Conference

Conference2017 IEEE Symposium on Computers and Communications, ISCC 2017
Country/TerritoryGreece
CityHeraklion
Period3/07/177/07/17

Keywords

  • Android
  • Android forensics
  • Instant messaging apps
  • Memory forensics

Fingerprint

Dive into the research topics of 'You can run but you cannot hide from memory: Extracting im evidence of Android apps'. Together they form a unique fingerprint.

Cite this