Abstract

With the rapid development of the social economy, the number of Android mobile devices has increased rapidly in recent years. At present, digital forensics experts mainly extract digital evidence from the non-volatile physical memory and file system of mobile devices. However, methods based on non-volatile storage are of little use in the forensics of high-security apps, where the data of interest is encrypted or deleted, e.g. the private conversation records of chat apps or the payment records of payment apps. Accordingly, data resident in memory is an important source of evidence. Moreover, relying solely on digital evidence in non-volatile storage is incomplete and unreliable. The demand for memory forensics on the Android platform has therefore increased. In this paper, a ptrace-based scheme for Android memory extraction at the process level is proposed. With this scheme, a complete memory image of a specific process can be obtained, including the memory space shared anonymously between the process and other processes, the memory space of the process, and the memory space of each thread in the process. This method is of great importance to the forensics of high-security apps, such as chat apps or Bitcoin payment apps.
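The region-selection step of such a process-level acquisition, as an added example that is not code from the paper: it sorts the lines of a `/proc/<pid>/maps` listing into the three kinds of memory the abstract names and totals the bytes to acquire for each. That the regions are enumerated from `/proc/<pid>/maps`, the matching rules, and the names `classify_maps_line` and `plan_acquisition` are all assumptions; the sample listing is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Region classes named in the abstract; the matching rules are assumptions. */
enum region_class { REG_SKIP, REG_SHARED_ANON, REG_THREAD, REG_PROCESS };

/* Classify one /proc/<pid>/maps line and return its address range. */
enum region_class classify_maps_line(const char *line,
        unsigned long long *start, unsigned long long *end) {
    char perms[5] = "", path[256] = "";
    /* Fields: start-end perms offset dev inode [path]; path may be absent. */
    int n = sscanf(line, "%llx-%llx %4s %*s %*s %*s %255[^\n]",
                   start, end, perms, path);
    if (n < 3 || perms[0] != 'r' || strstr(path, "[vvar]"))
        return REG_SKIP;            /* malformed, unreadable, or kernel page */
    if (strncmp(path, "/dev/ashmem/", 12) == 0 ||
        (perms[3] == 's' && (!path[0] || strstr(path, "(deleted)"))))
        return REG_SHARED_ANON;     /* ashmem or MAP_SHARED anonymous memory */
    if (strncmp(path, "[stack:", 7) == 0 || strstr(path, "stack_and_tls"))
        return REG_THREAD;          /* per-thread stack; label varies by kernel */
    return REG_PROCESS;             /* heap, main stack, other readable maps */
}

/* Total the bytes an examiner would acquire per class for a maps listing. */
void plan_acquisition(const char *maps, unsigned long long bytes[4]) {
    memset(bytes, 0, 4 * sizeof bytes[0]);
    while (*maps) {
        unsigned long long s = 0, e = 0;
        size_t len = strcspn(maps, "\n");
        char line[512];
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        enum region_class c = classify_maps_line(line, &s, &e);
        if (e > s) bytes[c] += e - s;
        maps += len + (maps[len] == '\n');
    }
}

static const char SAMPLE_MAPS[] =   /* constructed sample, not device data */
    "12c00000-12e00000 rw-p 00000000 00:04 7001 /dev/ashmem/dalvik-main space (deleted)\n"
    "7f10000000-7f10021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f20000000-7f20004000 rw-s 00000000 00:05 7002 /dev/zero (deleted)\n"
    "7f30000000-7f300fe000 rw-p 00000000 00:00 0 [stack:4321]\n"
    "7ffff000-80000000 r--p 00000000 00:00 0 [vvar]\n";

int main(void) {
    unsigned long long b[4];
    plan_acquisition(SAMPLE_MAPS, b);
    printf("shared=%llu thread=%llu process=%llu skipped=%llu\n",
           b[REG_SHARED_ANON], b[REG_THREAD], b[REG_PROCESS], b[REG_SKIP]);
    return 0;
}
```

Recording the per-class totals alongside the image lets an examiner check afterwards that every planned range was actually captured.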
