A Novel Android Memory Forensics for Discovering Remnant Data

Abstract

As recently updated on the vulnerability statistics shown in 2019, Android-driven smartphones, tablet PCs, and other Android devices are vulnerable, whether from internal or external threats. Most users store sensitive data like emails, photos, cloud storage access, and contact lists on Android smartphones. This information holds a growing-importance for the digital investigation process of mobile devices, e.g., internal memory or random-access memory (RAM) forensics, or external memory or read-only memory (ROM) forensics on Android smartphones. Internal memory retrieval is considered flawed and difficult by some researchers as it alters the digital evidence in an intrusive way. On the other hand, external memory retrieval also called logical acquisition that implies the image of logical storage items (e.g., files, database, directories, etc.) that locate on logical storage. This research provides a novel methodology that focuses only on internal memory forensic in a forensically sound manner. This research also contributes two algorithms, e.g., collect raw information (CRI) for parsing the raw data, and investigate raw information (IRI) for extracting the digital evidence to be more readable. This research conducted with fourteenth events to be analyzed, and each event was captured by SHA-1 as digital evidence. By using GDrive as the case study, the authors concluded that the proposed methodology could be used as guidance by forensics analyst(s), cyberlaw practitioner(s), and expert witness(es) in the court.