Abstract

Android dominates the mobile operating system market. Volatile memory analysis of Android devices has been the focus of research on mobile forensics technology. However, due to the semantic gap between the kernel and the volatile memory allocator, existing Android volatile memory analysis methods are coarse-grained. As the volatile memory capacity of Android devices increases, these methods cannot meet the accuracy requirements of Android volatile memory analysis. In this paper, we first discuss the address space layout of Android processes and the management mechanism of Jemalloc, the default Android volatile memory allocator. Then, we bridge the semantic gap by utilizing the boundary auto-alignment feature of Jemalloc's data structures. Finally, we propose a Fine-grained Analysis Method for Android volatile Memory, called FAMAM. Experimental results show that FAMAM has accurate data analysis capability as well as good robustness. In addition, we successfully use FAMAM to discover new storage patterns for the username and password of WeChat.
