Abstract

Each new release of a mobile device operating system represents a renewed challenge for the forensic analyst. Even a small modification or fault correction in such basic software requires the revision of forensic tools and methods, frequently leading to the development of new investigation tools and the consequent adaptation of methods. Forensic analysts therefore need to preserve each tool set and its related methods and associate them with the specific mobile operating system release. This paper describes a case of such a transition, consequent to the release of the Android Runtime (ART). The introduction of this system in the market required the development of a new forensic technique for analyzing ART memory objects from a volatile memory data extraction. Based on the Android Open Source Project (AOSP) source code, a method and associated software tools were developed that allow the location, extraction and interpretation of arbitrary ART memory instances together with their object classes and data properties. The proposed technique and tools were validated on both emulated and real devices, illustrating the difficulties of forensic analysis for the target system due to the particular implementations by multiple manufacturers of mobile devices.
