Android Memory Forensics

Shailendra Sadh – sxs5554

4055-841 Advanced Computer Forensics

Agenda

• The Scenario• Technologies Used• Investigation Process • Questions & Results• Challenges & Future Work• Tech Pros & Cons

The Scenario

• Suspect Botnet Commander

• Custom Android Application to determine Bot status

• Feds go knocking on the door.

Evidence Retrieved

Technologies used

• LIME – Linux Memory Extractor (formerly DMD)

• Volatility 2.3 (Beta)Open SourceExtremely CapableWide Range of support for Win & Linux ( Android

)• Autopsy• Investigator’s Swiss knife - HEXEDITOR

Investigation Process

Seize

Acquire

Analyze

Report

• Warrant• Internal Investigation

• Hard Disk• Memory• PCAP/Logs

• Evidence Hashing• Forensic Analysis

• Present findings• Expert Witness

Acquire Droid RAM Dump - Revelations!!

• Acquisition

ADB Android Debug Bridge

KO No it not Knockout! Kernel Object loadable as kernel module

Insmod Insert module command to load module in kernel land

Acquisition over TCP Stream

On Host$ adb push evo-lime.ko /sdcard/evo-lime.ko$ adb forward tcp:4444 tcp:4444$ adb shell$ su

On Phone$ su$ insmod /sdcard/evo-lime.ko “path=tcp:4444 format=lime”

Acquisition on SD card

On Host$ adb push evo-lime.ko /sdcard/evo-lime.ko$ adb shell$ su

On Phone$ su$ insmod /sdcard/evo-lime.ko “path= /sdcard/mdump.lime format=lime”

Analysis

• Calculate MD5/SHA1 hash of acquired evidence

• Document the processes followed

• Record and document suspicious or notable findings

• Don’t Give up!

Droid RAM Analysis – Revelations!!

• Volatility – 2.3 (Beta)Profile used --LinuxEvo4Gx86Find available commands by running:

python vol.py --profile=LinuxEvo4Gx86 -f Evo4GRodeo.lime --info |grep linux_

Complete list available at:https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_volshell

Questions & Results

1) When was LiME run, and what were the exact parameters used?

Python vol.py --profile=LinuxEvo4Gx86 –f Evo4GRodeo.lime linux_psaux |grep lime

Android Process Tree

2) What was the device’s IP address?

Python vol.py --profile=LinuxEvo4Gx86 –f Evo4GRodeo.lime linux_ifconfig

3) What are the IP and MAC address of the device’s gateway?

Python vol.py --profile=LinuxEvo4Gx86 –f Evo4GRodeo.lime linux_arp

4) Find a list of running processes. Do any appear to be of interest? List them, along with time of execution.

PID UID Process

712 10018 Com.smithmicro.DM

751 10066 Com.pv.wmdrmservice

780 1000 Com.pv.wmdrmproxy

1860 10093 Com.l33t.seccncviewer

659 10047 Htcloggerd

662 10047 ghost

5) Find any communication that would suggest information about the origin of the application and its author. Acquire a copy of the application, if possible.

Sanitized email extract - From HexEditor

<div class="gm-sender-name" style="color:#00681c">Joe Sylve</div><div class="gm-sender-email">joe.sylve<span></span>gmail.com</div>:<div class="gm-date">Aug 4</div><div class="gm-time">1:33am</div>:<td class="gm-recipient-title">To:</td><td class="gm-recipient-list">rodeo.wrangler.2012<span></span>gmail.com</td>:<div class="gm-body">..<div class="gm-message-content" style="zoom:1.5">Hey man.. Here&#39;s the app, it shouldn&#39;t leave any evidence on the phone, so feel free to burn it any time. Now please... send my money! I really need another ride on the mechanical whale...<div><br></div><div><a href="http://db.tt/9UECzowS" target="_blank">http://db.tt/9UECzowS</a><font color=#888888>:<br>..<div><br></div><div>-Joe</div></font></div></div>

5) Find any communication that would suggest information about the origin of the application and its author. Acquire a copy of the application, if possible.

• File retrieved and executed – seccncviewer.apk

Active Bot Connections

Challenges

Q 6) What is the IP address of the server that the application is connecting to?

Most volatility network commands didn’t give out any result

Uninteresting/no IPs found in hex dump (.lime & .apk files)Extracted RouteCache files. (Just too much data) Tried to emulate the bot connection – potentially different

IP addresses foundNot Enough time and lack of forensics skill!!!

Challenges - Cont

Q 7) Recover any information about the Bots.? Found files

• BOTStatusActivity.java (extract ELF file from Lime)• Com.l33t.seccncviewer.PullToRefreshListActivity • botInfo.xml- ( figure out the xml struct)

Distributed by Joe Sylve :P Spread out to multiple location and it tries to connect

every few milliseconds (267 probably)Not Enough time and lack of forensics & Reverse

Engineering skills!!!

Future Work

• Case Perspective Search and extract ELF (exe linkable format) files to

possibly find source code of the application Find more traces for BotInfo.xml Learn Assembly!!! Encryption used. (Maybe RSA!)

Tech – Pros & Cons

• Volatility 2.3 BetaBrilliant memory analysis toolkitNascent stages for android forensics

• Focus on Windows Forensics! (Well Obviously :P)

• Customization of open source tools (Time & Skills!)

Thank you!!