Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

by Jennifer Bellizzi, et al.

Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activity, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach, since app execution of any form is always bound to leave a trail of evidence in memory, even if ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework for performing memory forensics on existing stock Android devices without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.

