Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation

Bellizzi, Jennifer; Vella, Mark; Colombo, Christian; Hernández-Castro, Julio

doi:10.1007/978-3-030-70852-8_2

Cited by 3 publications

(12 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Performance overheads. The practical overheads recorded in the initial JIT-MF study (Bellizzi et al, 2021) were confirmed. With JIT-MF drivers enabled, only an average increase of 0.5s was registered in Pushbullet turnaround times for SMS operations, as observed from the web browser's Javascript console.…”

Section: Resultsmentioning

confidence: 70%

“…Therefore, any result- ing evidence has to be present in process memory, even if just briefly. While full-device static dumps of volatile memory typically require an unlocked bootloader and customized firmware, dynamic dumps of process memory do not necessarily face similar restrictions (Bellizzi et al, 2021). We show that this is the case when deployed using a mix of static and dynamic app instrumentation, at least when not involving system apps and services.…”

Section: Introductionmentioning

confidence: 90%

“…While JIT-MF (Bellizzi et al, 2021) defines common steps to be followed by every JIT-MF tool, those aspects that are specific to the investigation scenario/target app pair at hand are described and eventually implemented by JIT-MF drivers. Conceptually, their definition starts with identifying the in-memory evidence objects of interest, which may correspond in some way to attack steps.…”

Section: Jit-mf Driversmentioning

confidence: 99%

“…Taking previous experiment results (Bellizzi et al, 2021) as guidance for JIT-MF driver definition, white-box analysis of the apps concerned should be restricted to Evidence_ob jects identification and implementing their corresponding carving/parsing. Consequently, some form of app code comprehension or reversing is required.…”

Section: Jit-mf Driver Definitionmentioning

confidence: 99%

“…We show that this is the case when deployed using a mix of static and dynamic app instrumentation, at least when not involving system apps and services. Just-in-time Memory Forensics (JIT-MF) is a framework for live process memory forensics, with an initial study describing how to formulate and implement JIT-MF drivers (Bellizzi et al, 2021). These drivers are responsible for establishing the points in time when memory dumps should be triggered and the heap/native memory areas/objects to be included.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

Bellizzi¹,

Vella²,

Colombo³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.

show abstract

Section: Resultsmentioning

confidence: 70%

Section: Introductionmentioning

confidence: 90%

Section: Jit-mf Driversmentioning

confidence: 99%

Section: Jit-mf Driver Definitionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

Bellizzi¹,

Vella²,

Colombo³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Responding to Targeted Stealthy Attacks on Android Using Timely-Captured Memory Dumps

et al. 2022

Self Cite

View full text Add to dashboard Cite

The increasing dominance of Android smartphones for everyday communication and data processing makes long-term stealthy malware an even more dangerous threat. Recent malware campaigns like Flubot demonstrate that by employing stealthy malware techniques even at minimal capacity, malware is highly effective in making its way to millions of devices with little resistance from existing detection mechanisms. Consequential late detection demands comprehensive forensic timelines to reconstruct all malicious activities. However, the reduced forensic footprint of stealthy attacks with minimal malware involvement leaves investigators little evidence to work with even when utilising state-of-the-art digital forensics tools. Volatile memory forensics can be effective in such scenarios since app execution of any form is always bound to leave a trail of evidence in memory, even if it is short-lived. In this work, we motivate the need for JIT-MF (Just-in-time Memory Forensics), a technique that aims to address the challenges that arise with timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. By taking an incident-response-centric approach, focused on protecting stock Android device users rather than treating them as potential adversaries, we show that JIT-MF tools can collect elusive attack steps in volatile memory without requiring device rooting. Furthermore, we build MobFor, a JIT-MF based tool focusing on capturing evidence related to messaging hijack attacks. This tool provides a context to explore solutions for JIT-MF implementation challenges, aiming to render JIT-MF tools practical for real-world requirements. Finally, we demonstrate that when compared to stateof-the-art digital forensic tools Belkasoft and XRY in a realistic attack scenario involving an enhanced version of the WhatsApp Pink malware and stock Android devices, only MobFor can recover the contents of messages sent by the malware, hence decisively contributing to an enriched forensic timeline.

show abstract

VEDRANDO: A Novel Way to Reveal Stealthy Attack Steps on Android through Memory Forensics

Bellizzi

Losiouk

Conti

et al. 2023

JCP

Self Cite

View full text Add to dashboard Cite

The ubiquity of Android smartphones makes them targets of sophisticated malware, which maintain long-term stealth, particularly by offloading attack steps to benign apps. Such malware leaves little to no trace in logs, and the attack steps become difficult to discern from benign app functionality. Endpoint detection and response (EDR) systems provide live forensic capabilities that enable anomaly detection techniques to detect anomalous behavior in application logs after an app hijack. However, this presents a challenge, as state-of-the-art EDRs rely on device and third-party application logs, which may not include evidence of attack steps, thus prohibiting anomaly detection techniques from exposing anomalous behavior. While, theoretically, all the evidence resides in volatile memory, its ephemerality necessitates timely collection, and its extraction requires device rooting or app repackaging. We present VEDRANDO, an enhanced EDR for Android that accomplishes (i) the challenge of timely collection of volatile memory artefacts and (ii) the detection of a class of stealthy attacks that hijack benign applications. VEDRANDO leverages memory forensics and app virtualization techniques to collect timely evidence from memory, which allows uncovering attack steps currently uncollected by the state-of-the-art EDRs. The results showed that, with less than 5% CPU overhead compared to normal usage, VEDRANDO could uniquely collect and fully reconstruct the stealthy attack steps of ten realistic messaging hijack attacks using standard anomaly detection techniques, without requiring device or app modification.

show abstract

Real-Time Triggering of Android Memory Dumps for Stealthy Attack Investigation

Cited by 3 publications

References 12 publications

Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android

Responding to Targeted Stealthy Attacks on Android Using Timely-Captured Memory Dumps

VEDRANDO: A Novel Way to Reveal Stealthy Attack Steps on Android through Memory Forensics

Contact Info

Product

Resources

About