Degree

Doctor of Philosophy (PhD)

Department

Computer Science

Document Type

Dissertation

Abstract

The analysis of application-specific behavior has become an increasingly important technique in cyber forensics and incident response. The ability to determine the precise actions taken by a user can be the difference between a successful analysis and one that fails to meet its goals. The precise actions includes URLs visited, files downloaded, messages sent and received, images viewed, and data accessed. Evidence extraction from application memory at runtime is an effective solution to successfully extract valuable objects allocated by each application, and it is evident that there is a need for more Android forensics analysis tools that support recovering evidence from process or application memory. Evidence is extracted from the instance of each Android Runtime (application runtime environment of the Android operating system). The tool and the techniques proposed in this research leverages memory forensics (forensic analysis of volatile data in memory) to analyze application runtime instance and extract the allocated objects with utmost accuracy. First, an Android tool for recovering and reconstructing large objects focused specifically on images, large text files and video from memory dumps called `AmpleDroid’ was developed. The primary purpose of `AmpleDroid' is the retrieval of all allocated large objects from the Android process memory as media (images, video, and text files) files which can be presented as evidence in a cyber investigation. Next, the reliability and completeness of this recovered evidence is evaluated, and the impacts of external runtime factors like Garbage Collection (GC) and various states that a process might be in during acquisition are studied in detail. The volatile data from process memory dumps acquired with external runtime factors are evaluated with userland memory forensic tools like `DroidScraper' and `AmpleDroid' to assess the reliability and loss of data during object recovery. Finally, we conducted in-depth research on developing a memory forensic dataset by utilizing the process memory output generated from `DroidScraper.' We identified that the generated dataset could be effectively used to train machine learning algorithms to achieve high classification accuracy. Also, the memory forensic output files in the dataset were encoded as RGB images, to provide visual feedback to investigators regarding their content, to optimize an investigator's time.

Date

4-10-2022

Committee Chair

Richard III, Golden G.

DOI

10.31390/gradschool_dissertations.5807

Download

Available for download on Saturday, April 05, 2025

Share

COinS