A lightweight framework for cold boot based forensics on mobile devices

Benjamin Taubmann, Manuel Huber, Sascha Wessel, Lukas Heim, Hans Peter Reiser, Georg Sigl

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

4 Scopus citations

Abstract

Mobile devices, like tablets and smartphones, are commonplace in everyday life. Thus, the degree of security these devices can provide against digital forensics is of particular interest. A common method to access arbitrary data in main memory is the cold boot attack. The cold boot attack exploits the remanence effect that causes data in DRAM modules not to lose the content immediately in case of a power cut-off. This makes it possible to restart a device and extract the data in main memory. In this paper, we present a novel framework for cold boot based data acquisition with a minimal bare metal application on a mobile device. In contrast to other cold boot approaches, our forensics tool overwrites only a minimal amount of data in main memory. This tool requires no more than five kilobytes of constant data in the kernel code section. We hence sustain all of the data relevant for the analysis of the previously running system. This makes it possible to analyze the memory with data acquisition tools. For this purpose, we extend the memory forensics tool Volatility in order to request parts of the main memory dynamically from our bare metal application. We show the feasibility of our approach by comparing it to a traditional memory dump based analysis using the Samsung Galaxy S4 mobile device.

Original language: English
Title of host publication: Proceedings - 10th International Conference on Availability, Reliability and Security, ARES 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 120-128
Number of pages: 9
ISBN (Electronic): 9781467365901
State: Published - 16 Oct 2015
Event: 10th International Conference on Availability, Reliability and Security, ARES 2015 - Toulouse, France
Duration: 24 Aug 2015 to 27 Aug 2015

Publication series

Name: Proceedings - 10th International Conference on Availability, Reliability and Security, ARES 2015

Conference

Conference: 10th International Conference on Availability, Reliability and Security, ARES 2015
Country/Territory: France
City: Toulouse
Period: 24/08/15 to 27/08/15

Keywords

  • Cold Boot
  • Digital Forensics
  • Mobile Device Security
  • Smartphones
  • Virtual Machine Introspection
