Live Memory Forensics on Android devices

  • View

  • Download

Embed Size (px)

Text of Live Memory Forensics on Android devices

  • Gkogkos Nikos@ngkogkosLive Memory Forensics on Android devices

  • Agenda


  • Digital Forensics (1)3 main phasesData AcquisitionData AnalysisSearching for artifactsData Presentation (reports, timelines)Proving that results are accurateUsage of hash functions (md5, sha256)

  • Digital Forensics (2)Traditional Digital Forensics deal with non-volatile (HDD, removable media)Live Memory Forensics deal only with volatile data (RAM dump/image)RAM dumps must be forensically soundBest approach?Do both!Data may reside in different types of memoryDemand Paging, Swap Space

  • Why Live Memory Forensics? (1)Everything executes or goes through RAM eventually (procs, sockets, kernel)Some data reside only in RAMbuffers, sockets, encryption keysSensitive data (credentials) can be usually found unencryptedRAM.size < HDD.sizeFirstly do RAM forensics which is quicker

  • Why Live Memory Forensics? (2)Malware AnalysisBehavioral analysisReverse EngineeringWe can dump the executableMalware cant slip away from RAM forensics that easyIt has to leave traces in order to execute properly!

  • Agenda


  • Android basics (1)Android is a Software StackSearch for artifacts in Application & Kernel sideWe can search in Runtime layer tooLots of trouble!Dalvik VM != ART Zygote process preloads every libraryEvery app is a zygote forkHence, it has every lib loaded in its Virtual Address SpaceApp Life CycleEvery app remains in a ready-steady state

  • Android basics (2)Android apps .apk [Android Application Package] file gives nice hintsDisassemble the .apk file (apktool)AndroidManifest.xml: permissions, ntentsclasses.dex: Reversing the appDEX Smali assembly (Dalviks assembly)DEX Java with a decompilerAndroids filesystemdata/ storage/ app-cache/ One can dump the filesystem from RAM.dump

  • Agenda


  • Working EnvironmentLiME (Linux Memory Extractor) LKMCopies RAMs pages content to a local dump file99% efficiency, main developer: Joe SylvaVolatility frameworkWorks for RAM dumps for any OSOpen Source, great community, many pluginsPython Other toolsAndroid SDK tools (ADB), Android emulator(S)GNU/Linux CommandLine Tools (grep, strings)

  • Acquiring a RAM.dump

  • Agenda


  • Process Analysis (1)Volatility plugins for procslinux_pslist, linux_psaux, linux_pstree, linux_threads, linux_psxview They traverse OS structuresActive Process list, kmem_cache, PID hash tableCheck parent-child relations

  • Process Analysis (2)Check apps UIDsAndroid assigns a unique UID in each appUser installed apps have UID > 10000Process Hollowing could be detectedCheck Linuxes standards for process names, environment variablesKernel threads must be enclosed in []They cannot have environment variablesA malware could masquerade in [] but still have environment variables

  • Process Analysis (3)$ python -f ~/android-dumps/example.dump linux_psauxVolatility Foundation Volatility Framework 2.4Pid Uid Gid Arguments1 0 0 /init2 0 0 [kthreadd]3 0 0 [ksoftirqd/0]4 0 0 [kworker/0:0][snip]468 1023 1023 /system/bin/sdcard -u 1023 -g 1023 -d /mnt/media_rw/sdcard /storage/sdcard474 10005 10005 android.process.media523 10029 10029 1001 1001[snip]1138 10053 10053 com.savemebeta1157 0 0 /system/bin/sh -1164 0 0 insmod /sdcard/lime.ko path=tcp:12345 format=lime1381 0 0 [kworker/0:1]

  • Process Analysis (4)$ python -f ~/android-dumps/example.dump linux_psxviewVolatility Foundation Volatility Framework 2.4Offset(V) Name PID pslist pid_hash kmem_cache parents leaders---------- -------------------- ------ ------ -------- ---------- ------- -------0xde81bc00 init 1 True True True True True0xde81b800 kthreadd 2 True True True True True0xde81b400 ksoftirqd/0 3 True True True False True[snip]0xde071800 zygote 65 True True True True True0xde071400 drmserver 66 True True True False True0xde071000 mediaserver 67 True True True False True0xde0a7c00 installd 68 True True True False True0xde0a7800 keystore 69 True True True False True0xde0a7400 qemud 70 True True True False True0xde0a7000 sh 73 True True True False True0xde0e9800 adbd 74 True True True True TrueRequires strong internal knowledge of the Android OS and the Linux kernelTough for a rootkit to hide from every OS spot

  • Process Mappings Analysis1138 0x00000000aa0cb000 0x00000000aa2af000 r-- 0x0 31 1 6813 /data/dalvik-cache/data@app@com.savemebeta-1.apk@classes.dex1138 0x00000000b2a34000 0x00000000b2ceb000 rw- 0x0 0 4 2028 /dev/ashmem/dalvik-zygote1138 0x00000000b2ceb000 0x00000000b5a34000 rw- 0x0 0 4 2352 /dev/ashmem/dalvik-heap1138 0x00000000b5ae0000 0x00000000b5ae5000 rw- 0xaa000 31 0 671 /system/lib/libdvm.so1138 0x00000000b5ae7000 0x00000000b5ae8000 r-- 0x23000 31 0 485 /system/framework/conscrypt.jarlinux_proc_maps: displays a procs mappingsMemory segments allocated for libraries, stack/heap region

    $ python -f ~/android-dumps/example.dump linux_proc_maps -p 65 | grep -iF "/system/lib/" | awk '{print $9}' > zygote_libs.output$ python -f ~/android-dumps/example.dump linux_proc_maps -p 899 | grep -iF "/system/lib/" | awk '{print $9}' > dialer_libs.output$ diff zygote_libs.output dialer_libs.outputCross-Check zygotes libraries against a suspicious appsIf app has extra libs loaded, this is some good alarm

  • Searching & Dumping files (1)$ python -f ~/android-dumps/example.dump linux_lsof -p 1138Volatility Foundation Volatility Framework 2.4Pid FD Path-------- -------- ---- 1138 0 /dev/null 1138 1 /dev/null 1138 2 /dev/null 1138 3 /dev/log/main 1138 4 /dev/log/radio 1138 5 /dev/log/events 1138 6 /dev/log/system 1138 7 /system/framework/core.jar 1138 8 /dev/__properties__ 1138 9 socket:[1803][snip] 1138 47 /data/data/com.savemebeta/databases/user_info4linux_lsof: displays any open file (regular files, streams, logging buffers, sockets)

    The user_info4 file looks interesting..

  • Searching & Dumping files (2)$ python -f ~/android-dumps/infostealer.dump linux_find_file -F /data/data/com.savemebeta/databases/user_info4Volatility Foundation Volatility Framework 2.4Inode Number Inode File Path---------------- ---------- --------- 6815 0xde7c8a00 /data/data/com.savemebeta/databases/user_info4

    $ python -f ~/android-dumps/infostealer.dump linux_find_file -i 0xde7c8a00 -O userinfo4.dumpVolatility Foundation Volatility Framework 2.4

    $ file userinfo4.dumpuserinfo4.dump: SQLite 3.x database, user version 1

    $ sqlite3 userinfo4.dumpSQLite version 2015-05-10 18:17:19Enter ".help" for usage hints.sqlite> .tablesandroid_metadata credentials reg_info4

    We can extract a file with linux_find_fileFinds and extracts a file out of OS caches

    It is obvious that savemebeta is a keylogging malware!One can dump the savemebeta.apk and proceed with Reversing


  • Searching & Dumping files (3)$ python -f ~/android-dumps/infostealer.dump linux_enumerate_files --output=text --output-file=dump-files$ cat dump-files | grep "/data/app" | egrep ".apk$" 3628688208 0x5c /data/app/com.savemebeta-1.apk 3628158240 0x5a /data/app/[snip]$ cat dump-files | egrep ".db$" 3628510096 0x1a23 /data/data/ 3628425472 0x1a09 /data/data/ 3628945664 0x1a18 /data/data/ 3628947776 0x1a16 /data/data/ 3628948304 0x1a0c /data/data/ 3628924192 0x1a3b /data/data/ 3628163328 0x19c4 /data/data/ 3628820800 0x1a42 /data/data/ 3628473888 0x1a01 /data/data/ 3628394288 0x1a10 /data/data/ 3628554224 0x1a2c /data/data/ 3628536720 0x1a21 /data/data/ 3628406640 0x19d5 /data/data/ 3628494176 0x19d3 /data/data/ displays all files found in the filesystem cache


  • Searching & Dumping files (4)$ python -f ~/android-dumps/sms-contacts.dump linux_find_file -i 0xd844f350 -O mmssms.dbVolatility Foundation Volatility Framework 2.4$ sqlite3 mmssms.dbSQLite version 3.8.5 2014-08-15 22:37:57Enter ".help" for usage hints.sqlite> .tablesaddr pdu