Mobile devices, like tablets and smartphones, are commonplace in everyday life. Thus, the degree of security these devices can provide against digital forensics is of particular interest. A common method to access arbitrary data in main memory is the cold boot attack. The cold boot attack exploits the remanence effect, which causes data in DRAM modules not to lose its content immediately after a power cut-off. This makes it possible to restart a device and extract the data in main memory.

In this paper, we present a novel framework for cold boot-based data acquisition with a minimal bare metal application on a mobile device. In contrast to other cold boot approaches, our forensics tool overwrites only a minimal amount of data in main memory. This tool requires no more than three kilobytes of constant data in the kernel code section. We hence preserve all of the data relevant for the analysis of the previously running system. This makes it possible to analyze the memory with data acquisition tools. For this purpose, we extend the memory forensics tool Volatility in order to request parts of the main memory dynamically from our bare metal application. We show the feasibility of our approach on the Samsung Galaxy S4 and Nexus 5 mobile devices along with an extensive evaluation. First, we compare our framework to a traditional memory dump-based analysis. In the next step, we show the potential of our framework by acquiring sensitive user data.
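The abstract describes a client (an extended Volatility) that requests parts of physical memory on demand from a bare-metal stub on the rebooted device, instead of pulling a full dump first. The following Python sketch is an added example, not code from the paper or from Volatility: it models that request/response split with a simulated stub holding a constructed RAM image, a page-granular on-demand address space with a cache, and a comparison of how many device requests a targeted read costs versus a full acquisition. The framing of the read request (`b"RD"` plus offset and length) and the page size are assumptions made for the illustration; the real transport and protocol are the paper's, not shown here.

```python
"""On-demand memory acquisition modelled after a cold-boot bare-metal stub
serving page reads to a Volatility-style address space (added example)."""
import struct

PAGE_SIZE = 4096                 # assumed page granularity for requests
REQ_FMT = "<2sQI"                # assumed frame: magic, u64 offset, u32 length
REQ_LEN = struct.calcsize(REQ_FMT)


class SimulatedColdBootStub:
    """Stand-in for the bare-metal application on the device. It holds a byte
    image of the remanent RAM and answers framed read requests. Replies are
    b'OK' + u32 length + data, or b'ER' for malformed/out-of-range requests."""

    def __init__(self, ram: bytes):
        self.ram = bytearray(ram)   # the "remanent" memory we are preserving
        self.requests = 0           # how many reads the analyst side issued

    def handle(self, frame: bytes) -> bytes:
        if len(frame) != REQ_LEN:
            return b"ER"
        magic, offset, length = struct.unpack(REQ_FMT, frame)
        if magic != b"RD" or offset + length > len(self.ram):
            return b"ER"
        self.requests += 1
        data = bytes(self.ram[offset:offset + length])
        return b"OK" + struct.pack("<I", len(data)) + data


class OnDemandAddressSpace:
    """Analyst side: fetches whole pages lazily from the stub and caches them,
    so repeated reads of the same page cost a single device round trip."""

    def __init__(self, stub: SimulatedColdBootStub, size: int):
        self.stub = stub
        self.size = size
        self.cache = {}

    def _fetch_page(self, page_no: int) -> bytes:
        if page_no in self.cache:
            return self.cache[page_no]
        req = struct.pack(REQ_FMT, b"RD", page_no * PAGE_SIZE, PAGE_SIZE)
        reply = self.stub.handle(req)
        if reply[:2] != b"OK":
            raise IOError(f"device refused page {page_no}")
        (n,) = struct.unpack("<I", reply[2:6])
        page = reply[6:6 + n]
        if not page:
            raise IOError(f"empty page {page_no} returned by device")
        self.cache[page_no] = page
        return page

    def read(self, offset: int, length: int) -> bytes:
        """Read an arbitrary byte range, possibly spanning several pages."""
        if offset < 0 or offset + length > self.size:
            raise ValueError("read outside physical memory")
        out = bytearray()
        while length > 0:
            page_no, in_page = divmod(offset, PAGE_SIZE)
            chunk = self._fetch_page(page_no)[in_page:in_page + length]
            out += chunk
            offset += len(chunk)
            length -= len(chunk)
        return bytes(out)


def build_sample_ram(num_pages: int = 16) -> bytes:
    """Constructed RAM image: zero-filled, with a marker planted in page 5."""
    ram = bytearray(num_pages * PAGE_SIZE)
    marker = b"constructed-secret-token"
    start = 5 * PAGE_SIZE + 100
    ram[start:start + len(marker)] = marker
    return bytes(ram)


def demo() -> dict:
    """Targeted read versus full acquisition over the same simulated device."""
    ram = build_sample_ram()
    stub = SimulatedColdBootStub(ram)
    space = OnDemandAddressSpace(stub, len(ram))

    # A targeted read (e.g. a structure found via a known offset) touches one page.
    targeted = space.read(5 * PAGE_SIZE + 100, 24)
    after_targeted = stub.requests

    # A full acquisition, as a traditional dump-based analysis would need.
    full = space.read(0, len(ram))
    return {
        "targeted": targeted,
        "requests_after_targeted": after_targeted,
        "requests_after_full": stub.requests,
        "pages_total": len(ram) // PAGE_SIZE,
        "full_matches": full == ram,
    }


if __name__ == "__main__":
    print(demo())
```

The cache is what keeps the device traffic proportional to what the analysis actually touches; a real deployment would additionally bound cache size and verify that the stub's own footprint (the few kilobytes of constant data mentioned above) is excluded from any integrity comparison against a reference image.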