This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
3. Digital Forensics (1)
• 3 main phases
– Data Acquisition
– Data Analysis
• Searching for artifacts
– Data Presentation (reports, timelines)
• Proving that results are accurate
– Usage of hash functions (md5, sha256)
4. Digital Forensics (2)
• Traditional Digital Forensics deal with non-
volatile δεδομένα (HDD, removable
media)
• Live Memory Forensics deal only with
volatile data (RAM dump/image)
• RAM dumps must be forensically sound
• Best approach?
– Do both!
• Data may reside in different types of memory
• Demand Paging, Swap Space
5. Why Live Memory Forensics?
(1)
• Everything executes or goes through RAM
eventually (procs, sockets, kernel)
• Some data reside only in RAM
– buffers, sockets, encryption keys
• Sensitive data (credentials) can be usually
found unencrypted
• RAM.size < HDD.size
– Firstly do RAM forensics which is quicker
6. Why Live Memory Forensics?
(2)
• Malware Analysis
– Behavioral analysis
– Reverse Engineering
• We can dump the executable
• Malware can’t slip away from RAM
forensics that easy
– It has to leave traces in order to execute
properly!
8. Android basics (1)
• Android is a Software
Stack
• Search for artifacts in
Application & Kernel side
• We can search in
Runtime layer too
– Lots of trouble!
– Dalvik VM != ART
• Zygote process preloads
every library
– Every app is a zygote fork
– Hence, it has every lib
loaded in its Virtual
Address Space
• App Life Cycle
– Every app remains in a
ready-steady state
9. Android basics (2)
• Android apps’ .apk [Android Application
Package] file gives nice hints
• Disassemble the .apk file (apktool)
• AndroidManifest.xml: permissions, Ιntents
• classes.dex: Reversing the app
– DEX Smali assembly (Dalvik’s assembly)
– DEX Java with a decompiler
• Android’s filesystem
– data/ storage/ app-cache/ …
– One can dump the filesystem from RAM.dump
11. Working Environment
• LiME (Linux Memory Extractor) – LKM
• Copies RAM’s pages content to a local dump file
• 99% efficiency, main developer: Joe Sylva
• Volatility framework
• Works for RAM dumps for any OS
• Open Source, great community, many plugins
• Python �
• Other tools
• Android SDK tools (ADB), Android emulator(S)
• GNU/Linux Command−Line Tools (grep, strings)
14. Process Analysis (1)
• Volatility plugins for procs
– linux_pslist, linux_psaux, linux_pstree,
linux_threads, linux_psxview
• They traverse OS structures
– Active Process list, kmem_cache, PID hash
table
• Check parent-child relations
15. Process Analysis (2)
• Check apps’ UIDs
– Android assigns a unique UID in each app
– User installed apps have UID > 10000
– Process Hollowing could be detected
• Check Linuxes standards for process
names, environment variables
– Kernel threads must be enclosed in []
– They cannot have environment variables
– A malware could masquerade in [] but still
have environment variables
20. Searching & Dumping files (2)
$ python vol.py -f ~/android-dumps/infostealer.dump linux_find_file -F
/data/data/com.savemebeta/databases/user_info4
Volatility Foundation Volatility Framework 2.4
Inode Number Inode File Path
---------------- ---------- ---------
6815 0xde7c8a00 /data/data/com.savemebeta/databases/user_info4
$ python vol.py -f ~/android-dumps/infostealer.dump linux_find_file -i 0xde7c8a00 -O userinfo4.dump
Volatility Foundation Volatility Framework 2.4
$ file userinfo4.dump
userinfo4.dump: SQLite 3.x database, user version 1
$ sqlite3 userinfo4.dump
SQLite version 3.8.10.2 2015-05-10 18:17:19
Enter ".help" for usage hints.
sqlite> .tables
android_metadata credentials reg_info4
• We can extract a file with linux_find_file
• Finds and extracts a file out of OS caches
• It is obvious that savemebeta is a keylogging malware!
• One can dump the savemebeta.apk and proceed with Reversing
22. Searching & Dumping files (4)
$ python vol.py -f ~/android-dumps/sms-contacts.dump linux_find_file -i 0xd844f350 -O mmssms.db
Volatility Foundation Volatility Framework 2.4
$ sqlite3 mmssms.db
SQLite version 3.8.5 2014-08-15 22:37:57
Enter ".help" for usage hints.
sqlite> .tables
addr pdu threads
android_metadata pending_msgs words
attachments rate words_content
canonical_addresses raw words_segdir
drm sms words_segments
part sr_pending
sqlite> select * from sms;
1|1|6980012345|2|1437138595606|1437138594000|0|1|-1|1|0||"Hello, this is a test sms message"||0|0|1
2|2|6980000000||1437138617752|1437138616000|0|1|-1|1|0||"This is a second sms message for testing
purposes"||0|0|1
• Extracting SMSes
• Firstly, get the inode offset
• Then dump the file again with linux_find_file
23. Searching for LKM rootkits (1)
$ python vol.py -f ~/android-dumps/infected.dump linux_kernel_opened_files
Volatility Foundation Volatility Framework 2.4
Offset (V) Partial File Path
---------- -----------------
0x306e5800 /root/.keylog
• Check for files opened in the kernel-land with
linux_kernel_opened_files
• Search for LKMs with linux_lsmod: traverses the kernel’s
global list with loaded kernel modules
• 1-line C code for a rootkit to delete itself from that list…
$ python vol.py -f ~/android-dumps/infected.dump linux_lsmod -P
Volatility Foundation Volatility Framework 2.4
bf0007f0 lime 9349
format=lime
dio=0
path=tcp:12345
• The only LKM found is LiME…
24. Searching for LKM rootkits (2)
$ python vol.py -f infected.dump linux_hidden_modules
Volatility Foundation Volatility Framework 2.4
Offset (V) Name
---------- ----
0xa03a15d0 suterusu
• linux_hidden_modules: looks for LKMs using the Carving
technique
• It looks for byte sequences that define a kernel module
structure in RAM
• Suterusu is an open source Linux/Android rootkit
• We can dump it with the linux_moddump plugin
• Reverse Engineering ARM 32bit executables
IDA pro
HopperApp
25. Recovering filesystems (1)
$ python vol.py -f ~/android-dumps/example.dump linux_tmpfs –L
Volatility Foundation Volatility Framework 2.4
1 -> /dev
2 -> /app-cache
3 -> /mnt/obb
4 -> /mnt/asec
$ mkdir appcacheoutput
$ python vol.py -f ~/android-dumps/example.dump linux_tmpfs -S 2 -D appcacheoutput
• Volatility provides many linyx plugins that recover filesystems
• They can be recovered even if they locked with a user
specified password
• We can extract the tmpfs filesystems
– Those reside only in RAM
– They are being used for optimization reasons
26. Recovering filesystems (2)
$ sudo python vol.py -f ~/android-dumps/Evo4GRodeo.lime --profile=LinuxEvo4GARM linux_recover_filesystem –D
fs-example-output
$ cd fs-example-output/
$ echo */
acct/ app-cache/ data/ dev/ mnt/ proc/ sys/ system/
$ cd app-cache/com.android.browser/cache/webviewCache
$ sudo chmod -R 777 .
$ file *
0107b850: ASCII English text, with very long lines
19dde20c: HTML document text
28ca44b8: GIF image data, version 89a, 1 x 100
29b5cf95: JPEG image data, JFIF standard 1.02
29f711e8: JPEG image data, JFIF standard 1.02
301c338b: PNG image data, 1000 x 90, 8-bit/color RGBA, non-interlaced
[snip]
• linux_recover_filesystem: extracts part of the device’s whole
filesystem structure (the % of data that was cached in RAM)
• One then can apply traditional Digital Forensics techniques
• Android’s stock browser uses the app-cache tmpfs
filesystem to store its webviewCache
28. Volatility plugin dev (1)
• Volatility framework provides some useful
API
– Quick byte sequences (needles) searching in
RAM data
– Easy data parsing, formatting and printing
• What would be a useful plugin?
– Facebook: 1.31 billion mobile users [22/4/15]
– 1.31 billion / 7.3 billion ~= 0.179
29. Facebook plugin (1)
• Required tools
– Hex Editor, python IDE, patience
• Technique being used
– Carving with many sanity checks
• 3 main functions (text, csv)
– Find facebook friends
– Find owner’s personal info
– Find messages
• https://github.com/ngkogkos/volatility-plugins
30. Facebook plugin (2)
• “Trapping” a message
• One can check all these sequences to
guarantee that the message is valid
31. Facebook plugin (3)
• Many issues arise in the beginning
• Many random findings..
– Eliminate them with more sanity checks
• What if 2+ users were logged in?
– The plugin user provides the proper user ID
• Sometimes we get duplicate messages
– Remove them with --strip-duplicates argument
33. Facebook plugin (5)
• facebookgrabinfo
• python vol.py –f RAM.dump
facebookgrabinfo –format=visualizer
• In real accounts this JSON structure
contains the person’s phone number
35. Why is it useful?
• So why not simply open the facebook app
to get the messages?
• Scenario
– Criminal acts through the facebook app
– Deletes the messages before device falls into
the investigators’ hands
– If they get a RAM.dump the messages can be
retrieved
• Provided the device wasn’t rebooted..
• No need to know their facebook credentials
36. Conclusions
• We did some experiments with many
facebook test accounts.. and guess what?
• Facebook doesn’t care about users’
privacy (top secret )
• Many critical apps (e-banking, e-shops)
still store data plaintext in RAM
– Solution: explicitly overwrite sensitive data
– However: this situation helps forensics’ guys
37. Special Thanks
• Andrew Case @attrc &&
Jamie Levy @gleeda
– For answering my questions
– Being the great devs of Volatility
• Dave @superponible
– Assisting me with the plugin dev
• Peter Fousteris @lostpfg
– Doing the art stuff