[Vol-users] LiME in real world Android forensics

Pasquale Stirparo pstirparo at gmail.com
Fri May 30 08:02:19 CDT 2014


Hi Philipp

If you are interested, also take a look at my 2013 publication on
retrieving user credentials from Android memory,
"Data-in-use leakages from Android Memory":
http://scholar.google.it/scholar?cluster=12705537352149207082&hl=en&as_sdt=0,5

Cheers

P.



On Fri, May 30, 2014 at 12:55 PM, masdif <masdif at posteo.net> wrote:

> Thank you both, Andrew and Joe!
>
> My fault: of course it sometimes is possible to get root access without
> rebooting. So my initial question is answered: Yes, you can use LiME with
> an initially un-rooted device.
>
> --- tl;dr ---
> But this is not always the case, is it? Is it imaginable to somehow
> quantify how often we can overcome the challenges of rooting, get kernel
> source, unlock screen, …?
>
> Is it a waltz in general for average law enforcement forensics section?
>
> Or do they have an address book of specialists for each device/ROM/version
> combination?
>
> --- full length ---
> I’m writing about Android volatile memory dump forensics. Even if this
> will be a thesis for a scientific degree, my goal is to include work on
> real world stuff. So the use case Joe asked for is that an examiner gets a
> running Android device with locked screen and is asked to forensically
> acquire the volatile memory ASAP. That is without changing the memory too
> much; neither by him nor by keeping the device in a safe for a few weeks
> while finding out how to handle his mission. At least I want to try to
> quantify stochastically how often this is possible and how often this is an
> unfeasible task respectively.
>
> To my mind there are quite a few factors making the examiner's life hard:
>
> a) The device’s manufacturer and model should be determinable from the
> device’s body. Ok, easy in general if the device is not too exotic.
>
> b) Next to find out is the operating system and version. You can guess
> that the manufacturer's up-to-date standard ROM is on the device and no,
> e.g., CyanogenMod or any other custom ROM. But how can you be sure?
>
> c-a) For device and guessed ROM the examiner finds an exploit to root
> without reboot. How likely is that?
>
> c-b) The rooting solutions I found up to now require interaction via touch
> screen. But in our case the screen is locked.
>
> c-c) How about rooting really new devices like a "OnePlus One"? On the
> other side I myself got a low-cost retro "HTC Magic" to play with; and all
> sources I found on the internet about exploiting/rooting end in dead links
> or do not work anymore (Androot, Framaroot).
>
> d) For device and guessed ROM the examiner finds the kernel sources to
> compile the LiME module against. This should not be a problem due to the
> open source license if we do not have to deal with a very exotic device.
>
> e) How to switch on debugging with the screen locked?
>
>
> In papers I found so far these questions were not really examined but
> circumvented by just using prepared devices. Examples:
>
> Thing et al. [1] just mention: “The mobile phone used in our investigation
> was an Android mobile phone, the Google development set”. No further
> modifications are discussed.
>
> Sylve [2] mentions “[…] an investigator should only use rooting techniques
> that have been verified to work reliably on a particular device and
> furthermore, verified not to have undesirable consequences, such as
> introduction of malicious code. The chosen rooting technique should also
> not require the device to be reset, which will likely wipe volatile
> memory.” But the paper’s focus is not on “rooting toolkit quality
> management”. This aspect Sylve skipped in [3].
>
> Ali-Gombe [4] gets root access without rebooting on two Motorola devices
> with Androot. (But “Universal Androot v1.6.1” did not work for my own retro
> “HTC Magic”.)
>
> Macht [5] writes: “What method works depends heavily on the device and the
> Android version it is powered by. […] Because of this, this thesis assumes
> that an unlocked, rooted device is already available […]”
>
> Xenakis et al. [6] work with DDMS on an emulator and phones without
> mentioning how they were prepared. Later in [7] they described using LiME
> but mentioned some of the limitations I see: "1. It requires rooted devices
> […] 2. […] The source code of kernel is not always available […] 3. It
> requires the config.gz file […]."
>
>
>
> [1] Thing et al. (2010-08) - Live memory forensics of mobile phones
>     http://dfrws.org/2010/proceedings/2010-309.pdf
> [2] Sylve (2011-12) - Android Memory Capture and Applications for Security and Privacy
>     http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2348&context=td
> [3] Sylve (2012-02) - Acquisition and analysis of volatile memory from android devices
>     http://www.504ensics.com/uploads/publications/android-memory-analysis-DI.pdf
> [4] Ali-Gombe (2012-01) - Volatile Memory Message Carving - A per process basis Approach
>     http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2614&context=td
> [5] Macht (2013-01) - Live Memory Forensics on Android with Volatility
>     https://www1.informatik.uni-erlangen.de/filepool/publications/Live_Memory_Forensics_on_Android_with_Volatility.pdf
> [6] Xenakis et al. (2013-04) - Discovering Authentication Credentials in Volatile Memory of Android Mobile Devices
>     http://cgi.di.uoa.gr/~xenakis/Published/49-I3E-2013/2013-I3E-AMNX.pdf
> [7] Xenakis et al. (2013-12) - Acquisition and Analysis of Android Memory
>     http://www.ucd.ie/cci/cync/Acquisition%20and%20Analysis%20of%20Android%20Memory.pdf
>
>
>
> Thanks a lot and have a great weekend,
> Philipp
>
>
> ________________________________________________________________
> From:    Joe Sylve
> Sent:    Friday, May 30, 2014 3:41AM
> To:      Andrew Case
> Cc:      Vol-users, Masdif
> Subject: Re: [Vol-users] LiME in real world Android forensics
>
>
>> What Andrew said is completely accurate. What is your specific use case
>> (if I may ask)?
>> On May 29, 2014 8:33 PM, "Andrew Case" <atcuno at gmail.com> wrote:
>>
>>> If the phone is rooted you can then just insmod the compiled LiME module
>>> into it.
>>>
>>> If the phone is not rooted then the best case is temporarily rooting the
>>> phone (using an exploit that does not require a reboot), and then using
>>> the temp root access to load the module.
>>>
>>> Thanks,
>>> Andrew (@attrc)
>>>
>>> On 5/17/2014 8:10 AM, masdif wrote:
>>>
>>>> Hi all,
>>>>
>>>> Android Memory acquisition will be part of a paper I have to write. So
>>>> far I have no problem to follow the description for an AVD on
>>>> https://code.google.com/p/volatility/wiki/AndroidMemoryForensic
>>>>
>>>> Please excuse this noob question (and my bad English) but I'm going
>>>> crazy figuring this out:
>>>>
>>>> Can LiME be used in real-life Android forensics, that is, can Android
>>>> memory be acquired without having to reboot the Android device beforehand?
>>>>
>>>> Let's say:
>>>> I get a running Android mobile phone and for some lucky reason it is
>>>> both rooted and the user interface is unlocked. (Are there any statistics
>>>> available on how often this is the case?) My task is to acquire its RAM.
>>>>
>>>> As far as I understand, in order to use LiME for RAM acquisition I have to
>>>> a) get the Android kernel's source code from the manufacturer,
>>>> b) cross compile a new kernel with some settings for later being able to
>>>> insmod the LiME kernel module,
>>>> c) flash the compiled kernel onto the phone and
>>>> d) reboot the phone to get the new kernel running, which
>>>> e) destroys all the RAM I wanted to acquire, before I can
>>>> f) insmod LiME.
>>>>
>>>> Please be patient and give me a hint where I'm going wrong?!
>>>>
>>>> All papers I found so far used prepared phones.
>>>>
>>>>
>>>> Thanks a lot and have a nice weekend,
>>>> Philipp
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users at volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
>>
>



-- 
Pasquale Stirparo, MEng
GCFA, GREM, OPST, OWSE, ECCE

Mobile Security and Digital Forensics Engineer
Founder @ SefirTech

PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
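The prerequisites the thread turns on (a LiME module built against the device's own kernel sources and its config.gz, then loaded with insmod on a rooted device) can be sanity-checked from the kernel configuration before anything is pushed to the phone. The following is an added example, not code from the thread or from the LiME project; it uses a constructed /proc/config.gz sample and the hypothetical helper names parse_config and lime_load_prereqs.

```python
import gzip
import re

# Constructed sample of a device's /proc/config.gz (not taken from a real
# phone): loadable modules on, symbol versioning on, module signing enforced.
SAMPLE_CONFIG = gzip.compress(b"""\
# Linux/arm 3.4.0 Kernel Configuration
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
# CONFIG_MODULE_FORCE_LOAD is not set
""")

def parse_config(gz_bytes):
    """Decode a gzip'd kernel .config into {CONFIG_NAME: value};
    '# CONFIG_X is not set' lines are recorded with value 'n'."""
    text = gzip.decompress(gz_bytes).decode("utf-8", errors="replace")
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def lime_load_prereqs(opts):
    """Findings about insmod'ing an out-of-tree module (e.g. LiME) on the
    running kernel, derived only from its build configuration."""
    f = {}
    # No CONFIG_MODULES means the kernel has no module loader at all.
    f["modules_supported"] = opts.get("CONFIG_MODULES") == "y"
    # MODVERSIONS: symbol CRCs must match, so the module has to be built
    # against the very same sources and config as the running kernel.
    f["needs_matching_symvers"] = opts.get("CONFIG_MODVERSIONS") == "y"
    # SIG_FORCE: unsigned modules are rejected; a self-built lime.ko will
    # not load without the vendor's signing key.
    f["rejects_unsigned"] = opts.get("CONFIG_MODULE_SIG_FORCE") == "y"
    # IKCONFIG_PROC: /proc/config.gz is exposed, so the config is obtainable.
    f["config_exposed"] = opts.get("CONFIG_IKCONFIG_PROC") == "y"
    f["loadable"] = f["modules_supported"] and not f["rejects_unsigned"]
    return f
```

On a real device the bytes would come from `adb pull /proc/config.gz` (root or a readable procfs entry permitting); the sample here is embedded so the check runs offline.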