Open Access
Fine-grained analysis method for Android volatile memory
Author(s) - Peijun Feng, Qingbao Li, Zhifeng Chen
Publication year - 2020
Publication title - IOP Conference Series: Materials Science and Engineering
Language(s) - English
Resource type - Journals
eISSN - 1757-899X
pISSN - 1757-8981
DOI - 10.1088/1757-899x/715/1/012043
Subject(s) - computer science, android (operating system), operating system, mobile device, allocator, embedded system
Android dominates the mobile operating system market. Volatile memory analysis of Android devices has been the focus of research on mobile forensics technology. However, due to the semantic gap between the kernel and the volatile memory allocator, existing Android volatile memory analysis methods are coarse-grained. As the volatile memory capacity of Android devices increases, these methods cannot meet the accuracy requirements of Android volatile memory analysis. In this paper, we first discuss the address space layout of Android processes and the management mechanism of Jemalloc, the default Android volatile memory allocator. Then, we bridge the semantic gap by utilizing the boundary auto-alignment feature of Jemalloc's data structures. Finally, we propose a Fine-grained Analysis Method for Android volatile Memory, called FAMAM. Experimental results show that FAMAM has accurate data analysis capability as well as good robustness. In addition, we successfully use FAMAM to discover new storage patterns for the username and password of WeChat.