Private Data Acquisition Method Based on System-Level Data Migration and Volatile Memory Forensics for Android Applications

Nowadays, many Android applications enable data encryption to protect the security of private data, making it difficult for investigators to access the clear data even if they have already obtained the application database. Volatile memory dynamically presents the current state of applications and OS, which contains a store of valuable information including the plain text of application data, and it is a significant analysis object in the field of digital forensics. Over the past decade, some forensics researchers have proposed a number of volatile memory acquisition methods for Android mobile devices and have made valuable contributions. However, most of the existing methods are subjecting to severe restrictions in real investigation environment and only can be applied to pre-prepared devices, resulting in these methods are impractical. In order to address this problem, this paper proposes an Android application memory data acquisition method, called PASM, which can be applied to unprepared Android devices. PASM makes use of system-level data migration function provided by Android manufacturers to migrate and load the application private data into an intermediate device. The intermediate device is pre-flashed with a custom kernel providing the function of volatile memory forensics, so that the application private data can be acquired from the volatile memory of the intermediate device. We select thirty privacy-sensitive applications as the test objects and build seven different experiment scenarios to acquire the private data stored in memory image dumped by PASM. The experiment results show that PASM is able to acquire part of private data stored in volatile memory, and more importantly, PASM has the ability to overcome most of the limitations in the real world, which is more practical than existing Android memory acquisition methods.