Forensic Memory Analysis of Android's Dalvik Virtual Machine
-
Upload
source-conference -
Category
Technology
-
view
5.401 -
download
3
description
Transcript of Forensic Memory Analysis of Android's Dalvik Virtual Machine
![Page 1: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/1.jpg)
Memory Analysis of the Dalvik (Android) Virtual Machine
Andrew CaseDigital Forensics Solutions
![Page 2: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/2.jpg)
2
Who Am I?• Security Analyst at Digital Forensics Solutions– Also perform wide ranging forensics investigations
• Volatility Developer• Former Blackhat and DFRWS speaker
![Page 3: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/3.jpg)
3
Agenda• What is Dalvik / why do we care?• Brief overview of memory forensics• Extracting allocated and historical data from
Dalvik instances• Target specific Android applications
![Page 4: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/4.jpg)
4
What is Dalvik?• Dalvik is the software VM for all Android
applications• Nearly identical to the Java Virtual Machine
(JVM) [1]• Open source, written in C / Java
![Page 5: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/5.jpg)
5
Why do we care?• Android-based phones leading in US mobile
market– Which makes for many phones to investigate
• Memory forensics capabilities against Android applications have numerous uses/implications
• Entire forensics community (LEO, .gov, private firms) already urging development of such capabilities
![Page 6: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/6.jpg)
6
Memory Forensics Introduction• Memory forensics is vital to orderly recovery of
runtime information• Unstructured methods (strings, grep, etc) are
brittle and only recover superficial info• Structured methods allow for recovery of data
structures, variables, and code from memory• Previous work at operating system level led to
recovery of processes, open files, network connections, etc [4,5]
![Page 7: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/7.jpg)
7
Memory Analysis Process• First, need to acquire memory– Acquisition depends on environment [6]
• Next, requires locating information in memory and interpreting it correctly– Also requires re-implementing functionality offline
• Then it needs to be displayed in a useful way to the investigator
![Page 8: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/8.jpg)
8
Dalvik Memory Analysis
![Page 9: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/9.jpg)
9
Acquiring Memory – Approach 1• The normal method is to acquire a complete
capture of physical RAM• Works well when analyzing kernel data
structures as their pages are not swapped out• Allows for recovery of allocated and historical
processes, open files, network connections, and so on
![Page 10: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/10.jpg)
10
Approach 1 on Android• Without /dev/mem support, need a LKM to
read memory• No current module works for Android (ARM)• We developed our own (mostly by @jtsylve)• Benefits of full capture:– Can target any process (including its mappings)– Can recover information from unmapped pages in
processes
![Page 11: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/11.jpg)
11
Acquiring Memory – Approach 2• Memory can be acquired on a per-process
basis• Ensures that all pages of the process will be
acquired• Easiest to perform with memfetch[8]– After a few small changes, was statically compiled
for ARM• No unmapped pages will be recovered though– Heap and GC don’t munmap immediately
![Page 12: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/12.jpg)
12
Analyzing C vs Java• Most previous forensics research has had the
“luxury” of analyzing C– Nearly 1:1 mapping of code/data to in-memory
layout• Declaration of a C “string”– char buffer[] = “Hello World”;
• Memory Layout (xxd)– 4865 6c6c 6f20 576f 726c 6400 Hello World.
![Page 13: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/13.jpg)
13
A Dalvik String in Memory• First, need the address of the “StringObject”• Next, need the offsets of the
“java/lang/String” value and byte offset members
• StringObject + value offset leads us to an “ArrayObject”
• ArrayObject + byte offset leads to an UTF-16 array of characters
• … finally we have the string (in Unicode)
![Page 14: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/14.jpg)
14
Now for the memory analysis…• The real goal of the research was to be able to
locate arbitrary class instances and fields in memory
• Other goals included replicating commonly used features of the Android debugging framework
![Page 15: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/15.jpg)
15
Locating Data Structures• The base of Dalvik loads as a shared library
(libdvm.so)• Contains global variables that we use to locate
classes and other information• Also contains the C structures needed to parse
and gather evidence we need
![Page 16: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/16.jpg)
16
Gathering libdvm’s Structures1) Grab the shared library from the phone (adb)
2) Use Volatility’s dwarfparse.py:• Builds a profile of C structures along with
members, types, and byte offsets• Records offsets of global variables
3) Example structure definition'ClassObject': [ 0xa0, { Class name and size
'obj': [0x0, ['Object']], member name, offset, and type
![Page 17: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/17.jpg)
17
Volatility Plugin Sample•Accessing structures is as simple as knowing the type and offset
intval = obj.Object(“int”, offset=intOffset, ..)•Volatility code to access ‘descriptor’ of an ‘Object’:
o = obj.Object("Object", offset=objectAddress, ..)c = obj.Object("ClassObject", offset=o.clazz, …)desc = linux_common.get_string(c.descriptor)
![Page 18: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/18.jpg)
18
gDvm• gDvm is a global structure of type DvmGlobals• Holds info about a specific Dalvik instance• Used to locate a number of structures needed
for analysis
![Page 19: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/19.jpg)
19
Locating Loaded Classes• gDvm.loadedClasses is a hash table of
ClassObjects for each loaded class• Hash table is stored as an array• Analysis code walks the backing array and
handles active entries– Inactive entries are NULL or have a pointer value
of 0xcbcacccd
![Page 20: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/20.jpg)
20
Information Per Class• Type and (often) name of the source code file• Information on backing DexFile– DexFile stores everything Dalvik cares about for a
binary• Data Fields– Static– Instance
• Methods– Name and Type– Location of Instructions
![Page 21: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/21.jpg)
21
Static Fields
• Stored once per class (not instance)• Pre-initialized if known• Stored in an array with element type
StaticField• Leads directly to the value of the specific field
![Page 22: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/22.jpg)
22
Instance Fields• Per instance of a Class• Fields are stored in an array of element type
InstField• Offset of each field stored in byteOffset
member– Relative offset from ClassObject structure
![Page 23: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/23.jpg)
23
Listing Instance MembersSource file: ComposeMessageActivity.java Class: Lcom/android/mms/ui/ComposeMessageActivity;Instance Fields:
name: m_receiver signature: Landroid/content/BroadcastReceiver;
name: m_filter signature: Landroid/content/IntentFilter;
name: mAppContext signature: Landroid/content/Context;
name: mAvailableDirPath signature: Ljava/lang/String;
![Page 24: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/24.jpg)
24
Analyzing Methods• We can enumerate all methods (direct, virtual)
and retrieve names and instructions• Not really applicable to this talk• Can be extremely useful for malware analysis
though– If .apk is no longer on disk or if code was changed
at runtime
![Page 25: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/25.jpg)
25
Methods in Memory vs on Disk• Dalvik makes a number of runtime
optimizations [1]• Example: When class members are accessed
(iget, iput) the field table index is replaced with the direct byte offset
• Would likely need to undo some of the optimizations to get complete baksmali output
![Page 26: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/26.jpg)
26
Analyzing Specific Applications
![Page 27: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/27.jpg)
27
Recovery Approach• Best approach seems to be
locating data structures of UI screens– UI screens represented by
uniform (single type) lists of displayed information
– Data for many views are pre-loaded
![Page 28: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/28.jpg)
28
Finding Data Structures• Can save substantial time by using adb’s logcat
(next slide)– Shows the classes and often methods involved in
handling UI events• Otherwise, need to examine source code– Some applications are open source– Others can be “decompiled” with baksmali [9]
![Page 29: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/29.jpg)
29
logcat exampleThe following is a snippet of output when clicking on the text message view:
D/ConversationList(12520): onResume StartD/ComposeMessageActivity(12520): onConatctInfoChangeD/RecipientList(12520): mFilterHandler not nullD/RecipientList(12520): get recipient: 0D/RecipientList(12520): r.name: John SmithD/RecipientList(12520): r.filter() return resultD/RecipientList(12520): indexOf(r)0D/RecipientList(12520): prepare set, index/name: 0/John Smith
![Page 30: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/30.jpg)
30
Phone Call History• Call history view controlled
through a DialerContactCard$OnCardClickListener
• Each contact stored as a DialerContactCard
• Contains the name, number, convo length, and photo of contact
![Page 31: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/31.jpg)
31
Per Contact Call History• Can (sometimes) retrieve call history per-
contact• Requires the user to actually view a contact’s
history before being populated
![Page 32: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/32.jpg)
32
Text Messages• Recovery through ComposeMessageActivity &
TextMessageView• Complete conversations can be recovered • Not pre-populated
![Page 33: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/33.jpg)
33
Voicemail• Audio file is open()’ed• Not mapped contiguously into the process
address space• No method to recover deleted voicemails..
![Page 34: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/34.jpg)
34
Browser (Opera Mini)• Opera Mini is the most used mobile browser• Can recover some session information– The history file is always mapped in memory
(including information from current session)• HTTP requests and page information is
(possibly) recoverable– Can recover <title> information– Stored in Opera Binary Markup Language– Not publicly documented?
![Page 35: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/35.jpg)
35
Recovering Wireless Information• Screenshot on the right
shows results of a scan for wireless networks
• Recovery of this view provides the SSID, MAC address, and enc type for routers found
• Recovery of “Connected” routers show which were associated with
![Page 36: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/36.jpg)
36
Other Wireless Information
• Potentially interesting information:– Wireless keys– Connection stats
• These are not controlled by Dalvik– Keys only initially entered through Dalvik, but then
saved• Stored by the usual Linux applications– wpa_supplicant, dhcpd, in-kernel stats
![Page 37: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/37.jpg)
37
Location Recovery• Associating location & time not always
important– But makes for better slides *hint*
• Interesting for a number of reasons– Forensics & Privacy concerns– Not part of a “standard” forensics investigation
![Page 38: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/38.jpg)
38
Google Maps• Did not do source code analysis– Most phones won’t be using Google Maps while
being seized– Wanted to find ways to get historical data cleanly
• Found two promising searches– mTime=TIME,mLatitude=LAT,mLongitude=LON– point: LAT,LON … lastFix: TIME• TIME is the last location, extra work needed to verify
![Page 39: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/39.jpg)
39
“Popular” Weather Application
• The weather application uses your location to give you relevant information
• http://vendor.site.com/widget/search.asp? lat=LAT&lon=LON&nocache=TIME
![Page 40: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/40.jpg)
40
More GPS Fun• All of the following applications do not clear
GPS data from memory, and all send their lat/lon using GET with HTTP– Urban Spoon– Weather Channel– WeatherBug– Yelp– Groupon– Movies
![Page 41: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/41.jpg)
41
Implementation• Recovery code written as Volatility [7] plugins– Most popular memory analysis framework– Has support for all Windows versions since XP and
2.6 Intel Linux– Now also supports ARM Linux/Android
• Makes rapid development of memory analysis capabilities simple
• Also can be used for analyzing other binary formats
![Page 42: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/42.jpg)
42
Testing• Tested against a HTC EVO 4G– No phone-specific features used in analysis– Only a few HTC-specific packages were analyzed
• Visually tested against other Dalvik versions– No drastic changes in core Dalvik functionality
![Page 43: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/43.jpg)
43
Research Applications• Memory forensics (obviously)• Testing of privacy assurances• Malware analysis– Can enumerate and recover methods and their
instructions
![Page 44: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/44.jpg)
44
Future Avenues of Research• Numerous applications with potentially
interesting information– Too much to manually dig through – Need automation– Baksmali/Volatility/logcat integration?
• Automated determination of interesting evidence across the whole system– Combing work done in [2] and [3]
![Page 46: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/46.jpg)
46
References - 1[1] http://bit.ly/dalvikvsjava[2] Brendan Dolan-Gavitt, et al, “Virtuoso: Narrowing
the Semantic Gap in Virtual Machine Introspection”, IEEE Security and Privacy, 2011[3] TaintDroid, http://www.appanalysis.org/[4] http://bit.ly/windowsmemory [5] http://bit.ly/linuxmem [6] http://bit.ly/memimaging[7] http://code.google.com/p/volatility/[8] http://lcamtuf.coredump.cx/soft/memfetch.tgz
![Page 47: Forensic Memory Analysis of Android's Dalvik Virtual Machine](https://reader036.fdocuments.net/reader036/viewer/2022062300/555c4369d8b42a2c068b4f01/html5/thumbnails/47.jpg)
47
References - 2
[9] baksmali - http://code.google.com/p/smali/