Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware

Abstract

Malware is defined as computer programs that are used by an attacker to execute malicious code on the computer of a victim. In today's Internet malware constitutes a major problem and effective safety measures against this harassment are necessary. This problem looms as a new and future threat to smartphones, too. They contain many information which are of great interest for attackers. Several hundred different versions of malware for this type of device have already been noticed and it is expected that this number will increase even further within next years. Thus, effective and efficient protection measures against malware on mobile devices (mobile malware) become necessary, in order to have procedures for detecting and repelling these threats right from the beginning. Moreover, todays there is almost no criminal action in which information technology does not play a role. Increasingly, mobile devices become an object of investigation in the context of crime detection. Due to this reason two major research aspects have been defined within the scope of a BMBF project named 'MobWorm': Automated Malware Analyses: In the scope of this question a prototype will be further developed. Therefore it is investigated which information from a mobile sandbox need to be collected. Afterwards, the corresponding implementation is executed. Moreover, methods are investigated, in how far the mobile sandbox may be used as a security measure, e.g. as a reference monitor for downloaded applications. Here, the mobile sandbox monitors activities of a program and terminates it directly if an unauthorized sequence of action occurs (e.g. the opening of a permitted network connection or the dialing of an expensive service number). Mobile Phone Forensics: Within the frame of this research question we develop several methods to conduct forensic analysis on smart phones. In this context a major focus is put on Googles Android platform. In a first step various methods are researched how to create a memory dump of a mobile phone (e.g. with the help of Twister-Box, via JTAG or with specific software). These are documented in forensic processes, i.e. in detailed and exact activity rules. In a second step the methods for analyzing memory dumps are developed. As a result the usability and effectiveness of standard procedures like file carving and hash-value databases in the area of mobile phones should be investigated. The focus of the application examples is always put to the corresponding investigation of malware-infections. The methods and tools developed within the scope of this research question are intended to be an addition to already existing propriety systems and their functions which are often not well documented. With respect to the development we put great emphasis on the compliance with forensic principles and we gear to scientific standards in this area of research. The developed prototype as well as the fundamental research is important in order to understand the behavior of mobile devices and software in a detailed way in terms of malware analysis. 10