Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware
Date: 2011-07-21
Abstract
Malware is defined as computer programs that are used by an attacker to execute malicious
code on the computer of a victim. In today's Internet, malware constitutes a major problem, and
effective protective measures against this threat are necessary. This problem also looms as a new and
future threat to smartphones. They contain a great deal of information that is of great interest to
attackers. Several hundred different versions of malware for this type of device have already been
observed, and it is expected that this number will increase even further within the next few years. Thus,
effective and efficient protection measures against malware on mobile devices (mobile malware)
become necessary, in order to have procedures for detecting and repelling these threats right from
the beginning. Moreover, today there is almost no criminal activity in which information technology
does not play a role. Increasingly, mobile devices become objects of investigation in the context
of crime detection. For these reasons, two major research aspects have been defined within the
scope of a BMBF project named 'MobWorm':
Automated Malware Analyses: Within the scope of this research question, a prototype will be developed further.
To this end, it is investigated which information needs to be collected from a mobile sandbox,
and the corresponding implementation is then carried out. Moreover, methods are investigated for
how far the mobile sandbox may be used as a security measure, e.g. as a reference monitor
for downloaded applications. Here, the mobile sandbox monitors the activities of a program and terminates
it immediately if an unauthorized sequence of actions occurs (e.g. the opening of a non-permitted
network connection or the dialing of an expensive service number).
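The reference-monitor idea above can be made concrete with a small policy evaluator. The following is an added example written for this page, not the MobWorm prototype: it assumes the sandbox emits an ordered trace of (action, argument) events, and it checks both single forbidden actions (dialing a premium-rate number, connecting to a host outside an allow-list) and forbidden sequences of otherwise-permitted actions (reading the address book and then opening any network connection). The event names, number prefixes, host names and traces are all constructed for illustration.

```python
"""Toy reference-monitor policy for a mobile sandbox.

Added example; it is not the MobWorm prototype. The sandbox is assumed to
emit an ordered trace of (action, argument) events, and the monitor decides,
event by event, whether the application must be terminated. Event names and
policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Tuple[str, str]
Pred = Callable[[str], bool]

PREMIUM_PREFIXES = ("0900", "0137")              # constructed expensive-service prefixes
ALLOWED_HOSTS = {"update.example-vendor.test"}   # hypothetical per-app network allow-list


def is_premium_number(number: str) -> bool:
    return number.startswith(PREMIUM_PREFIXES)


def is_foreign_host(host: str) -> bool:
    return host not in ALLOWED_HOSTS


def any_arg(_: str) -> bool:
    return True


# Single actions that are never authorised for this application: action -> (predicate, rule name).
FORBIDDEN_ACTIONS: Dict[str, Tuple[Pred, str]] = {
    "dial": (is_premium_number, "dial_premium_number"),
    "open_socket": (is_foreign_host, "connect_unlisted_host"),
}

# Ordered sequences that are unauthorised even though each step alone may be
# allowed: here, reading the address book and then opening any network
# connection, including one to an allow-listed host.
FORBIDDEN_SEQUENCES: List[Tuple[str, List[Tuple[str, Pred]]]] = [
    ("contacts_then_network", [("read_contacts", any_arg), ("open_socket", any_arg)]),
]


@dataclass
class Verdict:
    terminated: bool
    event_index: Optional[int] = None   # index of the event that triggered termination
    rule: Optional[str] = None          # name of the violated rule


def monitor(trace: List[Event]) -> Verdict:
    """Replay the trace in order and stop at the first policy violation."""
    progress = [0] * len(FORBIDDEN_SEQUENCES)   # matched steps per sequence
    for i, (action, arg) in enumerate(trace):
        if action in FORBIDDEN_ACTIONS:
            pred, rule = FORBIDDEN_ACTIONS[action]
            if pred(arg):
                return Verdict(True, i, rule)
        for s, (rule, steps) in enumerate(FORBIDDEN_SEQUENCES):
            step_action, pred = steps[progress[s]]
            if action == step_action and pred(arg):
                progress[s] += 1
                if progress[s] == len(steps):
                    return Verdict(True, i, rule)
    return Verdict(False)


# Constructed traces as a sandbox might record them.
BENIGN_TRACE = [("open_socket", "update.example-vendor.test"), ("read_file", "/sdcard/notes.txt")]
PREMIUM_TRACE = [("read_file", "/sdcard/notes.txt"), ("dial", "0900123456")]
EXFIL_TRACE = [("read_contacts", "*"), ("open_socket", "update.example-vendor.test")]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("premium", PREMIUM_TRACE), ("exfil", EXFIL_TRACE)):
        print(name, monitor(trace))
```

Keeping the policy as data (a dictionary of single-action rules and a list of sequences) rather than hard-coded branches is what makes such a monitor usable as a configurable security measure: the sequence matcher advances per-sequence progress counters as events arrive and terminates on the event that completes a forbidden sequence, which is the behaviour the abstract describes.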
Mobile Phone Forensics: Within the frame of this research question we develop several
methods to conduct forensic analysis on smartphones. In this context a major focus is put on
Google's Android platform. In a first step, various methods for creating a memory
dump of a mobile phone are researched (e.g. with the help of a Twister-Box, via JTAG, or with specific software).
These are documented as forensic processes, i.e. as detailed and exact activity rules. In a second step,
methods for analyzing memory dumps are developed. As a result, the usability and effectiveness
of standard procedures like file carving and hash-value databases in the area of mobile phones
should be investigated. The focus of the application examples is always put on the corresponding
investigation of malware infections. The methods and tools developed within the scope of this
research question are intended to be an addition to already existing proprietary systems and their
functions, which are often not well documented. With respect to the development, we put great
emphasis on compliance with forensic principles and we align with scientific standards in this area
of research. The developed prototype as well as the fundamental research are important in order
to understand the behavior of mobile devices and software in detail in terms of malware
analysis.
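The two standard procedures named for the second step, file carving and hash-value databases, can be demonstrated together on a raw dump. The following is an added example written for this page, not tooling from the MobWorm project: it carves objects out of a byte buffer by scanning for header/footer signatures (JPEG and PNG here), hashes each carved object with SHA-256 and looks the digest up in a reference hash set. The dump, the hash database and its labels are constructed inline so the script runs offline; a real investigation would use an acquired image and a vetted reference hash set.

```python
"""File carving plus hash-set lookup over a raw memory dump.

Added example, not tooling from the MobWorm project. The dump, the hash
database and the "known" entries are all constructed inline so the script
runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header/footer signatures for the formats this toy carver understands.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_OBJECT = 10 * 1024 * 1024   # stop searching for a footer beyond this many bytes


@dataclass
class Carved:
    kind: str
    offset: int
    size: int
    sha256: str
    label: Optional[str]   # name from the hash database, if the object is known


def carve(dump: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (kind, offset, data) for every header whose footer is found."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = dump.find(head)
        while pos != -1:
            end = dump.find(tail, pos + len(head), pos + MAX_OBJECT)
            if end != -1:
                end += len(tail)
                found.append((kind, pos, dump[pos:end]))
                pos = dump.find(head, end)      # resume after the carved object
            else:
                pos = dump.find(head, pos + 1)  # header without footer: skip it
    return sorted(found, key=lambda f: f[1])


def analyse(dump: bytes, hash_db: Dict[str, str]) -> List[Carved]:
    """Carve the dump and tag each object with its hash-database label (if any)."""
    out = []
    for kind, off, data in carve(dump):
        digest = hashlib.sha256(data).hexdigest()
        out.append(Carved(kind, off, len(data), digest, hash_db.get(digest)))
    return out


# --- constructed sample data -------------------------------------------------
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"T" * 20   # header present, footer missing
SAMPLE_DUMP = (
    b"\x00" * 16 + FAKE_JPEG + b"\x00" * 8 + TRUNCATED_JPEG + b"\x00" * 8 + FAKE_PNG + b"\x00" * 16
)

# Constructed hash database: one entry for the PNG sample, labelled as if it
# came from a reference set of known files.
HASH_DB = {hashlib.sha256(FAKE_PNG).hexdigest(): "known_sample.png (constructed label)"}

if __name__ == "__main__":
    for c in analyse(SAMPLE_DUMP, HASH_DB):
        print(c)
```

The truncated JPEG in the sample dump is there on purpose: a header with no matching footer within the size bound is skipped rather than carved, which is the common failure mode of signature-based carving on fragmented or partially overwritten flash memory. Hashing the carved objects and comparing against a reference set is what lets an examiner separate known-good system files from unknown or known-bad material before any manual inspection.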