IMF 2024 - Two papers accepted

16 September 2024

Our article on Data Synthesis is Going Mobile – On Community-driven Dataset Generation for Android Device was accepted at IMF 2024. The article presents a novel approach for automatically generating forensically sound Android smartphone dumps; it fully controls the GUI of the smartphone and is built on Android Studio and Android View Client. The paper will be presented at the 13th International Conference on IT Security Incident Management & IT Forensics (IMF) 2024 in Saarbrücken, Germany in September 2024.

Authors: Markus Demmel and Thomas Göbel (Universität der Bundeswehr München), Patrik Gonçalves (Zentrale Stelle für Informationstechnik im Sicherheitsbereich (ZITiS)), Harald Baier (Universität der Bundeswehr München)

Abstract:

Personal electronic devices such as smartphones and smartwatches have become indispensable daily companions, collecting a multitude of personal and sensitive data. As a result, they are of paramount importance in digital forensic examinations. However, there is a lack of publicly available and ready-to-use digital forensic datasets, especially in mobile forensics. This work presents a concept and an open-source proof-of-concept implementation, which simplifies and automates the creation of mobile forensic datasets within the scope of the Android operating system. In contrast to previous approaches, which populate the most common databases of an Android device, our concept is based on community-driven playbooks and makes use of interaction with the actual smartphone GUI. Hence, we are able to generate coherent and realistic traces as they occur in real-world human usage. Our proof-of-concept implementation is based on the standard Android emulation environment and borrows tools from the user interface testing community. Our evaluation shows that our approach actually generates realistic Android datasets. For instance, we can generate traces that cannot be simulated by gestures (e.g., changing the GPS position or triggering incoming phone calls). Recording the actual data synthesis process allows users to either create and share their own playbooks (i.e., the exact instructions for the data synthesis process rather than having to share the full image) or reproduce Android images with different scenarios using playbooks previously created and shared by the community.


Furthermore, our article on Causal Inconsistencies are Normal in Windows Memory Dumps (too) was accepted at IMF 2024. The article systematically assesses causal inconsistencies in memory dumps taken on a Windows 10 machine with the kernel-level acquisition tool WinPmem. The paper will be presented at the 13th International Conference on IT Security Incident Management & IT Forensics (IMF) 2024 in Saarbrücken, Germany in September 2024.

Authors: Lisa Rzepka (Universität der Bundeswehr München), Jenny Ottmann and Felix Freiling (Friedrich-Alexander-Universität Erlangen-Nürnberg), Harald Baier (Universität der Bundeswehr München)

Abstract:

Main memory contains valuable information for criminal investigations, e.g., process information or keys for disk encryption. Taking snapshots of memory is therefore common practice during a digital forensic examination. Inconsistencies in such memory dumps can, however, hamper their analysis. In this paper, we perform a systematic assessment of causal inconsistencies in memory dumps taken on a Windows 10 machine using the kernel-level acquisition tool WinPmem. We use two approaches to measure the quantity of inconsistencies in Windows 10: (1) causal inconsistencies within self-injected memory data structures using a known methodology transferred from the Linux operating system, and (2) inconsistencies in the memory management data structures of the Windows kernel using a novel measurement technique based on properties of the virtual address descriptor (VAD) tree. Our evaluation is based on a dataset of more than 180 memory dumps. As a central result, both types of inconsistency measurement reveal that a high number of inconsistencies is the norm rather than the exception. We also correlate workload and execution time of the memory acquisition tool to the number of inconsistencies in the respective memory snapshot. By controlling these factors it is possible to (somewhat) control the level of inconsistencies in Windows memory dumps.