Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android
Jennifer Bellizzi, Mark Vella, Christian Colombo, Julio Hernandez-Castro

TL;DR
This paper introduces a framework called JIT-MF for Android memory forensics that enables detailed investigation of stealthy attacks, especially those using Living-Off-the-Land tactics, without requiring device rooting.
Contribution
The work presents a conceptual design of JIT-MF drivers and demonstrates their effectiveness in improving forensic timelines in Android investigations.
Findings
JIT-MF drivers enable richer forensic evidence collection.
Investigations with JIT-MF are on average 26% closer to ground truth.
Framework works on stock Android devices without rooting.
Abstract
Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · User Authentication and Security Systems
