Exploring Runtime Evolution in Android: A Cross-Version Analysis and Its Implications for Memory Forensics
Babangida Bappah, Lauren G Bristol, Lamine Noureddine, Sideeq Bello, Umar Farooq, Aisha Ali-Gombe

TL;DR
This study systematically analyzes how Android Runtime structures evolve across versions, revealing significant changes that challenge existing memory forensics tools and suggesting the need for adaptive, hybrid analysis methods.
Contribution
It provides the first empirical analysis of Android Runtime structural evolution across multiple versions and architectures, highlighting its impact on forensic reliability.
Findings
Over 73.2% of structure members change position across versions
Structural evolution affects core forensic operations like thread enumeration and object reconstruction
Traditional static and symbol-based methods are increasingly unreliable for Android memory forensics
Abstract
Userland memory forensics has become a critical component of smartphone investigations and incident response, enabling the recovery of volatile evidence such as deleted messages from end-to-end encrypted apps and cryptocurrency transactions. However, these forensics tools, particularly on Android, face significant challenges in adapting to different versions and maintaining reliability over time due to the constant evolution of low-level structures critical for evidence recovery and reconstruction. Structural changes, ranging from simple offset modifications to complete architectural redesigns, pose substantial maintenance and adaptability issues for forensic tools that rely on precise structure interpretation. Thus, this paper presents the first systematic study of Android Runtime (ART) structural evolution and its implications for memory forensics. We conduct an empirical analysis of…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Security and Verification in Computing
