1150 25th USENIX Security Symposium USENIX Association
RetroScope shares the philosophy of leveraging existing code for memory content rendering with our prior memory forensics technique DSCRETE [37]. However, DSCRETE renders a single application data structure, whereas RetroScope renders full app display screens in temporal order. More importantly, DSCRETE requires application-specific (actually, data structure-specific) identification and extraction of data rendering code, while RetroScope is totally app-agnostic, requiring no analysis of app-internal data or rendering logic. Finally, DSCRETE works on Linux/x86 whereas RetroScope works on the Android/ARM platform.

Many prior memory forensics techniques leverage memory image scanning and data structure signature generation approaches [11, 12, 16, 26, 32, 34, 38, 41]. Data structure signatures can be content-based [16] or "points-to" structure-based [13, 15, 25, 26, 30]. For binary programs without source code, a number of reverse engineering techniques have been proposed to infer data structure definitions [24, 27, 39]. As a fundamentally new memory forensics technique, RetroScope requires neither data structure signature generation nor memory scanning.
7 Conclusion
We have presented RetroScope, a spatial-temporal memory forensics technique (and new paradigm) that recovers multiple previous screens of an app from an Android phone's memory image. RetroScope is based on a novel interleaved re-execution engine which selectively reanimates an app's screen redrawing functionality without requiring any app-specific knowledge. Our evaluation results show that RetroScope can recover visually accurate, temporally ordered screens (ranging from 3 to 11 screens) for a variety of apps on three different Android phones.
Acknowledgments
We thank the anonymous reviewers for their insightful comments and suggestions. This work was supported in part by NSF under Award 1409668.
References
[1] Advanced JTAG mobile device forensics training. http://www.teeltech.com/mobile-device-forensics-training/jtag-forensics/, 2015.
[2] Forensics Wiki - memory imaging tools. http://forensicswiki.org/wiki/Tools:Memory_Imaging, 2015.
[3] ISIS still using Telegram channels - Business Insider. http://www.businessinsider.com/isis-telegram-channels-2015-11, 2015.
[4] Signal, the Snowden-Approved Crypto App, Comes to Android. http://www.wired.com/2015/11/signals-snowden-approved-phone-crypto-app-comes-to-android/, 2015.
[5] Apple vs. the FBI: Google, WhatsApp, John McAfee and more are taking sides - LA Times. http://www.latimes.com/business/technology/la-fi-tn-tech-response-apple-20160218-snap-htmlstory.html, 2016.
[6] 504ENSICS Labs. Dalvik Inspector. http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik-inspector/, 2013.
[7] 504ENSICS Labs. LiME Linux Memory Extractor. https://github.com/504ensicsLabs/LiME, 2013.
[8] Apostolopoulos, D., Marinakis, G., Ntantogian, C., and Xenakis, C. Discovering authentication credentials in volatile memory of Android mobile devices. In Collaborative, Trusted and Privacy-Aware e/m-Services (2013).
[9] Ashcroft, J., Daniels, D. J., and Hart, S. V. Forensic examination of digital evidence: A guide for law enforcement. U.S. National Institute of Justice, Office of Justice Programs, NIJ Special Report NCJ 199408 (2004).
[10] Becher, M., Dornseif, M., and Klein, C. Firewire: all your memory are belong to us. CanSecWest (2005).
[11] Betz, C. Memparser forensics tool. http://www.dfrws.org/2005/challenge/memparser.shtml, 2005.
[12] Bugcheck, C. Grepexec: Grepping executive objects from pool memory. In Proc. Digital Forensic Research Workshop (2006).
[13] Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., and Jiang, X. Mapping kernel objects to enable systematic integrity checking. In Proc. CCS (2009).
[14] Carrier, B. D., and Grand, J. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation 1 (2004).
[15] Case, A., Cristina, A., Marziale, L., Richard, G. G., and Roussev, V. FACE: Automated digital evidence discovery and correlation. Digital Investigation 5 (2008).
[16] Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. Robust signatures for kernel data structures. In Proc. CCS (2009).
[17] Google, Inc. Android dashboards - platform versions. https://developer.android.com/about/dashboards/index.html, 2015.
[18] Gruhn, M. Windows NT pagefile.sys virtual memory analysis. In Proc. IT Security Incident Management & IT Forensics (IMF) (2015).
[19] Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J. A., Feldman, A. J., Appelbaum, J., and Felten, E. W. Lest we remember: cold-boot attacks on encryption keys. In Proc. USENIX Security (2008).
[20] Hilgers, C., Macht, H., Müller, T., and Spreitzenbarth, M. Post-mortem memory analysis of cold-booted Android devices. In Proc. IT Security Incident Management & IT Forensics (IMF) (2014).
[21] Jarrett, H. M., Bailie, M. W., Hagen, E., and Judish, N. Searching and seizing computers and obtaining electronic evidence in criminal investigations. U.S. Department of Justice, Computer Crime and Intellectual Property Section Criminal Division (2009).
[22] Kollár, I. Forensic RAM dump image analyser. Master's Thesis, Charles University in Prague (2010).