MSAB Whitepaper – Investigating RAM In A Mobile Device

MSAB’s new whitepaper by Dave Lauder explores the often-overlooked value of mobile device RAM in digital investigations. Once considered too volatile or inaccessible to be useful, RAM can in fact hold fleeting but crucial data—such as user input, app activity, and system information—that may never be stored elsewhere.

Read an excerpt below and download the full whitepaper to discover how RAM analysis can uncover new sources of digital evidence.

Download Whitepaper

Dumping RAM from a mobile device is often seen as hard and of little use, since the established methods for performing the dump usually involve rooting the device. Rooting will give you access to RAM dumps, but those dumps will not contain anything useful to an investigation: the device has been rebooted in the process and any data of worth to an investigation has been overwritten.

This has become established knowledge, passed from senior to junior investigators and analysts in training and written into procedures for data collection, and it goes unchallenged because that is the way things work. But technology doesn’t stand still, and this knowledge should be challenged from time to time because things can change. Dumping RAM from a mobile device is still difficult to achieve, but the techniques for capturing it are improving, and the established view becomes more out of date as those techniques mature.

Putting aside the capture of a RAM dump for the moment, the next question should be: why would I want it? In data analysis we generally think of data as being of two types. The first is data “at rest”. This type of data is typically found on storage of some kind that provides long-term access for reading, updating and creating data. For a mobile device, this is the typical filesystem data found within a normal handset dump.

As time moves on, this data is becoming more and more inaccessible due to the use of encryption and other techniques for hiding data. This also means that a lot of effort is required to discover the encryption method and keys, or the data-hiding technique, used for this “at rest” data, and so there can be a lag between an update to an app’s data structure and the means to examine it. This is problematic in two ways. The first is that apps update at will, which might mean that a given data structure only exists for a small timeframe.

An example of a short timeframe is that Facebook once changed a data structure in one update, then changed it again in another update two hours later. If the handset was seized between these updates, that short-lived data structure would exist on that handset. Would the forensic tool you are using to analyse the data understand it? The other problem with this effort is that sometimes bespoke apps are used for communication, so a data structure might only exist on five handsets in the world.

If data is not “at rest” then it is “in transit”. This describes data that is actively being used and changed, and that may only live for milliseconds as useful data within a device. This is often the kind of data we find in RAM. The data may only have a useful life of milliseconds for the app using it, but memory management within the device may not reuse the area where the data resides for some extended period, so it will still exist in the RAM dump.


The app requires this data in a raw, unencrypted or de-obfuscated format so that it can work on it, and then encrypts or obfuscates it again for storage “at rest”. The in-memory data may also have a different structure to the data stored at rest. An example of this is an SMS text message. These can be found in PDU format in RAM but will be stored as database entries “at rest”. The app transforms the PDU format into its own data structure for storage in a database, but the memory within the app potentially holds both data structure types at once.
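To make the SMS example concrete, here is an added illustration (not code from the whitepaper or from MSAB) of what an analyst would write to recover that “in transit” form: a decoder for an SMSC-prefixed SMS-DELIVER PDU as defined in 3GPP TS 23.040, plus a carver that finds hex-ASCII PDUs (the form a modem’s `+CMT:` response takes) inside a raw memory buffer and uses the decoder’s consistency checks to reject false positives. The PDU is the widely published “hellohello” sample; the memory buffer around it is constructed here purely to exercise the carver, and the `+CMT:` framing is an assumption about how such a string might appear, not something taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GSM 03.38 default 7-bit alphabet, basic table only (the 0x1B escape
# table for characters such as '[' or the euro sign is not expanded).
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)


@dataclass
class SmsDeliver:
    smsc: str          # service centre address, '+' prefixed when international
    sender: str        # originating address (TP-OA)
    timestamp: str     # TP-SCTS as "YY-MM-DD HH:MM:SS" (SMSC local time)
    tz_minutes: int    # TP-SCTS offset from GMT, in minutes
    text: str          # TP-UD decoded from the 7-bit default alphabet


def _semi_octets(data: bytes) -> str:
    """Decode swapped-nibble BCD digits; a 0xF nibble is filler."""
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0xF)


def _address(toa: int, digits: str) -> str:
    """Prefix '+' when the type-of-number field (bits 6-4) is 'international'."""
    return ("+" if (toa >> 4) & 0x7 == 1 else "") + digits


def _bcd(b: int) -> int:
    """One swapped-nibble BCD byte to an int; reject non-decimal nibbles."""
    lo, hi = b & 0x0F, b >> 4
    if lo > 9 or hi > 9:
        raise ValueError("not BCD")
    return lo * 10 + hi


def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit septets (packed LSB-first across octet boundaries)."""
    n = int.from_bytes(data, "little")
    return "".join(GSM7[(n >> (7 * i)) & 0x7F] for i in range(septets))


def decode_sms_deliver(pdu_hex: str) -> Optional[SmsDeliver]:
    """Parse an SMSC-prefixed SMS-DELIVER PDU carrying 7-bit text.

    Returns None on any inconsistent length or field, so the same
    function validates carved candidates.
    """
    try:
        raw = bytes.fromhex(pdu_hex)
        pos = 0
        smsc_len = raw[pos]; pos += 1                  # SMSC info octets that follow
        if smsc_len > 11:
            return None
        smsc = ""
        if smsc_len:
            smsc = _address(raw[pos], _semi_octets(raw[pos + 1:pos + smsc_len]))
            pos += smsc_len
        if raw[pos] & 0x03 != 0:                       # TP-MTI 00 = SMS-DELIVER
            return None
        pos += 1
        oa_digits = raw[pos]; pos += 1                 # TP-OA length in digits
        toa = raw[pos]
        if oa_digits > 20 or (toa >> 4) & 0x7 == 5:    # alphanumeric OA not handled
            return None
        oa_octets = (oa_digits + 1) // 2
        digits = _semi_octets(raw[pos + 1:pos + 1 + oa_octets])
        if len(digits) != oa_digits:
            return None
        sender = _address(toa, digits)
        pos += 1 + oa_octets
        dcs = raw[pos + 1]; pos += 2                   # skip TP-PID, read TP-DCS
        if dcs & 0xCC:                                 # general coding group, 7-bit only
            return None
        yy, mo, dd, hh, mi, ss = (_bcd(b) for b in raw[pos:pos + 6])
        if not (1 <= mo <= 12 and 1 <= dd <= 31 and hh < 24 and mi < 60 and ss < 60):
            return None
        tzb = raw[pos + 6]; pos += 7                   # sign is bit 3 of the tens nibble
        quarters = (tzb & 0x07) * 10 + (tzb >> 4)
        tz_minutes = -15 * quarters if tzb & 0x08 else 15 * quarters
        udl = raw[pos]; pos += 1                       # TP-UDL in septets
        need = (udl * 7 + 7) // 8
        if udl > 160 or need > len(raw) - pos:
            return None
        text = _unpack_7bit(raw[pos:pos + need], udl)
        stamp = f"{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d}"
        return SmsDeliver(smsc, sender, stamp, tz_minutes, text)
    except (IndexError, ValueError):
        return None


HEX_RUN = re.compile(rb"[0-9A-F]{40,}")   # upper-case hex ASCII as AT modems emit it


def carve_sms_pdus(buf: bytes) -> List[Tuple[int, SmsDeliver]]:
    """Find hex-ASCII SMS-DELIVER PDUs in a memory buffer as (offset, message).

    Caveats: binary TPDU copies and lower-case hex are not carved, and only
    7-bit messages decode; everything else fails validation and is dropped.
    """
    hits = []
    for m in HEX_RUN.finditer(buf):
        run = m.group().decode("ascii")
        if len(run) % 2:                   # PDUs are whole octets
            run = run[:-1]
        msg = decode_sms_deliver(run)
        if msg is not None:
            hits.append((m.start(), msg))
    return hits


# Widely published sample PDU: "hellohello" from 27838890001 via SMSC +27831000015.
SAMPLE_PDU = "07917238010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"

# Constructed memory buffer: padding, a hash-like hex run that must be rejected,
# and an assumed modem-style "+CMT:" response carrying the PDU (28 TPDU octets).
SAMPLE_RAM = (
    b"\x00" * 16 + b"digest=" + b"CAFE" * 12 + b"\x00" + b"\xff" * 8
    + b"+CMT: ,28\r\n" + SAMPLE_PDU.encode() + b"\r\nOK\r\n" + b"\x00" * 16
)

if __name__ == "__main__":
    for off, msg in carve_sms_pdus(SAMPLE_RAM):
        print(f"0x{off:04x} {msg.smsc} -> {msg.sender} {msg.timestamp} "
              f"GMT{msg.tz_minutes:+d}min {msg.text!r}")
```

The point of the carver is less the regex than the validator behind it: a hex run only survives if its SMSC and address lengths, message type, data coding scheme, BCD timestamp and user-data length all agree, which is what lets the same code be run over a whole RAM image without drowning in hash values and other hex-looking noise. The decoded fields (sender, SMSC timestamp and time zone, text) are exactly the ones the messaging app will later rewrite into its own database row.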

For data “at rest”, a lot of knowledge and research goes on, both within tool makers and within the industry itself, to solve the challenges of obfuscation and encryption. Some analysts also end up as tool makers, writing scripts and programs of their own to solve some niche problem that is rarely seen. For data “in transit”, the problem has always been obtaining data with which to examine these data structures, and that is now possible with the use of RAM dumps.

To access the complete version and dive deeper into the findings, visit Guides & Whitepapers – MSAB.
