At the USENIX Security Symposium, held on August 10-12, 2016 in Austin, Texas, a research team led by Professor Dongyan Xu of Purdue University presented RetroScope, a new technique from their research.
Smartphone memory is important evidence at crime scenes because mobile phones play a major role in day-to-day life. This research shifts the focus from a smartphone’s hard drive, which holds information after the phone is shut down, to the device’s RAM, which is volatile memory.
“We argue this is the frontier in cybercrime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps. Thus, investigators are able to obtain more timely forensic information toward solving a crime or an attack,” said Xu.
Although the contents of volatile memory are gone as soon as the phone is shut down, RetroScope uses the common rendering framework in Android to issue a redraw command and obtain as many previous screens as are available in volatile memory for any Android app. “Anything that was shown on the screen at the time of use is indicated by the recovered screens, offering investigators a litany of information,” Xu said.
In trials, RetroScope recovered around 3 to 11 previous screens in 15 different apps, an average of five pages per app, using this method that analyses both hard drives and volatile memories.
Though this technology is a boon for investigators, it reveals a lack of in-memory app data protection.