Responding to Living-Off-the-Land Tactics using Just-in-Time Memory Forensics (JIT-MF) for Android
This work addresses the problem of limited forensic evidence for incident responders investigating stealthy attacks on Android devices, though it is incremental as it builds on an existing framework.
The paper tackled the challenge of detecting stealthy Living-Off-the-Land attacks on Android by proposing Just-in-Time Memory Forensics drivers, which enabled investigators to generate forensic timelines that were on average 26% closer to ground truth in case studies involving hijacked messaging apps.
Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth.