A research team led by Purdue University professors Dongyan Xu and Xiangyu Zhang detailed the findings of their RetroScope technology during the USENIX Security Symposium over the weekend.
RetroScope, developed in the last nine months, builds upon the research team’s earlier work in smart phone memory forensics. The focus moved away from the persistent storage (the “hard drive”) of smart phones to the device’s random access memory (RAM), a far more volatile form of memory. While RAM contents are lost when a phone is shut down, the researchers said that the contents can reveal a surprising amount of forensic data as long as the device is up and running. Xu said that applications leave a lot of data in volatile memory long after that data was last displayed.
“We argue this is the frontier in cybercrime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps,” Xu said. “Investigators are able to obtain more timely forensic information toward solving a crime or an attack.”
RetroScope uses the common rendering framework shared by Android devices to issue redraw commands, recovering as many of an app’s previous screens as still remain in its volatile memory. Xu said that this process takes away a lot of the manual “dirty work” for a smart phone forensics investigator.
“I was personally amazed by the lack of in-memory app data protection,” Xu said. “One would expect these privacy-sensitive apps to have more completely shredded the information that was previously displayed.”