DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging (ASIACCS 2017)

The goal of cyber attack investigation is to fully reconstruct the details of an attack so that its origin can be traced and the system recovered from the damage it caused. This is often difficult and requires tremendous manual effort, because the attack events occurred days or even weeks before the investigation and the detailed information needed is no longer available. Forensic logging is therefore essential for cyber attack investigation. In this paper, the authors present DroidForensics, a multi-layer forensic logging technique for Android. Their goal is to provide the user with detailed information about attack behaviors that enables accurate post-mortem investigation of Android attacks. DroidForensics consists of three logging modules: the API logger captures Android API calls, which carry the high-level semantics of an application; the Binder logger records interactions between applications, which identify causal relations between processes; and the system call logger efficiently monitors low-level system events. The authors also provide a user interface in which the user can compose SQL-like queries to inspect an attack. Their experiments show that DroidForensics has low runtime overhead (2.9% on average) and low space overhead (105 ~ 169 MByte during 24 hours) on real Android devices, and that it is effective in reconstructing the real-world Android attacks they studied.
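As an added illustration (not code from the paper or its authors), the following toy Python script correlates constructed records from the three layers the abstract names and answers the kind of SQL-like question an investigator would pose: which chain of processes, linked by Binder transactions, led to a given suspicious file write. The record layout, pids, package names and field names are assumptions made for the example.

```python
# Toy correlation of API, Binder and system-call logs in the spirit of the paper's
# multi-layer design. All records, pids and package names are constructed for
# illustration; this is not DroidForensics' schema or query language.
# Record: (layer, timestamp, pid, fields). Binder records name the callee pid.
LOG = [
    ("api",     2, 101, {"call": "Context.bindService"}),
    ("binder",  3, 101, {"callee": 202, "code": "START_SYNC"}),
    ("api",     4, 202, {"call": "ContentResolver.query", "uri": "content://contacts"}),
    ("syscall", 5, 202, {"name": "read", "path": "/data/data/provider/contacts2.db"}),
    ("syscall", 6, 202, {"name": "write", "path": "/sdcard/.cache/c.txt"}),
    ("api",     7, 303, {"call": "Activity.onResume"}),  # unrelated noise
]
PROCS = {101: "com.example.game", 202: "com.example.sync", 303: "com.android.launcher"}

def query(layer=None, pid=None, before=None, **match):
    """SQL-like filter: WHERE layer=? AND pid=? AND ts<before AND field=value ..."""
    return [r for r in LOG
            if (layer is None or r[0] == layer)
            and (pid is None or r[2] == pid)
            and (before is None or r[1] < before)
            and all(r[3].get(k) == v for k, v in match.items())]

def backtrack(pid, ts, seen=None):
    """Walk Binder transactions backwards from (pid, ts) to the processes that
    drove it. Returns the causal chain of pids, origin first."""
    seen = set() if seen is None else seen
    seen.add(pid)
    chain = [pid]
    # Most recent incoming transaction first; each caller is expanded recursively.
    for _, t, caller, _ in sorted(query(layer="binder", before=ts, callee=pid),
                                  key=lambda r: -r[1]):
        if caller not in seen:
            chain = backtrack(caller, t, seen) + chain
    return chain

def reconstruct(path):
    """From a suspicious file write, return (origin chain as package names,
    high-level API calls each process made before the write), or None."""
    hits = query(layer="syscall", name="write", path=path)
    if not hits:
        return None
    _, ts, pid, _ = hits[0]
    chain = backtrack(pid, ts)
    apis = {p: [f["call"] for _, _, _, f in query(layer="api", pid=p, before=ts)]
            for p in chain}
    return [PROCS[p] for p in chain], apis
```

The system-call layer alone would only show com.example.sync writing the file; the Binder record is what ties that write back to com.example.game, and the API layer explains what each process was doing in application-level terms.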