A Novel Android Memory Forensics for Discovering Remnant Data

Gandeva Bayu Satrya, Febrian Kurniawan


As recently updated on the vulnerability statistics shown in 2019, Android-driven smartphones, tablet PCs, and other Android devices are vulnerable, whether from internal or external threats. Most users store sensitive data like emails, photos, cloud storage access, and contact lists on Android smartphones. This information holds a growing-importance for the digital investigation process of mobile devices, e.g., internal memory or random-access memory (RAM) forensics, or external memory or read-only memory (ROM) forensics on Android smartphones. Internal memory retrieval is considered flawed and difficult by some researchers as it alters the digital evidence in an intrusive way. On the other hand, external memory retrieval also called logical acquisition that implies the image of logical storage items (e.g., files, database, directories, etc.) that locate on logical storage. This research provides a novel methodology that focuses only on internal memory forensic in a forensically sound manner. This research also contributes two algorithms, e.g., collect raw information (CRI) for parsing the raw data, and investigate raw information (IRI) for extracting the digital evidence to be more readable. This research conducted with fourteenth events to be analyzed, and each event was captured by SHA-1 as digital evidence. By using GDrive as the case study, the authors concluded that the proposed methodology could be used as guidance by forensics analyst(s), cyberlaw practitioner(s), and expert witness(es) in the court.


vulnerability; investigation; memory forensics; guidance; Android.

Full Text:



Statcounter. (2019) Mobile Operating System Market Share Worldwide. [Online]. Available: http://gs.statcounter.com/os-market-share/mobile/worldwide.

Google Drive. (2019) Google Drive Terms of Service. [Online]. Available: https://www.google.com/drive/terms-of-service/.

Holt, Thomas J., Adam M. Bossler, and Kathryn C. Seigfried-Spellar. Cybercrime and digital forensics: An introduction. Routledge, 2017.

Caviglione, Luca, Steffen Wendzel, and Wojciech Mazurczyk. "The future of digital forensics: Challenges and the road ahead," IEEE Security & Privacy, vol. 15, issue 6, pp. 12-17, 2017.

Ogazi-Onyemaechi, Bernard Chukwuemeka, Ali Dehghantanha, and K-KR Choo. "Performance of android forensics data recovery tools," Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, Syngress, pp. 91-110, 2017.

Lin, Xiaodong. "Android Forensics." Introductory Computer Forensics. Springer, Cham, pp. 335-371, 2018.

Nisioti, Antonia, et al. "You can run but you cannot hide from memory: Extracting IM evidence of Android apps," 2017 IEEE Symposium on Computers and Communications (ISCC). IEEE, 2017.

Satrya, Gandeva Bayu, and Soo Young Shin. "Proposed Method for Mobile Forensics Investigation Analysis of Remnant Data on Google Drive Client," Journal of Internet Technology, vol. 19, issue 6, pp. 1741-1751, 2018.

McKemmish, Rodney. What is forensic computing? Canberra: Australian Institute of Criminology, 1999.

Årnes, André, ed. Digital forensics. John Wiley & Sons, 2017.

Scrivens, Nathan, and Xiaodong Lin. "Android digital forensics: data, extraction and analysis." Proceedings of the ACM Turing 50th Celebration Conference, China, 2017, pp. 1-10.

Gandeva Bayu Satrya, A. Ahmad Nasrullah, and Soo Young Shin. “Identifying artefact on Microsoft OneDrive client to support Android forensics”, International Journal of Electronic Security and Digital Forensics, vol 9, issue 3, 269-291, 2017.

Sylve, Joseph T. "Towards real-time volatile memory forensics: frameworks, methods, and analysis." Dissertation Thesis. University of New Orleans, 2017.

C. Tien, J. Liao, S. Chang and S. Kuo, "Memory forensics using virtual machine introspection for Malware analysis," 2017 IEEE Conference on Dependable and Secure Computing, Taipei, 2017, pp. 518-519.

Park, Juhyun, Yun-Hwan Jang, and Yongsu Park. "New flash memory acquisition methods based on firmware update protocols for LG Android smartphones," Digital Investigation, vol. 25, pp. 42-54, 2018.

Cheng, Yingxin, et al. "A lightweight live memory forensic approach based on hardware virtualization," Information Sciences, vol. 379, pp. 23-41, 2017.

Casey, Peter, et al. "Inception: Virtual Space in Memory Space in Real Space–Memory Forensics of Immersive Virtual Reality with the HTC Vive," Digital Investigation, vol. 29, pp. S13-S21, 2019.

Vella, Mark, and Rachel Cilia. "Memory Forensics of Insecure Android Inter-app Communications." ICISSP, Porto, 2017, pp.481-486.

Yang, Seung Jei, et al. "Live acquisition of main memory data from Android smartphones and smartwatches," Digital Investigation, vol. 23, pp. 50-62, 2017.

Ali-Gombe, Aisha, et al. "DroidScraper: A Tool for Android In-Memory Object Recovery and Reconstruction." 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID). Beijing, 2019, pp. 547-559.

P. Feng, Q. Li, P. Zhang and Z. Chen, "Private Data Acquisition Method Based on System-Level Data Migration and Volatile Memory Forensics for Android Applications," in IEEE Access, vol. 7, pp. 16695-16703, 2019.

DOI: http://dx.doi.org/10.18517/ijaseit.10.3.9363


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development