![Page 1: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/1.jpg)
Memory Analysis of the Dalvik(Android) Virtual Machine
Andrew Case
Digital Forensics Solutions
![Page 2: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/2.jpg)
Who Am I?• Security Analyst at Digital Forensics Solutions
– Also perform wide ranging forensics investigations
• Volatility Developer
• Former Blackhat and DFRWS speaker
2
![Page 3: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/3.jpg)
Agenda• What is Dalvik / why do we care?
• Brief overview of memory forensics
• Extracting allocated and historical data from Dalvik instances
• Target specific Android applications
3
![Page 4: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/4.jpg)
What is Dalvik?
• Dalvik is the software VM for all Android applications
• Nearly identical to the Java Virtual Machine (JVM) [1]
• Open source, written in C / Java
4
![Page 5: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/5.jpg)
Why do we care?• Android-based phones leading in US mobile
market
– Which makes for many phones to investigate
• Memory forensics capabilities against Android applications have numerous uses/implications
• Entire forensics community (LEO, .gov, private firms) already urging development of such capabilities
5
![Page 6: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/6.jpg)
Memory Forensics Introduction• Memory forensics is vital to orderly recovery of
runtime information
• Unstructured methods (strings, grep, etc) are brittle and only recover superficial info
• Structured methods allow for recovery of data structures, variables, and code from memory
• Previous work at operating system level led to recovery of processes, open files, network connections, etc [4,5]
6
![Page 7: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/7.jpg)
Memory Analysis Process• First, need to acquire memory
– Acquisition depends on environment [6]
• Next, requires locating information in memory and interpreting it correctly
– Also requires re-implementing functionality offline
• Then it needs to be displayed in a useful way to the investigator
7
![Page 8: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/8.jpg)
Dalvik Memory Analysis
8
![Page 9: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/9.jpg)
Acquiring Memory – Approach 1
• The normal method is to acquire a complete capture of physical RAM
• Works well when analyzing kernel data structures as their pages are not swapped out
• Allows for recovery of allocated and historical processes, open files, network connections, and so on
9
![Page 10: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/10.jpg)
Approach 1 on Android
• Without /dev/mem support, need a LKM to read memory
• No current module works for Android (ARM)
• We developed our own (mostly by @jtsylve)
• Benefits of full capture:
– Can target any process (including its mappings)
– Can recover information from unmapped pages in processes
10
![Page 11: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/11.jpg)
Acquiring Memory – Approach 2• Memory can be acquired on a per-process
basis
• Ensures that all pages of the process will be acquired
• Easiest to perform with memfetch[8]
– After a few small changes, was statically compiled for ARM
• No unmapped pages will be recovered though
– Heap and GC don’t munmap immediately
11
![Page 12: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/12.jpg)
Analyzing C vs Java
• Most previous forensics research has had the “luxury” of analyzing C
– Nearly 1:1 mapping of code/data to in-memory layout
• Declaration of a C “string”
– char buffer*+ = “Hello World”;
• Memory Layout (xxd)
– 4865 6c6c 6f20 576f 726c 6400 Hello World.
12
![Page 13: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/13.jpg)
A Dalvik String in Memory• First, need the address of the “StringObject”
• Next, need the offsets of the “java/lang/String” value and byte offsetmembers
• StringObject + value offset leads us to an “ArrayObject”
• ArrayObject + byte offset leads to an UTF-16 array of characters
• … finally we have the string (in Unicode)
13
![Page 14: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/14.jpg)
Now for the memory analysis…• The real goal of the research was to be able to
locate arbitrary class instances and fields in memory
• Other goals included replicating commonly used features of the Android debugging framework
14
![Page 15: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/15.jpg)
Locating Data Structures
• The base of Dalvik loads as a shared library (libdvm.so)
• Contains global variables that we use to locate classes and other information
• Also contains the C structures needed to parse and gather evidence we need
15
![Page 16: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/16.jpg)
Gathering libdvm’s Structures
1) Grab the shared library from the phone (adb)
2) Use Volatility’s dwarfparse.py:
• Builds a profile of C structures along with members, types, and byte offsets
• Records offsets of global variables
3) Example structure definition
'ClassObject': [ 0xa0, { Class name and size
'obj': [0x0, ['Object']], member name, offset, and type
16
![Page 17: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/17.jpg)
Volatility Plugin Sample
• Accessing structures is as simple as knowing the type and offset
intval = obj.Object(“int”, offset=intOffset, ..)
• Volatility code to access ‘descriptor’ of an ‘Object’:
o = obj.Object("Object", offset=objectAddress, ..)
c = obj.Object("ClassObject", offset=o.clazz, …)
desc = linux_common.get_string(c.descriptor)
17
![Page 18: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/18.jpg)
gDvm
• gDvm is a global structure of type DvmGlobals
• Holds info about a specific Dalvik instance
• Used to locate a number of structures needed for analysis
18
![Page 19: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/19.jpg)
Locating Loaded Classes
• gDvm.loadedClasses is a hash table of ClassObjects for each loaded class
• Hash table is stored as an array
• Analysis code walks the backing array and handles active entries
– Inactive entries are NULL or have a pointer value of 0xcbcacccd
19
![Page 20: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/20.jpg)
Information Per Class• Type and (often) name of the source code file
• Information on backing DexFile– DexFile stores everything Dalvik cares about for a
binary
• Data Fields– Static
– Instance
• Methods– Name and Type
– Location of Instructions
20
![Page 21: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/21.jpg)
Static Fields
• Stored once per class (not instance)
• Pre-initialized if known
• Stored in an array with element type StaticField
• Leads directly to the value of the specific field
21
![Page 22: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/22.jpg)
Instance Fields• Per instance of a Class
• Fields are stored in an array of element type InstField
• Offset of each field stored in byteOffsetmember
– Relative offset from ClassObject structure
22
![Page 23: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/23.jpg)
Listing Instance MembersSource file: ComposeMessageActivity.java Class: Lcom/android/mms/ui/ComposeMessageActivity;Instance Fields:
name: m_receiversignature: Landroid/content/BroadcastReceiver;
name: m_filtersignature: Landroid/content/IntentFilter;
name: mAppContextsignature: Landroid/content/Context;
name: mAvailableDirPathsignature: Ljava/lang/String;
23
![Page 24: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/24.jpg)
Analyzing Methods
• We can enumerate all methods (direct, virtual) and retrieve names and instructions
• Not really applicable to this talk
• Can be extremely useful for malware analysis though
– If .apk is no longer on disk or if code was changed at runtime
24
![Page 25: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/25.jpg)
Methods in Memory vs on Disk
• Dalvik makes a number of runtime optimizations [1]
• Example: When class members are accessed (iget, iput) the field table index is replaced with the direct byte offset
• Would likely need to undo some of the optimizations to get complete baksmalioutput
25
![Page 26: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/26.jpg)
Analyzing Specific Applications
26
![Page 27: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/27.jpg)
Recovery Approach• Best approach seems to be
locating data structures of UI screens
– UI screens represented by uniform (single type) lists of displayed information
– Data for many views are pre-loaded
27
![Page 28: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/28.jpg)
Finding Data Structures• Can save substantial time by using adb’s
logcat (next slide)
– Shows the classes and often methods involved in handling UI events
• Otherwise, need to examine source code
– Some applications are open source
– Others can be “decompiled” with baksmali [9]
28
![Page 29: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/29.jpg)
logcat exampleThe following is a snippet of output when clicking on the text message view:
D/ConversationList(12520): onResume Start
D/ComposeMessageActivity(12520): onConatctInfoChange
D/RecipientList(12520): mFilterHandler not null
D/RecipientList(12520): get recipient: 0
D/RecipientList(12520): r.name: John Smith
D/RecipientList(12520): r.filter() return result
D/RecipientList(12520): indexOf(r)0
D/RecipientList(12520): prepare set, index/name: 0/John Smith
29
![Page 30: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/30.jpg)
Phone Call History
• Call history view controlled through a DialerContactCard$OnCardClickListener
• Each contact stored as a DialerContactCard
• Contains the name, number, convo length, and photo of contact
30
![Page 31: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/31.jpg)
Per Contact Call History
• Can (sometimes) retrieve call history per-contact
• Requires the user to actually view a contact’s history before being populated
31
![Page 32: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/32.jpg)
Text Messages
• Recovery through ComposeMessageActivity & TextMessageView
• Complete conversations can be recovered
• Not pre-populated
32
![Page 33: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/33.jpg)
Voicemail
• Audio file is open()’ed
• Not mapped contiguously into the process address space
• No method to recover deleted voicemails..
33
![Page 34: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/34.jpg)
Browser (Opera Mini)
• Opera Mini is the most used mobile browser
• Can recover some session information
– The history file is always mapped in memory (including information from current session)
• HTTP requests and page information is (possibly) recoverable
– Can recover <title> information
– Stored in Opera Binary Markup Language
– Not publicly documented?
34
![Page 35: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/35.jpg)
Recovering Wireless Information• Screenshot on the right
shows results of a scan for wireless networks
• Recovery of this view provides the SSID, MAC address, and enc type for routers found
• Recovery of “Connected” routers show which were associated with
35
![Page 36: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/36.jpg)
Other Wireless Information
• Potentially interesting information:
– Wireless keys
– Connection stats
• These are not controlled by Dalvik
– Keys only initially entered through Dalvik, but then saved
• Stored by the usual Linux applications
– wpa_supplicant, dhcpd, in-kernel stats
36
![Page 37: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/37.jpg)
Location Recovery
• Associating location & time not always important
– But makes for better slides *hint*
• Interesting for a number of reasons
– Forensics & Privacy concerns
– Not part of a “standard” forensics investigation
37
![Page 38: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/38.jpg)
Google Maps
• Did not do source code analysis
– Most phones won’t be using Google Maps while being seized
– Wanted to find ways to get historical data cleanly
• Found two promising searches
– mTime=TIME,mLatitude=LAT,mLongitude=LON
– point: LAT,LON … lastFix: TIME
• TIME is the last location, extra work needed to verify
38
![Page 39: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/39.jpg)
“Popular” Weather Application
• The weather application uses your location to give you relevant information
• http://vendor.site.com/widget/search.asp? lat=LAT&lon=LON&nocache=TIME
39
![Page 40: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/40.jpg)
More GPS Fun
• All of the following applications do not clear GPS data from memory, and all send their lat/lon using GET with HTTP
– Urban Spoon
– Weather Channel
– WeatherBug
– Yelp
– Groupon
– Movies
40
![Page 41: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/41.jpg)
Implementation• Recovery code written as Volatility [7] plugins
– Most popular memory analysis framework
– Has support for all Windows versions since XP and 2.6 Intel Linux
– Now also supports ARM Linux/Android
• Makes rapid development of memory analysis capabilities simple
• Also can be used for analyzing other binary formats
41
![Page 42: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/42.jpg)
Testing
• Tested against a HTC EVO 4G
– No phone-specific features used in analysis
– Only a few HTC-specific packages were analyzed
• Visually tested against other Dalvik versions
– No drastic changes in core Dalvik functionality
42
![Page 43: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/43.jpg)
Research Applications• Memory forensics (obviously)
• Testing of privacy assurances
• Malware analysis
– Can enumerate and recover methods and their instructions
43
![Page 44: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/44.jpg)
Future Avenues of Research
• Numerous applications with potentially interesting information
– Too much to manually dig through
– Need automation
– Baksmali/Volatility/logcat integration?
• Automated determination of interesting evidence across the whole system
– Combing work done in [2] and [3]
44
![Page 46: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/46.jpg)
References - 1[1] http://bit.ly/dalvikvsjava
[2] Brendan Dolan-Gavitt, et al, “Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection”, IEEE Security and Privacy, 2011
[3] TaintDroid, http://www.appanalysis.org/
[4] http://bit.ly/windowsmemory
[5] http://bit.ly/linuxmem
[6] http://bit.ly/memimaging
[7] http://code.google.com/p/volatility/
[8] http://lcamtuf.coredump.cx/soft/memfetch.tgz
46
![Page 47: Memory Analysis of the Dalvik (Android) Virtual Machine](https://reader037.vdocuments.net/reader037/viewer/2022100223/555c441dd8b42a0b038b5063/html5/thumbnails/47.jpg)
References - 2
[9] baksmali - http://code.google.com/p/smali/
47