Forensic Analysis of Android Runtime (ART) Application Heap Objects in Emulated and Real Devices

  • Alberto Magno Muniz Soares
  • Rafael Timoteo de Sousa Junior
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 867)


Each new release of a mobile device operating system represents a renewed challenge for the forensic analyst. Even a small modification or fault correction of such basic software requires the revision of forensic tools and methods, frequently leading to the development of new investigation tools and the consequent adaptation of methods. Forensic analysts then need to preserve each tool set and its related methods and associate these sets with the specific mobile operating system release. This paper describes a case of such a transition following the Android Runtime (ART) operating system release. The introduction of this system in the market required the development of a new forensic technique for analyzing ART memory objects using volatile memory data extraction. Based on the Android Open Source Project (AOSP) source code, a method and associated software tools were developed that allow the location, extraction and interpretation of arbitrary ART memory instances with their respective object classes and data properties. The proposed technique and tools were validated on both emulated and real devices, illustrating the difficulties of forensic analysis of the target system due to its particular implementations by multiple mobile device manufacturers.


Keywords: Mobile device forensics; Memory forensics; Memory analysis; Android



This research work has the support of the Brazilian Research, Development and Innovation Agencies CAPES – Coordination for the Improvement of Higher Education Personnel (Grant 23038.007604/2014-69 FORTE – Tempestive Forensics Project), FINEP – Funding Authority for Studies and Projects (Grant 01.12.0555.00 RENASIC/PROTO – Secure Protocols Laboratory of the National Information Security and Cryptography Network), and CNPq – National Council for Scientific and Technological Development (Grant 465741/2014-2 Science and Technology National Institute – INCT on Cybersecurity), as well as the Brazilian Federal Police (Contract 36/10 DITEC/DPF/MJ-FUB) and the Civil Police of the Brazilian Federal District (IC/PCDF).



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Alberto Magno Muniz Soares (1)
  • Rafael Timoteo de Sousa Junior (1)
  1. Cyber Security INCT Unit 6, Electrical Engineering Department, University of Brasília, Brasília, Brazil
