New forensic tool will recover data from smartphone RAM, encrypted or not

Encryption or not, your smartphone data will now be easily recovered with this forensic tool

You may remember the hullabaloo created when Apple was asked by the FBI to unlock a locked iPhone 5c belonging to a terrorist. The news generated so much hype and opinion that it dominated world tech news for almost a week, before the FBI quietly contracted an Israel-based firm to unlock the terrorist's iPhone.

Now the FBI, or for that matter any law enforcement agency, no longer has to go elsewhere to recover data from locked or encrypted smartphones: researchers have developed a new forensic tool, called RetroScope, that recovers data from smartphone RAM.

Researchers from Purdue University have developed a new tool to recover information stored in a smartphone's volatile memory, which could give investigators important clues for solving criminal cases. Instead of trying to unlock the encrypted smartphone's hard drive, which retains its information after the phone is shut down, the researchers chose to delve into RAM, which is volatile. It is generally thought that the contents of RAM (Random Access Memory) are gone as soon as the smartphone is shut down, but the researchers found that they could recover a surprising amount of data from the RAM even after it was switched off. The team's early research produced work that could recover the last screen displayed by an Android application.

“We argue this is the frontier in cyber crime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps,” said lead researcher Dongyan Xu. “Investigators are able to obtain more timely forensic information toward solving a crime or an attack,” Xu noted.

Building on that research, Xu said, they discovered that apps leave a lot of data in volatile memory long after that data was displayed. RetroScope makes use of the common rendering framework used by Android to issue a redraw command and obtain as many previous screens as are still available in volatile memory for any Android app.

What is more important for law enforcement agencies is that RetroScope requires no prior knowledge of an app's internal data structures. The recovered screens, beginning with the last screen the app displayed, are presented in the order in which they were originally seen. "Anything that was shown on the screen at the time of use is indicated by the recovered screens, offering investigators a litany of information," Xu said.

During testing, RetroScope was able to recover anywhere from three to 11 previous screens in 15 different apps, an average of five screens per app. The findings were presented at the USENIX Security Symposium in Austin, Texas. "We feel without exaggeration that this technology really represents a new paradigm in smart phone forensics," Xu said.

“It is very different from all the existing methodologies for analysing both hard drives and volatile memories,” Xu noted.
