AmpleDroid Recovering Large Object Files from Android Application Memory

Analysis of app-specific behavior has become an increasingly important capability in the fields of digital forensics and incident response. The ability to determine the precise actions performed by a user, such as URLs visited, files downloaded, messages sent and received, images and video viewed, and personal files accessed can be the difference between a successful analysis and one that fails to meet its goals. Unfortunately, proper analysis of volatile app-specific evidence, especially the recovery of large objects such as multimedia and large text files stored in memory has not been explored. This is mainly because the allocation function in the various Android memory management algorithms handles large objects differently and in separate memory regions than small objects. Thus, in this paper our effort is focused on developing an app-agnostic memory analysis tool capable of recovering and reconstructing large objects from process memory captures. We present AmpleDroid, a tool that identifies and extracts large objects loaded in an application memory space. Our methodology involves the inspection of the process image to identify vital Android runtime data structures utilized during large object allocation. AmpleDroid is evaluated on a number of apps and the results shows the recovery of almost 91% of the allocated large objects from process memory.