RetroScope opens doors to the past in smart phone investigations

From Purdue University:

WEST LAFAYETTE, Ind. — Purdue University researchers are working on a new technique that could aid law enforcement in gathering data from smart phones when investigating crimes.

A research team led by Professor Dongyan Xu, a computer science professor and interim executive director of the Center for Education and Research in Information Assurance and Security, and fellow Purdue computer science professor Xiangyu Zhang will detail findings of the technique, called RetroScope, during the USENIX Security Symposium in Austin, Texas, Aug. 10-12.

The increasing use of mobile technology in today’s society has made information stored in the memory of smart phones just as important as evidence recovered from traditional crime scenes.

Xu said RetroScope was developed in the last nine months as a continuation of the team’s work in smart phone memory forensics. The research moves the focus from a smart phone’s hard drive, which holds information after the phone is shut down, to the device’s RAM, which is volatile memory.

“We argue this is the frontier in cybercrime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps,” he said. “Investigators are able to obtain more timely forensic information toward solving a crime or an attack.”

Although the contents of volatile memory are gone as soon as the phone is shut down, that memory can reveal surprising amounts of forensic data if the device is up and running.

The team’s early research resulted in work published late last year that could recover the last screen displayed by an Android application. Building on that, Xu said, it was discovered that apps left a lot of data in the volatile memory long after that data was displayed.

To uncover that data, Purdue doctoral student Brendan Saltaformaggio theorized that rather than focusing on searching …
