The project
The overarching aim of DETECTIF is to improve on state-of-the-art mobile forensics for cybercrime incidents involving Android malware used for financial theft and the compromise of personal safety. We intend to attain this aim by evolving a novel technique, Just-In-Time Memory Forensics (JIT-MF), that exposes evidence which is otherwise unavailable.
Even though security protection mechanisms are present in Android app stores and on devices, some malware still reaches devices by leveraging stealthy evasion techniques. Kaspersky Labs reported 3.4 million malicious package installations in 2021 alone, with an upward trend towards stealthy, sophisticated malware that leaves little to no evidence by misusing benign app functionality to attain its goals. Such tactics make it harder for incident responders to analyse, identify and respond to the actions carried out by the malware whenever an incident is flagged. The main consequence is compromised societal security: invasion of privacy, financial loss and even threats to personal safety.
JIT-MF addresses the challenge of collecting short-lived evidence from volatile memory in a timely manner, so that the stealthiest cyberattacks targeting smartphones can be solved. JIT-MF tools can collect elusive attack steps from volatile memory while remaining compatible with stock devices. They take an incident response-centric approach, focusing on protecting device users rather than treating them as potential perpetrators. However, in its current form JIT-MF does not scale well enough to extend its protection scope: a painstaking manual process is required to develop JIT-MF drivers, the components that generate JIT-MF functionality customised for a specific incident. A further challenge is installing these drivers on stock devices whenever the targeted victim apps are not compatible with protective instrumentation.
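To make the timing problem concrete, the following toy model is an added illustration (not code from the DETECTIF project or any JIT-MF tool) of why evidence must be collected just in time. It assumes a hypothetical messaging app whose outbox is its volatile state, a hypothetical driver that hooks a trigger point (here the app's `send` method) and snapshots that state at the moment of the call, and a constructed incident in which benign send functionality is misused and the trace is removed straight afterwards. An end-of-session dump sees nothing; the trigger-driven snapshot retains the evidence.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    recipient: str
    text: str


class MessagingApp:
    """Constructed stand-in for a benign app; `outbox` is its volatile in-memory state."""

    def __init__(self) -> None:
        self.outbox: list[Message] = []

    def send(self, recipient: str, text: str) -> Message:
        msg = Message(recipient, text)
        self.outbox.append(msg)
        return msg

    def clear_outbox(self) -> None:
        # Benign housekeeping that also happens to erase short-lived traces.
        self.outbox.clear()


@dataclass
class Dump:
    trigger: str   # name of the hooked method that fired the collection
    seq: int       # monotonically increasing dump counter (ordering only)
    messages: list[Message]


class JitMfDriver:
    """Hypothetical JIT-MF driver: wraps trigger-point methods and snapshots
    the app's volatile state immediately after each call."""

    def __init__(self, app: MessagingApp) -> None:
        self.app = app
        self.dumps: list[Dump] = []
        self._seq = 0

    def hook(self, method_name: str) -> None:
        original = getattr(self.app, method_name)

        def wrapper(*args, **kwargs):
            result = original(*args, **kwargs)
            self.collect(method_name)  # collect while the evidence still exists
            return result

        setattr(self.app, method_name, wrapper)

    def collect(self, trigger: str) -> Dump:
        self._seq += 1
        dump = Dump(trigger, self._seq, list(self.app.outbox))
        self.dumps.append(dump)
        return dump


def stealthy_incident(app: MessagingApp) -> None:
    """Constructed incident: benign functionality is misused, then the trace is removed."""
    app.send("+00-constructed-number", "constructed outgoing text")
    app.clear_outbox()


def run_scenario() -> tuple[list[Message], list[Message]]:
    """Returns (evidence from JIT dumps, evidence from an end-of-session dump)."""
    app = MessagingApp()
    driver = JitMfDriver(app)
    driver.hook("send")
    stealthy_incident(app)
    end_of_session = list(app.outbox)
    jit_evidence = [m for d in driver.dumps for m in d.messages]
    return jit_evidence, end_of_session


if __name__ == "__main__":
    jit, late = run_scenario()
    print(f"JIT dumps captured {len(jit)} message(s); end-of-session dump captured {len(late)}")
```

The model deliberately leaves out everything that makes real drivers costly to build: choosing which in-memory objects matter for a given incident, carving them out of a process image on a stock device, and doing so for apps that cannot be instrumented at all, which are exactly the scaling problems the paragraph above describes.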
Digital Evidence Targeting covErt Cyberattacks through Timely Information Forensics (DETECTIF) aims to improve state-of-the-art mobile forensics by exploring possible answers to the following research question: "How can JIT-MF be available with minimal manual effort for new investigative scenarios and pre-installed apps to expose otherwise undetectable Android cyberattacks?"