Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/91088
Full metadata record
DC Field | Value | Language
dc.contributor.author | Bellizzi, Jennifer | -
dc.contributor.author | Vella, Mark Joseph | -
dc.contributor.author | Colombo, Christian | -
dc.contributor.author | Hernandez-Castro, Julio | -
dc.date.accessioned | 2022-03-10T11:10:46Z | -
dc.date.available | 2022-03-10T11:10:46Z | -
dc.date.issued | 2021 | -
dc.identifier.citation | Bellizzi, J., Vella, M., Colombo, C., & Hernandez-Castro, J. (2021). Responding to living-off-the-land tactics using just-in-time memory forensics (JIT-MF) for Android. International Conference on Security and Cryptography (SECRYPT 2021), Milan. 356-369. | en_GB
dc.identifier.uri | https://www.um.edu.mt/library/oar/handle/123456789/91088 | -
dc.description.abstract | Digital investigations of stealthy attacks on Android devices pose particular challenges to incident responders. Whereas consequential late detection demands accurate and comprehensive forensic timelines to reconstruct all malicious activities, reduced forensic footprints with minimal malware involvement, such as when Living-Off-the-Land (LOtL) tactics are adopted, leave investigators little evidence to work with. Volatile memory forensics can be an effective approach since app execution of any form is always bound to leave a trail of evidence in memory, even if perhaps ephemeral. Just-in-Time Memory Forensics (JIT-MF) is a recently proposed technique that describes a framework to process memory forensics on existing stock Android devices, without compromising their security by requiring them to be rooted. Within this framework, JIT-MF drivers are designed to promptly dump in-memory evidence related to app usage or misuse. In this work, we primarily introduce a conceptualized presentation of JIT-MF drivers. Subsequently, through a series of case studies involving the hijacking of widely-used messaging apps, we show that when the target apps are forensically enhanced with JIT-MF drivers, investigators can generate richer forensic timelines to support their investigation, which are on average 26% closer to ground truth. | en_GB
dc.language.iso | en | en_GB
dc.publisher | SCITEPRESS Digital Library | en_GB
dc.rights | info:eu-repo/semantics/restrictedAccess | en_GB
dc.subject | Digital forensic science | en_GB
dc.subject | Forensic sciences | en_GB
dc.subject | Digital preservation | en_GB
dc.subject | Computer software -- Security measures | en_GB
dc.title | Responding to living-off-the-land tactics using just-in-time memory forensics (JIT-MF) for Android | en_GB
dc.type | conferenceObject | en_GB
dc.rights.holder | The copyright of this work belongs to the author(s)/publisher. The rights of this work are as defined by the appropriate Copyright Legislation or as modified by any successive legislation. Users may access this work and can make use of the information contained in accordance with the Copyright Legislation provided that the author must be properly acknowledged. Further distribution or reproduction in any format is prohibited without the prior permission of the copyright holder. | en_GB
dc.bibliographicCitation.conferencename | International Conference on Security and Cryptography (SECRYPT 2021) | en_GB
dc.bibliographicCitation.conferenceplace | Milan, Italy, 06-08/07/2021 | en_GB
dc.description.reviewed | peer-reviewed | en_GB
dc.identifier.doi | 10.5220/0010603603560369 | -
Appears in Collections: Scholarly Works - FacICTCS

Files in This Item:
File | Description | Size | Format
Responding_to_living-off-the-land_tactics_using_just-in-time_memory_forensics_JIT-MF_for_Android_2021.pdf (Restricted Access) | | 7.37 MB | Adobe PDF


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.