VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images
Cited by 1 (1 self)
The ubiquity of modern smartphones means that nearly everyone has easy access to a camera at all times. In the event of a crime, the photographic evidence that these cameras leave in a smartphone’s memory becomes vital pieces of digital evidence, and forensic investigators are tasked with recovering and analyzing this evidence. Unfortunately, few existing forensics tools are capable of systematically recovering and inspecting such in-memory photographic evidence produced by smartphone cameras. In this paper, we present VCR, a memory forensics technique which aims to fill this void by enabling the recovery of all photographic evidence produced by an Android device’s cameras. By leveraging key aspects of the Android framework, VCR extends existing memory forensics techniques to improve vendor-customized Android memory image analysis. Based on this, VCR targets application-generic artifacts in an input memory image which allow photographic evidence to be collected no matter which application produced it. Further, VCR builds upon the Android framework’s existing image decoding logic to both automatically recover and render any located evidence. Our evaluation with commercially available smartphones shows that VCR is highly effective at recovering all forms of photographic evidence produced by a variety of applications across several different Android platforms.
GUITAR: Piecing together android app GUIs from memory images
In Proc. CCS, 2015
Cited by 1 (1 self)
An Android app’s graphical user interface (GUI) displays rich semantic and contextual information about the smartphone’s owner and app’s execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics however, once an electronic device becomes evidence most manual interactions with it are prohibited by criminal investigation protocols. Hence investigators must resort to “image-and-analyze” memory forensics (instead of browsing through the subject phone) to recover the apps’ GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure will be explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps’ GUIs from the multitude of GUI data elements found in a smartphone’s memory image. To do so, GUITAR involves the reconstruction of (1) GUI tree topology, (2) drawing operation mapping, and (3) runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.
TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens
Two-factor authentication has been widely used due to the vulnerabilities associated with traditional text-based password. One-time password (OTP) plays an indispensable role on authenticating mobile users to critical web services that demand a high level of security. As the smartphones are increasingly gaining popularity nowadays, software-based OTP generators have been developed and installed into smartphones as software apps, which bring great convenience to the users without introducing extra burden. However, software-based OTP solutions cannot guarantee the confidentiality of the generated passwords or even the seeds when the mobile OS is compromised. Moreover, they also suffer from denial-of-service attacks when the mobile OS crashes. Hardware-based OTP tokens can solve these secu-