Mobile-Sandbox & ADEL: Automated Malware Analyses / Mobile Phone Forensics
MobWorm (Mobile-Sandbox & ADEL)
Overview
Malware is defined as computer programs that an attacker uses to execute malicious code on a victim's computer. In today's Internet malware constitutes a major problem, and effective safety measures against this threat are necessary. The same problem looms as a new and future threat to smartphones, which hold a lot of information that is of great interest to attackers. Several hundred different versions of malware for this type of device have already been observed, and it is expected that this number will increase even further within the next years. Thus, effective and efficient protection measures against malware on mobile devices (mobile malware) become necessary, in order to have procedures for detecting and repelling these threats right from the beginning. Moreover, today there is almost no criminal action in which information technology does not play a role. Increasingly, mobile devices become an object of investigation in the context of crime detection. For these reasons two major research aspects have been defined within the scope of a BMBF project named MobWorm.
Automated Malware Analyses:
In the scope of this question a prototype will be further developed. To that end it is investigated which information needs to be collected from a mobile sandbox, and the corresponding implementation is then carried out. Moreover, methods are investigated for how far the mobile sandbox may be used as a security measure, e.g. as a reference monitor for downloaded applications. Here the mobile sandbox monitors the activities of a program and terminates it immediately if an unauthorized sequence of actions occurs (e.g. opening a network connection that is not permitted, or dialing an expensive service number).
Mobile Phone Forensics:
Within the frame of this research question we develop several methods to conduct forensic analysis on smartphones. In this context a major focus is put on Google's Android platform. In a first step various methods of creating a memory dump of a mobile phone are researched (e.g. with the help of a Twister-Box, via JTAG or with specific software). These are documented as forensic processes, i.e. as detailed and exact activity rules. In a second step the methods for analyzing memory dumps are developed. As a result, the usability and effectiveness of standard procedures like file carving and hash-value databases in the area of mobile phones should be investigated. The focus of the application examples is always on the corresponding investigation of malware infections. The methods and tools developed within the scope of this research question are intended to be an addition to already existing proprietary systems and their functions, which are often not well documented. During development we put great emphasis on compliance with forensic principles and we follow the scientific standards in this area of research. The developed prototype as well as the fundamental research is important in order to understand the behavior of mobile devices and software in detail in terms of malware analysis.
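As an added illustration of the two standard procedures named above, file carving and hash-value databases (example code, not code from the MobWorm project or from ADEL), the following Python carves image objects out of a constructed memory dump by header/footer signature and looks each carved object up in a small constructed hash-value database; the signature table, the dump contents and the hash database are all assumptions made for this example.

```python
import hashlib

# Signature table for the carver: type -> (header, footer).
# Constructed for this example; a real carver loads a much larger set.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(dump, max_size=1 << 20):
    """Header/footer carving over a raw dump. Returns candidate objects as
    dicts with offset, type and bytes. A header without a footer within
    max_size is skipped: a carver must not guess where an object ends."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := dump.find(header, start)) != -1:
            end = dump.find(footer, pos + len(header), pos + max_size)
            if end == -1:          # truncated object, leave it uncarved
                start = pos + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": pos, "data": dump[pos:end]})
            start = end            # continue after the carved object
    return sorted(found, key=lambda f: f["offset"])

def classify(files, hash_db):
    """Look each carved object up in a hash-value database that maps
    SHA-256 hex digest -> label; unknown objects are flagged for review."""
    return [(f["offset"], f["type"],
             hash_db.get(hashlib.sha256(f["data"]).hexdigest(), "unknown"))
            for f in files]

# Constructed dump: a known-good image, a blob listed as a malware sample,
# and a truncated image that has no footer (all contents are made up).
KNOWN_IMAGE = b"\xff\xd8\xff\xe0" + b"JFIF-demo" + b"\xff\xd9"
MALWARE_BLOB = b"\x89PNG\r\n\x1a\n" + b"payload-in-png-container" + b"IEND\xaeB`\x82"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"no footer follows"
DUMP = (b"\x00" * 64 + KNOWN_IMAGE + b"filler" * 10 + MALWARE_BLOB
        + b"\x00" * 32 + TRUNCATED + b"\x00" * 16)

# Constructed hash-value database (hashes of the samples above).
HASH_DB = {
    hashlib.sha256(KNOWN_IMAGE).hexdigest(): "known-good",
    hashlib.sha256(MALWARE_BLOB).hexdigest(): "malware-sample",
}

def analyze(dump=DUMP, hash_db=HASH_DB):
    """Carve the dump and classify every carved object."""
    return classify(carve(dump), hash_db)

if __name__ == "__main__":
    for offset, ftype, label in analyze():
        print(f"offset {offset:6d}  {ftype:5s}  {label}")
```

Only the two complete objects are reported; the truncated image is left uncarved rather than being cut at an arbitrary boundary.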
Publications
- Felix Freiling, Sven Schmitt, Michael Spreitzenbarth: Forensic Analysis of Smartphones: The Android Data Extractor Lite (ADEL). The 2011 ADFSL Conference on Digital Forensics, Security and Law, Richmond, Virginia, USA, 2011-05-27.
- Michael Spreitzenbarth: Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware. In Sebastian Uellenbeck, editor, Proceedings of the Sixth GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING). Technical Report SR-2011-01, page 10. GI FG SIDAR, Bochum, March 2011.
- Michael Spreitzenbarth, Sven Schmitt, Felix Freiling: Forensic Acquisition of Location Data on Android Smartphones. In: Peterson, Gilbert; Shenoi, Sujeet (Eds.): Advances in Digital Forensics VIII. New York: Springer Science+Business Media, 2012, pp. 0-0.
- Michael Spreitzenbarth, Sven Schmitt: Is data retention still necessary in the age of smartphones? In Hakin9 Extra 03/12.