Application-Level Memory Forensics for Dalvik

October 24, 2012

Dalvik is the process virtual machine used by Android; it runs all non-native applications on Android devices. Through Dalvik memory analysis, a wealth of insight can be gained into the workings of a running application, including all instantiated objects (class instances) and their variables, methods, and other per-instance class information. Analysis of structures at this level allows investigators to see internal application-level state in its “native” form. This is an important evolution in the state of cutting-edge memory forensics: it allows the investigator to move above the kernel level and see higher-level structures in readable form and with broad context.

504ENSICS Labs is currently researching methods for parsing Dalvik-level constructs from memory captures of Android devices, and is leveraging this research to develop technologies that will facilitate deep, standalone analysis of Android application-internal structures. These technologies will be immediately useful for malware analysis, incident response, and traditional forensic investigations.