Reliable and Trustworthy Memory Acquisition on Smartphones

With the wide usage of smartphones in our daily life, new malware is emerging to compromise the mobile OS and then steal or manipulate sensitive data from mobile applications. Forensic analysis tools demand a reliable and trustworthy memory acquisition of the operating systems running on the smartphones for further digital forensic analysis. However, a compromised OS may launch denial of service attacks to prevent a valid memory acquisition by forensic examiners. In this paper, we develop a TrustZone-based memory acquisition mechanism called TrustDump that is capable of reliably and securely obtaining the RAM memory and CPU registers of the mobile OS even if the OS has crashed or been compromised. TrustDump is isolated from the mobile OS by TrustZone. Instead of using a hypervisor to ensure the isolation between the OS and the memory acquisition tool, we rely on ARM TrustZone to achieve a hardware-assisted isolation with a small trusted computing base. TrustDump can include basic online analysis modules to catch malware in an early stage. Moreover, the acquired memory and register data can be sent to a remote server through a fast Micro-USB port for real-time forensics analysis when the OS runs or a slow serial port for further forensic analysis when the OS has crashed. A trusted graphical user interface is integrated in the TrustZone to authenticate the user and prevent the misuse of our memory acquisition tool. We build a TrustDump prototype on Freescale i.MX53 QSB.