A team of researchers from the USENIX VID University has created a new mobile application for Android that extracts information from the most popular messaging apps. RetroScope is a forensics tool that aids investigators in recovering screenshots from applications such as Skype, Signal, Gmail, WeChat, Facebook, WhatsApp and Telegram. The software has been tested on the Samsung Galaxy S4, the LG G3 and the HTC One.
Forensic Capabilities of RetroScope
The team has found that the lack of in-memory management of application data creates a number of privacy-protection issues. RetroScope itself is a proof of concept of a powerful smartphone memory forensic technique which recovers multiple previous screens of a launched Android application. The tool uses spatial-temporal forensic methods which reveal the progression of the user’s interaction with the target app. This means that potentially any investigator can gain access to sensitive information if the user uses mobile payment services, banking software or private chats. The team states that “RetroScope achieves near perfect accuracy in both the recreation and ordering of reconstructed screens”.
The technology exploits the way memory management is handled by Android: the internal application data of previously accessed screens is preserved much longer in the device’s memory than the corresponding GUI structures. This observation gave the researchers the basis on which to construct the algorithms that power RetroScope. The tool can fully recover temporally ordered sets of screens (between 3 and 11 images per app) on popular Android devices.
RetroScope’s Evidence Reproduction
The RetroScope team produced an extensive study of several popular Android applications. The resulting data were used to track the allocation and destruction (overwriting) of the two relevant types of data. The researchers noted that they could extract pieces of both the GUI data structures and the app-internal data from memory. On Android devices, old screen data is overwritten rather than “shredded”. This means that data does not get destroyed with every swipe or modification of the screen values, but instead accumulates in memory.
The Android system is designed in such a way that short-lived data is overwritten only when a change requires the space. As long as the superseded data remains in the device’s memory, it can be accessed and reproduced by forensics tools such as RetroScope.
The tool itself is fully automated and only requires naming the target app before it starts scanning the memory image. RetroScope was able not only to reproduce how a target user had interacted with an application, but also to show previously deleted messages from apps like Facebook Messenger.
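To make the mechanism described above concrete, here is an added toy model (not RetroScope’s code and not from the paper): a constructed heap that reuses freed regions without zeroing them, a hypothetical app that navigates through a few screens, and a carver that recovers intact screen records from the resulting “memory image” and orders them by sequence number. The record layout, the screen texts and the shred flag are all assumptions made for the demonstration; the shred variant shows the mitigation (wiping data before its memory is reused).

```python
import re
import struct

# Constructed toy heap (not Android's allocator): freed regions are reused by
# overwriting, not "shredding", as the article describes for Android memory.
class ToyHeap:
    def __init__(self, size=256):
        self.mem = bytearray(size)
        self.free = [(0, size)]                   # free list of (offset, length)

    def alloc(self, data):
        for i, (off, ln) in enumerate(self.free):  # first-fit search
            if ln >= len(data):
                self.mem[off:off + len(data)] = data
                self.free[i] = (off + len(data), ln - len(data))
                return off
        raise MemoryError("toy heap exhausted")

    def release(self, off, ln, shred):
        if shred:                                  # mitigation: wipe before reuse
            self.mem[off:off + ln] = bytes(ln)
        self.free.insert(0, (off, ln))             # LIFO reuse; bytes linger otherwise

# Assumed per-screen record layout of the toy app: magic | seq (u32 LE) | text | NUL.
MAGIC = b"SCRN"

def screen_record(seq, text):
    return MAGIC + struct.pack("<I", seq) + text.encode() + b"\x00"

# Constructed screen history of a hypothetical payment app.
SCREENS = ["inbox: 2 unread", "msg from alice: pay rent tmrw",
           "typed reply: ok sending $400", "inbox: 0 unread"]

def run_app(shred, screens=SCREENS):
    """Navigate the screens; each navigation frees the previous screen's record.
    Returns the raw heap bytes, standing in for a captured memory image."""
    heap, live = ToyHeap(), None
    for seq, text in enumerate(screens, start=1):
        rec = screen_record(seq, text)
        off = heap.alloc(rec)
        if live is not None:
            heap.release(*live, shred=shred)       # gone from the GUI, not from RAM
        live = (off, len(rec))
    return bytes(heap.mem)

def recover_screens(image):
    """Carve intact screen records from the image and order them temporally."""
    found = []
    for m in re.finditer(rb"SCRN(.{4})([^\x00]*)\x00", image, re.DOTALL):
        seq = struct.unpack("<I", m.group(1))[0]
        found.append((seq, m.group(2).decode()))
    return sorted(found)                           # screen 2 survives only as a fragment
```

Without shredding, the carver recovers screens 1, 3 and 4 in order even though only screen 4 is still displayed, and screen 2 lingers as a partial fragment; with shredding, only the live screen is recoverable.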
This has serious privacy implications if the tool is misused by malicious actors, as it provides a very efficient way of revealing not only the information entered in private conversations, mobile banking apps and other applications, but also the user’s behaviour.
The detailed information, experiments and case studies are published in the paper produced by the team titled “Screen after Previous Screens: Spatial-Temporal Recreation of Android App Displays from Memory Images”.
RetroScope itself is available on GitHub.