Hi all,

We (Alex Joss and Dario Schwab) worked on a set of Volatility plugins for a generic and automated analysis of Android apps that we would like to share with you. This work resulted from our bachelor thesis at the Security Engineering Lab of Bern University of Applied Sciences in Switzerland. For now, this is just a proof of concept, and it will be developed further in the future.
 
Our approach is based on the dalvik-plugins from Holger Macht, published to this mailing list on 2012-10-16.

Our plugins are the following:
- android_find_class_instances (scans the heap of the app)
- android_app_generic (analyses the contents of the found objects)

There are a few more files which have to be added or modified. Under the following link you will find the complete Volatility 2.3-alpha framework with our plugins and modifications already integrated: https://dl.dropbox.com/u/12931232/volatility-2.3-devel-android.zip
Unfortunately we can't provide a patch set, because our work is based on Volatility 2.3-alpha, which can't be downloaded anymore as a reference. Maybe someone could do this for us.

The plugins, their usage and each needed modification of existing files are explained in the attached README file.

Please let us know if you need help to get things running or if you have any suggestions.

Regards, Alex and Dario