RetroScope tool can recover smartphone’s information to help investigators

Researchers have developed a new tool called RetroScope, which aims to recover information stored in smartphones. This tool can come handy to investigators in solving criminal cases.

  • Published: August 13, 2016 4:12 PM IST

With the rise in smartphone usage, information stored in the memory has become important evidence, especially in criminal cases. To aid law enforcement and investigators, researchers from Purdue University are working on a new technique for retrieving the vital information from smartphone’s volatile memory. The team has continuously worked for over nine months to build the RetroScope tool.

“We argue this is the frontier in cyber crime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps,” said lead researcher Dongyan Xu. He further added saying “investigators are able to obtain more timely forensic information toward solving a crime or an attack.”

Although the contents of volatile memory are gone as soon as the phone is shut down, it can reveal surprising amounts of forensic data if the device is up and running. The team’s early research resulted in work that could recover the last screen displayed by an Android application.

ALSO READ: Researchers unlock a dead man’s smartphone with 2D fingerprints

Building on that, Xu said, it was discovered that apps left a lot of data in the volatile memory long after that data was displayed. RetroScope makes use of the common rendering framework used by Android to issue a redraw command and obtain as many previous screens as available in the volatile memory for any Android app.  The device requires no previous information about an app’s internal data.

ALSO READ: Researchers develop software to let you control smartphone with eyes

The screens recovered, beginning with the last screen the app displayed, are presented in the order they were seen previously. “Anything that was shown on the screen at the time of use is indicated by the recovered screens, offering investigators a litany of information,” Xu said.

ALSO READ: Smartphone apps could improve emergency care for heart attack patients: Study

In testing, RetroScope recovered anywhere from three to 11 previous screens in 15 different apps, an average of five pages per app. The findings were presented during the USENIX Security Symposium in Austin, Texas.

“We feel without exaggeration that this technology really represents a new paradigm in smartphone forensics,” he said. “It is very different from all the existing methodologies for analyzing both hard drives and volatile memories,” Xu noted.

  • Published Date: August 13, 2016 4:12 PM IST