Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings

Research Article

Coriander: A Toolset for Generating Realistic Android Digital Evidence Datasets

  • @INPROCEEDINGS{10.1007/978-3-319-73697-6_18,
        author={Irvin Homem},
        title={Coriander: A Toolset for Generating Realistic Android Digital Evidence Datasets},
        proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings},
        proceedings_a={ICDF2C},
        year={2018},
        month={1},
        keywords={Android forensics, Digital forensics, Mobile forensics, Memory forensics, Digital evidence, Datasets, Metadata, Machine learning, Triage},
        doi={10.1007/978-3-319-73697-6_18}
    }
    
  • Irvin Homem
    Year: 2018
    Coriander: A Toolset for Generating Realistic Android Digital Evidence Datasets
    ICDF2C
    Springer
    DOI: 10.1007/978-3-319-73697-6_18
Irvin Homem 1,*
  • 1: Stockholm University
*Contact email: irvin@dsv.su.se

Abstract

Triage has been suggested as a means to prioritize and identify sources and artifacts of evidence that might be of most interest when faced with large amounts of digital evidence. Memory Forensics has long relied on simple string matching to triage evidence sources. In this paper, we describe the early developments in our study on Machine Learning-based triage for Memory Forensics. To start off, there are no large datasets of memory captures available. We thus develop a toolset to enable the automated creation of realistic Android process memory dumps. Using our toolset, we generate a dataset of 2375 process memory string dumps from both malicious and benign Android applications, classified by VirusTotal, and sourced from the AndroZoo project. Our dataset and toolset are made available online to help promote research in this field and related areas.