Mobile device forensics
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology
Android malware is a well-known challenging problem and many researchers/vendors/practitioners have tried to address this issue through application analysis techniques. In order to analyze Android applications, tools decompress APK files and extract relevant data from the Dalvik EXecutable (DEX) files. To acquire the data, investigators either use decompiled intermediate code generated by existing tools, e.g., Baksmali or Dex2jar or write their own parsers/dissemblers. Thus, they either need additional time because of decompiling the application into an intermediate representation and then parsing text files, or they reinvent the wheel by implementing their own parsers. In this article, we present Rapid Android Parser for Investigating DEX files (RAPID) which is an open source and easy-to-use JAVA library for parsing DEX files. RAPID comes with well-documented APIs which allow users to query data directly from the DEX binary files. Our experiments reveal that RAPID outperforms existing approaches in terms of runtime efficiency, provides better reliability (does not crash) and can support dynamic analysis by finding critical offsets. Notably, the processing time for our sample set of 22.35 GB was only 1.5 h with RAPID while the traditional approaches needed about 23 h (parsing and querying).
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Zhang, Xiaolu; Breitinger, Frank; and Baggili, Ibrahim, "Rapid Android Parser for Investigating DEX Files (RAPID)" (2016). Electrical & Computer Engineering and Computer Science Faculty Publications. 53.
Xiaolu Zhang, Frank Breitinger, and Ibrahim Baggili. “Rapid Android Parser for Investigating DEX files (RAPID)”. In: Digital Investigation 17 (2016), pp. 28 –39.