
Spatial-Temporal Recreation of Android App Displays from Memory Images [pdf] - schlowmo
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_saltaformaggio.pdf
======
schlowmo
TL;DR The researchers claim this is a new memory forensic method to gather
information from recently used apps from Android devices. Instead of
extracting GUI-data from memory images, they extract app-internal data from
them (which persists longer than the GUI-data) and restore the View from that
data. With this method they can recreate multiple views in the past instead of
only one if GUI-data is targeted directly. The method is app-agnostic and
doesn't need any knowledge about the targeted apps. They tested their attack
against at least 15 apps with success.

They call their method "RetroScope"; the source code of their forensic tool can be
found on GitHub:

[https://github.com/ProjectRetroScope/RetroScope](https://github.com/ProjectRetroScope/RetroScope)

