dc.description.abstract
Extensive use of the Internet is increasing the risk of malware attacks on smart devices.
Implementing security controls on these devices is challenging because of their limited processing
and computation power. Different methods detect malware on smart devices through live
forensics, memory analysis, and timeline reconstruction; however, these solutions provide
only a limited number of artifacts and techniques. A forensic investigation model is needed
that identifies the most suitable set of paths and artifacts to detect the presence of malware
effectively. This study proposes an incident response model for detecting malware by
employing a digital forensic methodology. The proposed model consists of three phases:
proactive, reactive, and forensic process. The study extends the smart device forensic process
into four modules: (1) acquire & extract, (2) detect, (3) investigate, and (4) validate & report.
The experiments are conducted on Android devices with the latest APK malware. The
proposed model carefully examined and identified 11 different folder paths, such as /data/data,
/data/app, /system/app, and /system/data, that contain useful artifacts for investigation. The
systematic examination of these paths and their corresponding artifacts helps to construct a timeline of
the APK download URI, installation, traces, activity, intents, and system permissions acquired by
user-installed applications. The proposed model also correlates the changes made to system paths
and files by different user-installed applications. Similarly, the proposed system is
capable of identifying user-installed malware and benign applications. To prove the
effectiveness of the results, these suspicious applications are verified with Cuckoo Sandbox for
validation purposes.