Emulator Forensics Investigation Model (EFIM)
| Main Authors: | |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/11062911/ |
| Summary: | Emulator forensics has become critical in combating cybercrime, providing deep insight into digital artifacts generated within virtual environments. This study introduces the Emulator Forensics Investigation Model (EFIM), a nine-phase, platform-agnostic forensic framework designed to guide systematic investigations across Android emulator platforms. To implement this model, we developed the Emulator Forensics Tool (EFT), a lightweight, modular tool that supports the detection and analysis of widely used emulators, including Bluestacks, NoxPlayer, and Waydroid. EFT achieved a $48\times$ speed improvement over commercial tools on Windows and a $7\times$ gain on Unix systems, while also demonstrating lower RAM usage (80 MB vs. 1811 MB) and higher disk I/O throughput. EFIM formalizes its process via Set Theory and Finite State Machines (FSMs), ensuring auditability and reproducibility. EFT supports the binary-level extraction of encrypted BLOB artifacts (e.g., Gmail, Telegram), enabling deferred cryptographic analysis. The model is resilient to anti-forensic techniques such as timestomping and emulator fingerprinting and is validated through controlled experiments with synthetic datasets and statistical analysis. EFIM’s modular design enables future support for iOS simulators and game emulators. All non-sensitive EFT components are open-sourced to promote transparency. This research significantly enhances the forensic community’s capabilities in analyzing evasive emulator environments and contributes to legally reliable, scalable investigation practices. |
| ISSN: | 2169-3536 |