Android Forensics with volatility and LiME - Andrew Case

14 Dec 2012

Android powered phones dominate the mobile phone market, and Android powered devices, such as tablets, E-readers, and netbooks, have substantial shares in their respective markets. The ability of the forensics community to perform deep forensic analysis of Android devices is essential and will become a desirable skill for all forensics investigators. In this presentation, Andrew Case walks through new research into memory forensics against Android devices and discusses its application to real investigations. These capabilities include:

  • Capturing physical memory from the devices
  • Memory analysis of in-kernel data structures related to processes, memory maps, network connections, and more
  • Memory analysis of Android's application virtual machine, Dalvik, in order to perform deep recovery of application-specific information
  • Recovery of the tmpfs in-memory filesystem in order to recover the data store used by many applications to hold artifacts such as browser caches and configuration options
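The first capability above, capturing physical RAM with the LiME kernel module, produces a file whose layout every later analysis step depends on. The following Python is an added example (not code from the talk, from Volatility, or from LiME) that parses that layout and performs the physical-address-to-file-offset translation an analysis framework must do before it can walk kernel structures. The 32-byte per-range header (magic 0x4C694D45, version 1, 64-bit start and inclusive end address, 8 reserved bytes) follows the LiME module source; the two-range capture embedded below is constructed for the example and stands in for the discontiguous System RAM ranges a real ARM device exports.

```python
import struct
from typing import List, Optional, Tuple

# LiME per-range header, little-endian, 32 bytes: magic, version, start,
# end (inclusive), 8 reserved bytes. Layout as in the LiME module source.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


class LimeRange:
    """One physical RAM range as recorded in a LiME capture."""

    def __init__(self, start: int, end: int, file_offset: int):
        self.start = start              # first physical address in the range
        self.end = end                  # last physical address (inclusive)
        self.file_offset = file_offset  # where this range's bytes begin in the file

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def build_lime(ranges: List[Tuple[int, bytes]]) -> bytes:
    """Construct a LiME-format image from (start_address, data) pairs (test data only)."""
    out = bytearray()
    for start, data in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime(image: bytes) -> List[LimeRange]:
    """Walk the headers in a LiME capture and return the ranges it contains."""
    ranges: List[LimeRange] = []
    off = 0
    while off + LIME_HEADER.size <= len(image):
        magic, version, start, end, _reserved = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic 0x{magic:08x} at file offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if end < start:
            raise ValueError(f"range end 0x{end:x} precedes start 0x{start:x}")
        data_off = off + LIME_HEADER.size
        size = end - start + 1
        if data_off + size > len(image):
            # A capture cut short (device rebooted, storage full) ends mid-range.
            raise ValueError(f"truncated capture: range at 0x{start:x} needs {size} bytes")
        ranges.append(LimeRange(start, end, data_off))
        off = data_off + size
    if off != len(image):
        raise ValueError(f"{len(image) - off} trailing bytes after last range")
    return ranges


def phys_to_file_offset(ranges: List[LimeRange], paddr: int) -> Optional[int]:
    """Map a physical address to its file offset, or None if LiME did not dump it."""
    for r in ranges:
        if r.start <= paddr <= r.end:
            return r.file_offset + (paddr - r.start)
    return None  # hole between ranges: MMIO, reserved, or otherwise not System RAM


def read_physical(image: bytes, ranges: List[LimeRange], paddr: int, length: int) -> bytes:
    """Read bytes at a physical address, refusing a read that straddles a gap."""
    off = phys_to_file_offset(ranges, paddr)
    last = phys_to_file_offset(ranges, paddr + length - 1)
    if off is None or last is None or last - off != length - 1:
        raise ValueError(f"read of {length} bytes at 0x{paddr:x} leaves captured RAM")
    return image[off:off + length]


# Constructed sample: two non-adjacent ranges with a hole between them.
SAMPLE_RANGES = [
    (0x80000000, bytes(range(256)) * 16),  # 4 KiB of recognisable content
    (0x90000000, b"\xAA" * 0x800),         # 2 KiB second range
]
SAMPLE_IMAGE = build_lime(SAMPLE_RANGES)


if __name__ == "__main__":
    found = parse_lime(SAMPLE_IMAGE)
    for r in found:
        print(f"0x{r.start:08x}-0x{r.end:08x} ({r.size} bytes) at file offset {r.file_offset}")
    print(read_physical(SAMPLE_IMAGE, found, 0x80000010, 4).hex())
    print(phys_to_file_offset(found, 0x80001000))  # in the hole: None
```

On the device the capture itself is taken by loading the LiME module with its path= and format=lime parameters; the script only consumes the resulting file. The gap handling matters in practice: ARM devices leave holes between System RAM ranges, and a reader that silently treats the file as one flat image will return bytes from the wrong range for any address past the first hole.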

Combined, these capabilities provide the investigator with the ability to recover a wealth of runtime information and to gain deep insight into both the actions that were occurring on the phone when the memory capture was taken as well as historical actions.

The Volatility memory analysis framework will be used to showcase these forensics capabilities. Volatility is an open source project, written in Python, that allows investigators to write plugins capable of deep memory analysis. All of the functionality and plugins covered in the talk will be available on the Volatility Google code page for download.

The Volatility Labs blog: http://volatility-labs.blogspot.com/

Andrew's blog: http://memoryforensics.blogspot.com/
