Acquisition and Analysis of Volatile Memory from Android Devices

Monday, January 9, 2012

We are happy to announce that our paper on Android memory forensics has just been published in the Journal of Digital Investigations! This paper covers a number of topics that we believe will be of interest to both practitioners and researchers in the memory forensics field.

The two main contributions of the paper are:

  1. A kernel module that is able to acquire a complete memory capture from Android devices as well as other Linux computers. This module is also unique in that it operates solely within the kernel and does not require userland interaction. This preserves memory much more effectively than other kernel modules, and a complete comparison of the efficiency is given in the paper. The kernel module can also acquire memory over the network, which prevents the investigator from having to save to the phone’s internal storage or SD card.
  2. Additions to the Volatility memory analysis framework that allow it to analyze Android kernel memory. This allows all of the Linux analysis plugins to be used against Android memory captures.

There is also discussion of the difficulty of performing generic memory analysis of Android devices, as well as the differences between the ARM and Intel architectures, the latter being where a majority of previous memory forensics research has been performed.

If you are interested in this research and are going to be at Shmoocon, Joe Sylve (@jtsylve) will be there presenting the memory acquisition module as well as the Volatility capabilities. You can also leave comments on the blog or find us on Twitter.



Source: Digital Forensics Solutions: New Paper - Acquisition and Analysis of Volatile Memory from Android Devices
