Streamlining Extraction and Analysis of Android RAM Images

Simon Broenner

Abstract

As the Android operating system becomes more and more popular with each passing day, it is becoming increasingly important in day-to-day IT forensics. Streamlined techniques and tools for extracting and analyzing the contents of nonvolatile memory from Android devices are necessary to enable forensic technicians and analysts to acquire the data necessary for their work.
This thesis provides a reproducible set of instructions for extraction and analysis of memory from Android devices, with extensive background information and additional troubleshooting measures for devices which require their own unique approach. The examples given here are intended as a basis for the trial and error process required for approaching a given new target Android device in the wild. They include specific, extensive examples of the exact command lines required for building the tools necessary for performing memory extraction and analysis on Android, including custom kernels, loadable kernel modules and memory analysis profiles.
During the course of the project accompanying the thesis, the VOLIX II frontend for the Volatility Framework was extended to include support for Android memory images, allowing efficient basic analysis of the memory images extracted with the methods explained here.


Keywords: analysis, android, extraction, IT forensics, LiME, memory, mobile, RAM, smartphone, tablet

x