Hi all,

Android Memory acquisition will be part of a paper I have to write. So
far I have no problem to follow the description for an AVD on
https://code.google.com/p/volatility/wiki/AndroidMemoryForensic

Please excuse this noob question (and my bad English) but I'm going
crazy figuring this out:

Can LiME be used in real life Android forensics that is Android memory
is acquired without having to reboot the Android device beforehand?

Let's say:
I get an running Android mobile phone and for some lucky reason it is
both rooted and the user interface unlocked. (Are there any statistics
available how often this is the case?) My task is to acquire its RAM.

As far as I understood in order to use Lime for RAM acquisition I have to
a) get the Android kernel's source code from the manufacturer,
b) cross compile a new kernel with some settings for later being able to
insmod the LiME kernel module,
c) flash the compiled kernel onto the phone and
d) reboot the phone to get the new kernel running, which
e) destroys all the RAM I wanted to acquire, before I can
f) insmod LiME.

Please be patient and give me a hint where I'm going wrong?!

All papers I found so far used prepared phones.


Thanks a lot and have a nice weekend,
Philipp
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users