[Vol-users] LiME in real world Android forensics

Andrew Case atcuno at gmail.com
Thu May 29 20:33:07 CDT 2014


If the phone is rooted you can then just insmod the compiled LiME module
into it.

If the phone is not rooted then the best case is temporarily rooting the
phone (using an exploit that does not require a reboot), and then using
the temp root access to load the module.

Thanks,
Andrew (@attrc)
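The rooted-phone case Andrew describes, as an added shell example that is not part of this thread or of the LiME project: push a module already built for the phone's exact kernel, load it through su without rebooting, pull the dump and check its header. Assumes adb is on the PATH and authorised for the device, that su is available on the phone, and that /sdcard is writable; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Acquire RAM from an already rooted
# Android phone with a pre-built LiME module; no reboot, no reflash.
set -eu

LIME_KO="${LIME_KO:-lime.ko}"    # module compiled for the phone's kernel (placeholder)
DEV_DIR="${DEV_DIR:-/sdcard}"    # writable location on the device (assumption)
OUT="${OUT:-ram.lime}"           # local copy of the dump (placeholder)

# Build the insmod invocation. LiME's module parameters: path= (a file, or
# tcp:PORT) and format= (raw|padded|lime); "lime" keeps a header per range.
lime_insmod_cmd() {
    ko="$1"; dump="$2"
    printf "insmod %s 'path=%s format=lime'" "$ko" "$dump"
}

# A LiME-format dump starts with the magic 0x4C694D45, which reads "EMiL"
# on a little-endian device. An empty or truncated file fails this check.
lime_has_magic() {
    [ -s "$1" ] || return 1
    [ "$(head -c 4 "$1")" = "EMiL" ]
}

# The acquisition itself: only touches the device, so it must be invoked
# explicitly (run the script with --run). The nested quotes survive one
# pass through the device shell and one through `su -c`.
lime_acquire() {
    adb push "$LIME_KO" "$DEV_DIR/lime.ko"
    adb shell "su -c \"$(lime_insmod_cmd "$DEV_DIR/lime.ko" "$DEV_DIR/ram.lime")\""
    adb pull "$DEV_DIR/ram.lime" "$OUT"
    if lime_has_magic "$OUT"; then
        echo "dump header OK: $OUT"
    else
        echo "dump missing LiME magic: $OUT" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    lime_acquire
fi
```

The magic check is deliberately shallow; a full verification walks every range header in the dump, which is what a memory-analysis tool does when it opens the file.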

On 5/17/2014 8:10 AM, masdif wrote:
> Hi all,
> 
> Android Memory acquisition will be part of a paper I have to write. So
> far I have no problem to follow the description for an AVD on
> https://code.google.com/p/volatility/wiki/AndroidMemoryForensic
> 
> Please excuse this noob question (and my bad English) but I'm going
> crazy figuring this out:
> 
> Can LiME be used in real life Android forensics, that is, can Android memory
> be acquired without having to reboot the Android device beforehand?
> 
> Let's say:
> I get a running Android mobile phone and for some lucky reason it is
> both rooted and the user interface unlocked. (Are there any statistics
> available on how often this is the case?) My task is to acquire its RAM.
> 
> As far as I understood, in order to use LiME for RAM acquisition I have to
> a) get the Android kernel's source code from the manufacturer,
> b) cross compile a new kernel with some settings for later being able to
> insmod the LiME kernel module,
> c) flash the compiled kernel onto the phone and
> d) reboot the phone to get the new kernel running, which
> e) destroys all the RAM I wanted to acquire, before I can
> f) insmod LiME.
> 
> Please be patient and give me a hint where I'm going wrong?!
> 
> All papers I found so far used prepared phones.
> 
> 
> Thanks a lot and have a nice weekend,
> Philipp
