[Vol-users] LiME in real world Android forensics

Joe Sylve joe.sylve at gmail.com
Thu May 29 20:41:50 CDT 2014


What Andrew said is completely accurate. What is your specific use case
(if I may ask)?
On May 29, 2014 8:33 PM, "Andrew Case" <atcuno at gmail.com> wrote:

> If the phone is rooted you can then just insmod the compiled LiME module
> into it.
>
> If the phone is not rooted then the best case is temporarily rooting the
> phone (using an exploit that does not require a reboot), and then using
> the temp root access to load the module.
>
> Thanks,
> Andrew (@attrc)
>
> On 5/17/2014 8:10 AM, masdif wrote:
> > Hi all,
> >
> > Android Memory acquisition will be part of a paper I have to write. So
> > far I have no problem to follow the description for an AVD on
> > https://code.google.com/p/volatility/wiki/AndroidMemoryForensic
> >
> > Please excuse this noob question (and my bad English) but I'm going
> > crazy figuring this out:
> >
> > Can LiME be used in real-life Android forensics, that is, Android memory
> > is acquired without having to reboot the Android device beforehand?
> >
> > Let's say:
> > I get a running Android mobile phone and for some lucky reason it is
> > both rooted and the user interface unlocked. (Are there any statistics
> > available how often this is the case?) My task is to acquire its RAM.
> >
> > As far as I understood, in order to use LiME for RAM acquisition I have to
> > a) get the Android kernel's source code from the manufacturer,
> > b) cross compile a new kernel with some settings for later being able to
> > insmod the LiME kernel module,
> > c) flash the compiled kernel onto the phone and
> > d) reboot the phone to get the new kernel running, which
> > e) destroys all the RAM I wanted to acquire, before I can
> > f) insmod LiME.
> >
> > Please be patient and give me a hint where I'm going wrong?!
> >
> > All papers I found so far used prepared phones.
> >
> >
> > Thanks a lot and have a nice weekend,
> > Philipp
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users