[Vol-users] LiME in real world Android forensics

Pasquale Stirparo pstirparo at gmail.com
Fri May 30 06:13:14 CDT 2014


Hi,

As Andrew said, you don't need to flash the kernel into the phone.
You need the kernel source code in order to cross-compile the LiME module for
that specific kernel version, then get root access to the phone and load
LiME via insmod.

The difficulty here is to find exactly the kernel version you need,
especially if you are talking about Android phones heavily customised by
the vendor.
For standard Google phones you should not have problems; as for other big
vendors, HTH for example lets you subscribe to their dev portal, and then you
get access to the kernel source of your device.

HTH

P.




On Sat, May 17, 2014 at 3:10 PM, masdif <masdif at posteo.net> wrote:

> Hi all,
>
> Android Memory acquisition will be part of a paper I have to write. So
> far I have no problem to follow the description for an AVD on
> https://code.google.com/p/volatility/wiki/AndroidMemoryForensic
>
> Please excuse this noob question (and my bad English) but I'm going
> crazy figuring this out:
>
> Can LiME be used in real life Android forensics that is Android memory
> is acquired without having to reboot the Android device beforehand?
>
> Let's say:
> I get a running Android mobile phone and for some lucky reason it is
> both rooted and the user interface unlocked. (Are there any statistics
> available on how often this is the case?) My task is to acquire its RAM.
>
> As far as I understood, in order to use LiME for RAM acquisition I have to
> a) get the Android kernel's source code from the manufacturer,
> b) cross compile a new kernel with some settings for later being able to
> insmod the LiME kernel module,
> c) flash the compiled kernel onto the phone and
> d) reboot the phone to get the new kernel running, which
> e) destroys all the RAM I wanted to acquire, before I can
> f) insmod LiME.
>
> Please be patient and give me a hint where I'm going wrong?!
>
> All papers I found so far used prepared phones.
>
>
> Thanks a lot and have a nice weekend,
> Philipp
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



-- 
Pasquale Stirparo, MEng
GCFA, GREM, OPST, OWSE, ECCE

Mobile Security and Digital Forensics Engineer
Founder @ SefirTech

PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
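As an added illustration of the procedure Pasquale describes (not code from the thread or from the LiME project): a small POSIX shell script that checks a cross-compiled lime.ko against the kernel actually running on the device before loading it with insmod, so a version mismatch is caught on the host instead of failing on the phone. It assumes `adb` and kmod's `modinfo` are in PATH, the device is rooted with a working `su`, and `lime.ko` was built against the device's own kernel source; the kernel release and vermagic strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: verify a LiME module matches the running kernel, then load it.
# Nothing is flashed; the module is loaded into the already-running kernel, so
# RAM contents survive. Assumes adb, modinfo, a rooted device with "su".
set -e

# vermagic_matches RUNNING_RELEASE VERMAGIC
# The first field of a module's vermagic (e.g. "3.4.0-g1234567 SMP preempt ...",
# a constructed sample) is the kernel release it was built for; insmod refuses
# the module if it differs from `uname -r` on the device.
vermagic_matches() {
    running="$1"
    built=$(printf '%s' "$2" | cut -d' ' -f1)
    [ "$running" = "$built" ]
}

# kernel_release_from_proc_version LINE
# /proc/version reads "Linux version <release> (builder@host) ..."; this pulls
# out <release> so it can be compared with the module's vermagic.
kernel_release_from_proc_version() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# acquire_ram MODULE DEVICE_OUTPUT_PATH
# Pushes lime.ko to the device and loads it; LiME writes the dump to the given
# path on the device (e.g. on the SD card) in its "lime" format.
acquire_ram() {
    module="$1"; out="$2"
    running=$(adb shell uname -r | tr -d '\r')
    built=$(modinfo -F vermagic "$module")
    if ! vermagic_matches "$running" "$built"; then
        echo "refusing to load: device runs $running, module built for $built" >&2
        return 1
    fi
    adb push "$module" /data/local/tmp/lime.ko
    adb shell su -c "insmod /data/local/tmp/lime.ko \"path=$out format=lime\""
    adb shell su -c "rmmod lime"   # unload once the dump has been written
}
```

Run `acquire_ram ./lime.ko /sdcard/ram.lime` with the device attached; the two helper functions can be exercised without a device.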