Acquiring volatile memory from Android based devices with LiME Forensics, Part I

My first guest post on the Open Security Research Blog was published yesterday. In this post I walk through the steps required to install and compile LiME Forensics, a Loadable Kernel Module that allows you to dump the full contents of memory of an Android based device. The instructions have been tested successfully on Ubuntu 11.10, with Java SE Development Kit 6 Update 31, the Android SDK r18, NDK r7c and with the emulator running an Android Virtual Device (AVD) based on Android 4.0.3 (API 15).

If you spot any errors, typos or mistakes please let me know, as I spent endless hours dealing with “cross-compiling kernel modules for Android” headaches. Actually the aim of this post is to save you from “some” of that pain when compiling LiME.

Enjoy and stay tuned for Part II!

Published by

Ismael Valenzuela

Global Director, Foundstone Consulting Services at Intel Security, GSE #132 & SANS Instructor for Digital Forensics & Cyberdefense tracks

3 thoughts on “Acquiring volatile memory from Android based devices with LiME Forensics, Part I”

  1. Hi,

    As you mentioned, you are an experienced person with LiME. I need some info regarding how I can answer the, as you mentioned, “cross-compiling kernel modules for Android” questions. There are a lot of (y/n) and multiple-choice questions that I don’t have any idea about.
