Pulling Android memory is not applicable in a very large number of cases due to the fact that it requires root access. Most public root processes involve rebooting the phone, which erases volatile RAM, meaning that by the time an examiner gains root to image the RAM, it's too late because the RAM has been erased. Because of this and possibly other reasons, there is not great support for Android RAM imaging and analysis in the commercial forensic world. However, there are cases where imaging RAM is applicable, and may prove invaluable. If a device is already rooted when it is seized, imaging the RAM should be a mandatory step in the seizure process. As powering the phone off will erase the RAM, the device should be placed in Airplane mode (any other network connections such as Wi-Fi and Bluetooth disabled), and the RAM should be imaged immediately to avoid the device battery dying before the RAM can be pulled.
Learning Android Forensics
Learning Android Forensics
Overview of this book
Related Content you might be interested in
Current Title:
Learning Android Forensics
No titles found
Table of Contents (15 chapters)
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Preface
Free Chapter
Introducing Android Forensics
Setting Up an Android Forensic Environment
Understanding Data Storage on Android Devices
Extracting Data Logically from Android Devices
Extracting Data Physically from Android Devices
Recovering Deleted Data from an Android Device
Forensic Analysis of Android Applications
Android Forensic Tools Overview
Index
Customer Reviews