Android Forensics with volatility and LiME - Andrew Case








Published on Dec 9, 2012

Android powered phones dominate the mobile phone market, and Android powered devices, such as tablets, e-readers, and netbooks, hold substantial shares of their respective markets. The ability of the forensics community to perform deep forensic analysis of Android devices is essential and will become a desirable skill for all forensics investigators. In this presentation, Andrew Case walks through new research into memory forensics against Android devices and discusses its application to real investigations. These capabilities include:

- Capturing physical memory from the devices
- Memory analysis of in-kernel data structures related to processes, memory maps, network connections, and more
- Memory analysis of Android's application virtual machine, Dalvik, in order to perform deep recovery of application-specific information
- Recovery of the tmpfs in-memory filesystem in order to recover the data store used by many applications to hold artifacts such as browser caches and configuration options

Combined, these capabilities provide the investigator with the ability to recover a wealth of runtime information and to gain deep insight into both the actions that were occurring on the phone when the memory capture was taken as well as historical actions.

The Volatility memory analysis framework will be used to showcase these forensics capabilities. Volatility is an open source project, written in Python, that allows investigators to write plugins capable of deep memory analysis. All of the functionality and plugins covered in the talk will be available on the Volatility Google code page for download.
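As an added example (not code from the talk, nor from the Volatility or LiME projects), the following Python parser walks the raw format that LiME writes: each captured RAM range is preceded by a 32-byte header (magic, version, inclusive start and end address, reserved bytes), and it is this header walk that lets an analysis tool map a physical address back to a file offset and notice holes between ranges. The struct layout follows LiME's own header definition; the sample image is constructed inline.

```python
import struct

# LiME per-range header, little-endian, 32 bytes (layout from LiME's lime.h):
#   u32 magic ("LiME"), u32 version, u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")


def parse_lime(dump: bytes):
    """Return [(start, end_inclusive, file_offset_of_data)] for every range in a LiME dump."""
    segments = []
    off = 0
    while off + HEADER.size <= len(dump):
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(dump, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic {magic:#x} at offset {off:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        size = e_addr - s_addr + 1          # e_addr is inclusive
        data_off = off + HEADER.size
        if data_off + size > len(dump):
            raise ValueError(f"segment at {off:#x} is truncated")
        segments.append((s_addr, e_addr, data_off))
        off = data_off + size
    if off != len(dump):
        raise ValueError("trailing bytes after last segment")
    return segments


def phys_to_offset(segments, paddr):
    """Translate a physical address to a file offset; None if it falls in a hole."""
    for s_addr, e_addr, data_off in segments:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None


def build_dump(ranges):
    """Constructed sample only: assemble a LiME image from (start, payload) pairs."""
    out = b""
    for s_addr, payload in ranges:
        out += HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


# Constructed two-range image with a hole between the ranges (not a real capture).
SAMPLE = build_dump([(0x80000000, b"A" * 16), (0x80100000, b"B" * 8)])
```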

Links from the presentation:

[1] http://code.google.com/p/lime-forensics/
[2] http://www.memoryanalysis.net/researc...
[3] http://volatility-labs.blogspot.com/2...
[4] http://volatility-labs.blogspot.com/2...
[5] http://code.google.com/p/volatility/w...
[6] http://code.google.com/p/volatility/w...
[7] http://volatility-labs.blogspot.com/

Andrew's blog:


DFIROnline is a monthly online meeting of digital forensic and incident response professionals. The purpose of these meetups is to enable information sharing among the DFIR community. These sessions are open to anyone and occur on the third Thursday of every month at 2000 US eastern time. If you would like to get involved and present something, please email meetup at writeblocked.org.

If you would like to receive emails about the schedule and upcoming events, you can subscribe to the DFIROnline mailing list at http://mail.writeblocked.org/mailman/.... The list is only used for announcements and reminders and should not generate more than a few emails a month. The schedule of upcoming events is at: http://www.writeblocked.org/dfironlin...

