This article provides a detailed explanation of how to obtain a complete capture of memory of an Android device
Analysis of volatile memory of personal computers has become common practice by forensic investigators and malware analysts, and for a good reason. The memory contains a wealth of information that cannot be obtained from the disk, such as information about running processes, network connections, passwords and various traces of user and malware activity. This information can be extremely valuable during forensic investigations and malware analysis. However, in contrast to personal computers, the analysis of memory of mobile devices is rarely done. This is despite the fact that mobile devices are ubiquitous and often contain sensitive information such as private conversations, pictures and location data.
This article provides a detailed explanation of how to obtain a complete capture of memory of an Android device, and demonstrates several techniques to extract valuable information such as browser artefacts, instant messages and secrets from the memory image. It is a demonstration of what is possible, but also an explanation of the limitations that come into play, especially within the context of a forensic investigation in which the original contents of memory should be safeguarded. This article is a must-read for forensic investigators who wish to deepen their knowledge in mobile forensics, and for security researchers and malware analysts looking for a detailed view of the data in Android memory.