Using Volatility on Android

To analyze volatile memory from Android devices, you will first need LiME. LiME is a Loadable Kernel Module (LKM) that gives access to the whole RAM of the device and can dump it to a physical SD card or network. After acquiring the volatile memory dump with LiME, we will show you how to install and configure Volatility to parse the RAM dump. In the last section, we will demonstrate how to get specific information out of the RAM dump.

LiME and the recovery image

LiME is a Loadable Kernel Module (LKM) that allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows for full memory captures on Android devices. It also minimizes its ...

Get Mastering Python Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Python Forensics by Dr. Michael Spreitzenbarth, Dr. Johann Uhrmann

Using Volatility on Android

LiME and the recovery image

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly