SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
The increasing use of encryption and obfuscation within the malware development arena has necessitated the use of volatile memory acquisition on smartphone platforms. Current smartphone forensics research lacks a well-formulated process for the acquisition of volatile memory. This research evaluates and contrasts three different tools for the acquisition of volatile memory from the Android platform: Live Response, Linux Memory Extractor (LiME) and Mem Tool. Evaluation is conducted through practical examination during the analysis of an infected device. The results demonstrate that a combination of LiME and the Volatility Framework provides the most robust findings. However, complexities inherent in LiME prevent it from being a feasible tool for real-world use. In contrast, Live Response is found to be reliable and applicable to real-world scenarios. In all evaluations, it was found that the forensic practitioner must take care to understand and be aware of the impact on data stored within volatile memory caused by the acquisition process itself.