Australian Digital Forensics Conference

Document Type

Conference Proceeding

Publisher

SRI Security Research Institute, Edith Cowan University, Perth, Western Australia

Abstract

The increasing use of encryption and obfuscation within the malware development arena has necessitated the use of volatile memory acquisition on smartphone platforms. Current smartphone forensics research lacks a well-formulated process for the acquisition of volatile memory. This research evaluates and contrasts three different tools for the acquisition of volatile memory from the Android platform: Live Response, Linux Memory Extractor (LiME) and Mem Tool. Evaluation is conducted through practical examination during the analysis of an infected device. The results demonstrate that a combination of LiME and the Volatility Framework provides the most robust findings. Complexities due to the nature of LiME prevent it from being a feasible tool for real-world use. In contrast, Live Response is found to be reliable and applicable to real-world scenarios. In all evaluations, it was found that the forensic practitioner must take care to understand and be aware of the impact on data stored within volatile memory caused by the acquisition process.

Comments

13th Australian Digital Forensics Conference, held 30 November – 2 December 2015 (pp. 5-14), Edith Cowan University Joondalup Campus, Perth, Western Australia.

DOI

10.4225/75/57b3f143fb884