Procedures and tools for acquisition and analysis of volatile memory on android smartphones

Document Type

Conference Proceeding


Edith Cowan University


Faculty of Health, Engineering and Science


School of Computer and Security Science




Heriyanto A.P. (2014). Procedures and tools for acquisition and analysis of volatile memory on android smartphones. Proceedings of the 11th Australian Digital Forensics Conference, ADF 2013. (pp. 84-95). Edith Cowan University. Available here


Mobile phone forensics have become more prominent since mobile phones have become ubiquitous both for personal and business practice. Android smartphones show tremendous growth in the global market share. Many researchers and works show the procedures and techniques for the acquisition and analysis the non-volatile memory inmobile phones. On the other hand, the physical memory (RAM) on the smartphone might retain incriminating evidence that could be acquired and analysed by the examiner. This study reveals the proper procedure for acquiring the volatile memory inthe Android smartphone and discusses the use of Linux Memory Extraction (LiME) for dumping the volatile memory. The study also discusses the analysis process of the memory image with Volatility 2.3, especially how the application shows its capability analysis. Despite its advancement there are two major concerns for both applications. First, the examiners have to gain root privileges before executing LiME. Second, both applications have no generic solution or approach. On the other hand, currently there is no other tool or option that might give the same result as LiME and Volatility 2.3.

Access Rights