• DocumentCode
    3720579
  • Title

    Practicability study of android volatile memory forensic research

  • Author

    Philipp Wächter;Michael Gruhn

  • Author_Institution
    Faculty Computer Science, Albstadt-Sigmaringen University, Germany
  • fYear
    2015
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    As Android device and application storage encryption becomes more widespread, memory analysis becomes more important. Memory is often the only data immediately accessible without decryption and in most cases stores the encryption keys of persistent data currently in use. This work therefore investigates the practicability of current research in forensics with regard to acquiring and analyzing volatile memory of Android smartphones. To this end, we investigate 8 different Android smartphones in their stock vendor configurations. While we are able to recreate current research results by specifically preparing specific phones the same way as described in the relevant research publications, we are only able to conduct a full acquisition and full analysis against 1 of our 8 sample smartphones in its stock configuration. Because the stock configuration, as shipped by the manufacturer, i.e. non-rooted and locked boot loader, is the most likely configuration encountered by forensic investigators, we unfortunately must conclude that current research methods are not applicable in practice. We further present reasons for our conclusion and possible resolutions which should be endeavored by future research.
  • Keywords
    "Smart phones","Kernel","Forensics","Androids","Humanoid robots","Data mining","Linux"
  • Publisher
    ieee
  • Conference_Titel
    Information Forensics and Security (WIFS), 2015 IEEE International Workshop on
  • Type

    conf

  • DOI
    10.1109/WIFS.2015.7368601
  • Filename
    7368601