AMExtractor

AMExtractor can dump out the physical content of your Android device even without kernel source code.

Introduction

Memory forensic tools provide a thorough way to detect malware and investigate cyber crimes. AMExtractor is one such tool: it can dump the physical memory content of an Android device even when the kernel source code is not available.


How it Works

  1. Root access is required.

  2. Define the target phone's configuration in config.h. Preset configurations are available for Galaxy Nexus, Nexus 4, Nexus 5, and Samsung Galaxy S4 (I9500).

  3. Configure the options:

    • memory_model: one of FLAT_MEM, SPARSE_MEM, or DISCONTIG_MEM.
    • sizeof(struct page): the typical size is 32 bytes.
    • trigger_method: one of USE_SYNC_PTMX or USE_SEEK_ZERO.

  4. Compile the code and push it to the device.

  5. Test and run:

    • First, test that the code executes in the kernel.
    • Start the dump: on the Android side, run ./AMExtractor -d. On the PC side, forward a TCP connection from the device to localhost and capture the output.
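As an added example (not code from the AMExtractor project), the PC side of step 5 as a small shell script: push the binary, start the dump, forward the port with adb, capture the stream, then record the size and SHA-256 of the image and check that it is a whole number of pages. The TCP port, the remote path, the su invocation and the raw-image assumption are placeholders to adapt to your build.

```shell
#!/bin/sh
# Added example, not part of AMExtractor. Assumptions: the binary was built as
# ./AMExtractor, is pushed to /data/local/tmp, and the dump is served on TCP
# port $AMX_PORT (placeholder; use the port your build listens on).
AMX_PORT="${AMX_PORT:-4444}"
AMX_REMOTE="${AMX_REMOTE:-/data/local/tmp/AMExtractor}"

# Device side: push the binary and start the dump (needs root and a working
# adb connection; the su -c form varies between su implementations).
amx_push_and_start() {
    adb push ./AMExtractor "$AMX_REMOTE"
    adb shell "su -c 'chmod 755 $AMX_REMOTE && $AMX_REMOTE -d'" &
}

# PC side: forward the device port to localhost and stream it into a file.
amx_capture() {
    out="$1"
    adb forward "tcp:$AMX_PORT" "tcp:$AMX_PORT"
    nc localhost "$AMX_PORT" > "$out"
    adb forward --remove "tcp:$AMX_PORT"
}

# Record size and SHA-256 of a captured image (keep this with the evidence)
# and check that the length is a whole number of pages. This assumes a raw
# image; if your build wraps the dump in a header format, adjust the
# granularity. Returns 0 when aligned, 1 when not, 2 when the file is unusable.
check_dump() {
    f="$1"; page="${2:-4096}"
    [ -s "$f" ] || { echo "empty or missing dump: $f" >&2; return 2; }
    size=$(wc -c < "$f" | tr -d ' ')
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
    fi
    echo "$f size=$size sha256=$sum"
    [ $((size % page)) -eq 0 ] && return 0
    echo "warning: $f is not a multiple of $page bytes" >&2
    return 1
}

# Typical sequence once the device is ready:
#   amx_push_and_start; amx_capture phone.mem; check_dump phone.mem
```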

Key Features

  • Dumps the physical memory content of an Android device without kernel source code.
  • Tested on several devices shipped with different versions of Android.
