Public release of the RetroScope Android memory forensics framework
Switch branches/tags
Nothing to show
Clone or download

README.md

RetroScope

The majority of RetroScope's code is in the dalvik/vm/zombie directory.

Please be sure to read the RetroScope paper before working with RetroScope.

A demo of RetroScope recovering a suspect's chat session from a memory image of the Telegram app is available on YouTube at: https://youtu.be/bsKTmZEgxiE.

This code is provided as is. If you extend it in any way/fix any bugs, then please reach out to me. I will be glad to incorporate any upgrades and give you due credit! :)

To build RetroScope,

  1. Setup a build environment as described here: https://source.android.com/source/initializing.html

  2. Clone the RetroScope repo (we have had some problems building from the downloaded zip file).

  3. Build RetroScope with the typical Android build commands:
    $ source build/envsetup.sh
    $ lunch aosp_arm-eng
    $ make -j4 RetroScope
    $ lunch aosp_arm-eng
    $ make -j4

  4. Use the emulator-MAGIC binary. This will require overwriting the prebuilt emulator-arm or emulator64-arm binary with emulator-MAGIC.
    Do not use the prebuilt emulator binaries. They fail to boot. I do not know why, if you figure out then please email me!

  5. Push a memory image:
    If using pmd format (pmd code is in tools/pmd):

  6. Push the map file to the emulator's /system/usr/data/ directory

  7. Push the mem file to the emulator's sdcard
    RetroScope can be extended to handle any other memory image formats.

  8. Run the 'emulator' command. Hardware rendering should be enabled. The size of the emulator's screen should be at least as large as the subject device.