We are pleased to announce the release of LiME Forensics 1.1.
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
LiME 1.1 now supports three different output formats, including a new LiME format, which works with the new LiME address space which was recently added to the linux version of volatility. The LiME format allows you to create compact RAM images, which contain information about the physical RAM's layout. No more padding your images to fill the entire 4GB address space range, just because your 256MB of RAM is mapped at a high address! The new LiME format allows easier analysis with Volatility and we're hoping other tools will adopt the format as well.
Head over to our Google Code page to download LiME 1.1!
Senior Security Researcher, Joe Sylve (@jtsylve), will be giving a presentation about LiME and Android Memory Analysis with Volatility at the SANS Digital Forensics and Incident Response Summit on Tuesday, June 26, 2012. If you're attending, we'd love to meet you and hear what you think about LiME.