Extraction and Analysis of Volatile Memory in Android Systems: An Approach Focused on Trajectory Reconstruction Based on NMEA 0183 Standard

Abstract

Android devices are widely used in the world and can function as GPS receivers. Time and position information have great relevance in investigation, however, data stored in non-volatile media may be limited with respect to the reconstruction of trajectories, since data from GPS receivers usually remains in RAM and is not written on log files, databases, and other artifacts. A prospective method for recovering data with GPS-coordinates stored in RAM memory of Android mobile devices is presented. Experiments were performed in different scenarios, with different device architectures, to analyze the feasibility of reconstruction of trajectories based on the NMEA 0183 protocol sentences retrieved from RAM memory. In developing the technique, it was possible to verify issues that can hinder the process of extraction and analysis of data and also assess tools that have been developed to aid the process.