In some cases it may be desirable to find information stored in memory on mobile devices that is no longer accessible logically, particularly deleted data. The fourth day of the course focuses on forensic examination and analysis of full physical memory dumps extracted from mobile devices.
Acquiring full memory contents is one of the more challenging aspects of mobile device forensics, and may not be feasible in all cases. We demonstrate the various mechanisms for acquiring memory, including Flasher boxes, and we assess their strengths and limitations from a forensic perspective. We will step you through the process of acquiring the full contents of physical memory from a mobile device. In addition, we will inspect the resulting output with an eye to assessing its completeness and accuracy.
Later in day 4, we guide you through a series of hands-on exercises to teach forensic examination of physical memory in mobile devices. These exercises begin with locating and interpreting data previously observed in logical examination to confirm the accuracy and completeness of findings. We then teach you how to use various tools and techniques for salvaging data from a mobile device memory dump, and confirming key findings by examining them in their original context in hexadecimal form.
SECURITY 563 Upcoming Events

| Event | Location | Dates | Delivery Method |
| --- | --- | --- | --- |
| SANS Security East 2010 | New Orleans, LA | Jan 10, 2010 - Jan 18, 2010 | Live Event |
| Community SANS San Antonio 2010 | San Antonio, TX | Jan 25, 2010 - Jan 29, 2010 | Community SANS |
| SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010 | Live Event |