The majority of RetroScope's code is in the dalvik/vm/zombie directory.
Please be sure to read the RetroScope paper before working with RetroScope.
A demo of RetroScope recovering a suspect's chat session from a memory image of the Telegram app is available on YouTube at: https://youtu.be/bsKTmZEgxiE.
This code is provided as-is. If you extend it in any way or fix any bugs, please reach out to me. I will be glad to incorporate any upgrades and give you due credit! :)
To build RetroScope:
- Set up a build environment as described here: https://source.android.com/source/initializing.html
- Clone the RetroScope repo (we have had some problems building from the downloaded zip file).
- Build RetroScope with the typical Android build commands:

    $ source build/envsetup.sh
    $ lunch aosp_arm-eng
    $ make -j4 RetroScope
    $ lunch aosp_arm-eng
    $ make -j4

- Use the emulator-MAGIC binary. This requires overwriting the prebuilt emulator-arm or emulator64-arm binary with emulator-MAGIC. Do not use the prebuilt emulator binaries: they fail to boot. I do not know why; if you figure it out, please email me!
- Push a memory image. If using pmd format (the pmd code is in tools/pmd):
  - Push the map file to the emulator's /system/usr/data/ directory
  - Push the mem file to the emulator's sdcard
  RetroScope can be extended to handle any other memory image format.
- Run the 'emulator' command. Hardware rendering should be enabled. The emulator's screen must be at least as large as the subject device's screen.