Imaging and analyzing Android RAM

Pulling Android memory is not feasible in a great many cases because it requires root access. Most public root processes involve rebooting the phone, which erases volatile RAM, so by the time an examiner gains root access to image the RAM, it is too late: the RAM has already been erased. Because of this, and possibly other reasons, Android RAM imaging and analysis are not well supported by commercial forensic tools. However, there are cases where imaging RAM is applicable and may prove invaluable to a case. If a device is already rooted when it is seized, imaging the RAM should be a mandatory step in the seizure process. As powering the phone off will erase the RAM, the device should be placed in Airplane Mode (with any other network connections such as Wi-Fi and Bluetooth also disabled) and the RAM should be imaged immediately, before the device battery dies.

The main challenge when it comes to RAM is the analysis. RAM is completely raw, unstructured data; there is no file system. Viewed in a hex editor, RAM appears to be a giant blob of data with very little rhyme or reason to help examiners figure out what they are looking at. This difficulty is compounded by the fact that modern devices commonly have gigabytes of RAM. RAM can easily be searched by keyword using traditional forensic tools and methods, but that presumes the examiner already knows exactly what they are looking for.
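The keyword search described above, as an added example that is not from the book or any forensic tool it mentions: a chunked sweep over a raw RAM image that reports the absolute offset of every hit. It assumes the image is a plain file of physical memory with no structure, reads it in bounded chunks so a multi-gigabyte dump does not have to fit in memory, and searches each keyword as both ASCII and UTF-16LE, because strings held by Android's Java/ART runtime are commonly stored as UTF-16 and an ASCII-only scan misses them.

```python
import io
import re

CHUNK = 64 * 1024 * 1024   # 64 MiB reads, so a multi-GiB dump never sits in memory at once
ENCODINGS = ("ascii", "utf-16le")  # Java/ART heap strings are usually UTF-16, so scan both

def compile_patterns(keywords):
    """One case-insensitive bytes regex per (keyword, encoding) pair."""
    return [(kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE))
            for kw in keywords for enc in ENCODINGS]

def sweep(stream, keywords, chunk=CHUNK):
    """Yield (absolute_offset, keyword, encoding) for every hit in a raw image.

    The tail of each chunk is carried into the next read, so a string that
    straddles a chunk boundary is still found, and found exactly once.
    """
    pats = compile_patterns(keywords)
    longest = max(len(kw.encode(enc)) for kw, enc, _ in pats)
    carry, base = b"", 0
    while True:
        data = stream.read(chunk)
        buf = carry + data
        eof = not data
        # Hits starting in the last (longest - 1) bytes are deferred: they will
        # reappear at the front of the carried buffer on the next pass.
        limit = len(buf) if eof else len(buf) - (longest - 1)
        for kw, enc, pat in pats:
            for m in pat.finditer(buf):
                if m.start() < limit:
                    yield base + m.start(), kw, enc
        if eof:
            return
        carry = buf[len(buf) - (longest - 1):]
        base += len(buf) - len(carry)

def find_keywords(image, keywords, chunk=CHUNK):
    """Return hits sorted by offset; `image` is bytes or an open binary file."""
    stream = io.BytesIO(image) if isinstance(image, (bytes, bytearray)) else image
    return sorted(sweep(stream, keywords, chunk))

# Constructed stand-in for a dump (not real device memory): filler with the
# network name once as ASCII text and once as a UTF-16LE Java-style string.
SAMPLE_IMAGE = (b"\x00" * 40 + b"user=alice;ssid=HomeNet;" + b"\xff" * 37
                + "HOMENET".encode("utf-16le") + b"\x00" * 30)

if __name__ == "__main__":
    for off, kw, enc in find_keywords(SAMPLE_IMAGE, ["homenet"], chunk=32):
        print(f"0x{off:08x}  {kw}  ({enc})")
```

For a real acquisition, pass an open file (`open("ram.bin", "rb")`) instead of the constructed bytes; the small `chunk=32` in the demo only exists to force a hit across a read boundary.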
