[Vol-users] How to generate a volatility profile for android? It's possible?

neofito vjaviergarcia at ono.com
Tue Sep 4 11:06:02 CDT 2012


I'm using the trunk code because the volatility devel branch is not 
working for me:

# python vol.py --info
Volatile Systems Volatility Framework 2.2_alpha
*** Failed to import volatility.plugins.overlays.linux.linux (ValueError: too many values to unpack)
...

I already have a memory dump obtained with lime.

In the cross-compilation of module.c and pmem.c I'm getting errors with 
certain Linux headers. To solve these problems I added extra include lines 
to the file pmem.c and, finally, the source code compiles fine, but it 
does not work:

# python vol.py -f ram_sdcard.lime --profile=Linuxandroid-2_3_7x86 linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  JKIA32PagedMemory: No base Address Space
  JKIA32PagedMemoryPae: No base Address Space
  IA32PagedMemoryPae: Module disabled
  IA32PagedMemory: Module disabled
  FileAddressSpace - EXCEPTION: too many values to unpack

All modified files are attached (but surely the modifications are wrong).

Thanks for your support (and sorry for my English)!



On 04/09/2012 17:51, Andrew Case wrote:
> Hello,
>
> Can you explain what did not work in the cross compilation step?
>
> Also, I have CC'ed Joe Sylve who could help more. Besides the profile,
> you will need to use LiME to get a memory capture from the device:
>
> https://code.google.com/p/lime-forensics/
>
> Also, once you have the profile and memory capture, you will need to
> check out the 2.3-devel branch as it has the ARM support:
>
> http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2F2.3-devel
>
> On Tue, Sep 4, 2012 at 10:38 AM, neofito <vjaviergarcia at ono.com> wrote:
>> I'm trying to generate a profile for my Android device. This profile just
>> included the System.map file, obtained from /proc/kallsyms.
>>
>> How do I get a module.dwarf file? I made a new Makefile for the
>> cross-compilation of module.c and pmem.c for Android but, obviously, it is not
>> working.
>>
>> Thanks in advance!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: modfiles.zip
Type: application/octet-stream
Size: 3450 bytes
Desc: not available
Url : https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20120904/2024ca6d/modfiles.obj
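
Added example, not part of the original message or of the Volatility or LiME code: a stand-alone check that a capture such as `ram_sdcard.lime` is a well-formed LiME image, which helps separate a damaged dump from a failure inside the analysis tool. It assumes the dump was written with LiME's `format=lime` layout (a 32-byte little-endian header of magic, version, start address, inclusive end address and 8 reserved bytes before each memory range); the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45             # stored little-endian, so the file starts with b"EMiL"
HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved (32 bytes)


def parse_lime(stream):
    """Walk every range header; return [(phys_start, phys_end, data_offset), ...]."""
    stream.seek(0, io.SEEK_END)
    total = stream.tell()
    stream.seek(0)
    ranges = []
    while stream.tell() < total:
        offset = stream.tell()
        raw = stream.read(HEADER.size)
        if len(raw) < HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        magic, version, start, end, _reserved = HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, offset))
        if version != 1:
            raise ValueError("unsupported version %d at offset %d" % (version, offset))
        if end < start:
            raise ValueError("range ends before it starts at offset %d" % offset)
        size = end - start + 1          # e_addr is inclusive
        data_offset = offset + HEADER.size
        if data_offset + size > total:
            raise ValueError("range at offset %d runs past end of file" % offset)
        ranges.append((start, end, data_offset))
        stream.seek(data_offset + size)
    return ranges


def build_sample():
    """Constructed two-range image (not a real capture) for a self-check."""
    first = HEADER.pack(LIME_MAGIC, 1, 0x0, 0xF, b"\0" * 8) + b"\x00" * 16
    second = HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x101F, b"\0" * 8) + b"\xAA" * 32
    return first + second


if __name__ == "__main__":
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    for start, end, off in parse_lime(source):
        print("phys 0x%x-0x%x  data at file offset %d" % (start, end, off))
```

If every range parses and the last one ends exactly at the end of the file, the capture itself is structurally sound and the problem lies elsewhere.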

