[Vol-users] How to generate a volatility profile for android? It's possible?

Andrew Case atcuno at gmail.com
Tue Sep 4 11:13:16 CDT 2012


Could you please send your module.dwarf that was produced by the
'make' in tools/linux and also send your profile zip? You can send
directly to me if you do not want to send to the list.

On Tue, Sep 4, 2012 at 11:06 AM, neofito <vjaviergarcia at ono.com> wrote:
> I'm using the trunk code because the volatility devel branch is not working
> for me:
>
> # python vol.py --info
> Volatile Systems Volatility Framework 2.2_alpha
> *** Failed to import volatility.plugins.overlays.linux.linux (ValueError:
> too many values to unpack)
> ...
>
> I already have a memory dump obtained with lime.
>
> In the cross-compilation of module.c and pmem.c I'm getting errors with
> certain linux headers. To solve these problems I added extra include lines in
> the file pmem.c and, finally, the source code compiles fine, but it does not
> work:
>
> # python vol.py -f ram_sdcard.lime --profile=Linuxandroid-2_3_7x86
> linux_pslist
> Volatile Systems Volatility Framework 2.2_alpha
> No suitable address space mapping found
> Tried to open image as:
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  JKIA32PagedMemory: No base Address Space
>  JKIA32PagedMemoryPae: No base Address Space
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  FileAddressSpace - EXCEPTION: too many values to unpack
>
> All modified files are attached (but surely the modifications are wrong).
>
> Thanks for your support (and sorry for my English)!
>
>
>
> On 04/09/2012 17:51, Andrew Case wrote:
>>
>> Hello,
>>
>> Can you explain what did not work in the cross compilation step?
>>
>> Also, I have CC'ed Joe Sylve who could help more. Besides the profile,
>> you will need to use LiME to get a memory capture from the device:
>>
>> https://code.google.com/p/lime-forensics/
>>
>> Also, once you have the profile and memory capture, you will need to
>> check out the 2.3-devel branch as it has the ARM support:
>>
>>
>> http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2F2.3-devel
>>
>> On Tue, Sep 4, 2012 at 10:38 AM, neofito <vjaviergarcia at ono.com> wrote:
>>>
>>> I'm trying to generate a profile for my android device. This profile just
>>> included the System.map file, obtained from /proc/kallsyms.
>>>
>>> How do I get a module.dwarf file? I made a new Makefile for the
>>> cross-compilation of module.c and pmem.c for Android but, obviously, it is
>>> not working.
>>>
>>> Thanks in advance!
>>
>>
>
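
Added example (not part of the original message, and not code from Volatility or LiME): a pre-flight check for the two inputs discussed in this thread, which walks the range headers of a LiME capture and reports which part of a profile zip is missing. It assumes LiME's 32-byte little-endian range header (magic 0x4C694D45, version 1, inclusive start and end addresses) and that the profile parts are recognised by a name ending in .dwarf and a name containing System.map; the sample capture and zip are constructed.

```python
import io
import struct
import zipfile

LIME_MAGIC = 0x4C694D45              # reads "EMiL" in a little-endian dump
LIME_HDR = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved

def lime_ranges(stream):
    """Return [(start, end, data_offset)] for every range in a LiME capture."""
    total = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    ranges = []
    while stream.tell() < total:
        at = stream.tell()
        raw = stream.read(LIME_HDR.size)
        if len(raw) < LIME_HDR.size:
            raise ValueError("truncated header at offset %d" % at)
        magic, version, start, end, _ = LIME_HDR.unpack(raw)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError("bad LiME header at offset %d" % at)
        data_off, size = stream.tell(), end - start + 1  # e_addr is inclusive
        if data_off + size > total:
            raise ValueError("range at offset %d runs past end of file" % at)
        ranges.append((start, end, data_off))
        stream.seek(data_off + size)
    return ranges

def profile_missing(zip_stream):
    """Name the profile parts absent from the zip (matching rule is an assumption)."""
    names = [n.lower() for n in zipfile.ZipFile(zip_stream).namelist()]
    checks = {"module.dwarf": lambda n: n.endswith(".dwarf"),
              "System.map": lambda n: "system.map" in n}
    return [part for part, ok in checks.items() if not any(ok(n) for n in names)]

def sample_capture():
    """Constructed two-range capture, not data from the thread."""
    return b"".join(LIME_HDR.pack(LIME_MAGIC, 1, s, s + n - 1, b"\0" * 8) + b"\xAA" * n
                    for s, n in ((0x0, 16), (0x100000, 32)))

def sample_profile(with_dwarf):
    """Constructed profile zip; the member names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("boot/System.map-sample", "c0008000 T _text\n")
        if with_dwarf:
            z.writestr("module.dwarf", "constructed\n")
    return buf

if __name__ == "__main__":
    print(lime_ranges(io.BytesIO(sample_capture())), profile_missing(sample_profile(False)))
```

A capture that fails the header walk, or a zip that reports a missing part, points at the acquisition or profile-building step rather than at the analysis plugin.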

