[Vol-users] Android memory image

Tim tvidas at gmail.com
Mon Jan 28 22:32:07 CST 2013


last year the DFRWS Rodeo was centered around an Android memory image
created with lime.

http://dfrws.org/2012/program.shtml  (Rodeo appears about 3/4 down the page)
the download contains "Volatility 2.3 (Development) which supports ARM, the
device image created with lime, and rodeo questions."

-tim


On Mon, Jan 28, 2013 at 9:55 PM, Mike Lambert <dragonforen at hotmail.com>wrote:

>  Great! Profile and image is very helpful.
>
> Ah! I saw imageinfo had 'LimeAddressSpace' listed, hence I thought it
> already looked for Linux. I'm getting ahead of things.
>
> (BTW, Linux profiles are here
> http://code.google.com/p/volatility/wiki/LinuxProfiles )
>
> Many thanks again, you are always very helpful,
> Mike
>
>  > Date: Mon, 28 Jan 2013 20:41:47 -0600
>
> > Subject: Re: [Vol-users] Android memory image
> > From: atcuno at gmail.com
> > To: dragonforen at hotmail.com
> > CC: vol-users at volatilityfoundation.org
> >
> > Yes, I will send you links for the profile and mem image shortly.
> >
> > We do not include linux profiles within the release, but they do exist
> > on the wiki. With that said, we currently do not have any Android ones
> > up, but will when 2.3 is officially released.
> >
> > Also, imageinfo only supports Windows memory samples at the moment,
> > which is why you did not get a valid suggestion back.
> >
> > On Mon, Jan 28, 2013 at 8:37 PM, Mike Lambert <dragonforen at hotmail.com>
> wrote:
> > > Hi Andrew,
> > >
> > > Thanks. Does your link include the profile? That would get me started
> using
> > > Volatility.
> > >
> > > I have an image from an emulator now, but it isn't useful without a
> profile.
> > > Or is there something I'm missing? (I don't see any Linux profiles.)
> > > (see below, after your message for output from me)
> > >
> > > I am building a system to sport a testing emulator for acquisitions and
> > > infecting. I'll use a memory image I get from it.
> > > Making the profile, that will be interesting.
> > >
> > > I thought it would be nice to get out ahead of this (Android memory
> > > analysis). I imagine the Android malware issue will heat up rather
> quickly
> > > this year.
> > >
> > > Thanks,
> > > Mike
> > >
> > >> Date: Mon, 28 Jan 2013 20:13:13 -0600
> > >> Subject: Re: [Vol-users] Android memory image
> > >> From: atcuno at gmail.com
> > >> To: dragonforen at hotmail.com
> > >> CC: vol-users at volatilityfoundation.org
> > >
> > >>
> > >> Replying to the list in case others have the same question...
> > >>
> > >> As far as I know, there are not any published Android memory images.
> > >> For our own testing, we generally use our own phones, which we won't
> > >> be sharing the samples of obviously, or we pull mem dumps from the
> > >> emulator..
> > >>
> > >> If you want to just test and use Volatility, then I can send you a
> > >> link to an emulator memory capture, but if you want more control
> > >> and/or are building your own plugins then I would suggest setting up
> > >> the emulator yourself or rooting a real physical device and building a
> > >> profile. The only downside to real devices is that you need to be able
> > >> to build a profile, and sometimes vendors are slow to release the
> > >> source code & config for a particular version...
> > >>
> > >> On Mon, Jan 28, 2013 at 1:02 PM, Mike Lambert <
> dragonforen at hotmail.com>
> > >> wrote:
> > >> > I am looking for an Android memory image to use Volatility on. Does
> > >> > anyone
> > >> > have (or know where I can get) a memory image I can look at?
> > >> >
> > >> > If you are imaging Androids, can you reply offlist?
> > >> >
> > >> > Thanks! Have a good week!
> > > ================================cut-here==============================
> > > ========from-mike================
> > >
> > > C:\Python27\volatility-2.2>vol.py imageinfo -f
> > > \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> > > Volatile Systems Volatility Framework 2.2
> > > Determining profile based on KDBG search...
> > > Suggested Profile(s) : No suggestion (Instantiated with no
> > > profile)
> > > AS Layer1 : LimeAddressSpace (Unnamed AS)
> > > AS Layer2 : FileAddressSpace
> > > (C:\temp\Android_4-0-3_CLEAN_SDK_Emulator.mem)
> > > PAE type : No PAE
> > >
> > >
> > > C:\Python27\volatility-2.2>vol.py imageinfo --info
> > > Volatile Systems Volatility Framework 2.2
> > >
> > > Profiles
> > > --------
> > > VistaSP0x64 - A Profile for Windows Vista SP0 x64
> > > VistaSP0x86 - A Profile for Windows Vista SP0 x86
> > > VistaSP1x64 - A Profile for Windows Vista SP1 x64
> > > VistaSP1x86 - A Profile for Windows Vista SP1 x86
> > > VistaSP2x64 - A Profile for Windows Vista SP2 x64
> > > VistaSP2x86 - A Profile for Windows Vista SP2 x86
> > > Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
> > > Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
> > > Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
> > > Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
> > > Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
> > > Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
> > > Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
> > > Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
> > > Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
> > > Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
> > > Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
> > > Win7SP0x64 - A Profile for Windows 7 SP0 x64
> > > Win7SP0x86 - A Profile for Windows 7 SP0 x86
> > > Win7SP1x64 - A Profile for Windows 7 SP1 x64
> > > Win7SP1x86 - A Profile for Windows 7 SP1 x86
> > > WinXPSP1x64 - A Profile for Windows XP SP1 x64
> > > WinXPSP2x64 - A Profile for Windows XP SP2 x64
> > > WinXPSP2x86 - A Profile for Windows XP SP2 x86
> > > WinXPSP3x86 - A Profile for Windows XP SP3 x86
> > >
> > > Address Spaces
> > > --------------
> > > AMD64PagedMemory - Standard AMD 64-bit address space.
> > > FileAddressSpace - This is a direct file AS.
> > > IA32PagedMemory - Legacy x86 non PAE address space (to use specify
> > > --use_old_as)
> > > IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify
> > > --use_old_as)
> > > JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
> > > JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
> > > LimeAddressSpace - Address space for Lime
> > > WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
> > > WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
> > > WindowsHiberFileSpace32 - This is a hibernate address space for windows
> > > hibernation files.
> > >
> > > Scanner Checks
> > > --------------
> > > CheckHiveSig - Check for a registry hive signature
> > > CheckPoolIndex - Checks the pool index
> > > CheckPoolSize - Check pool block size
> > > CheckPoolType - Check the pool type
> > > CheckProcess - Check sanity of _EPROCESS
> > > CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes
> sense
> > > CheckThreads - Check sanity of _ETHREAD
> > > KPCRScannerCheck - Checks the self referential pointers to find KPCRs
> > > MultiPrefixFinderCheck - Checks for multiple strings per page,
> finishing at
> > > theoffset
> > > MultiStringFinderCheck - Checks for multiple strings per page
> > > PoolTagCheck - This scanner checks for the occurance of a pool tag
> > >
> > > Plugins
> > > -------
> > > apihooks - Detect API hooks in process and kernel memory
> > > atoms - Print session and window station atom tables
> > > atomscan - Pool scanner for _RTL_ATOM_TABLE
> > > bioskbd - Reads the keyboard buffer from Real Mode memory
> > > callbacks - Print system-wide notification routines
> > > clipboard - Extract the contents of the windows clipboard
> > > cmdscan - Extract command history by scanning for
> > > _COMMAND_HISTORY
> > > connections - Print list of open connections [Windows XP and 2003
> > > Only]
> > > connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp
> > > connections)
> > > consoles - Extract command history by scanning for
> > > _CONSOLE_INFORMATION
> > > crashinfo - Dump crash-dump information
> > > deskscan - Poolscaner for tagDESKTOP (desktops)
> > > devicetree - Show device tree
> > > dlldump - Dump DLLs from a process address space
> > > dlllist - Print list of loaded dlls for each process
> > > driverirp - Driver IRP hook detection
> > > driverscan - Scan for driver objects _DRIVER_OBJECT
> > > envars - Display process environment variables
> > > eventhooks - Print details on windows event hooks
> > > evtlogs - Extract Windows Event Logs (XP/2003 only)
> > > filescan - Scan Physical memory for _FILE_OBJECT pool allocations
> > > gahti - Dump the USER handle type information
> > > gditimers - Print installed GDI timers and callbacks
> > > gdt - Display Global Descriptor Table
> > > getservicesids - Get the names of services in the Registry and return
> > > Calcu
> > > lated SID
> > > getsids - Print the SIDs owning each process
> > > handles - Print list of open handles for each process
> > > hashdump - Dumps passwords hashes (LM/NTLM) from memory
> > > hibinfo - Dump hibernation file information
> > > hivedump - Prints out a hive
> > > hivelist - Print list of registry hives.
> > > hivescan - Scan Physical memory for _CMHIVE objects (registry
> > > hives)
> > > idt - Display Interrupt Descriptor Table
> > > imagecopy - Copies a physical address space out as a raw DD image
> > > imageinfo - Identify information for the image
> > > impscan - Scan for calls to imported functions
> > > kdbgscan - Search for and dump potential KDBG values
> > > kpcrscan - Search for and dump potential KPCR values
> > > ldrmodules - Detect unlinked DLLs
> > > linux_arp - Print the ARP table
> > > linux_bash - Recover bash history from bash process memory
> > > linux_check_afinfo - Verifies the operation function pointers of
> network
> > > protocols
> > > linux_check_creds - Checks if any processes are sharing credential
> > > structures
> > > linux_check_fop - Check file operation structures for rootkit
> > > modifications
> > > linux_check_idt - Checks if the IDT has been altered
> > > linux_check_modules - Compares module list to sysfs info, if available
> > > linux_check_syscall - Checks if the system call table has been altered
> > > linux_cpuinfo - Prints info about each active processor
> > > linux_dentry_cache - Gather files from the dentry cache
> > > linux_dmesg - Gather dmesg buffer
> > > linux_dump_map - Writes selected memory mappings to disk
> > > linux_find_file - Recovers tmpfs filesystems from memory
> > > linux_ifconfig - Gathers active interfaces
> > > linux_iomem - Provides output similar to /proc/iomem
> > > linux_lsmod - Gather loaded kernel modules
> > > linux_lsof - Lists open files
> > > linux_memmap - Dumps the memory map for linux tasks
> > > linux_mount - Gather mounted fs/devices
> > > linux_mount_cache - Gather mounted fs/devices from kmem_cache
> > > linux_netstat - Lists open sockets
> > > linux_pidhashtable - Enumerates processes through the PID hash table
> > > linux_pkt_queues - Writes per-process packet queues out to disk
> > > linux_proc_maps - Gathers process maps for linux
> > > linux_psaux - Gathers processes along with full command line and
> > > start t
> > > ime
> > > linux_pslist - Gather active tasks by walking the task_struct->task
> > > list
> > > linux_pslist_cache - Gather tasks from the kmem_cache
> > > linux_pstree - Shows the parent/child relationship between processes
> > > linux_psxview - Find hidden processes with various process listings
> > > linux_route_cache - Recovers the routing cache from memory
> > > linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
> > > linux_slabinfo - Mimics /proc/slabinfo on a running machine
> > > linux_tmpfs - Recovers tmpfs filesystems from memory
> > > linux_vma_cache - Gather VMAs from the vm_area_struct cache
> > > lsadump - Dump (decrypted) LSA secrets from the registry
> > > malfind - Find hidden and injected code
> > > memdump - Dump the addressable memory for a process
> > > memmap - Print the memory map
> > > messagehooks - List desktop and thread window message hooks
> > > moddump - Dump a kernel driver to an executable file sample
> > > modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
> > > modules - Print list of loaded modules
> > > mutantscan - Scan for mutant objects _KMUTANT
> > > netscan - Scan a Vista, 2008 or Windows 7 image for connections
> > > and
> > > sockets
> > > patcher - Patches memory based on page scans
> > > printkey - Print a registry key, and its subkeys and values
> > > procexedump - Dump a process to an executable file sample
> > > procmemdump - Dump a process to an executable memory sample
> > > pslist - Print all running processes by following the EPROCESS
> > > lists
> > > psscan - Scan Physical memory for _EPROCESS pool allocations
> > > pstree - Print process list as a tree
> > > psxview - Find hidden processes with various process listings
> > > raw2dmp - Converts a physical memory sample to a windbg crash
> > > dump
> > > screenshot - Save a pseudo-screenshot based on GDI windows
> > > sessions - List details on _MM_SESSION_SPACE (user logon
> > > sessions)
> > > shimcache - Parses the Application Compatibility Shim Cache
> > > registry key
> > > sockets - Print list of open sockets
> > > sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp
> > > sockets)
> > > ssdt - Display SSDT entries
> > > strings - Match physical offsets to virtual addresses (may take
> > > a while, VERY verbose)
> > > svcscan - Scan for Windows services
> > > symlinkscan - Scan for symbolic link objects
> > > thrdscan - Scan physical memory for _ETHREAD objects
> > > threads - Investigate _ETHREAD and _KTHREADs
> > > timers - Print kernel timers and associated module DPCs
> > > userassist - Print userassist registry keys and information
> > > userhandles - Dump the USER handle tables
> > > vaddump - Dumps out the vad sections to a file
> > > vadinfo - Dump the VAD info
> > > vadtree - Walk the VAD tree and display in tree format
> > > vadwalk - Walk the VAD tree
> > > volshell - Shell in the memory image
> > > windows - Print Desktop Windows (verbose details)
> > > wintree - Print Z-Order Desktop Windows Tree
> > > wndscan - Pool scanner for tagWINDOWSTATION (window stations)
> > > yarascan - Scan process or kernel memory with Yara signatures
> > >
> > >
> > > C:\Python27\volatility-2.2>vol.py linux_pslist -f
> > > \temp\Android_4-0-3_CLEAN_SDK_Emulator.mem
> > > Volatile Systems Volatility Framework 2.2
> > > Offset Name Pid Uid Start Time
> > > ---------- -------------------- --------------- ---------------
> ----------
> > > No suitable address space mapping found
> > > Tried to open image as:
> > > LimeAddressSpace: lime: need base
> > > WindowsHiberFileSpace32: No base Address Space
> > > WindowsCrashDumpSpace64: No base Address Space
> > > WindowsCrashDumpSpace32: No base Address Space
> > > AMD64PagedMemory: No base Address Space
> > > JKIA32PagedMemory: No base Address Space
> > > JKIA32PagedMemoryPae: No base Address Space
> > > IA32PagedMemoryPae: Module disabled
> > > IA32PagedMemory: Module disabled
> > > LimeAddressSpace: Invalid Lime header signature
> > > WindowsHiberFileSpace32: No xpress signature found
> > > WindowsCrashDumpSpace64: Header signature invalid
> > > WindowsCrashDumpSpace32: Header signature invalid
> > > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> > > JKIA32PagedMemory: No valid DTB found
> > > JKIA32PagedMemoryPae: No valid DTB found
> > > IA32PagedMemoryPae: Module disabled
> > > IA32PagedMemory: Module disabled
> > > FileAddressSpace: Must be first Address Space
> > >
> > > C:\Python27\volatility-2.2>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
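As an added example (not code from this thread or from the Volatility project): a walk over the segment headers of a LiME dump, the check that fails when Volatility reports "Invalid Lime header signature" as in the output above. It assumes the 32-byte LiME segment header layout (magic, version, start address, end address, 8 reserved bytes, little-endian); the sample dump is constructed inline.

```python
"""Walk and validate the segment headers of a LiME memory dump.

Added example, not from the list thread or from Volatility. LiME writes each
captured physical range as a 32-byte header followed by the range's bytes:
magic 0x4C694D45 ("EMiL" on disk), version 1, start address, inclusive end
address, 8 reserved bytes, all little-endian.
"""
import struct

LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


def lime_segments(data):
    """Return [(start, end, payload_file_offset)] or raise ValueError."""
    segs = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("invalid LiME header signature at offset 0x%x" % off)
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("bad range at offset 0x%x" % off)
        size = e_addr - s_addr + 1
        off += HEADER.size
        if off + size > len(data):
            raise ValueError("segment at offset 0x%x runs past end of file" % off)
        segs.append((s_addr, e_addr, off))
        off += size
    return segs


def is_lime(data):
    """True if every segment header parses cleanly, False otherwise."""
    try:
        lime_segments(data)
        return True
    except ValueError:
        return False


def make_segment(s_addr, payload):
    """Constructed helper: build one LiME segment for the sample below."""
    end = s_addr + len(payload) - 1
    return HEADER.pack(LIME_MAGIC, 1, s_addr, end, b"\0" * 8) + payload


# Constructed sample: two ranges, like an emulator with a hole between them.
SAMPLE = make_segment(0x00000000, b"A" * 64) + make_segment(0x10000000, b"B" * 32)
# A raw dd-style image carries no header, which is the "Invalid Lime header
# signature" case Volatility reported in the output above.
RAW = b"A" * 96

if __name__ == "__main__":
    for s, e, o in lime_segments(SAMPLE):
        print("range 0x%08x-0x%08x at file offset 0x%x" % (s, e, o))
```

Run it against a real capture by reading the file into `data` and calling `lime_segments(data)`; a dump that passes here but still fails in Volatility needs a profile, not a different address space.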