[Vol-users] Re: Any actual LiME and Android Memory analysis on REAL devices?

Andrew Case atcuno at gmail.com
Fri Mar 29 14:12:46 CDT 2013


Could you send us the profile you created? Also, could you re-run
linux_pslist but add -dd before it and send us that output?

If the memory capture is something you are willing to share with the Vol
devs then we can really debug the issue with the profile and help you get
it sorted. We have an FTP server we could give you access to in order to
upload it.

On Sun, Mar 10, 2013 at 7:00 PM, Pasquale Stirparo <pstirparo at gmail.com> wrote:

> Hi,
>
> I was wondering: did anyone ever manage to do an analysis with a real
> device? I know the answer is Yes.
> The thing is that I've seen around many nice examples and tutorials
> working... but all of them with the emulator. The only real device sample
> "in the wild" seems to be the Evo4GRodeo samples from DFWRS Challenge.
>
> This time I'm pretty sure I did (almost?) everything right. Although if it
> doesn't work, probably it's not.
> I've also tried with another smartphone besides the HTC One X, the
> Galaxy Nexus, getting the correct kernel version. No compilation errors, no
> module errors, no lime module crashing on the phone, no volatility profile
> errors, nothing. Everything (looks) right.
>
> But still, when trying to run volatility I still keep getting empty
> results like this:
>
> hydra:volatility-read-only paco$ python vol.py
> --profile=LinuxGalaxyNexus-3_0_1x86 -f ~/memdump/test-lime-4.7.lime
> linux_pslist
> Volatile Systems Volatility Framework 2.3_alpha
> WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present
> in vtypes
> Offset     Name                 Pid             Uid             Gid    DTB
>        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
>
>
> Now I start wondering two things:
> - Is my lime dump the issue? The header looks fine, if I look inside
> with hexdump it seems reasonable, if I strings it I find my data.
> - Is it the volatility profile? Maybe, because I've even tried to dump
> the memory of my Galaxy Nexus with FROST (which uses LiME) and the result
> looks the same. So I started believing my problem is in the profile,
> although I cannot seem to find any other way to understand where the
> problem could be.
>
> So if anyone who successfully analyzed Android memory dumps from any real
> life device is willing to share his experience and/or Volatility profile,
> it would be great.
>
> Thanks
>
> P.
>
>
>
>
> --
> Pasquale Stirparo, MEng
> GCFA, OPST, OWSE, ECCE
>
>
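Added example, not code from the thread or from the LiME/Volatility projects: a small checker that walks every segment header in a LiME capture (32-byte header: magic 0x4C694D45, version 1, inclusive start/end physical addresses, 8 reserved bytes) and reports the first inconsistency, which is the quick way to rule the dump in or out before suspecting the profile. The sample capture and the corrupted copy are constructed inline.

```python
import struct

LIME_MAGIC = 0x4C694D45            # "LiME" as a little-endian u32 ("EMiL" in a hexdump)
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


def parse_lime(data):
    """Return [(start, end, file_offset_of_data), ...] for every segment,
    or raise ValueError at the first header that does not make sense."""
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, start, end, _reserved = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported header version %d at offset 0x%x" % (version, off))
        if end < start:
            raise ValueError("segment end 0x%x below start 0x%x" % (end, start))
        if segments and start <= segments[-1][1]:
            raise ValueError("segment at 0x%x overlaps or precedes the previous one" % start)
        size = end - start + 1         # e_addr is inclusive, like iomem resource ends
        off += HEADER.size
        if off + size > len(data):
            raise ValueError("segment 0x%x-0x%x runs past end of file" % (start, end))
        segments.append((start, end, off))
        off += size
    return segments


def check_lime(data):
    """None if the capture is internally consistent, else the error message."""
    try:
        parse_lime(data)
        return None
    except ValueError as err:
        return str(err)


def build_segment(start, payload):
    """Constructed helper: wrap a payload in a LiME segment header for the sample below."""
    end = start + len(payload) - 1
    return HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8) + payload


# Constructed sample: two RAM ranges (16 and 32 bytes) like a phone's iomem layout.
SAMPLE = build_segment(0x80000000, b"A" * 16) + build_segment(0x90000000, b"B" * 32)
# Same capture with the second segment's magic overwritten, as a damaged dump would look.
CORRUPT = SAMPLE[:48] + b"XXXX" + SAMPLE[52:]
```

Run `check_lime(open(path, "rb").read())` on a real `.lime` file; a clean result means the acquisition is structurally sound and attention can move to the profile.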