[Vol-users] Android Memory Forensics without System.map

Andrew Case atcuno at gmail.com
Mon Oct 7 14:15:29 CDT 2013


Hello,

You do need the System.map file (or at least the subset of values that
Volatility uses from it). We are currently exploring ways to reduce
this dependency, but there is no timeframe of when it may be done as
it requires a bit of extra research and is proving somewhat difficult.

On Wed, Oct 2, 2013 at 9:52 PM, Quentin Chaki Cha <quenberry at hotmail.com> wrote:
> Hi guys, I'm working on a project to analyze memory dumps of Android devices
> with Volatility. But it seems that it isn't possible to do so if the source
> code does not provide me with the System.map file. I can't compile my own
> System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER"
> (this would give me inaccurate addresses), nor can I use the /proc/kallsyms
> file from the Android device itself (this does not have the symbols required
> for Volatility to prepare). I just want to verify: is it actually still
> possible for me to use Volatility to analyze this memory dump if the
> System.map file wasn't distributed with the headers/source? Thanks.
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
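The two options the question rules out fail in different ways: a System.map built from source has the right symbol names but addresses that may not match the running kernel, while /proc/kallsyms pulled from the device has the right addresses but may lack symbols (data symbols are absent unless the kernel was built with CONFIG_KALLSYMS_ALL, and addresses read back as zero under kptr_restrict). The script below is an added example, not code from Volatility or from either poster; it parses both file formats, reports which of an assumed set of required symbol names is missing, flags a zeroed table, and diffs a compiled System.map against a device kallsyms so address drift between the two is visible before any profile work starts. The symbol tables and the `REQUIRED_SYMBOLS` list are constructed placeholders; the real set of names a given Volatility version looks up is not stated on this page.

```python
"""Check and compare Linux/Android symbol tables (System.map, /proc/kallsyms)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# One entry per symbol name: (address, nm-style type letter, module name or None).
Symbol = Tuple[int, str, Optional[str]]

# System.map and /proc/kallsyms share the layout "<hex address> <type> <name>";
# kallsyms appends "\t[module]" to symbols that belong to a loaded module.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[([^\]]+)\])?\s*$")

# Placeholder list (assumption): names a memory-forensics profile typically needs.
# Substitute whatever the tool version in use actually resolves.
REQUIRED_SYMBOLS: Sequence[str] = ("init_task", "swapper_pg_dir", "sys_call_table", "modules")


def parse_symbol_table(text: str) -> Dict[str, Symbol]:
    """Parse System.map or /proc/kallsyms text into {name: (addr, type, module)}.

    The first occurrence of a name wins, so duplicated static names, which
    kallsyms can legitimately contain, never silently overwrite each other.
    """
    symbols: Dict[str, Symbol] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a symbol table entry: {raw!r}")
        addr, kind, name, module = match.groups()
        symbols.setdefault(name, (int(addr, 16), kind, module))
    return symbols


def missing_symbols(symbols: Dict[str, Symbol], required: Sequence[str] = REQUIRED_SYMBOLS) -> List[str]:
    """Names from `required` that the table does not define, in the order given."""
    return [name for name in required if name not in symbols]


def addresses_zeroed(symbols: Dict[str, Symbol]) -> bool:
    """True when every address is 0: kallsyms read without privilege under
    kptr_restrict looks like this and carries no usable address information."""
    return bool(symbols) and all(addr == 0 for addr, _, _ in symbols.values())


def compare_tables(reference: Dict[str, Symbol], candidate: Dict[str, Symbol]) -> Tuple[List[str], List[str], List[str]]:
    """Diff two tables: (only in reference, only in candidate, shared but at different addresses)."""
    only_ref = sorted(set(reference) - set(candidate))
    only_cand = sorted(set(candidate) - set(reference))
    moved = sorted(name for name in reference.keys() & candidate.keys()
                   if reference[name][0] != candidate[name][0])
    return only_ref, only_cand, moved


# Constructed sample: a System.map from a local ARM kernel build (full symbol set).
SAMPLE_SYSTEM_MAP = "\n".join([
    "c0004000 D swapper_pg_dir",
    "c0008000 T stext",
    "c0008180 T __turn_mmu_on",
    "c000c4a0 D sys_call_table",
    "c000d000 T kernel_thread",
    "c0a00000 D modules",
    "c0b20000 D init_task",
])

# Constructed sample: /proc/kallsyms from the device, text symbols only and one
# function placed differently because the device kernel was not built from
# exactly this tree.
SAMPLE_DEVICE_KALLSYMS = "\n".join([
    "c0008000 T stext",
    "c0008180 T __turn_mmu_on",
    "c000d240 T kernel_thread",
    "bf000000 t example_probe\t[example_mod]",
])

# Constructed sample: the same file read without privilege under kptr_restrict.
SAMPLE_RESTRICTED_KALLSYMS = "00000000 T stext\n00000000 T __turn_mmu_on\n"


def main() -> None:
    built = parse_symbol_table(SAMPLE_SYSTEM_MAP)
    device = parse_symbol_table(SAMPLE_DEVICE_KALLSYMS)
    print("required symbols absent from device kallsyms:", missing_symbols(device))
    print("restricted kallsyms usable:", not addresses_zeroed(parse_symbol_table(SAMPLE_RESTRICTED_KALLSYMS)))
    only_built, only_device, moved = compare_tables(built, device)
    print("only in built System.map:", only_built)
    print("only in device kallsyms:", only_device)
    print("shared symbols whose addresses differ:", moved)


if __name__ == "__main__":
    main()
```

A non-empty `moved` list is the practical signal that a locally compiled System.map does not describe the kernel in the dump, which is the "inaccurate addresses" problem the question describes; a non-empty `missing_symbols` result on the device's kallsyms is the other half of it.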
