[Vol-users] Volatility Cannot Analyze Samsung Galaxy Nexus RAM (LiME)

Andrew Case atcuno at gmail.com
Wed Sep 18 13:42:51 CDT 2013


The /proc/kallsyms file is not a substitute for System.map, even if you
change the format around. It does not have all of the symbols that are
needed for Volatility to operate. How did you obtain the kernel
headers/source for your kernel? Was a System.map file distributed with the
headers/source?


On Mon, Sep 16, 2013 at 4:35 AM, Quentin Chaki Cha <quenberry at hotmail.com> wrote:

> Hi people,
>
> Currently I'm trying to use Volatility to analyze a memory image that I
> have acquired from my Samsung Galaxy Nexus using LiME. I saw somewhere on
> this forum(?) that the System.map file pulled out from /proc/kallsyms is
> unusable due to those lines that contain "[lime]" but can be addressed by
> removing those lines.
>
> I managed to build the profile and verified it against the following
> command:
> # python vol.py --info | grep Profile
> Volatile Systems Volatility Framework 2.3_beta
> Profiles
> Linuxsamsungx86 - A Profile for Linux samsung x86
> VistaSP0x64     - A Profile for Windows Vista SP0 x64
> VistaSP0x86     - A Profile for Windows Vista SP0 x86
> VistaSP1x64     - A Profile for Windows Vista SP1 x64
> VistaSP1x86     - A Profile for Windows Vista SP1 x86
> VistaSP2x64     - A Profile for Windows Vista SP2 x64
> VistaSP2x86     - A Profile for Windows Vista SP2 x86
> Win2003SP0x86   - A Profile for Windows 2003 SP0 x86
> Win2003SP1x64   - A Profile for Windows 2003 SP1 x64
> Win2003SP1x86   - A Profile for Windows 2003 SP1 x86
> Win2003SP2x64   - A Profile for Windows 2003 SP2 x64
> Win2003SP2x86   - A Profile for Windows 2003 SP2 x86
> Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
> Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
> Win2008SP1x64   - A Profile for Windows 2008 SP1 x64
> Win2008SP1x86   - A Profile for Windows 2008 SP1 x86
> Win2008SP2x64   - A Profile for Windows 2008 SP2 x64
> Win2008SP2x86   - A Profile for Windows 2008 SP2 x86
> Win7SP0x64      - A Profile for Windows 7 SP0 x64
> Win7SP0x86      - A Profile for Windows 7 SP0 x86
> Win7SP1x64      - A Profile for Windows 7 SP1 x64
> Win7SP1x86      - A Profile for Windows 7 SP1 x86
> WinXPSP1x64     - A Profile for Windows XP SP1 x64
> WinXPSP2x64     - A Profile for Windows XP SP2 x64
> WinXPSP2x86     - A Profile for Windows XP SP2 x86
> WinXPSP3x86     - A Profile for Windows XP SP3 x86
>
>
> However, when I run the command:
>
> #python vol.py --profile=Linuxsamsungx86 -f /root/majorProject/ram.lime
> linux_pslist
>
> I get the following error:
>
> Volatile Systems Volatility Framework 2.3_beta
> WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present
> in vtypes
> Offset     Name                 Pid             Uid             Gid
> DTB        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareSnapshotFile: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  IA32PagedMemoryPae: No base Address Space
>  IA32PagedMemory: No base Address Space
>  MachOAddressSpace: MachO Header signature invalid
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>  VMWareSnapshotFile: Invalid VMware signature: 0x81ed
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile Linuxsamsungx86 selected
>  IA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -:
> 'NoneType' and 'int'
>  IA32PagedMemory - EXCEPTION: unsupported operand type(s) for -:
> 'NoneType' and 'int'
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -:
> 'NoneType' and 'int'
>
>
> It's the same regardless of the Volatility plugin I'm using. Any idea
> where I'm wrong over here? Anyway, attached is a zip folder that contains the
> System.map file as well as my module.dwarf file. Any help or advice in this
> area would be greatly appreciated, thank you very much :)
>
> Oh yes, do let me know if there's any other information required that
> might help solve this issue, I'm quite desperate over here =P
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
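An added example (not code from the Volatility project or from either poster) that checks whether a kallsyms-derived symbol file is usable as a System.map: it flags the "[lime]" module lines the original post mentions, addresses zeroed by kptr_restrict, and required symbols that are simply absent. The REQUIRED_SYMBOLS set is an illustrative assumption; swapper_pg_dir and init_task are data symbols that /proc/kallsyms omits on kernels built without CONFIG_KALLSYMS_ALL, which is why stripping the module lines fixes the format but not the missing symbols.

```python
import re

# Illustrative subset of what a Volatility Linux profile needs (assumption);
# these are data symbols, which /proc/kallsyms omits without CONFIG_KALLSYMS_ALL.
REQUIRED_SYMBOLS = {"swapper_pg_dir", "init_task", "init_mm", "modules"}

# addr  type  name  [module]   -- the trailing [module] column is kallsyms-only
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")

def parse_symbol_file(text):
    """Return ({name: (addr, type)}, [(lineno, reason, line)]); the list
    holds lines a System.map consumer cannot use."""
    symbols, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable", line))
        elif m.group(4) is not None:    # module symbol, e.g. "... [lime]"
            problems.append((lineno, "module-suffix:" + m.group(4), line))
        elif int(m.group(1), 16) == 0:  # kptr_restrict zeroed the address
            problems.append((lineno, "zero-address", line))
        else:
            symbols[m.group(3)] = (int(m.group(1), 16), m.group(2))
    return symbols, problems

def check_system_map(text, required=REQUIRED_SYMBOLS):
    """Summarise usability: symbol count, absent required symbols, bad lines."""
    symbols, problems = parse_symbol_file(text)
    return {"count": len(symbols),
            "missing": sorted(required - set(symbols)),
            "problems": problems}

def clean_system_map(text):
    """Drop module-suffixed lines (the workaround the thread mentions).
    This fixes the format only; symbols that were never exported stay missing."""
    keep = [l for l in text.splitlines() if not re.search(r"\s\[\S+\]\s*$", l)]
    return "\n".join(keep) + "\n"

# Constructed sample resembling /proc/kallsyms from a kernel built without
# CONFIG_KALLSYMS_ALL (text symbols only), with the LiME module loaded.
SAMPLE_KALLSYMS = """\
c0008000 T stext
c0008000 T _text
c0008040 t __create_page_tables
bf000000 t write_lime_header\t[lime]
bf000200 t write_range\t[lime]
"""

if __name__ == "__main__":
    report = check_system_map(SAMPLE_KALLSYMS)
    print("missing:", report["missing"])
    for lineno, reason, line in report["problems"]:
        print("line %d: %s: %s" % (lineno, reason, line))
```

Running it on a real dump, the "missing" list is the quickest way to tell whether the file can work at all before building a profile from it.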