[Vol-users] Samsung Galaxy Nexus RAM Analysis Issue

Quentin Chaki Cha quenberry at hotmail.com
Wed Sep 25 21:05:59 CDT 2013


Hi People, so over here i have used LiME to extract RAM information out of my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of analyzing as shown below:

root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------

Regardless of the volatility plugin i use (linux_pslist, linux_lsof), im always getting empty data. I ran the same command with the -dd flag as shown below. Any advice/help in this area would be greatly appreciated thank you :)


root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
Volatile Systems Volatility Framework 2.3_beta
DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file root/majorProject/omap/System.map with 453 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found system file root/majorProject/omap/System.map with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x605bad0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x2C800040, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x81ed
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: -
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Can not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Can not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
DEBUG1  : volatility.obj      : None object instantiated: Pointer next invalid

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130926/bc1eddef/attachment-0001.html


More information about the Vol-users mailing list