[Vol-users] Samsung Galaxy Nexus RAM Analysis Issue

Andrew Case atcuno at gmail.com
Wed Sep 25 22:07:34 CDT 2013


Hello,

Based on your previous email it still looks like you compiled a kernel yourself:

"#make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic modules_prepare"

This will produce a different System.map than that produced by the
original kernel compilation. Can you see if the addresses of symbols
in your System.map file match those of /proc/kallsyms on the running
device?

On Wed, Sep 25, 2013 at 9:05 PM, Quentin Chaki Cha
<quenberry at hotmail.com> wrote:
> Hi People, so over here I have used LiME to extract RAM information out of
> my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of
> analyzing as shown below:
>
> root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
> /root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
> Volatile Systems Volatility Framework 2.3_beta
> Offset     Name                 Pid             Uid             Gid    DTB
> Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
>
> Regardless of the Volatility plugin I use (linux_pslist, linux_lsof), I'm
> always getting empty data. I ran the same command with the -dd flag as shown
> below. Any advice/help in this area would be greatly appreciated, thank you
> :)
>
>
> root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
> /root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
> Volatile Systems Volatility Framework 2.3_beta
> DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file
> root/majorProject/omap/System.map with 453 symbols
> DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found system file
> root/majorProject/omap/System.map with 1 symbols
> DEBUG   : volatility.obj      : Applying modification from BashTypes
> DEBUG   : volatility.obj      : Applying modification from
> BasicObjectClasses
> DEBUG   : volatility.obj      : Applying modification from ELF64Modification
> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> DEBUG   : volatility.obj      : Applying modification from LimeTypes
> DEBUG   : volatility.obj      : Applying modification from MachoTypes
> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> DEBUG   : volatility.obj      : Applying modification from
> VMwareVTypesModification
> DEBUG   : volatility.obj      : Applying modification from
> VirtualBoxModification
> DEBUG   : volatility.obj      : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
>
> DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxObjectClasses
> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> Offset     Name                 Pid             Uid             Gid    DTB
> Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac:
> need base
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime:
> need base
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsHiberFileSpace32: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VirtualBoxCoreDumpElf64: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace32: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
> 0x605bad0>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.obj      : None object instantiated: Invalid Address
> 0x2C800040, instantiating lime_header
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
> Invalid Lime header signature
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
> Invalid magic found
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile:
> Invalid VMware signature: 0x81ed
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace32: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
> Incompatible profile LinuxNexusARM selected
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
> Failed valid Address Space check
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed
> valid Address Space check
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must
> be first Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
> Invalid Lime header signature
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1  : volatility.obj      : None object instantiated: Invalid Address
> 0x00000000, instantiating HPAK_HEADER
> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
> Invalid magic found
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1  : volatility.obj      : None object instantiated: Invalid Address
> 0x00000000, instantiating _VMWARE_HEADER
> DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile:
> Invalid VMware signature: -
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace32: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
> Incompatible profile LinuxNexusARM selected
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Can
> not stack over another paging address space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Can
> not stack over another paging address space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must
> be first Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Can
> not stack over another paging address space
> DEBUG1  : volatility.obj      : None object instantiated: Pointer next
> invalid
>
>
>
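
The check suggested in the reply above (System.map addresses against /proc/kallsyms from the running device), as an added example that is not part of the original message or of Volatility. The sample symbol tables, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): "address type name [module]".
SAMPLE_SYSTEM_MAP = """\
c0008000 T stext
c004a1b0 T do_fork
c0712e40 D init_task
c0745a10 B modules
"""
SAMPLE_KALLSYMS = """\
c0008000 T stext
c004a3f4 T do_fork
c0718e40 D init_task
c0745a10 B modules
bf000000 t lime_init\t[lime]
"""

def parse_symbols(text):
    """Map symbol name -> set of addresses; loadable-module symbols are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1].startswith("["):
            continue  # malformed line, or a module symbol absent from System.map
        try:
            table[fields[2]].add(int(fields[0], 16))
        except ValueError:
            continue  # first column is not a hex address
    return table

def compare(system_map_text, kallsyms_text):
    """Return (matching, mismatched, restricted) for symbols present in both inputs."""
    smap, live = parse_symbols(system_map_text), parse_symbols(kallsyms_text)
    # With kptr_restrict set, an unprivileged read of kallsyms shows every address as 0.
    restricted = bool(live) and all(a == {0} for a in live.values())
    matching, mismatched = [], []
    for name in sorted(set(smap) & set(live)):
        # Static symbols can share a name, so compare the address sets.
        (matching if smap[name] == live[name] else mismatched).append(name)
    return matching, mismatched, restricted

if __name__ == "__main__":
    ok, bad, restricted = compare(SAMPLE_SYSTEM_MAP, SAMPLE_KALLSYMS)
    if restricted:
        print("kallsyms addresses are all zero; read it as root with kptr_restrict=0")
    print("%d symbols match, %d differ: %s" % (len(ok), len(bad), ", ".join(bad)))
```

To run it on real data, pass the text of the profile's System.map and of a saved copy of the device's /proc/kallsyms to compare(); any mismatched core-kernel symbol means the System.map does not describe the kernel that was running when the image was taken.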

