[Vol-users] Samsung GT-I9023 Google Nexus S memory acquisition and analysis

Andrew Case atcuno at gmail.com
Thu Jul 24 12:37:59 CDT 2014


Hello,

Where are you located? Some foreign countries seem to be having shipping
delays.

As for the phone analysis..

1) Can you copy/paste uname -a from the phone
2) Can you copy/paste building the profile (cmdline input/output)
3) Can you copy paste running Volatiltiy with the "-dd" option set

These will greatly help debug the issue.

Thanks,
Andrew (@attrc)

On 07/24/2014 10:00 AM, masdif wrote:
> Hi all,
> 
> I pre-ordered “The Art of Memory Forensics” at March 22nd :-) and as of
> today delivery is estimated for September 1st :-(. I really hope there
> is a chapter about debugging the memory acquisition process. ;-)
> 
> Meanwhile may I kindly ask for your advice/hints how to debug the
> following? I am not able to successfully acquire and analyze a Nexus S
> Android memory dump.
> 
> Where could I start to look for errors?
> How can I assure that the dump is valid?
> How can I assure that the profile is valid?
> 
> Any hint is highly appreciated! :-)
> 
> 
> Thank you,
> Philipp
> 
> 
> 
> 
> ************************************************************
> 0  Where I failed :-(
> 
> Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide
> version, i9020t and i9023)”:
> 2.3.6 (GRK39F)
> 4.0.4 (IMM76D)
> 4.1.2 (JZO54K)
> 
> Up to now I tried the first two.
> 
> Just in case the two memory dumps as well as the two Volatility profiles
> are available here:
> https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA
> 
> 
> 
> 
> ************************************************************
> 1  Nexus S with Android 2.3.6 Gingerbread
> 
> ________________________________________
> 1.1 Prepare the phone
> 
> 
> 1.1.0 Boot loader is unlocked:
> $ adb reboot bootloader
> $ fastboot oem unlock
> 
> 
> 1.1.1 Get the factory image from [2] and flash it
> $ tar –zxvf soju-grk39f-factory-5ab09c98.tgz
> $ cd soju-grk39f
> $ adb reboot bootloader
> $ ./flash-all.sh
> 
> 
> 1.1.2 Start phone
> Click through the initial settings
> Enable USB debugging
> 
> Get version info:
> $ adb shell
> $ cat /proc/version
> Linux version 2.6.35.7-gf5f63ef
> (android-build at apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1
> PREEMPT Tue Aug 2 13:57:05 PDT 2011
> 
> 
> 1.1.3 Root the phone
> Get custom recovery from [5] (…because otherwise ADB sideload SuperSU
> won’t work) and flash custom recovery
> $ adb reboot bootloader
> $ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img
> 
> Get SuperSU from [6]
> Sideload SuperSU
> $ adb reboot bootloader
> Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start
> sideload”
> $ adb sideload UPDATE-SuperSU-v2.01.zip
> 
> Reboot the phone
> 
> ________________________________________
> 1.2 Prepare LiME
> 
> 
> 1.2.1 Get the Samsung kernel source from AOSP [7]
> $ mkdir -p ~/android/kernel && cd $_
> $ git clone https://android.googlesource.com/kernel/samsung.git
> $ cd samsung
> $ git checkout f5f63ef
> 
> 
> 1.2.2 Setting Up a Build Environment with AOSP from [8]
> $ mkdir -p ~/android/aosp && cd $_
> $ repo init -u https://android.googlesource.com/platform/manifest -b
> android-2.3.6_r0.9
> $ repo sync
> $ . build/envsetup.sh
> $ lunch full_crespo-user
> 
> Check compiler:
> $ arm-eabi-gcc --version
> arm-eabi-gcc (GCC) 4.4.3
> 
> Set environment variables:
> $ cd ~/android/kernel/samsung
> $ export ARCH=arm
> $ export SUBARCH=arm
> $ export CROSS_COMPILE=arm-eabi-
> 
> 
> 1.2.3 Compile the Samsung kernel
> 
> Configure the kernel:
> $ make herring_defconfig
> 
> Build the Samsung kernel:
> $ make
> 
> 
> 1.2.4 Download LiME  from [9] and Cross Compile
> $ mkdir -p ~/android && cd $_
> $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime
> $ cd ~/android/lime/src
> 
> Edit Makefile
> (I take CCPATH from  printenv | grep arm-eabi )
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> obj-m := lime.o
> lime-objs := tcp.o disk.o main.o
> 
> KDIR := ~/android/kernel/samsung
> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
> PWD := $(shell pwd)
> 
> default:
> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD)
> modules
> 	$(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko
> 	
> 	$(MAKE) tidy
> 
> tidy:
> 	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd
> \.*.ko.cmd \.*.o.d
> 	rm -rf \.tmp_versions
> 
> clean:
> 	$(MAKE) tidy
> 	rm -f *.ko
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Build LiME module:
> $ make
> 
> ________________________________________
> 1.3 Dump volatile memory
> $ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko
> 
> Screen must be unlocked now in order to grant ADB shell root access
> 
> $ adb shell
> $ su
> # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
> # exit
> $ exit
> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump
> 
> ________________________________________
> 1.4 Build a Volatility Profile
> 
> Get Volatility from [10]:
> $ svn checkout https://volatility.googlecode.com/svn/trunk/
> ~/android/volatility
> $ cd ~/android/volatility/tools/linux
> 
> Edit Makefile:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> obj-m += module.o
> KDIR := ~/android/kernel/samsung
> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
> 
> -include version.mk
> 
> all: dwarf
> 
> dwarf: module.c
> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR)
> CONFIG_DEBUG_INFO=y M=$(PWD) modules
> 	dwarfdump -di module.ko > module.dwarf
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Build module:
> $ make
> 
> Zip profile:
> $ zip
> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip
> module.dwarf ~/android/kernel/samsung/System.map
> 
> ________________________________________
> 1.5 Examine the Memory Dump with Volatility
> 
> $ cd ~/android/volatility/
> $
> $ python vol.py --info | grep Linux
> Volatility Foundation Volatility Framework 2.3.1
> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
> _NexusS_2.3.6_GRK39F_ ARM
> linux_banner            - Prints the Linux banner information
> linux_yarascan          - A shell in the Linux memory image
> $
> $ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f
> ~/android/dump/NexusS_2.3.6.dump linux_pslist
> Volatility Foundation Volatility Framework 2.3.1
> Offset     Name                 Pid             Uid             Gid
> DTB        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> VMWareSnapshotFile: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> IA32PagedMemoryPae: No base Address Space
> IA32PagedMemory: No base Address Space
> MachOAddressSpace: MachO Header signature invalid
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> VMWareSnapshotFile: Invalid VMware signature: 0x1
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM
> selected
> IA32PagedMemoryPae: Failed valid Address Space check
> IA32PagedMemory: Failed valid Address Space check
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: Failed valid Address Space check
> 
> ________________________________________
> 1.6 First attempt to debug
> 
> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000  EMiL....... at ....
> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000  ...O............
> 
> =>
> magic: 0x4c69 4d45 -> LiME
> version: 0x0000 0001 -> 1
> s_addr: 0x0000 0000 4000 0000
> e_addr: 0x0000 0000 4fff ffff
> reserved: 0x0000 0000 0000 0000
> 
> => Address range is:
> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
> 268435456
> 
> But file size is much bigger:
> $ stat -c %s ~/android/dump/NexusS_2.3.6.dump
> 401604672
> 
> 268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!!
> 
> 
> 
> 
> ************************************************************
> 2  Nexus S with Android 4.0.4 Ice Cream Sandwich
> 
> ________________________________________
> 2.1 Prepare the phone
> 
> 
> 2.1.0 Boot loader is unlocked
> 
> 
> 2.1.1 Get the factory image from [3] and flash it
> $ tar –zxvf soju-imm76d-factory-ca4ae9ee.tgz
> $ cd soju-imm76d
> $ adb reboot bootloader
> $ ./flash-all.sh
> 
> 
> 2.1.2 Start phone
> - as described before –
> 
> $ cat /proc/version
> Linux version 3.0.8-g6656123 (android-build at vpbs1.mtv.corp.google.com)
> (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
> 
> 
> 2.1.3 Root the phone
> - as described before -
> 
> ________________________________________
> 2.2 Prepare LiME
> 
> 
> 2.2.1 Get the Samsung kernel source from AOSP [7]
> $ mkdir -p ~/android/kernel && cd $_
> $ git clone https://android.googlesource.com/kernel/samsung.git
> $ cd samsung
> $ git checkout 6656123
> 
> 
> 2.2.2 Setting Up a Build Environment with AOSP from [8]
> $ mkdir -p ~/android/aosp && cd $_
> $ repo init -u https://android.googlesource.com/platform/manifest -b
> android-4.0.4_r1.1
> $ repo sync
> $ . build/envsetup.sh
> $ lunch full_crespo-user
> 
> Check compiler:
> $ arm-eabi-gcc --version
> arm-eabi-gcc (GCC) 4.4.3
> 
> Set environment variables:
> $ cd ~/android/kernel/samsung
> $ export ARCH=arm
> $ export SUBARCH=arm
> $ export CROSS_COMPILE=arm-eabi-
> 
> 
> 2.2.3 Compile the Samsung kernel
> - as described before -
> 
> 
> 2.2.4 Download LiME  from [9] and Cross Compile
> - as described before -
> 
> ________________________________________
> 2.3 Dump volatile memory
> - as described before –
> 
> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump
> 
> ________________________________________
> 2.4 Build a Volatility Profile
> 
> Get and build Volatility - as described before -
> 
> $ zip
> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip
> module.dwarf ~/android/kernel/samsung/System.map
> 
> ________________________________________
> 2.5 Examine the Memory Dump with Volatility
> 
> $ cd ~/android/volatility/
> $
> $ python vol.py --info | grep Linux
> Volatility Foundation Volatility Framework 2.3.1
> linux_banner            - Prints the Linux banner information
> linux_yarascan          - A shell in the Linux memory image
> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
> _NexusS_2.3.6_GRK39F_ ARM
> Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux
> _NexusS_4.0.4_IMM76D_ ARM
> $
> $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f
> ~/android/dump/NexusS_4.0.4.dump linux_pslist
> Volatility Foundation Volatility Framework 2.3.1
> Offset     Name                 Pid             Uid             Gid
> DTB        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
> - the rest as described before –
> 
> ________________________________________
> 2.6 First attempt to debug
> 
> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000  EMiL....... at ....
> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000  ...O............
> 
> =>
> magic: 0x4c69 4d45 -> LiME
> version: 0x0000 0001 -> 1
> s_addr: 0x0000 0000 4000 0000
> e_addr: 0x0000 0000 4fff ffff
> reserved: 0x0000 0000 0000 0000
> 
> => Address range is:
> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
> 268435456
> 
> But file size is still bigger:
> $ stat -c %s ~/android/dump/NexusS_4.0.4.dump
> 325775424
> 
> 268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!!
> 
> 
> 
> 
> ************************************************************
> 3  Links
> 
> [1] https://developers.google.com/android/nexus/images\#soju
> [2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz
> [3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
> [4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz
> [5]
> http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img
> [6] http://download.chainfire.eu/supersu
> [7] https://android.googlesource.com/kernel/samsung.git
> [8] https://android.googlesource.com/platform/manifest
> [9] http://lime-forensics.googlecode.com/svn/trunk/
> [10] https://volatility.googlecode.com/svn/trunk/
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 


More information about the Vol-users mailing list