[Vol-users] Samsung GT-I9023 Google Nexus S memory acquisition and analysis

masdif masdif at posteo.net
Thu Jul 24 16:00:12 CDT 2014


Hello Andrew,

Yes, I expect that it will take a little while until the first shipments
arrive in Europe/Germany. ;-)
Pasquale's question in the other thread is interesting: Will there be an
ebook version provided for printed version buyers?


Back to the phone: Just talking about the currently installed 4.0.4 ICS:

______________________________________________________________________
1) Can you copy/paste uname -a from the phone

$ cat /proc/version
Linux version 3.0.8-g6656123 (android-build at vpbs1.mtv.corp.google.com)
(gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012

I just also installed BusyBox 1.22.1 from Google Play:

$ uname -a
Linux localhost 3.0.8-g6656123 #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
armv7l GNU/Linux


______________________________________________________________________
2) Can you copy/paste building the profile (cmdline input/output)

$ make
make ARCH=arm
CROSS_COMPILE=~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
-C ~/android/kernel/samsung CONFIG_DEBUG_INFO=y
M=/home/hotblack/android/volatility/tools/linux modules
make[1]: Entering directory `/home/hotblack/android/kernel/samsung'
CC [M]  /home/hotblack/android/volatility/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC      /home/hotblack/android/volatility/tools/linux/module.mod.o
LD [M]  /home/hotblack/android/volatility/tools/linux/module.ko
make[1]: Leaving directory `/home/hotblack/android/kernel/samsung'
dwarfdump -di module.ko > module.dwarf
$
$ zip
~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip
module.dwarf ~/android/kernel/samsung/System.map
  adding: module.dwarf (deflated 90%)
  adding: home/hotblack/android/kernel/samsung/System.map (deflated 73%)


______________________________________________________________________
3) Can you copy/paste running Volatility with the "-dd" option set

$ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f
~/android/dump/NexusS_4.0.4.dump -dd linux_pslist
Volatility Foundation Volatility Framework 2.3.1
DEBUG   : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG   : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG   : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile:
No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x628e1d0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid
Address 0x136AF040, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x628e090>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM selected
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
Must be first Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: No suggestions
available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM
selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check



Regards,
Philipp
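
An added example (it is not part of the original post, nor code from LiME or Volatility): a small Python walker over the LiME container format. LiME writes a 32-byte header in front of every physical RAM range it captures, not one header for the whole file, so the "e_addr - s_addr + 1 + 32 bytes" arithmetic in sections 1.6 and 2.6 of the quoted post only accounts for the first range. Taking the numbers from that post, 401604672 - (268435456 + 32) - 32 = 133169152 = 0x7F00000 and 325775424 - (268435456 + 32) - 32 = 57339904 = 0x36AF000, i.e. each dump is consistent with exactly one further page-aligned range following 0x40000000-0x4FFFFFFF. The -dd output above agrees with that: "Invalid Address 0x136AF040, instantiating lime_header" is the 4.0.4 file length (325775424) written in hex, which is the LiME address space reading headers until it runs off the end of the file, after which it logs "Succeeded instantiating LimeAddressSpace". The container is therefore intact and the failure comes from the ArmAddressSpace validity check layered on top of it. The ranges in the script's own sample dump are made up and far smaller than the phone's.

```python
import struct

# LiME on-disk format (version 1): every captured physical RAM range is
# written as a 32-byte little-endian header followed by the raw bytes of
# that range, so a dump of N ranges contains N headers back to back.
LIME_MAGIC = 0x4C694D45                 # shows up as "EMiL" in a hex dump
LIME_HEADER = struct.Struct("<IIQQQ")   # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = LIME_HEADER.size          # 32


def lime_header(s_addr, e_addr):
    """Serialize one version-1 segment header covering [s_addr, e_addr]."""
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, 0)


def walk_lime_segments(data):
    """Return [(s_addr, e_addr, payload_offset), ...] for every segment in
    file order. Raises ValueError when the file is not a clean chain of
    header+payload units, which is how a truncated or garbled dump shows up."""
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError("%d stray bytes at 0x%x: not a full header"
                             % (len(data) - off, off))
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME version %d at 0x%x" % (version, off))
        if e_addr < s_addr:
            raise ValueError("e_addr 0x%x below s_addr 0x%x at 0x%x" % (e_addr, s_addr, off))
        size = e_addr - s_addr + 1
        payload = off + HEADER_SIZE
        if payload + size > len(data):
            raise ValueError("segment 0x%x-0x%x needs %d bytes, only %d left: truncated dump"
                             % (s_addr, e_addr, size, len(data) - payload))
        segments.append((s_addr, e_addr, payload))
        off = payload + size
    return segments


def expected_file_size(ranges):
    """File size a dump of the given (s_addr, e_addr) ranges must have."""
    return sum(e - s + 1 + HEADER_SIZE for s, e in ranges)


def phys_to_offset(segments, paddr):
    """Map a physical address to its file offset, or None when no captured
    range holds it. This is the lookup an address-space layer performs
    before it can walk page tables in the image."""
    for s_addr, e_addr, payload in segments:
        if s_addr <= paddr <= e_addr:
            return payload + (paddr - s_addr)
    return None


def build_lime_dump(ranges, fill=b"\x00"):
    """Construct a synthetic dump for testing (not a real acquisition)."""
    out = bytearray()
    for s_addr, e_addr in ranges:
        out += lime_header(s_addr, e_addr)
        out += fill * (e_addr - s_addr + 1)
    return bytes(out)


if __name__ == "__main__":
    import mmap
    import sys
    if len(sys.argv) > 1:   # a real dump: map it instead of reading it whole
        blob = mmap.mmap(open(sys.argv[1], "rb").fileno(), 0, access=mmap.ACCESS_READ)
    else:                   # constructed two-range sample (addresses invented)
        blob = build_lime_dump([(0x40000000, 0x4000FFFF), (0x50000000, 0x50007FFF)])
    segs = walk_lime_segments(blob)
    for s_addr, e_addr, payload in segs:
        print("segment 0x%08x-0x%08x (%d bytes) payload at file offset 0x%x"
              % (s_addr, e_addr, e_addr - s_addr + 1, payload))
    print("headers account for %d of %d bytes"
          % (expected_file_size([(s, e) for s, e, _ in segs]), len(blob)))
```

Run it with the dump path as its argument to list the ranges of a real acquisition. Every byte of the file should be covered by the chain of headers; a ValueError means the chain does not reach the end of the file, which is the case actually worth investigating (an interrupted adb pull, or a dump written to a full /sdcard).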

________________________________________________________________
From:    Andrew Case
Sent:    Thursday, July 24, 2014 7:37PM
To:      Masdif, Vol-users
Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory
acquisition and analysis

> Hello,
> 
> Where are you located? Some foreign countries seem to be having shipping
> delays.
> 
> As for the phone analysis..
> 
> 1) Can you copy/paste uname -a from the phone
> 2) Can you copy/paste building the profile (cmdline input/output)
> 3) Can you copy/paste running Volatility with the "-dd" option set
> 
> These will greatly help debug the issue.
> 
> Thanks,
> Andrew (@attrc)
> 
> On 07/24/2014 10:00 AM, masdif wrote:
>> Hi all,
>>
>> I pre-ordered “The Art of Memory Forensics” on March 22nd :-) and as of
>> today delivery is estimated for September 1st :-(. I really hope there
>> is a chapter about debugging the memory acquisition process. ;-)
>>
>> Meanwhile may I kindly ask for your advice/hints how to debug the
>> following? I am not able to successfully acquire and analyze a Nexus S
>> Android memory dump.
>>
>> Where could I start to look for errors?
>> How can I assure that the dump is valid?
>> How can I assure that the profile is valid?
>>
>> Any hint is highly appreciated! :-)
>>
>>
>> Thank you,
>> Philipp
>>
>>
>>
>>
>> ************************************************************
>> 0  Where I failed :-(
>>
>> Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide
>> version, i9020t and i9023)”:
>> 2.3.6 (GRK39F)
>> 4.0.4 (IMM76D)
>> 4.1.2 (JZO54K)
>>
>> Up to now I tried the first two.
>>
>> Just in case the two memory dumps as well as the two Volatility profiles
>> are available here:
>> https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA
>>
>>
>>
>>
>> ************************************************************
>> 1  Nexus S with Android 2.3.6 Gingerbread
>>
>> ________________________________________
>> 1.1 Prepare the phone
>>
>>
>> 1.1.0 Boot loader is unlocked:
>> $ adb reboot bootloader
>> $ fastboot oem unlock
>>
>>
>> 1.1.1 Get the factory image from [2] and flash it
>> $ tar -zxvf soju-grk39f-factory-5ab09c98.tgz
>> $ cd soju-grk39f
>> $ adb reboot bootloader
>> $ ./flash-all.sh
>>
>>
>> 1.1.2 Start phone
>> Click through the initial settings
>> Enable USB debugging
>>
>> Get version info:
>> $ adb shell
>> $ cat /proc/version
>> Linux version 2.6.35.7-gf5f63ef
>> (android-build at apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1
>> PREEMPT Tue Aug 2 13:57:05 PDT 2011
>>
>>
>> 1.1.3 Root the phone
>> Get custom recovery from [5] (…because otherwise ADB sideload SuperSU
>> won’t work) and flash custom recovery
>> $ adb reboot bootloader
>> $ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img
>>
>> Get SuperSU from [6]
>> Sideload SuperSU
>> $ adb reboot bootloader
>> Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start
>> sideload”
>> $ adb sideload UPDATE-SuperSU-v2.01.zip
>>
>> Reboot the phone
>>
>> ________________________________________
>> 1.2 Prepare LiME
>>
>>
>> 1.2.1 Get the Samsung kernel source from AOSP [7]
>> $ mkdir -p ~/android/kernel && cd $_
>> $ git clone https://android.googlesource.com/kernel/samsung.git
>> $ cd samsung
>> $ git checkout f5f63ef
>>
>>
>> 1.2.2 Setting Up a Build Environment with AOSP from [8]
>> $ mkdir -p ~/android/aosp && cd $_
>> $ repo init -u https://android.googlesource.com/platform/manifest -b
>> android-2.3.6_r0.9
>> $ repo sync
>> $ . build/envsetup.sh
>> $ lunch full_crespo-user
>>
>> Check compiler:
>> $ arm-eabi-gcc --version
>> arm-eabi-gcc (GCC) 4.4.3
>>
>> Set environment variables:
>> $ cd ~/android/kernel/samsung
>> $ export ARCH=arm
>> $ export SUBARCH=arm
>> $ export CROSS_COMPILE=arm-eabi-
>>
>>
>> 1.2.3 Compile the Samsung kernel
>>
>> Configure the kernel:
>> $ make herring_defconfig
>>
>> Build the Samsung kernel:
>> $ make
>>
>>
>> 1.2.4 Download LiME  from [9] and Cross Compile
>> $ mkdir -p ~/android && cd $_
>> $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime
>> $ cd ~/android/lime/src
>>
>> Edit Makefile
>> (I take CCPATH from  printenv | grep arm-eabi )
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> obj-m := lime.o
>> lime-objs := tcp.o disk.o main.o
>>
>> KDIR := ~/android/kernel/samsung
>> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
>> PWD := $(shell pwd)
>>
>> default:
>> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD)
>> modules
>> 	$(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko
>> 	
>> 	$(MAKE) tidy
>>
>> tidy:
>> 	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd
>> \.*.ko.cmd \.*.o.d
>> 	rm -rf \.tmp_versions
>>
>> clean:
>> 	$(MAKE) tidy
>> 	rm -f *.ko
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Build LiME module:
>> $ make
>>
>> ________________________________________
>> 1.3 Dump volatile memory
>> $ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko
>>
>> Screen must be unlocked now in order to grant ADB shell root access
>>
>> $ adb shell
>> $ su
>> # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
>> # exit
>> $ exit
>> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump
>>
>> ________________________________________
>> 1.4 Build a Volatility Profile
>>
>> Get Volatility from [10]:
>> $ svn checkout https://volatility.googlecode.com/svn/trunk/
>> ~/android/volatility
>> $ cd ~/android/volatility/tools/linux
>>
>> Edit Makefile:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> obj-m += module.o
>> KDIR := ~/android/kernel/samsung
>> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
>>
>> -include version.mk
>>
>> all: dwarf
>>
>> dwarf: module.c
>> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR)
>> CONFIG_DEBUG_INFO=y M=$(PWD) modules
>> 	dwarfdump -di module.ko > module.dwarf
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Build module:
>> $ make
>>
>> Zip profile:
>> $ zip
>> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip
>> module.dwarf ~/android/kernel/samsung/System.map
>>
>> ________________________________________
>> 1.5 Examine the Memory Dump with Volatility
>>
>> $ cd ~/android/volatility/
>> $
>> $ python vol.py --info | grep Linux
>> Volatility Foundation Volatility Framework 2.3.1
>> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
>> _NexusS_2.3.6_GRK39F_ ARM
>> linux_banner            - Prints the Linux banner information
>> linux_yarascan          - A shell in the Linux memory image
>> $
>> $ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f
>> ~/android/dump/NexusS_2.3.6.dump linux_pslist
>> Volatility Foundation Volatility Framework 2.3.1
>> Offset     Name                 Pid             Uid             Gid    DTB        Start Time
>> ---------- -------------------- --------------- --------------- ------ ---------- ----------
>> No suitable address space mapping found
>> Tried to open image as:
>> MachOAddressSpace: mac: need base
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> HPAKAddressSpace: No base Address Space
>> VirtualBoxCoreDumpElf64: No base Address Space
>> VMWareSnapshotFile: No base Address Space
>> WindowsCrashDumpSpace32: No base Address Space
>> AMD64PagedMemory: No base Address Space
>> IA32PagedMemoryPae: No base Address Space
>> IA32PagedMemory: No base Address Space
>> MachOAddressSpace: MachO Header signature invalid
>> MachOAddressSpace: MachO Header signature invalid
>> LimeAddressSpace: Invalid Lime header signature
>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>> WindowsCrashDumpSpace64: Header signature invalid
>> HPAKAddressSpace: Invalid magic found
>> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>> VMWareSnapshotFile: Invalid VMware signature: 0x1
>> WindowsCrashDumpSpace32: Header signature invalid
>> AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM
>> selected
>> IA32PagedMemoryPae: Failed valid Address Space check
>> IA32PagedMemory: Failed valid Address Space check
>> FileAddressSpace: Must be first Address Space
>> ArmAddressSpace: Failed valid Address Space check
>>
>> ________________________________________
>> 1.6 First attempt to debug
>>
>> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
>> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000  EMiL.......@....
>> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000  ...O............
>>
>> =>
>> magic: 0x4c69 4d45 -> LiME
>> version: 0x0000 0001 -> 1
>> s_addr: 0x0000 0000 4000 0000
>> e_addr: 0x0000 0000 4fff ffff
>> reserved: 0x0000 0000 0000 0000
>>
>> => Address range is:
>> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
>> 268435456
>>
>> But file size is much bigger:
>> $ stat -c %s ~/android/dump/NexusS_2.3.6.dump
>> 401604672
>>
>> 268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!!
>>
>>
>>
>>
>> ************************************************************
>> 2  Nexus S with Android 4.0.4 Ice Cream Sandwich
>>
>> ________________________________________
>> 2.1 Prepare the phone
>>
>>
>> 2.1.0 Boot loader is unlocked
>>
>>
>> 2.1.1 Get the factory image from [3] and flash it
>> $ tar -zxvf soju-imm76d-factory-ca4ae9ee.tgz
>> $ cd soju-imm76d
>> $ adb reboot bootloader
>> $ ./flash-all.sh
>>
>>
>> 2.1.2 Start phone
>> - as described before -
>>
>> $ cat /proc/version
>> Linux version 3.0.8-g6656123 (android-build at vpbs1.mtv.corp.google.com)
>> (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
>>
>>
>> 2.1.3 Root the phone
>> - as described before -
>>
>> ________________________________________
>> 2.2 Prepare LiME
>>
>>
>> 2.2.1 Get the Samsung kernel source from AOSP [7]
>> $ mkdir -p ~/android/kernel && cd $_
>> $ git clone https://android.googlesource.com/kernel/samsung.git
>> $ cd samsung
>> $ git checkout 6656123
>>
>>
>> 2.2.2 Setting Up a Build Environment with AOSP from [8]
>> $ mkdir -p ~/android/aosp && cd $_
>> $ repo init -u https://android.googlesource.com/platform/manifest -b
>> android-4.0.4_r1.1
>> $ repo sync
>> $ . build/envsetup.sh
>> $ lunch full_crespo-user
>>
>> Check compiler:
>> $ arm-eabi-gcc --version
>> arm-eabi-gcc (GCC) 4.4.3
>>
>> Set environment variables:
>> $ cd ~/android/kernel/samsung
>> $ export ARCH=arm
>> $ export SUBARCH=arm
>> $ export CROSS_COMPILE=arm-eabi-
>>
>>
>> 2.2.3 Compile the Samsung kernel
>> - as described before -
>>
>>
>> 2.2.4 Download LiME  from [9] and Cross Compile
>> - as described before -
>>
>> ________________________________________
>> 2.3 Dump volatile memory
>> - as described before -
>>
>> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump
>>
>> ________________________________________
>> 2.4 Build a Volatility Profile
>>
>> Get and build Volatility - as described before -
>>
>> $ zip
>> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip
>> module.dwarf ~/android/kernel/samsung/System.map
>>
>> ________________________________________
>> 2.5 Examine the Memory Dump with Volatility
>>
>> $ cd ~/android/volatility/
>> $
>> $ python vol.py --info | grep Linux
>> Volatility Foundation Volatility Framework 2.3.1
>> linux_banner            - Prints the Linux banner information
>> linux_yarascan          - A shell in the Linux memory image
>> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
>> _NexusS_2.3.6_GRK39F_ ARM
>> Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux
>> _NexusS_4.0.4_IMM76D_ ARM
>> $
>> $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f
>> ~/android/dump/NexusS_4.0.4.dump linux_pslist
>> Volatility Foundation Volatility Framework 2.3.1
>> Offset     Name                 Pid             Uid             Gid    DTB        Start Time
>> ---------- -------------------- --------------- --------------- ------ ---------- ----------
>> No suitable address space mapping found
>> Tried to open image as:
>> - the rest as described before –
>>
>> ________________________________________
>> 2.6 First attempt to debug
>>
>> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
>> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000  EMiL.......@....
>> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000  ...O............
>>
>> =>
>> magic: 0x4c69 4d45 -> LiME
>> version: 0x0000 0001 -> 1
>> s_addr: 0x0000 0000 4000 0000
>> e_addr: 0x0000 0000 4fff ffff
>> reserved: 0x0000 0000 0000 0000
>>
>> => Address range is:
>> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
>> 268435456
>>
>> But file size is still bigger:
>> $ stat -c %s ~/android/dump/NexusS_4.0.4.dump
>> 325775424
>>
>> 268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!!
>>
>>
>>
>>
>> ************************************************************
>> 3  Links
>>
>> [1] https://developers.google.com/android/nexus/images#soju
>> [2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz
>> [3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
>> [4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz
>> [5]
>> http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img
>> [6] http://download.chainfire.eu/supersu
>> [7] https://android.googlesource.com/kernel/samsung.git
>> [8] https://android.googlesource.com/platform/manifest
>> [9] http://lime-forensics.googlecode.com/svn/trunk/
>> [10] https://volatility.googlecode.com/svn/trunk/
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
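
A second added example (again not from the original post or from Volatility), for the "How can I assure that the profile is valid?" question in the quoted post. A Linux profile is only as good as its System.map: Volatility resolves symbols such as swapper_pg_dir and init_task through it to find the kernel page directory and the head of the process list, and a System.map built from the right commit but a different .config puts them at different addresses, which surfaces as "ArmAddressSpace: Failed valid Address Space check" rather than as a profile error. On the rooted phone, /proc/kallsyms lists the addresses the running kernel actually uses, in the same "address type name" layout as System.map (read it as root; with kptr_restrict set the addresses show as zeros), so the two tables can be compared directly. The version line /proc/version prints is also stored in the kernel image (linux_banner), so searching the dump for it confirms that dump and profile belong to the same build. The set of symbols checked is this script's own choice, and the symbol addresses and kallsyms text in it are constructed sample data, not the Nexus S kernel's.

```python
import re

# Symbols Volatility's Linux support resolves early: swapper_pg_dir (kernel
# page directory, the DTB), init_task (head of the task list), linux_banner
# (version string). Assumed set for this check; extend as needed.
KEY_SYMBOLS = ("swapper_pg_dir", "init_task", "linux_banner")

# "address type name" (System.map) or "address type name [module]" (kallsyms)
SYMBOL_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")


def parse_symbol_table(text):
    """Parse System.map or /proc/kallsyms text into {name: (address, type)}.
    The first definition of a name wins, as a lookup by name would do."""
    table = {}
    for line in text.splitlines():
        m = SYMBOL_LINE.match(line.strip())
        if m:
            addr, typ, name = m.groups()
            table.setdefault(name, (int(addr, 16), typ))
    return table


def check_profile_symbols(system_map_text, kallsyms_text, names=KEY_SYMBOLS):
    """Compare the profile's System.map against the live kernel's kallsyms.
    Returns (ok, missing, mismatched): missing lists names absent from either
    table, mismatched maps name -> (system_map_addr, kallsyms_addr)."""
    sysmap = parse_symbol_table(system_map_text)
    live = parse_symbol_table(kallsyms_text)
    if live and all(addr == 0 for addr, _ in live.values()):
        raise ValueError("kallsyms addresses are all zero: kptr_restrict is "
                         "hiding them, read /proc/kallsyms as root")
    missing, mismatched = [], {}
    for name in names:
        if name not in sysmap or name not in live:
            missing.append(name)
        elif sysmap[name][0] != live[name][0]:
            mismatched[name] = (sysmap[name][0], live[name][0])
    return (not missing and not mismatched), missing, mismatched


def find_banner(dump, release):
    """File offset of the kernel's linux_banner string for the given release
    (the 'Linux version <release> ...' line /proc/version prints), or None."""
    needle = b"Linux version " + release.encode("ascii")
    off = dump.find(needle)
    return None if off < 0 else off


# ---- constructed sample data; the addresses are invented for the example ----
SAMPLE_SYSTEM_MAP = """\
c0004000 D swapper_pg_dir
c0008000 T stext
c05c2000 D init_task
c06f0140 R linux_banner
"""
# kallsyms of a matching kernel: same addresses, plus a module symbol that
# System.map never contains and that the comparison simply ignores.
SAMPLE_KALLSYMS_OK = SAMPLE_SYSTEM_MAP + "bf000000 t init_module\t[lime]\n"
# kallsyms of the same source built with another .config: data moved by 0x1000.
SAMPLE_KALLSYMS_OTHER_CONFIG = """\
c0004000 D swapper_pg_dir
c0008000 T stext
c05c3000 D init_task
c06f1140 R linux_banner
"""
# Banner shaped like the 3.0.8 line in the post; build host is made up.
SAMPLE_BANNER = ("Linux version 3.0.8-g6656123 (builder@example.invalid) "
                 "(gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # System.map and a saved copy of /proc/kallsyms
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            ok, missing, mismatched = check_profile_symbols(f.read(), g.read())
    else:                    # demonstrate on the constructed mismatch
        ok, missing, mismatched = check_profile_symbols(
            SAMPLE_SYSTEM_MAP, SAMPLE_KALLSYMS_OTHER_CONFIG)
    print("profile matches running kernel: %s" % ok)
    for name in missing:
        print("  %s: not present in both tables" % name)
    for name, (a, b) in sorted(mismatched.items()):
        print("  %s: System.map 0x%08x, kallsyms 0x%08x" % (name, a, b))
```

Typical use: `adb shell su -c "cat /proc/kallsyms" > kallsyms.txt` on the rooted phone, then run the script with the profile's System.map and that file. Any mismatch on swapper_pg_dir or init_task means the zip describes a different kernel than the one that was dumped, whatever the commit hash in /proc/version says, and the profile has to be rebuilt with the .config of the shipping kernel before the address-space failure is worth debugging further.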