[Vol-users] Data-in-use leakages from Android Memory
masdif at posteo.net
Sat May 31 05:00:20 CDT 2014
Thank you Pasquale,
May I ask questions?
1. Referring to the ebay example in your paper (table ii):
You looked at
0x0000b000 0x003d1000 [heap]
0x409b2000 0x42124000 /dev/ashmem/dalvik-heap
But what about
0x42124000 0x449b2000 /dev/ashmem/dalvik-heap
0x46e02000 0x46e03000 /dev/ashmem/SurfaceFlinger
1a) Why are there two Dalvik heaps?
1b) Is there any work known about the SurfaceFlinger heap
so far? If I understood correctly the SurfaceFlinger
prepares an application's screen before it gets visible
to the user. Any interesting data (visualization) to
expect here? (...if there were a Volatility plugin to
2. Did I get you correct that you investigated the heap only?
What were the reasons to not look at the stack?
From: Pasquale Stirparo
Sent: Freitag, Mai 30, 2014 3:02PM
Cc: Joe Sylve, Andrew Case, Vol-users
Subject: Re: [Vol-users] LiME in real world Android forensics
> Hi Philipp
> If you are interested, take also a look at my publication of 2013 on
> retrieving user credentials from Android memory
> "Data-in-use leakages from Android Memory"
More information about the Vol-users