[Vol-users] Data-in-use leakages from Android Memory

masdif masdif at posteo.net
Sat May 31 05:00:20 CDT 2014

Thank you Pasquale,

much appreciated!

May I ask questions?

1.  Referring to the eBay example in your paper (Table II):

    You looked at
      0x0000b000 0x003d1000 [heap]
      0x409b2000 0x42124000 /dev/ashmem/dalvik-heap

    But what about
      0x42124000 0x449b2000 /dev/ashmem/dalvik-heap
      0x46e02000 0x46e03000 /dev/ashmem/SurfaceFlinger

1a) Why are there two Dalvik heaps?

1b) Is there any work known about the SurfaceFlinger heap
    so far? If I understood correctly, the SurfaceFlinger
    prepares an application's screen before it becomes visible
    to the user. Any interesting data (visualization) to
    expect here? (...if there were a Volatility plugin to
    decode it)

2.  Did I understand you correctly that you investigated the heap only?
    What were the reasons to not look at the stack?

Best regards,

From:    Pasquale Stirparo
Sent:    Friday, May 30, 2014 3:02PM
To:      Masdif
Cc:      Joe Sylve, Andrew Case, Vol-users
Subject: Re: [Vol-users] LiME in real world Android forensics

> Hi Philipp
> If you are interested, also take a look at my publication of 2013 on
> retrieving user credentials from Android memory
> "Data-in-use leakages from Android Memory"
> http://scholar.google.it/scholar?cluster=12705537352149207082&hl=en&as_sdt=0,5
> Cheers
> P.
