Hi,
I've uploaded a tarball [1] containing a number of Volatility plugins which
provide support for the DalvikVM and Android. I didn't provide a
patch set, because there are only new files included. However, I can do
so or can open an issue, whatever would be most convenient.
The plugins are named:
- dalvik_find_gdvm_offset
- dalvik_vms
- dalvik_loaded_classes
- dalvik_class_information
- dalvik_find_class_instance
- dalvik_app_mirrored
Any comments would be appreciated. This is part of a research project I
need to have finished by the end of the year, so if someone suggests
fundamental changes, I most likely won't have the immediate time to look
at it. Just wanted to provide my code, because obviously there is some
interest (cf. vol-users@).
Ideally, I could get a branch in SVN to get this integrated into
upcoming Volatility releases.
I've attached a README.dalvik which gives some meta information about
the plugins and could become a corresponding wiki article.
Thanks to Joe Sylve and Andrew Case for providing me with some initial
guidelines.
Regards,
Holger
[1] http://www.homac.de/files/Volatility-Dalvik-support-v1.tar.bz2
Hi list,
I'm pleased to announce that the Volatility Framework is now available in the FreeBSD
ports tree as security/py-volatility [1] since tonight.
It was possible with the efforts of Antoine Brodin and Sofian Brabez.
Just make -C /usr/ports/security/py-volatility install clean, then try it with
vol.py and a random dump.
$ vol.py imageinfo -f /tmp/memory.dmp
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/memory.dmp)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82948c28
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82949c00
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-05-28 02:57:03 UTC+0000
Image local date and time : 2012-05-27 22:57:03 -0400
Regards
--
Sofian Brabez
Hello,
We are writing to announce the public offering of our Windows Memory
Forensics for Analysts training course. This course is taught directly by
Volatility developers, and will provide intense training in memory
forensics for incident response, malware analysis, and digital forensic
investigation. Full details can be found here:
http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini…
Please write or comment on the post if you have any questions or comments.
Thanks,
Andrew (@attrc)
Hello,
I'm currently in need of extracting page tables from a Linux memory
image (with a known profile). Can anyone point me in the direction of
Volatility's code that would handle the page tables?
Thanks,
Nhan
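As an added illustration of what "extracting page tables from a memory image" involves at the lowest level, the following is a stand-alone x86-64 4-level page-table walker and enumerator written for this post; it is example code, not Volatility's own address-space implementation, and it operates on a constructed in-memory byte buffer standing in for a raw image. The DTB value, physical addresses, virtual addresses and the marker string are all made-up sample data; on a real image the kernel's table base comes from the profile's symbol information rather than from a hard-coded constant.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0
PAGE_SIZE_FLAG = 1 << 7          # PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE
ADDR_MASK = 0x000FFFFFFFFFF000   # bits 12..51 of an entry hold the next-level frame
SHIFTS = (39, 30, 21, 12)        # PML4, PDPT, PD, PT index positions


class PhysicalMemory:
    """Minimal stand-in for a raw memory image: a flat physical address space."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read_qword(self, paddr):
        return struct.unpack_from("<Q", self.buf, paddr)[0]

    def write_qword(self, paddr, value):
        struct.pack_into("<Q", self.buf, paddr, value)

    def read_bytes(self, paddr, length):
        return bytes(self.buf[paddr:paddr + length])


def walk_x86_64(mem, dtb, vaddr):
    """Translate one 48-bit virtual address through the tables rooted at dtb.
    Returns (paddr, page_size), or None if any level is not present."""
    table = dtb & ADDR_MASK
    for level, shift in enumerate(SHIFTS):
        entry = mem.read_qword(table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        # A PDPTE (level 1) or PDE (level 2) with PS set maps a large page directly.
        if level in (1, 2) and entry & PAGE_SIZE_FLAG:
            size = 1 << shift
            return (entry & ADDR_MASK & ~(size - 1)) + (vaddr & (size - 1)), size
        table = entry & ADDR_MASK
    # The PTE pointed at a 4 KiB frame; add the page offset.
    return table + (vaddr & (PAGE_SIZE - 1)), PAGE_SIZE


def list_mappings(mem, dtb):
    """Enumerate every present mapping under dtb as (vaddr, paddr, size).
    This is the 'dump the page tables' operation, walked top-down from the DTB."""
    def recurse(table, level, vbase):
        for idx in range(512):
            entry = mem.read_qword(table + idx * 8)
            if not entry & PRESENT:
                continue
            vaddr = vbase | (idx << SHIFTS[level])
            if level == 0 and idx >= 256:
                vaddr |= 0xFFFF000000000000      # sign-extend into the kernel half
            if level == 3 or (level in (1, 2) and entry & PAGE_SIZE_FLAG):
                size = 1 << SHIFTS[level]
                yield vaddr, entry & ADDR_MASK & ~(size - 1), size
            else:
                yield from recurse(entry & ADDR_MASK, level + 1, vaddr)
    return list(recurse(dtb & ADDR_MASK, 0, 0))


def build_sample_image():
    """Constructed sample image: one 4 KiB mapping, one 2 MiB mapping, one hole.
    All addresses below are invented for the example, not taken from a real dump."""
    mem = PhysicalMemory(0x400000)
    dtb, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    rw = PRESENT | (1 << 1)                      # present + writable
    mem.write_qword(dtb + 254 * 8, pdpt | rw)    # PML4[254] -> PDPT (user half)
    mem.write_qword(pdpt + 0 * 8, pd | rw)       # PDPT[0]   -> PD
    mem.write_qword(pd + 2 * 8, pt | rw)         # PD[2]     -> PT
    mem.write_qword(pt + 1 * 8, 0x5000 | rw)     # PT[1]     -> 4 KiB frame 0x5000
    mem.write_qword(pd + 3 * 8, 0x200000 | PAGE_SIZE_FLAG | rw)  # PD[3] -> 2 MiB page
    # PT[2] is left zero: a virtual page with no backing frame.
    mem.buf[0x5ABC:0x5ABC + 6] = b"DALVIK"       # marker to prove the translation
    return mem, dtb


if __name__ == "__main__":
    mem, dtb = build_sample_image()
    for va in (0x7F0000401ABC, 0x7F0000601234, 0x7F0000402000):
        print(hex(va), "->", walk_x86_64(mem, dtb, va))
    for va, pa, size in list_mappings(mem, dtb):
        print("map %#x -> %#x (%#x bytes)" % (va, pa, size))
```

The two functions are the pieces a forensic address space needs: a per-address translator used whenever a plugin reads virtual memory, and a full enumeration used when the goal is the page tables themselves (for example to find executable or writable mappings). The NX bit and other high flag bits are discarded by ADDR_MASK, and a not-present entry at any level ends the walk rather than reading garbage.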