vol-users,
As you know, one of the main goals of the Volatility Foundation is to
promote the use of memory analysis within the forensics community. If you
have been on this mailing list for a while or seen some of the recent
court cases, you know that one of the main challenges facing investigators
is the ability to reliably collect a sample of physical memory. The
increasing number of acquisition tools has given people a lot of options
but has also exacerbated the challenge of knowing which tool to use and
under what circumstances.
In order to address this and to reduce the amount of time we spend helping
investigators troubleshoot bad memory samples, we are working on
developing some memory acquisition guidelines for investigators. If you
have had experiences where you were unable to collect a valid sample from
a system, we would like to hear from you. This could mean that the system
crashed during collection or the collected sample couldn’t be analyzed.
In particular, we are interested in the details (hardware, software, etc)
about the system the memory was being acquired from and the version of the
tool you were using to perform the acquisition.
If you have this type of information and are able to share, please contact
me off list.
Happy holidays and hope we can catch up in the New Year!
AAron Walters
The Volatility Foundation
Hello list,
This is my first post to this list. My name is Rob, I'm located in the
Netherlands and am looking for some help in dumping the memory of an
Android phone so I can inspect it in Volatility. A bit of background as to
where I'm currently at with Volatility.
I've successfully compiled LiME against a standard Linux kernel running on
Intel, created a profile with dwarfdump etc., dumped the memory and can use
the plugins successfully.
I've also installed CyanogenMod 12.1 on a Galaxy S2 and can run LiME on it
and dump the RAM. I have a problem with the profile not loading in
Volatility but that's for another post :-) I can run strings on the dump
and recover meaningful information though.
Cutting to the chase...
My target phone is a stock Samsung Galaxy S3. I've looked at the device
settings and have downloaded the matching kernel source code from Samsung's
open-source website, taking care to make sure the build version string
matches. The phone has developer settings and USB debugging enabled. I have
also rooted the phone and the SuperSU binary is installed and configured to
grant root always without prompting.
I've tried using toolchain versions 4.9 and 4.8 but the Samsung source code
will not compile without modifications to the makefile relating to warnings
being interpreted as errors. I'm therefore using version 4.7.
I've compiled the kernel modules, which generated a Module.symvers:
***
0x82d9772c bcmsdh_remove drivers/net/wireless/bcmdhd/dhd EXPORT_SYMBOL
0x9cad0f4b bcmsdh_probe drivers/net/wireless/bcmdhd/dhd EXPORT_SYMBOL
***
I then compiled LiME with this makefile...
***
# Out-of-tree build of LiME against the Samsung S3 kernel tree
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR := ~/ANDROID/S3Kernel/Kernel
PWD := $(shell pwd)
# Android NDK r10e ARM toolchain prefix (4.7, since 4.8/4.9 trip -Werror in the Samsung tree)
CROSS_COMPILE := /home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi-
ARCH := arm
.PHONY: modules modules_install clean distclean help
default:
	$(MAKE) ARCH=arm SUBARCH=arm -C $(KDIR) M=$(PWD) CROSS_COMPILE=$(CROSS_COMPILE) EXTRA_CFLAGS=-fno-pic modules
	mv lime.ko limeS3.ko
***
...and this generates the following output
***
dfir@ThinkPad-T420:~/ANDROID/S3Kernel/LiME/src$ make
make ARCH=arm SUBARCH=arm -C ~/ANDROID/S3Kernel/Kernel M=/home/dfir/ANDROID/S3Kernel/LiME/src CROSS_COMPILE=/home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic modules
make[1]: Entering directory `/home/dfir/ANDROID/S3Kernel/Kernel'
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/tcp.o
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/disk.o
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/main.o
LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/dfir/ANDROID/S3Kernel/LiME/src/lime.mod.o
LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.ko
make[1]: Leaving directory `/home/dfir/ANDROID/S3Kernel/Kernel'
mv lime.ko limeS3.ko
***
After successful compilation there is also a Module.symvers file located
in the LiME directory, but it is empty. I wonder if this is indicative of my
problem?
I then move limeS3.ko to my phone and connect to it with adb:
adb forward tcp:4444 tcp:4444
adb shell
su
this gets me to a root prompt on the device and I can move freely around
the file system.
I then move to the location where limeS3.ko is installed and enter the
command
root@m0:/storage/extSdCard # insmod ./limeS3.ko "path=tcp:4444 format=lime"
which gives the following error.
insmod: init_module './limeS3.ko' failed (Exec format error)
I've searched for this error and ensured the kernel version is correct.
Can anyone tell me what I'm doing wrong so I can get the driver loaded?
I realize that this was a long first post. Thank-you for taking the time to
read this far. I hope someone can point me in the right direction.
regards,
Rob
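An added example, not part of either message in this thread: a host-side pre-flight check for a cross-compiled LiME module before insmod. The kernel's module loader answers init_module with ENOEXEC ("Exec format error") both when the .ko's ELF e_machine is not the running kernel's architecture and when the vermagic string recorded in the module's .modinfo disagrees with the kernel's; the specific reason is printed only to the kernel log (dmesg on the device), not returned to insmod. The script reads the two deciding fields straight out of the .ko with od, tr and sed, so it needs no modinfo or strings binary and also runs in a stripped-down Android shell. The file name limeS3.ko, the kernel release used in the test and the check_module/elf_machine/ko_vermagic function names are assumptions of this example. For what it is worth, an empty Module.symvers in the LiME directory is expected: that file lists symbols the external module itself exports, and LiME exports none; the one the build consumes is the kernel tree's.

```shell
#!/bin/sh
# Added example (not code from the post or from LiME): pre-flight checks on a
# cross-compiled .ko before insmod, to localise an "Exec format error".
# Uses only od, tr, sed, head so it works on host and in an Android shell.

# Print the ELF e_machine of a file as an architecture name.
# e_machine is the 16-bit field at offset 18 of the ELF header; byte 5
# (EI_DATA) says whether it is little- (01) or big-endian (02).
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    bytes=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')   # e.g. "2800" for ARM LE
    if [ "$(od -An -tx1 -j5 -N1 "$1" | tr -d ' \n')" = "02" ]; then
        code=$bytes                     # big-endian: bytes already hi,lo
    else
        code=${bytes#??}${bytes%??}     # little-endian: swap to hi,lo
    fi
    case "$code" in
        0028) echo arm ;;
        00b7) echo aarch64 ;;
        0003) echo i386 ;;
        003e) echo x86_64 ;;
        *)    echo "unknown-0x$code" ;;
    esac
}

# Print the vermagic string stored in the module's .modinfo section
# (NUL-terminated "vermagic=<release> SMP preempt mod_unload ARMv7 ...").
ko_vermagic() {
    tr -c '[:print:]' '\n' < "$1" | sed -n 's/^vermagic=//p' | head -n1
}

# check_module <ko> <expected arch> <running kernel release>
# Prints both findings; returns 0 only if architecture and release match.
# The first vermagic token must equal the running kernel's `uname -r`
# exactly; the remaining flags must match the kernel's build config too.
check_module() {
    ko=$1; want_arch=$2; running=$3
    rc=0
    arch=$(elf_machine "$ko") || rc=1
    echo "e_machine: $arch (want $want_arch)"
    [ "$arch" = "$want_arch" ] || rc=1
    vm=$(ko_vermagic "$ko")
    release=${vm%% *}
    echo "vermagic: '$vm' (running kernel: $running)"
    [ "$release" = "$running" ] || rc=1
    return $rc
}

# Host-side usage (hypothetical path), release taken from the device:
#   sh lime_check.sh limeS3.ko arm "$(adb shell uname -r | tr -d '\r')"
# If insmod still fails, the loader's reason is in `adb shell dmesg`.
if [ $# -eq 3 ]; then
    check_module "$1" "$2" "$3"
fi
```

On a device whose toolbox lacks uname, the release is the third field of /proc/version. A match here does not guarantee insmod succeeds (CONFIG_MODVERSIONS symbol CRCs are checked too, and that failure is also reported only in dmesg), but a mismatch here explains the error without touching the phone.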