- Vol-users - volatilityfoundation.org

the problem about create a profile for my android

by fan zhou

Dear everyone: I have a problem about analysing an android memory these days. I am new to android memory forensic,and i analyse the windows memory before.But i think analysing an android memory may more interesting and valuable. I have followed the url "https://code.google.com/p/volatility/wiki/ AndroidMemoryForensics#Build_a_Volatility_Profile" ,and i have done successfully. Now, by useing lime i can get my android memory, my android is samsung9001, and the memory file is ram.lime (almost 400M size). But the problem is that: when i use volatility2.3_beta to analyse the android memory , volatility can't identify the profle that i created. The output is below： Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxGolfishARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check and i use -dd option the output is: yutruth@ubuntu:~/yutruth-android/volatility$ python vol.py --profile=Linuxsamsung9001ARM -f ~/yutruth-android/ram.lime linux_pslist -dd Volatile Systems Volatility Framework 2.3_beta DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found dwarf file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 407 symbols DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found system file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x6949190> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x18600040, instantiating lime_header DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x6949150> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0 DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: No suggestions available DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check Search the problem by google and i find some others have the same problem,but i can't find the solution. By the way, i know few people submit the problem last September and a week ago, and i know volatility can't support many Linux/android profile now, but i have create the profile for my android and just volatility can't identify:-( I do these things under the ubuntu10.04 on the vmware, and i don't download the newest dwarfdump, i just use " apt-get install dwarfdump" on the ubuntu10.04, and i am sure the CC_PATH and some PATH Variable is true. I may think the dwarf execute file is wrong. Thinks for your attention and sorry for my english. The attachment are my profile zip and dwarfdump execute file. Hope to get your apply soon ^_^( I may be mad for the problem)

12 years, 2 months

1
0
0 0

DFIR interview on healthy paranoia

by Andrew Case

I was recently on the Healthy Paranoia podcast talking about memory forensics during DFIR and other related topics: http://packetpushers.net/healthy-paranoia-show-14-digital-forensics-and-inc… Would appreciate any feedback or comments! Thanks, Andrew (@attrc)

12 years, 2 months

1
0
0 0

Virtual Machine / Linux memory

by Lou LaRocca

Maybe a stupid question here but does Volatility currently support the analysis of linux memory from a Virtual Machine? I see that it supports VM's and Linux separately but not together? Thanks in advance Lou

12 years, 2 months

3
3
0 0

Memory Forensics Training by Volatility Developers is headed back to Reston!

by Andrew Case

After quickly selling out our recent course in Reston, we have now scheduled another training there in November: http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto… This course is taught directly by Volatility developers, and provides intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. We already have quite a few people signed up and had to turn away people last time, so please contact us ASAP if you are interested in taking it. Thanks, Andrew (@attrc)

12 years, 2 months

1
0
0 0

OT: Using netsh to set ip address of an interface on winfe/winpe 4.0.

by George M. Garner Jr.

This post is off-topic; however, there are a lot of bright people on this list so maybe someone will be able to help. I need to set a static ipv4 address on an interface in WinPE4.0/WinFE4.0. For example the following command works on Windows 8: netsh.exe interface ip set address Ethernet static 192.168.0.5 255.255.255.0 On WinPE 4.0 I am getting an error that the interface is not found which is odd since the interface appears in the list of interfaces. For example: netsh.exe interface ip show interfaces and netsh.exe interface ip show interface Ethernet both work as expected. I can also add a route on the interface in WinPE, e.g.: netsh.exe interface ip add route 192.168.0.0/24 Ethernet works. It is just adding the static ip address that doesn't work. I have also tried using the IF index instead of the interface name; still no joy. Unfortunately I can't use dhcp in some applications because the client broadcasts an announcement that I am present, which wouldn't be prudent. I am wondering if there isn't maybe some dependency that is missing from my winpe installation? Anyone have any thoughts? Regards, George.

12 years, 2 months

2
4
0 0

Problem using bitmaps in overlays

by Carl Pulley

Hi all, I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs. With (say) a single ulong, the following works great: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) However, the obvious generalisation to 4 ulongs: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) fails. Looking at the source, the profile.merge_overlay calls: obj.Object(['array', 4, ['unsigned long']], offset=0, ..) and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls: vm.profile.has_type(['array', 4, ['unsigned long']]) Attempts at using obj.Array instead also flounder. Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled? Many thanks, Carl.

12 years, 2 months

2
2
0 0

No shimcache data found

by Brian Keefer

I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time). While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...) Thanks! -- chort

12 years, 2 months

3
5
0 0

Final Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Mac systems. The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection: http://volatility-labs.blogspot.com/2013/06/movp-ii-41-leveraging-process-c… The second post covered dumping, scanning, and searching process memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-42-dumping-scanning-and… The third post discussed how to recover networking information: http://volatility-labs.blogspot.com/2013/06/movp-ii-43-recovering-mac-os-x-… The fourth post showed a number of artifacts in Mac kernel memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-44-whats-in-your-mac-os… The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways: http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-ru… We hope you have enjoyed this month's posts and will be trying 2.3 when its released! If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

12 years, 3 months

1
0
0 0

Mucho processes

by Glenn Edwards

Background: The user logged off (I know, I know) of the system (WinXP) and the first responder logged back in under a different user and took the memory dump. When running pslist against the memory dump there're 2,423 entries. I'm seeing a lot of entries where the process starts and exits - sometimes in a row: 0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000 0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000 0x89b2a868 userinit.exe 3672 548 0 -------- 0 0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000 0x89afc020 userinit.exe 3388 548 0 -------- 0 0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000 0x89b49da0 userinit.exe 1336 548 0 -------- 0 0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000 and sometimes more spread out: 0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000 0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000 0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000 0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000 0x8934d520 java.exe 9148 1368 0 -------- 0 0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000 0x8934e020 cscript.exe 7620 9148 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000 0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000 0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000 0x893a3838 java.exe 4572 1368 0 -------- 0 0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000 Example of top processes by overall count of occurrence: $ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr 364 java.exe 362 minituner.exe 335 userinit.exe 301 wmiprvse.exe 219 cscript.exe 192 verclsid.exe 91 wuauclt.exe 37 regsvr32.exe 34 winlogon.exe 34 csrss.exe [snip] I've never come across this before so I'm wondering if this could be attributed to the first responder not letting the system fully log them on prior to taking the memory dump and therefore there was a lot of still loading processes observed? -- Glenn Edwards @hiddenillusion

12 years, 3 months

3
4
0 0

hive file dump

by Jaroslav Brtan

Hi everyone, I would like to ask you if it is possible to dump the hive file from a memory image. For some reason the printkey cmd does not return expected values. In my virtualbox Windows xp sp3 image contains vboxtray.exe in the RUN key, but I dont see it in the printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" cmd output I am using volatility version 2.3 beta. I want to use Windows registry recovery tool to check if it is able to get the info I need. Thank you Jaro

12 years, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users