Dear everyone:
I have a problem about analysing an android memory these days.
I am new to android memory forensic,and i analyse the windows
memory before.But i think analysing an android memory may more interesting
and valuable.
I have followed the url "https://code.google.com/p/volatility/wiki/
AndroidMemoryForensics#Build_a_Volatility_Profile" ,and i have done
successfully.
Now, by useing lime i can get my android memory, my android is
samsung9001, and the memory file is ram.lime (almost 400M size).
But the problem is that: when i use volatility2.3_beta to analyse
the android memory , volatility can't identify the profle that i created.
The output is below:
Volatile Systems Volatility Framework 2.3_beta
Offset Name Pid Uid Gid
DTB Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile LinuxGolfishARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
and i use -dd option the output is:
yutruth@ubuntu:~/yutruth-android/volatility$ python vol.py
--profile=Linuxsamsung9001ARM -f ~/yutruth-android/ram.lime linux_pslist
-dd
Volatile Systems Volatility Framework 2.3_beta
DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found dwarf
file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with
407 symbols
DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found
system file
home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 1
symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid
DTB Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x6949190>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address
0x18600040, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x6949150>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x0
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Incompatible profile Linuxsamsung9001ARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Search the problem by google and i find some others have the same
problem,but i can't find the solution. By the way, i know few people submit
the problem
last September and a week ago, and i know volatility can't support many
Linux/android profile now, but i have create the profile for my android and
just volatility can't
identify:-(
I do these things under the ubuntu10.04 on the vmware, and i
don't download the newest dwarfdump, i just use " apt-get install
dwarfdump" on the ubuntu10.04,
and i am sure the CC_PATH and some PATH Variable is true. I may think the
dwarf execute file is wrong.
Thinks for your attention and sorry for my english. The
attachment are my profile zip and dwarfdump execute file.
Hope to get your apply soon ^_^( I may be mad for the problem)
Maybe a stupid question here but does Volatility currently support the
analysis of linux memory from a Virtual Machine?
I see that it supports VM's and Linux separately but not together?
Thanks in advance
Lou
After quickly selling out our recent course in Reston, we have now
scheduled another training there in November:
http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto…
This course is taught directly by Volatility developers, and provides
intense training in memory forensics for incident response, malware
analysis, and digital forensic investigation.
We already have quite a few people signed up and had to turn away
people last time, so please contact us ASAP if you are interested in
taking it.
Thanks,
Andrew (@attrc)
This post is off-topic; however, there are a lot of bright people on
this list so maybe someone will be able to help. I need to set a static
ipv4 address on an interface in WinPE4.0/WinFE4.0. For example the
following command works on Windows 8:
netsh.exe interface ip set address Ethernet static 192.168.0.5
255.255.255.0
On WinPE 4.0 I am getting an error that the interface is not found which
is odd since the interface appears in the list of interfaces. For example:
netsh.exe interface ip show interfaces
and
netsh.exe interface ip show interface Ethernet
both work as expected.
I can also add a route on the interface in WinPE, e.g.:
netsh.exe interface ip add route 192.168.0.0/24 Ethernet
works. It is just adding the static ip address that doesn't work. I
have also tried using the IF index instead of the interface name; still
no joy. Unfortunately I can't use dhcp in some applications because the
client broadcasts an announcement that I am present, which wouldn't be
prudent.
I am wondering if there isn't maybe some dependency that is missing from
my winpe installation?
Anyone have any thoughts?
Regards,
George.
Hi all,
I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs.
With (say) a single ulong, the following works great:
profile.merge_overlay({
'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
})
However, the obvious generalisation to 4 ulongs:
profile.merge_overlay({
'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
})
fails. Looking at the source, the profile.merge_overlay calls:
obj.Object(['array', 4, ['unsigned long']], offset=0, ..)
and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls:
vm.profile.has_type(['array', 4, ['unsigned long']])
Attempts at using obj.Array instead also flounder.
Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled?
Many thanks,
Carl.
I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
Thanks!
--
chort
Hi everyone,
I would like to ask you if it is possible to dump the hive file from a
memory image.
For some reason the printkey cmd does not return expected values.
In my virtualbox Windows xp sp3 image contains vboxtray.exe in the RUN key,
but I dont see it in the printkey -K
"Software\Microsoft\Windows\CurrentVersion\Run" cmd output
I am using volatility version 2.3 beta.
I want to use Windows registry recovery tool to check if it is able to get
the info I need.
Thank you
Jaro