Thanks again Andrew for the assistance and for the Makefile. So here a brief summary for creating the Android profile, following the  linux example here (https://code.google.com/p/volatility/wiki/LinuxMemoryForensics):

DISCLAIMER: I'm using a Mac OS X system.

- I modified the Makefile sent by Andrew, placed under volatility/tools/linux/Makefile, adding the options for cross-compiling as from the LiME kernel module. Basically the modifications are the following:

CCPATH := /path/to/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin

dwarf: module.c
$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules


- The last instruction of the makefile "dwarfdump -di module.ko > module.dwarf" was originally with -di option. But -d appears to be not a valid option anymore. Checking the man page, the alternatives for debugging options are the following
--debug-abbrev, --debug-aranges, --debug-frame[=OFFSET],
      --debug-info[=OFFSET], --debug-inlined, --debug-line[=OFFSET],
      --debug-macinfo[=OFFSET], --debug-pubnames[=PATTERN],
      --debug-pubtypes[=PATTERN], --debug-str
debug-info is the default (which looking at the output of "head module.dwarf" seems to be the correct one), so i tried just to remove the -d and also to put --debug-info without any offset value, but this is what I get as content of the module.dwarf file
hydra:linux paco$ cat module.dwarf 
----------------------------------------------------------------------
 File: module.ko (arm)
----------------------------------------------------------------------
.debug_info contents:
< EMPTY >

- The last step to make the profile is to zip the module.dwarf file and the System.map of the kernel. After searching around, I found that System.map file for android is /proc/kallsyms (probably you all already knew it, but I didn't know this :) ).


Attached the make file I used, if all the rest of the steps I did are right, it's missing the right debug option for the dwarfdump command. I've tried also the others but no one seems to give the right output. Any tips on this?
Thanks

P.



On Fri, Feb 15, 2013 at 5:41 PM, Andrew Case <atcuno@gmail.com> wrote:
Hello,

We are currently testing a stripped down Makefile to help people
compiling for different kernels than the one for the system they are
on (which includes Android). Can you please try the attached makefile?
You will need to change the KDIR varabile to point to your kernel
headers or source.

On Fri, Feb 15, 2013 at 5:55 AM, Pasquale Stirparo <pstirparo@gmail.com> wrote:
> Hi All,
>
> I'm trying to make a profile for android device.
> I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense 4.0,
> kernel 2.6.39.4-g6b459dc).
>
> Now, following the instruction here
> https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was
> trying to understand how to modify the makefile under
> volatility/tools/linux/ , in order to point to my kernel source. The thing
> is that in from my kernel source folder I couldn't find a proper value for
> KDIR and KVER (although they should be pretty straightforward according to
> their name) that would fit with the path for make command as from the
> following source code:
>
> pmem: pmem.c
>         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules
>
> dwarf: module.c
>         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y
> M=$(PWD) modules
>         dwarfdump -di module.ko > module.dwarf
>         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
>
>
> Did anyone ever created an android profile? Any hint?
> I've seen in the mailing list archive a thread "Profile (ZIP) for Android
> 4.0.3" from Mike (in Cc), any news about that?
>
> Thank you
>
> P.
>
> --
> Pasquale Stirparo, MEng
> GCFA, OPST, OWSE, ECCE
>
> European Commission - JRC Joint Research Centre
> Institute for the Protection and Security of the Citizen (IPSC)
> Digital Citizen Security Unit
> Via E. Fermi, 2749 - TP 361
> 21027 Ispra (VA) - Italy
>
> PGP Key: 0x4C589FB2
> Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
>
> Disclaimer: The views expressed are purely those of the writer and may not
> in any circumstance be regarded as stating an official position of the
> European Commission.
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



--
Pasquale Stirparo, MEng    
GCFA, OPST, OWSE, ECCE                      

European Commission - JRC Joint Research Centre
Institute for the Protection and Security of the Citizen (IPSC)  
Digital Citizen Security Unit
Via E. Fermi, 2749 - TP 361
21027 Ispra (VA) - Italy

PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2

Disclaimer: The views expressed are purely those of the writer and may not in any circumstance be regarded as stating an official position of the European Commission.