Hello Andrew,
Yes, I expect that it will take a little while until first shipments arrive in
Europe/Germany. ;-)
Pasquale's question in the other thread is interesting: Will there be an
ebook version provided for printed version buyers?
Back to the phone: Just talking about the currently installed 4.0.4 ICS:
______________________________________________________________________
1) Can you copy/paste uname -a from the phone
$ cat /proc/version
Linux version 3.0.8-g6656123 (android-build(a)vpbs1.mtv.corp.google.com)
(gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
I just also installed BusyBox 1.22.1 from Google Play:
$ uname -a
Linux localhost 3.0.8-g6656123 #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
armv7l GNU/Linux
______________________________________________________________________
2) Can you copy/paste building the profile (cmdline input/output)
$ make
make ARCH=arm CROSS_COMPILE=~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- -C ~/android/kernel/samsung CONFIG_DEBUG_INFO=y M=/home/hotblack/android/volatility/tools/linux modules
make[1]: Entering directory `/home/hotblack/android/kernel/samsung'
CC [M] /home/hotblack/android/volatility/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/hotblack/android/volatility/tools/linux/module.mod.o
LD [M] /home/hotblack/android/volatility/tools/linux/module.ko
make[1]: Leaving directory `/home/hotblack/android/kernel/samsung'
dwarfdump -di module.ko > module.dwarf
$
$ zip ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip module.dwarf ~/android/kernel/samsung/System.map
adding: module.dwarf (deflated 90%)
adding: home/hotblack/android/kernel/samsung/System.map (deflated 73%)
______________________________________________________________________
3) Can you copy/paste running Volatility with the "-dd" option set
$ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f ~/android/dump/NexusS_4.0.4.dump -dd linux_pslist
Volatility Foundation Volatility Framework 2.3.1
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x628e1d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid
Address 0x136AF040, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x628e090>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x0
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace:
Must be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM
selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Regards,
Philipp
________________________________________________________________
From: Andrew Case
Sent: Thursday, July 24, 2014 7:37 PM
To: Masdif, Vol-users
Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory
acquisition and analysis
Hello,
Where are you located? Some foreign countries seem to be having shipping
delays.
As for the phone analysis...
1) Can you copy/paste uname -a from the phone
2) Can you copy/paste building the profile (cmdline input/output)
3) Can you copy/paste running Volatility with the "-dd" option set
These will greatly help debug the issue.
Thanks,
Andrew (@attrc)
On 07/24/2014 10:00 AM, masdif wrote:
> Hi all,
>
> I pre-ordered “The Art of Memory Forensics” on March 22nd :-) and as of
> today delivery is estimated for September 1st :-(. I really hope there
> is a chapter about debugging the memory acquisition process. ;-)
>
> Meanwhile, may I kindly ask for your advice/hints on how to debug the
> following? I am not able to successfully acquire and analyze a Nexus S
> Android memory dump.
>
> Where could I start to look for errors?
> How can I assure that the dump is valid?
> How can I assure that the profile is valid?
>
> Any hint is highly appreciated! :-)
>
>
> Thank you,
> Philipp
>
>
>
>
> ************************************************************
> 0 Where I failed :-(
>
> Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide
> version, i9020t and i9023)”:
> 2.3.6 (GRK39F)
> 4.0.4 (IMM76D)
> 4.1.2 (JZO54K)
>
> Up to now I tried the first two.
>
> Just in case, the two memory dumps as well as the two Volatility profiles
> are available here:
>
> https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA
>
>
>
>
> ************************************************************
> 1 Nexus S with Android 2.3.6 Gingerbread
>
> ________________________________________
> 1.1 Prepare the phone
>
>
> 1.1.0 Boot loader is unlocked:
> $ adb reboot bootloader
> $ fastboot oem unlock
>
>
> 1.1.1 Get the factory image from [2] and flash it
> $ tar -zxvf soju-grk39f-factory-5ab09c98.tgz
> $ cd soju-grk39f
> $ adb reboot bootloader
> $ ./flash-all.sh
>
>
> 1.1.2 Start phone
> Click through the initial settings
> Enable USB debugging
>
> Get version info:
> $ adb shell
> $ cat /proc/version
> Linux version 2.6.35.7-gf5f63ef
> (android-build(a)apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1
> PREEMPT Tue Aug 2 13:57:05 PDT 2011
>
>
> 1.1.3 Root the phone
> Get custom recovery from [5] (…because otherwise ADB sideload SuperSU
> won’t work) and flash custom recovery
> $ adb reboot bootloader
> $ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img
>
> Get SuperSU from [6]
> Sideload SuperSU
> $ adb reboot bootloader
> Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start
> sideload”
> $ adb sideload UPDATE-SuperSU-v2.01.zip
>
> Reboot the phone
>
> ________________________________________
> 1.2 Prepare LiME
>
>
> 1.2.1 Get the Samsung kernel source from AOSP [7]
> $ mkdir -p ~/android/kernel && cd $_
> $ git clone https://android.googlesource.com/kernel/samsung.git
> $ cd samsung
> $ git checkout f5f63ef
>
>
> 1.2.2 Setting Up a Build Environment with AOSP from [8]
> $ mkdir -p ~/android/aosp && cd $_
> $ repo init -u https://android.googlesource.com/platform/manifest -b android-2.3.6_r0.9
> $ repo sync
> $ . build/envsetup.sh
> $ lunch full_crespo-user
>
> Check compiler:
> $ arm-eabi-gcc --version
> arm-eabi-gcc (GCC) 4.4.3
>
> Set environment variables:
> $ cd ~/android/kernel/samsung
> $ export ARCH=arm
> $ export SUBARCH=arm
> $ export CROSS_COMPILE=arm-eabi-
>
>
> 1.2.3 Compile the Samsung kernel
>
> Configure the kernel:
> $ make herring_defconfig
>
> Build the Samsung kernel:
> $ make
>
>
> 1.2.4 Download LiME from [9] and Cross Compile
> $ mkdir -p ~/android && cd $_
> $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime
> $ cd ~/android/lime/src
>
> Edit Makefile
> (I take CCPATH from printenv | grep arm-eabi )
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> obj-m := lime.o
> lime-objs := tcp.o disk.o main.o
>
> KDIR := ~/android/kernel/samsung
> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
> PWD := $(shell pwd)
>
> default:
> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD) modules
> 	$(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko
>
> 	$(MAKE) tidy
>
> tidy:
> 	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
> 	rm -rf \.tmp_versions
>
> clean:
> 	$(MAKE) tidy
> 	rm -f *.ko
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Build LiME module:
> $ make
>
> ________________________________________
> 1.3 Dump volatile memory
> $ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko
>
> Screen must be unlocked now in order to grant ADB shell root access
>
> $ adb shell
> $ su
> # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
> # exit
> $ exit
> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump
>
> ________________________________________
> 1.4 Build a Volatility Profile
>
> Get Volatility from [10]:
> $ svn checkout https://volatility.googlecode.com/svn/trunk/ ~/android/volatility
> $ cd ~/android/volatility/tools/linux
>
> Edit Makefile:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> obj-m += module.o
> KDIR := ~/android/kernel/samsung
> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
>
> -include version.mk
>
> all: dwarf
>
> dwarf: module.c
> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
> 	dwarfdump -di module.ko > module.dwarf
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Build module:
> $ make
>
> Zip profile:
> $ zip ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip module.dwarf ~/android/kernel/samsung/System.map
>
> ________________________________________
> 1.5 Examine the Memory Dump with Volatility
>
> $ cd ~/android/volatility/
> $
> $ python vol.py --info | grep Linux
> Volatility Foundation Volatility Framework 2.3.1
> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
> _NexusS_2.3.6_GRK39F_ ARM
> linux_banner - Prints the Linux banner information
> linux_yarascan - A shell in the Linux memory image
> $
> $ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f ~/android/dump/NexusS_2.3.6.dump linux_pslist
> Volatility Foundation Volatility Framework 2.3.1
> Offset Name Pid Uid Gid DTB Start Time
> ---------- -------------------- --------------- --------------- ------ ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> VMWareSnapshotFile: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> IA32PagedMemoryPae: No base Address Space
> IA32PagedMemory: No base Address Space
> MachOAddressSpace: MachO Header signature invalid
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> VMWareSnapshotFile: Invalid VMware signature: 0x1
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM
> selected
> IA32PagedMemoryPae: Failed valid Address Space check
> IA32PagedMemory: Failed valid Address Space check
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: Failed valid Address Space check
>
> ________________________________________
> 1.6 First attempt to debug
>
> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@....
> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............
>
> =>
> magic: 0x4c69 4d45 -> LiME
> version: 0x0000 0001 -> 1
> s_addr: 0x0000 0000 4000 0000
> e_addr: 0x0000 0000 4fff ffff
> reserved: 0x0000 0000 0000 0000
>
> => Address range is:
> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
> 268435456
>
> But file size is much bigger:
> $ stat -c %s ~/android/dump/NexusS_2.3.6.dump
> 401604672
>
> 268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!!
>
>
>
>
> ************************************************************
> 2 Nexus S with Android 4.0.4 Ice Cream Sandwich
>
> ________________________________________
> 2.1 Prepare the phone
>
>
> 2.1.0 Boot loader is unlocked
>
>
> 2.1.1 Get the factory image from [3] and flash it
> $ tar -zxvf soju-imm76d-factory-ca4ae9ee.tgz
> $ cd soju-imm76d
> $ adb reboot bootloader
> $ ./flash-all.sh
>
>
> 2.1.2 Start phone
> - as described before -
>
> $ cat /proc/version
> Linux version 3.0.8-g6656123 (android-build(a)vpbs1.mtv.corp.google.com)
> (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
>
>
> 2.1.3 Root the phone
> - as described before -
>
> ________________________________________
> 2.2 Prepare LiME
>
>
> 2.2.1 Get the Samsung kernel source from AOSP [7]
> $ mkdir -p ~/android/kernel && cd $_
> $ git clone https://android.googlesource.com/kernel/samsung.git
> $ cd samsung
> $ git checkout 6656123
>
>
> 2.2.2 Setting Up a Build Environment with AOSP from [8]
> $ mkdir -p ~/android/aosp && cd $_
> $ repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.4_r1.1
> $ repo sync
> $ . build/envsetup.sh
> $ lunch full_crespo-user
>
> Check compiler:
> $ arm-eabi-gcc --version
> arm-eabi-gcc (GCC) 4.4.3
>
> Set environment variables:
> $ cd ~/android/kernel/samsung
> $ export ARCH=arm
> $ export SUBARCH=arm
> $ export CROSS_COMPILE=arm-eabi-
>
>
> 2.2.3 Compile the Samsung kernel
> - as described before -
>
>
> 2.2.4 Download LiME from [9] and Cross Compile
> - as described before -
>
> ________________________________________
> 2.3 Dump volatile memory
> - as described before -
>
> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump
>
> ________________________________________
> 2.4 Build a Volatility Profile
>
> Get and build Volatility - as described before -
>
> $ zip ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip module.dwarf ~/android/kernel/samsung/System.map
>
> ________________________________________
> 2.5 Examine the Memory Dump with Volatility
>
> $ cd ~/android/volatility/
> $
> $ python vol.py --info | grep Linux
> Volatility Foundation Volatility Framework 2.3.1
> linux_banner - Prints the Linux banner information
> linux_yarascan - A shell in the Linux memory image
> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
> _NexusS_2.3.6_GRK39F_ ARM
> Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux
> _NexusS_4.0.4_IMM76D_ ARM
> $
> $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f ~/android/dump/NexusS_4.0.4.dump linux_pslist
> Volatility Foundation Volatility Framework 2.3.1
> Offset Name Pid Uid Gid DTB Start Time
> ---------- -------------------- --------------- --------------- ------ ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
> - the rest as described before -
>
> ________________________________________
> 2.6 First attempt to debug
>
> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@....
> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............
>
> =>
> magic: 0x4c69 4d45 -> LiME
> version: 0x0000 0001 -> 1
> s_addr: 0x0000 0000 4000 0000
> e_addr: 0x0000 0000 4fff ffff
> reserved: 0x0000 0000 0000 0000
>
> => Address range is:
> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
> 268435456
>
> But file size is still bigger:
> $ stat -c %s ~/android/dump/NexusS_4.0.4.dump
> 325775424
>
> 268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!!
>
>
>
>
> ************************************************************
> 3 Links
>
> [1] https://developers.google.com/android/nexus/images#soju
> [2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz
> [3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
> [4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz
> [5] http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img
> [6] http://download.chainfire.eu/supersu
> [7] https://android.googlesource.com/kernel/samsung.git
> [8] https://android.googlesource.com/platform/manifest
> [9] http://lime-forensics.googlecode.com/svn/trunk/
> [10] https://volatility.googlecode.com/svn/trunk/
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
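The checks in sections 1.6 and 2.6 above decode only the first 32-byte header, but LiME v1 writes one such header in front of every captured physical range, so the file size is the sum of all ranges plus 32 bytes each (the 0x136AF040 in the -dd output above is 325775424, exactly the 4.0.4 file size, i.e. the LiME address space walked headers up to end of file). Below is an added example, not code from the thread, LiME or Volatility, that walks and validates every header and reconciles the total against the file size; the sample ranges are constructed.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45            # stored little-endian: 45 4d 69 4c ("EMiL" in xxd)
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = HEADER.size          # 32 bytes per segment


def walk_lime(fobj):
    """Yield (file_offset, s_addr, e_addr) for every segment in the dump.

    Each header is validated, and each payload is checked to fit inside
    the file, before the walk moves on to the next header."""
    size = fobj.seek(0, io.SEEK_END)
    offset = 0
    while offset < size:
        fobj.seek(offset)
        raw = fobj.read(HEADER_SIZE)
        if len(raw) != HEADER_SIZE:
            raise ValueError("truncated header at 0x%x" % offset)
        magic, version, s_addr, e_addr, _ = HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at 0x%x" % (magic, offset))
        if version != 1:
            raise ValueError("unsupported LiME version %d at 0x%x" % (version, offset))
        if e_addr < s_addr:
            raise ValueError("e_addr below s_addr at 0x%x" % offset)
        payload = e_addr - s_addr + 1
        if offset + HEADER_SIZE + payload > size:
            raise ValueError("segment at 0x%x runs past end of file" % offset)
        yield offset, s_addr, e_addr
        offset += HEADER_SIZE + payload


def check_dump(fobj):
    """Summarise a dump: segments, bytes accounted for by the headers,
    the real file size, and the naive first-segment-only estimate."""
    segments = list(walk_lime(fobj))
    if not segments:
        raise ValueError("no LiME header at offset 0")
    size = fobj.seek(0, io.SEEK_END)
    accounted = sum(HEADER_SIZE + (e - s + 1) for _, s, e in segments)
    first_only = HEADER_SIZE + (segments[0][2] - segments[0][1] + 1)
    return {"segments": segments, "file_size": size, "accounted": accounted,
            "first_segment_only": first_only, "consistent": accounted == size}


def make_sample_dump(ranges):
    """Constructed sample: build an in-memory LiME dump for the given
    (s_addr, e_addr) ranges, filling each payload with a byte pattern."""
    out = io.BytesIO()
    for i, (s, e) in enumerate(ranges):
        out.write(HEADER.pack(LIME_MAGIC, 1, s, e, b"\x00" * 8))
        out.write(bytes([0x41 + i]) * (e - s + 1))
    out.seek(0)
    return out


# Two small constructed ranges: reading only the first header predicts
# 32 + 1024 bytes, while the file really holds 32 + 1024 + 32 + 512.
SAMPLE_RANGES = [(0x40000000, 0x400003FF), (0x50000000, 0x500001FF)]

if __name__ == "__main__":
    import sys
    # pass a real lime.dump path as argv[1]; otherwise the constructed sample is used
    fobj = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_dump(SAMPLE_RANGES)
    with fobj:
        info = check_dump(fobj)
    for off, s, e in info["segments"]:
        print("segment @0x%08x: 0x%08x-0x%08x (%d bytes)" % (off, s, e, e - s + 1))
    print("headers account for %d of %d bytes, consistent=%s, first segment alone predicts %d"
          % (info["accounted"], info["file_size"], info["consistent"], info["first_segment_only"]))
```

A dump whose headers do not account for exactly the file size, or that raises on a bad magic part-way through, is the first thing to rule out before blaming the profile.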