Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory acquisition and analysis

This is very odd. I have no idea what could cause LiME to miss a memory segment. Let me do some thinking on this. On Sat, Aug 2, 2014 at 11:35 AM, Philipp Wächter &lt;philipp.waechter(a)posteo.de&gt; wrote: > Hello, > > It looks for me like the LiME dump is not complete. > > > Based on /proc/iomem I expect to find 3 segments in the LiME dump. > > shell@android:/ $ cat /proc/iomem | grep -i ram > 30000000-323fffff : System RAM > 35000000-35ffffff : onedram > 40000000-4b7aefff : System RAM > 50000000-57efffff : System RAM > 57f00000-57ffefff : ram_console > > shell@android:/ $ cat /proc/iomem | head -n 7 > 30000000-323fffff : System RAM > 30032000-3065afff : Kernel text > 3065c000-307e154f : Kernel data > 35000000-35ffffff : onedram > 40000000-4b7aefff : System RAM > 50000000-57efffff : System RAM > 57f00000-57ffefff : ram_console > > > Is it correct to expect the 3 segments ... > (1) 30000000-323fffff > (2) 40000000-4b7aefff > (3) 50000000-57efffff > ... in the LiME dump? > > > If I look into the LiME dump I see: > > $ xxd -l 0x20 ~/android/dump/NexusS_4.0.4.dump > 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@.... > 0000010: ffef 7a4b 0000 0000 0000 0000 0000 0000 ..zK............ > > $ xxd -s $((0x20 + 0x4b7aefff - 0x40000000 + 1)) -l 0x20 > ~/android/dump/NexusS_4.0.4.dump > b7af020: 454d 694c 0100 0000 0000 0050 0000 0000 EMiL.......P.... > b7af030: ffff ef57 0000 0000 0000 0000 0000 0000 ...W............ > > $ echo $(( 0x20 + 0xb7aefff + 1 + 0x20 + 0x7efffff + 1 )) > 325775424 > > $ stat -c %s ~/android/dump/NexusS_4.0.4.dump > 325775424 > > > So there are only the segments > (2) 40000000-4b7aefff > (3) 50000000-57efffff > > > Is it sound to presume that in this case the LiME dump is flawed? > > And if I have to presume that: What could have gone wrong? > > > > Thanks, > Philipp > > > ________________________________________________________________ > From: Masdif > Sent: Donnerstag, Juli 24, 2014 11:00PM > To: Andrew Case, Vol-users > Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory > acquisition and analysis > >> Hello Andrew, >> >> Yes, I expect that it will take a little until first shipments arrive in >> Europe/Germany. ;-) >> Pasquales question in the other thread is interesting: Will there be an >> ebook version provided for printed version buyers? >> >> >> Back to the phone: Just talking about the currently installed 4.0.4 ICS: >> >> ______________________________________________________________________ >> 1) Can you copy/paste uname -a from the phone >> >> $ cat /proc/version >> Linux version 3.0.8-g6656123 (android-build(a)vpbs1.mtv.corp.google.com) >> (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012 >> >> I just also installed BusyBox 1.22.1 from Google Play: >> >> $ uname -a >> Linux localhost 3.0.8-g6656123 #1 PREEMPT Thu Feb 2 16:56:02 PST 2012 >> armv7l GNU/Linux >> >> >> ______________________________________________________________________ >> 2) Can you copy/paste building the profile (cmdline input/output) >> >> $ make >> make ARCH=arm >> CROSS_COMPILE=~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- >> -C ~/android/kernel/samsung CONFIG_DEBUG_INFO=y >> M=/home/hotblack/android/volatility/tools/linux modules >> make[1]: Entering directory `/home/hotblack/android/kernel/samsung' >> CC [M] /home/hotblack/android/volatility/tools/linux/module.o >> Building modules, stage 2. >> MODPOST 1 modules >> CC /home/hotblack/android/volatility/tools/linux/module.mod.o >> LD [M] /home/hotblack/android/volatility/tools/linux/module.ko >> make[1]: Leaving directory `/home/hotblack/android/kernel/samsung' >> dwarfdump -di module.ko > module.dwarf >> $ >> $ zip >> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip >> module.dwarf ~/android/kernel/samsung/System.map >> .dwarf ~/android/kernel/samsung/System.map >> adding: module.dwarf (deflated 90%) >> adding: home/hotblack/android/kernel/samsung/System.map (deflated 73%) >> >> >> ______________________________________________________________________ >> 3) Can you copy paste running Volatiltiy with the "-dd" option set >> >> $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f >> ~/android/dump/NexusS_4.0.4.dump -dd linux_pslist >> Volatility Foundation Volatility Framework 2.3.1 >> DEBUG : volatility.plugins.overlays.linux.linux: >> _NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols >> DEBUG : volatility.plugins.overlays.linux.linux: >> _NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols >> DEBUG : volatility.obj : Applying modification from BashTypes >> DEBUG : volatility.obj : Applying modification from >> BasicObjectClasses >> DEBUG : volatility.obj : Applying modification from ELF64Modification >> DEBUG : volatility.obj : Applying modification from HPAKVTypes >> DEBUG : volatility.obj : Applying modification from LimeTypes >> DEBUG : volatility.obj : Applying modification from MachoTypes >> DEBUG : volatility.obj : Applying modification from MbrObjectTypes >> DEBUG : volatility.obj : Applying modification from >> VMwareVTypesModification >> DEBUG : volatility.obj : Applying modification from >> VirtualBoxModification >> DEBUG : volatility.obj : Applying modification from >> LinuxKmemCacheOverlay >> DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol >> cache_chain not found in module kernel >> >> DEBUG : volatility.obj : Applying modification from LinuxMountOverlay >> DEBUG : volatility.obj : Applying modification from >> LinuxObjectClasses >> DEBUG : volatility.obj : Applying modification from LinuxOverlay >> DEBUG : volatility.plugins.overlays.linux.linux: >> _NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols >> DEBUG : volatility.plugins.overlays.linux.linux: >> _NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols >> DEBUG : volatility.obj : Applying modification from BashTypes >> DEBUG : volatility.obj : Applying modification from >> BasicObjectClasses >> DEBUG : volatility.obj : Applying modification from ELF64Modification >> DEBUG : volatility.obj : Applying modification from HPAKVTypes >> DEBUG : volatility.obj : Applying modification from LimeTypes >> DEBUG : volatility.obj : Applying modification from MachoTypes >> DEBUG : volatility.obj : Applying modification from MbrObjectTypes >> DEBUG : volatility.obj : Applying modification from >> VMwareVTypesModification >> DEBUG : volatility.obj : Applying modification from >> VirtualBoxModification >> DEBUG : volatility.obj : Applying modification from >> LinuxKmemCacheOverlay >> DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol >> cache_chain not found in module kernel >> >> DEBUG : volatility.obj : Applying modification from LinuxMountOverlay >> DEBUG : volatility.obj : Applying modification from >> LinuxObjectClasses >> DEBUG : volatility.obj : Applying modification from LinuxOverlay >> Offset Name Pid Uid Gid >> DTB Start Time >> ---------- -------------------- --------------- --------------- ------ >> ---------- ---------- >> DEBUG : volatility.utils : Voting round >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: >> mac: need base >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: >> lime: need base >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsHiberFileSpace32: No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsCrashDumpSpace64: No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: >> No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> >> DEBUG1 : volatility.utils : Failed instantiating >> VirtualBoxCoreDumpElf64: No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> >> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: >> No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsCrashDumpSpace32: No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> >> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: >> No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> >> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: >> No base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> >> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No >> base Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.standard.FileAddressSpace'> >> DEBUG : volatility.utils : Succeeded instantiating >> <volatility.plugins.addrspaces.standard.FileAddressSpace object at >> 0x628e1d0> >> DEBUG : volatility.utils : Voting round >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: >> MachO Header signature invalid >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> >> DEBUG1 : volatility.obj : None object instantiated: Invalid >> Address 0x136AF040, instantiating lime_header >> DEBUG : volatility.utils : Succeeded instantiating >> <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x628e090> >> DEBUG : volatility.utils : Voting round >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: >> MachO Header signature invalid >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: >> Invalid Lime header signature >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsCrashDumpSpace64: Header signature invalid >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: >> Invalid magic found >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> >> DEBUG1 : volatility.utils : Failed instantiating >> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> >> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: >> Invalid VMware signature: 0x0 >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> >> DEBUG1 : volatility.utils : Failed instantiating >> WindowsCrashDumpSpace32: Header signature invalid >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> >> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: >> Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM selected >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> >> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: >> Failed valid Address Space check >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> >> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: >> Failed valid Address Space check >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.standard.FileAddressSpace'> >> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: >> Must be first Address Space >> DEBUG : volatility.utils : Trying <class >> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> >> DEBUG1 : volatility.obj : None object instantiated: No suggestions >> available >> DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: >> Failed valid Address Space check >> No suitable address space mapping found >> Tried to open image as: >> MachOAddressSpace: mac: need base >> LimeAddressSpace: lime: need base >> WindowsHiberFileSpace32: No base Address Space >> WindowsCrashDumpSpace64: No base Address Space >> HPAKAddressSpace: No base Address Space >> VirtualBoxCoreDumpElf64: No base Address Space >> VMWareSnapshotFile: No base Address Space >> WindowsCrashDumpSpace32: No base Address Space >> AMD64PagedMemory: No base Address Space >> IA32PagedMemoryPae: No base Address Space >> IA32PagedMemory: No base Address Space >> MachOAddressSpace: MachO Header signature invalid >> MachOAddressSpace: MachO Header signature invalid >> LimeAddressSpace: Invalid Lime header signature >> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile >> WindowsCrashDumpSpace64: Header signature invalid >> HPAKAddressSpace: Invalid magic found >> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid >> VMWareSnapshotFile: Invalid VMware signature: 0x0 >> WindowsCrashDumpSpace32: Header signature invalid >> AMD64PagedMemory: Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM >> selected >> IA32PagedMemoryPae: Failed valid Address Space check >> IA32PagedMemory: Failed valid Address Space check >> FileAddressSpace: Must be first Address Space >> ArmAddressSpace: Failed valid Address Space check >> >> >> >> Regards, >> Philipp >> >> ________________________________________________________________ >> From: Andrew Case >> Sent: Donnerstag, Juli 24, 2014 7:37PM >> To: Masdif, Vol-users >> Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory >> acquisition and analysis >> >>> Hello, >>> >>> Where are you located? Some foreign countries seem to be having shipping >>> delays. >>> >>> As for the phone analysis.. >>> >>> 1) Can you copy/paste uname -a from the phone >>> 2) Can you copy/paste building the profile (cmdline input/output) >>> 3) Can you copy paste running Volatiltiy with the "-dd" option set >>> >>> These will greatly help debug the issue. >>> >>> Thanks, >>> Andrew (@attrc) >>> >>> On 07/24/2014 10:00 AM, masdif wrote: >>>> Hi all, >>>> >>>> I pre-ordered “The Art of Memory Forensics” at March 22nd :-) and as of >>>> today delivery is estimated for September 1st :-(. I really hope there >>>> is a chapter about debugging the memory acquisition process. ;-) >>>> >>>> Meanwhile may I kindly ask for your advice/hints how to debug the >>>> following? I am not able to successfully acquire and analyze a Nexus S >>>> Android memory dump. >>>> >>>> Where could I start to look for errors? >>>> How can I assure that the dump is valid? >>>> How can I assure that the profile is valid? >>>> >>>> Any hint is highly appreciated! :-) >>>> >>>> >>>> Thank you, >>>> Philipp >>>> >>>> >>>> >>>> >>>> ************************************************************ >>>> 0 Where I failed :-( >>>> >>>> Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide >>>> version, i9020t and i9023)”: >>>> 2.3.6 (GRK39F) >>>> 4.0.4 (IMM76D) >>>> 4.1.2 (JZO54K) >>>> >>>> Up to now I tried the first two. >>>> >>>> Just in case the two memory dumps as well as the two Volatility profiles >>>> are available here: >>>> https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA >>>> >>>> >>>> >>>> >>>> ************************************************************ >>>> 1 Nexus S with Android 2.3.6 Gingerbread >>>> >>>> ________________________________________ >>>> 1.1 Prepare the phone >>>> >>>> >>>> 1.1.0 Boot loader is unlocked: >>>> $ adb reboot bootloader >>>> $ fastboot oem unlock >>>> >>>> >>>> 1.1.1 Get the factory image from [2] and flash it >>>> $ tar –zxvf soju-grk39f-factory-5ab09c98.tgz >>>> $ cd soju-grk39f >>>> $ adb reboot bootloader >>>> $ ./flash-all.sh >>>> >>>> >>>> 1.1.2 Start phone >>>> Click through the initial settings >>>> Enable USB debugging >>>> >>>> Get version info: >>>> $ adb shell >>>> $ cat /proc/version >>>> Linux version 2.6.35.7-gf5f63ef >>>> (android-build(a)apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1 >>>> PREEMPT Tue Aug 2 13:57:05 PDT 2011 >>>> >>>> >>>> 1.1.3 Root the phone >>>> Get custom recovery from [5] (…because otherwise ADB sideload SuperSU >>>> won’t work) and flash custom recovery >>>> $ adb reboot bootloader >>>> $ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img >>>> >>>> Get SuperSU from [6] >>>> Sideload SuperSU >>>> $ adb reboot bootloader >>>> Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start >>>> sideload” >>>> $ adb sideload UPDATE-SuperSU-v2.01.zip >>>> >>>> Reboot the phone >>>> >>>> ________________________________________ >>>> 1.2 Prepare LiME >>>> >>>> >>>> 1.2.1 Get the Samsung kernel source from AOSP [7] >>>> $ mkdir -p ~/android/kernel && cd $_ >>>> $ git clone https://android.googlesource.com/kernel/samsung.git >>>> $ cd samsung >>>> $ git checkout f5f63ef >>>> >>>> >>>> 1.2.2 Setting Up a Build Environment with AOSP from [8] >>>> $ mkdir -p ~/android/aosp && cd $_ >>>> $ repo init -u https://android.googlesource.com/platform/manifest -b >>>> android-2.3.6_r0.9 >>>> $ repo sync >>>> $ . build/envsetup.sh >>>> $ lunch full_crespo-user >>>> >>>> Check compiler: >>>> $ arm-eabi-gcc --version >>>> arm-eabi-gcc (GCC) 4.4.3 >>>> >>>> Set environment variables: >>>> $ cd ~/android/kernel/samsung >>>> $ export ARCH=arm >>>> $ export SUBARCH=arm >>>> $ export CROSS_COMPILE=arm-eabi- >>>> >>>> >>>> 1.2.3 Compile the Samsung kernel >>>> >>>> Configure the kernel: >>>> $ make herring_defconfig >>>> >>>> Build the Samsung kernel: >>>> $ make >>>> >>>> >>>> 1.2.4 Download LiME from [9] and Cross Compile >>>> $ mkdir -p ~/android && cd $_ >>>> $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime >>>> $ cd ~/android/lime/src >>>> >>>> Edit Makefile >>>> (I take CCPATH from printenv | grep arm-eabi ) >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> obj-m := lime.o >>>> lime-objs := tcp.o disk.o main.o >>>> >>>> KDIR := ~/android/kernel/samsung >>>> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin >>>> PWD := $(shell pwd) >>>> >>>> default: >>>> $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD) >>>> modules >>>> $(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko >>>> >>>> $(MAKE) tidy >>>> >>>> tidy: >>>> rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd >>>> \.*.ko.cmd \.*.o.d >>>> rm -rf \.tmp_versions >>>> >>>> clean: >>>> $(MAKE) tidy >>>> rm -f *.ko >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> >>>> Build LiME module: >>>> $ make >>>> >>>> ________________________________________ >>>> 1.3 Dump volatile memory >>>> $ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko >>>> >>>> Screen must be unlocked now in order to grant ADB shell root access >>>> >>>> $ adb shell >>>> $ su >>>> # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime" >>>> # exit >>>> $ exit >>>> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump >>>> >>>> ________________________________________ >>>> 1.4 Build a Volatility Profile >>>> >>>> Get Volatility from [10]: >>>> $ svn checkout https://volatility.googlecode.com/svn/trunk/ >>>> ~/android/volatility >>>> $ cd ~/android/volatility/tools/linux >>>> >>>> Edit Makefile: >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> obj-m += module.o >>>> KDIR := ~/android/kernel/samsung >>>> CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin >>>> >>>> -include version.mk >>>> >>>> all: dwarf >>>> >>>> dwarf: module.c >>>> $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) >>>> CONFIG_DEBUG_INFO=y M=$(PWD) modules >>>> dwarfdump -di module.ko > module.dwarf >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> >>>> Build module: >>>> $ make >>>> >>>> Zip profile: >>>> $ zip >>>> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip >>>> module.dwarf ~/android/kernel/samsung/System.map >>>> >>>> ________________________________________ >>>> 1.5 Examine the Memory Dump with Volatility >>>> >>>> $ cd ~/android/volatility/ >>>> $ >>>> $ python vol.py --info | grep Linux >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux >>>> _NexusS_2.3.6_GRK39F_ ARM >>>> linux_banner - Prints the Linux banner information >>>> linux_yarascan - A shell in the Linux memory image >>>> $ >>>> $ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f >>>> ~/android/dump/NexusS_2.3.6.dump linux_pslist >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Offset Name Pid Uid Gid >>>> DTB Start Time >>>> ---------- -------------------- --------------- --------------- ------ >>>> ---------- ---------- >>>> No suitable address space mapping found >>>> Tried to open image as: >>>> MachOAddressSpace: mac: need base >>>> LimeAddressSpace: lime: need base >>>> WindowsHiberFileSpace32: No base Address Space >>>> WindowsCrashDumpSpace64: No base Address Space >>>> HPAKAddressSpace: No base Address Space >>>> VirtualBoxCoreDumpElf64: No base Address Space >>>> VMWareSnapshotFile: No base Address Space >>>> WindowsCrashDumpSpace32: No base Address Space >>>> AMD64PagedMemory: No base Address Space >>>> IA32PagedMemoryPae: No base Address Space >>>> IA32PagedMemory: No base Address Space >>>> MachOAddressSpace: MachO Header signature invalid >>>> MachOAddressSpace: MachO Header signature invalid >>>> LimeAddressSpace: Invalid Lime header signature >>>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile >>>> WindowsCrashDumpSpace64: Header signature invalid >>>> HPAKAddressSpace: Invalid magic found >>>> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid >>>> VMWareSnapshotFile: Invalid VMware signature: 0x1 >>>> WindowsCrashDumpSpace32: Header signature invalid >>>> AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM >>>> selected >>>> IA32PagedMemoryPae: Failed valid Address Space check >>>> IA32PagedMemory: Failed valid Address Space check >>>> FileAddressSpace: Must be first Address Space >>>> ArmAddressSpace: Failed valid Address Space check >>>> >>>> ________________________________________ >>>> 1.6 First attempt to debug >>>> >>>> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump >>>> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@.... >>>> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............ >>>> >>>> => >>>> magic: 0x4c69 4d45 -> LiME >>>> version: 0x0000 0001 -> 1 >>>> s_addr: 0x0000 0000 4000 0000 >>>> e_addr: 0x0000 0000 4fff ffff >>>> reserved: 0x0000 0000 0000 0000 >>>> >>>> => Address range is: >>>> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1' >>>> 268435456 >>>> >>>> But file size is much bigger: >>>> $ stat -c %s ~/android/dump/NexusS_2.3.6.dump >>>> 401604672 >>>> >>>> 268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!! >>>> >>>> >>>> >>>> >>>> ************************************************************ >>>> 2 Nexus S with Android 4.0.4 Ice Cream Sandwich >>>> >>>> ________________________________________ >>>> 2.1 Prepare the phone >>>> >>>> >>>> 2.1.0 Boot loader is unlocked >>>> >>>> >>>> 2.1.1 Get the factory image from [3] and flash it >>>> $ tar –zxvf soju-imm76d-factory-ca4ae9ee.tgz >>>> $ cd soju-imm76d >>>> $ adb reboot bootloader >>>> $ ./flash-all.sh >>>> >>>> >>>> 2.1.2 Start phone >>>> - as described before – >>>> >>>> $ cat /proc/version >>>> Linux version 3.0.8-g6656123 (android-build(a)vpbs1.mtv.corp.google.com) >>>> (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012 >>>> >>>> >>>> 2.1.3 Root the phone >>>> - as described before - >>>> >>>> ________________________________________ >>>> 2.2 Prepare LiME >>>> >>>> >>>> 2.2.1 Get the Samsung kernel source from AOSP [7] >>>> $ mkdir -p ~/android/kernel && cd $_ >>>> $ git clone https://android.googlesource.com/kernel/samsung.git >>>> $ cd samsung >>>> $ git checkout 6656123 >>>> >>>> >>>> 2.2.2 Setting Up a Build Environment with AOSP from [8] >>>> $ mkdir -p ~/android/aosp && cd $_ >>>> $ repo init -u https://android.googlesource.com/platform/manifest -b >>>> android-4.0.4_r1.1 >>>> $ repo sync >>>> $ . build/envsetup.sh >>>> $ lunch full_crespo-user >>>> >>>> Check compiler: >>>> $ arm-eabi-gcc --version >>>> arm-eabi-gcc (GCC) 4.4.3 >>>> >>>> Set environment variables: >>>> $ cd ~/android/kernel/samsung >>>> $ export ARCH=arm >>>> $ export SUBARCH=arm >>>> $ export CROSS_COMPILE=arm-eabi- >>>> >>>> >>>> 2.2.3 Compile the Samsung kernel >>>> - as described before - >>>> >>>> >>>> 2.2.4 Download LiME from [9] and Cross Compile >>>> - as described before - >>>> >>>> ________________________________________ >>>> 2.3 Dump volatile memory >>>> - as described before – >>>> >>>> $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump >>>> >>>> ________________________________________ >>>> 2.4 Build a Volatility Profile >>>> >>>> Get and build Volatility - as described before - >>>> >>>> $ zip >>>> ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip >>>> module.dwarf ~/android/kernel/samsung/System.map >>>> >>>> ________________________________________ >>>> 2.5 Examine the Memory Dump with Volatility >>>> >>>> $ cd ~/android/volatility/ >>>> $ >>>> $ python vol.py --info | grep Linux >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> linux_banner - Prints the Linux banner information >>>> linux_yarascan - A shell in the Linux memory image >>>> Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux >>>> _NexusS_2.3.6_GRK39F_ ARM >>>> Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux >>>> _NexusS_4.0.4_IMM76D_ ARM >>>> $ >>>> $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f >>>> ~/android/dump/NexusS_4.0.4.dump linux_pslist >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Offset Name Pid Uid Gid >>>> DTB Start Time >>>> ---------- -------------------- --------------- --------------- ------ >>>> ---------- ---------- >>>> No suitable address space mapping found >>>> Tried to open image as: >>>> - the rest as described before – >>>> >>>> ________________________________________ >>>> 2.6 First attempt to debug >>>> >>>> $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump >>>> 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@.... >>>> 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............ >>>> >>>> => >>>> magic: 0x4c69 4d45 -> LiME >>>> version: 0x0000 0001 -> 1 >>>> s_addr: 0x0000 0000 4000 0000 >>>> e_addr: 0x0000 0000 4fff ffff >>>> reserved: 0x0000 0000 0000 0000 >>>> >>>> => Address range is: >>>> $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1' >>>> 268435456 >>>> >>>> But file size is still bigger: >>>> $ stat -c %s ~/android/dump/NexusS_4.0.4.dump >>>> 325775424 >>>> >>>> 268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!! >>>> >>>> >>>> >>>> >>>> ************************************************************ >>>> 3 Links >>>> >>>> [1] https://developers.google.com/android/nexus/images\#soju >>>> [2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz >>>> [3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz >>>> [4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz >>>> [5] >>>> http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img >>>> [6] http://download.chainfire.eu/supersu >>>> [7] https://android.googlesource.com/kernel/samsung.git >>>> [8] https://android.googlesource.com/platform/manifest >>>> [9] http://lime-forensics.googlecode.com/svn/trunk/ >>>> [10] https://volatility.googlecode.com/svn/trunk/ >>>> _______________________________________________ >>>> Vol-users mailing list >>>> Vol-users(a)volatilityfoundation.org >>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users