Hello list,
After superb support from Joe the solution was found. In my case memory acquisition with LiME from a Nexus S to SD card did not work properly with direct IO. You can deactivate direct IO with insmod parameter "dio=0":
insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime dio=0"
Acquisition over TCP was not affected.
Philipp
Von: Joe Sylve <joe.sylve@gmail.com>
Gesendet: 4. August 2014 23:10:19 MESZ
An: "Philipp Wächter" <philipp.waechter@posteo.de>
CC: Andrew Case <atcuno@gmail.com>, "vol-users@volatilityfoundation.org" <vol-users@volatilityfoundation.org>
Betreff: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory acquisition and analysis
run this patch against the latest SVN and make sure you compile with debugging.
This patch won't actually dump any memory it'll just print a list of
all the ranges to dmesg
Does LiME see all three System RAM ranges?
On Mon, Aug 4, 2014 at 3:58 PM, Joe Sylve <joe.sylve@gmail.com> wrote:
This is very odd. I have no idea what could cause LiME to miss a
memory segment. Let me do some thinking on this.
On Sat, Aug 2, 2014 at 11:35 AM, Philipp Wächter
<philipp.waechter@posteo.de> wrote:
Hello,
It looks for me like the LiME dump is not complete.
Based on /proc/iomem I expect to find 3 segments in the LiME dump.
shell@android:/ $ cat /proc/iomem | grep -i ram
30000000-323fffff : System RAM
35000000-35ffffff : onedram
40000000-4b7aefff : System RAM
50000000-57efffff : System RAM
57f00000-57ffefff : ram_console
shell@android:/ $ cat /proc/iomem | head -n 7
30000000-323fffff : System RAM
30032000-3065afff : Kernel text
3065c000-307e154f : Kernel data
35000000-35ffffff : onedram
40000000-4b7aefff : System RAM
50000000-57efffff : System RAM
57f00000-57ffefff : ram_console
Is it correct to expect the 3 segments ...
(1) 30000000-323fffff
(2) 40000000-4b7aefff
(3) 50000000-57efffff
... in the LiME dump?
If I look into the LiME dump I see:
$ xxd -l 0x20 ~/android/dump/NexusS_4.0.4.dump
0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@....
0000010: ffef 7a4b 0000 0000 0000 0000 0000 0000 ..zK............
$ xxd -s $((0x20 + 0x4b7aefff - 0x40000000 + 1)) -l 0x20
~/android/dump/NexusS_4.0.4.dump
b7af020: 454d 694c 0100 0000 0000 0050 0000 0000 EMiL.......P....
b7af030: ffff ef57 0000 0000 0000 0000 0000 0000 ...W............
$ echo $(( 0x20 + 0xb7aefff + 1 + 0x20 + 0x7efffff + 1 ))
325775424
$ stat -c %s ~/android/dump/NexusS_4.0.4.dump
325775424
So there are only the segments
(2) 40000000-4b7aefff
(3) 50000000-57efffff
Is it sound to presume that in this case the LiME dump is flawed?
And if I have to presume that: What could have gone wrong?
Thanks,
Philipp
From: Masdif
Sent: Donnerstag, Juli 24, 2014 11:00PM
To: Andrew Case, Vol-users
Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory
acquisition and analysis
Hello Andrew,
Yes, I expect that it will take a little until first shipments arrive in
Europe/Germany. ;-)
Pasquales question in the other thread is interesting: Will there be an
ebook version provided for printed version buyers?
Back to the phone: Just talking about the currently installed 4.0.4 ICS:
1) Can you copy/paste uname -a from the phone
$ cat /proc/version
Linux version 3.0.8-g6656123 (android-build@vpbs1.mtv.corp.google.com)
(gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
I just also installed BusyBox 1.22.1 from Google Play:
$ uname -a
Linux localhost 3.0.8-g6656123 #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
armv7l GNU/Linux
2) Can you copy/paste building the profile (cmdline input/output)
$ make
make ARCH=arm
CROSS_COMPILE=~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
-C ~/android/kernel/samsung CONFIG_DEBUG_INFO=y
M=/home/hotblack/android/volatility/tools/linux modules
make[1]: Entering directory `/home/hotblack/android/kernel/samsung'
CC [M] /home/hotblack/android/volatility/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/hotblack/android/volatility/tools/linux/module.mod.o
LD [M] /home/hotblack/android/volatility/tools/linux/module.ko
make[1]: Leaving directory `/home/hotblack/android/kernel/samsung'
dwarfdump -di module.ko > module.dwarf
$
$ zip
~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip
module.dwarf ~/android/kernel/samsung/System.map
.dwarf ~/android/kernel/samsung/System.map
adding: module.dwarf (deflated 90%)
adding:
home/hotblack/android/kernel/samsung/System.map (deflated 73%)
3) Can you copy paste running Volatiltiy with the "-dd" option set
$ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f
~/android/dump/NexusS_4.0.4.dump -dd linux_pslist
Volatility Foundation Volatility Framework 2.3.1
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj :
Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found dwarf file module.dwarf with 442 symbols
DEBUG
: volatility.plugins.overlays.linux.linux:
_NexusS_4.0.4_IMM76D_: Found system file module.dwarf with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG :
volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid
DTB Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils :
Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x628e1d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid
Address 0x136AF040, instantiating lime_header
DEBUG :
volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x628e090>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x0
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace:
Must be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No
base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linux_NexusS_4_0_4_IMM76D_ARM
selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Regards,
Philipp
From: Andrew Case
Sent: Donnerstag, Juli 24, 2014 7:37PM
To: Masdif, Vol-users
Subject: Re: [Vol-users] Samsung GT-I9023 Google Nexus S memory
acquisition and analysis
Hello,
Where are you located? Some foreign countries seem to be having shipping
delays.
As for the phone analysis..
1) Can you copy/paste uname -a from the phone
2) Can you copy/paste building the profile (cmdline input/output)
3) Can you copy paste running Volatiltiy with the "-dd" option set
These will greatly help debug the issue.
Thanks,
Andrew (@attrc)
On 07/24/2014 10:00 AM, masdif wrote:
Hi all,
I pre-ordered “The Art of Memory Forensics” at March 22nd :-) and as of
today delivery is estimated for September 1st :-(. I really hope there
is a chapter about debugging the memory acquisition process. ;-)
Meanwhile may I kindly ask for your advice/hints how to debug the
following? I am not able to successfully acquire and analyze a Nexus S
Android memory dump.
Where could I start to look for errors?
How can I assure that the dump is valid?
How can I assure that the profile is valid?
Any hint is highly appreciated! :-)
Thank you,
Philipp
************************************************************
0 Where I failed :-(
Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide
version, i9020t and i9023)”:
2.3.6 (GRK39F)
4.0.4 (IMM76D)
4.1.2 (JZO54K)
Up to now I tried
the first two.
Just in case the two memory dumps as well as the two Volatility profiles
are available here:
https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA
************************************************************
1 Nexus S with Android 2.3.6 Gingerbread
1.1 Prepare the phone
1.1.0 Boot loader is unlocked:
$ adb reboot bootloader
$ fastboot oem unlock
1.1.1 Get the factory image from [2] and flash it
$ tar –zxvf soju-grk39f-factory-5ab09c98.tgz
$ cd soju-grk39f
$ adb reboot bootloader
$ ./flash-all.sh
1.1.2 Start phone
Click through the initial settings
Enable USB debugging
Get version info:
$ adb shell
$ cat /proc/version
Linux version 2.6.35.7-gf5f63ef
(android-build@apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1
PREEMPT Tue Aug 2 13:57:05 PDT 2011
1.1.3 Root the phone
Get custom recovery from [5] (…because otherwise ADB sideload SuperSU
won’t work) and flash custom recovery
$ adb reboot bootloader
$ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img
Get SuperSU from [6]
Sideload SuperSU
$ adb reboot bootloader
Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start
sideload”
$ adb sideload UPDATE-SuperSU-v2.01.zip
Reboot the phone
1.2 Prepare LiME
1.2.1 Get the Samsung kernel source from AOSP [7]
$ mkdir -p ~/android/kernel && cd $_
$ git clone https://android.googlesource.com/kernel/samsung.git
$ cd samsung
$ git checkout f5f63ef
1.2.2 Setting Up a Build Environment with AOSP from [8]
$ mkdir -p ~/android/aosp && cd $_
$ repo init -u https://android.googlesource.com/platform/manifest -b
android-2.3.6_r0.9
$ repo sync
$ . build/envsetup.sh
$ lunch full_crespo-user
Check compiler:
$ arm-eabi-gcc --version
arm-eabi-gcc (GCC) 4.4.3
Set environment variables:
$ cd ~/android/kernel/samsung
$ export ARCH=arm
$ export SUBARCH=arm
$ export CROSS_COMPILE=arm-eabi-
1.2.3 Compile the Samsung kernel
Configure the kernel:
$ make herring_defconfig
Build the Samsung kernel:
$ make
1.2.4 Download LiME from [9] and Cross Compile
$ mkdir -p ~/android && cd $_
$ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime
$ cd ~/android/lime/src
Edit Makefile
(I take CCPATH from printenv | grep arm-eabi )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR := ~/android/kernel/samsung
CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
PWD := $(shell pwd)
default:
$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD)
modules
$(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko
$(MAKE) tidy
tidy:
rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd
\.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
clean:
$(MAKE) tidy
rm -f *.ko
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Build LiME module:
$ make
1.3 Dump volatile memory
$ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko
Screen must be unlocked now in order to grant ADB shell root access
$ adb shell
$ su
# insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime"
# exit
$ exit
$ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump
1.4 Build a Volatility Profile
Get Volatility from [10]:
$ svn checkout https://volatility.googlecode.com/svn/trunk/
~/android/volatility
$ cd ~/android/volatility/tools/linux
Edit Makefile:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
obj-m += module.o
KDIR := ~/android/kernel/samsung
CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin
-include version.mk
all: dwarf
dwarf: module.c
$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR)
CONFIG_DEBUG_INFO=y M=$(PWD) modules
dwarfdump -di module.ko > module.dwarf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Build module:
$ make
Zip profile:
$ zip
~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip
module.dwarf ~/android/kernel/samsung/System.map
1.5 Examine the Memory Dump with Volatility
$ cd ~/android/volatility/
$
$ python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.3.1
Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
_NexusS_2.3.6_GRK39F_ ARM
linux_banner
- Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
$
$ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f
~/android/dump/NexusS_2.3.6.dump linux_pslist
Volatility Foundation Volatility Framework 2.3.1
Offset Name Pid Uid Gid
DTB Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x1
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM
selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
1.6 First
attempt to debug
$ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@....
0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............
=>
magic: 0x4c69 4d45 -> LiME
version: 0x0000 0001 -> 1
s_addr: 0x0000 0000 4000 0000
e_addr: 0x0000 0000 4fff ffff
reserved: 0x0000 0000 0000 0000
=> Address range is:
$ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
268435456
But file size is much bigger:
$ stat -c %s ~/android/dump/NexusS_2.3.6.dump
401604672
268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!!
************************************************************
2 Nexus S with Android 4.0.4 Ice Cream Sandwich
2.1 Prepare the phone
2.1.0 Boot loader is unlocked
2.1.1 Get
the factory image from [3] and flash it
$ tar –zxvf soju-imm76d-factory-ca4ae9ee.tgz
$ cd soju-imm76d
$ adb reboot bootloader
$ ./flash-all.sh
2.1.2 Start phone
- as described before –
$ cat /proc/version
Linux version 3.0.8-g6656123 (android-build@vpbs1.mtv.corp.google.com)
(gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012
2.1.3 Root the phone
- as described before -
2.2 Prepare LiME
2.2.1 Get the Samsung kernel source from AOSP [7]
$ mkdir -p ~/android/kernel && cd $_
$ git clone https://android.googlesource.com/kernel/samsung.git
$ cd samsung
$ git checkout 6656123
2.2.2 Setting Up a Build Environment with AOSP from [8]
$ mkdir -p ~/android/aosp && cd $_
$
repo init -u https://android.googlesource.com/platform/manifest -b
android-4.0.4_r1.1
$ repo sync
$ . build/envsetup.sh
$ lunch full_crespo-user
Check compiler:
$ arm-eabi-gcc --version
arm-eabi-gcc (GCC) 4.4.3
Set environment variables:
$ cd ~/android/kernel/samsung
$ export ARCH=arm
$ export SUBARCH=arm
$ export CROSS_COMPILE=arm-eabi-
2.2.3 Compile the Samsung kernel
- as described before -
2.2.4 Download LiME from [9] and Cross Compile
- as described before -
2.3 Dump volatile memory
- as described before –
$ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump
2.4 Build a Volatility Profile
Get and build Volatility - as described before -
$ zip
~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip
module.dwarf ~/android/kernel/samsung/System.map
2.5 Examine the Memory Dump with Volatility
$ cd ~/android/volatility/
$
$ python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.3.1
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux
_NexusS_2.3.6_GRK39F_ ARM
Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux
_NexusS_4.0.4_IMM76D_ ARM
$
$ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f
~/android/dump/NexusS_4.0.4.dump linux_pslist
Volatility Foundation Volatility Framework 2.3.1
Offset Name Pid Uid Gid
DTB Start
Time
---------- -------------------- --------------- --------------- ------
---------- ----------
No suitable address space mapping found
Tried to open image as:
- the rest as described before –
2.6 First attempt to debug
$ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump
0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@....
0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............
=>
magic: 0x4c69 4d45 -> LiME
version: 0x0000 0001 -> 1
s_addr: 0x0000 0000 4000 0000
e_addr: 0x0000 0000 4fff ffff
reserved: 0x0000 0000 0000 0000
=> Address range is:
$ python -c 'print int(0x4fffffff) - int(0x40000000) + 1'
268435456
But file size is still bigger:
$ stat -c %s ~/android/dump/NexusS_4.0.4.dump
325775424
268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!!
************************************************************
3 Links
[1] https://developers.google.com/android/nexus/images\#soju
[2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz
[3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
[4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz
[5]
http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img
[6] http://download.chainfire.eu/supersu
[7] https://android.googlesource.com/kernel/samsung.git
[8] https://android.googlesource.com/platform/manifest
[9] http://lime-forensics.googlecode.com/svn/trunk/
[10] https://volatility.googlecode.com/svn/trunk/
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users