Could you send us the profile you created? Also, could you re-run linux_pslist but add -dd before it and send us that output?

If the memory capture is something you are willing to share with the Vol devs then we can really debug the issue with the profile and help you get it sorted. We have an FTP server we could give you access to in order to upload it.

On Sun, Mar 10, 2013 at 7:00 PM, Pasquale Stirparo <pstirparo@gmail.com> wrote:
Hi,

I was wondering: did anyone ever manage to do an analysis with a real device? I know the answer is Yes.
The thing is that I've seen around many nice examples and tutorials working... but all of them with the emulator. The only real device sample "in the wild" seems to be the Evo4GRodeo samples from the DFRWS Challenge.

This time I'm pretty sure I did (almost?) everything right. Although if it doesn't work, probably it's not.
I've tried also with another smartphone other than the HTC One X, the Galaxy Nexus, getting the correct kernel version. No compilation errors, no module errors, no lime module crashing on the phone, no volatility profiles error, nothing. Everything (looks) right.

But still, when trying to run volatility I still keep getting empty results like this:

hydra:volatility-read-only paco$ python vol.py --profile=LinuxGalaxyNexus-3_0_1x86 -f ~/memdump/test-lime-4.7.lime linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------


Now I start wondering two things:
- Is it my lime dump the issue? the header looks fine, if I look inside with hexdump it seems reasonable, if I strings it I find my data.
- Is it the volatility profile? Maybe, because I've even tried to dump the memory of my Galaxy Nexus with FROST (which uses LiME) and the result looks the same. So I started believing my problem is in the profile, although I cannot seem to find any other way to understand where the problem could be.

So if anyone who successfully analyzed Android memory dumps from any real life device is willing to share his experience and/or Volatility profile, it would be great.

Thanks

P.

--
Pasquale Stirparo, MEng    
GCFA, OPST, OWSE, ECCE
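One check that separates "bad dump" from "bad profile" in a situation like the one described above is to walk the LiME container itself rather than eyeballing it with hexdump: every physical range LiME captured is preceded by a 32-byte header, and if any header is missing, has the wrong magic or version, or announces a range that the file does not actually contain, Volatility's LiME address space will map nothing and every plugin prints an empty table. The parser below is an added example written for this thread, not code from the thread, from Volatility or from the LiME project. It assumes the LiME version 1 on-disk layout (little-endian 4-byte magic 0x4C694D45, which shows up as the bytes `EMiL`, a 4-byte version, two 8-byte physical addresses with an inclusive end, and 8 reserved bytes), and the image it checks is constructed inside the block; point `main()` at a real `.lime` file to run it on a capture.

```python
"""Walk a LiME memory image and sanity-check each segment header.

Added example for this mailing-list thread; not Volatility or LiME code.
Assumes the LiME v1 layout: a 32-byte header (magic, version, start, end,
reserved) followed by the bytes of that inclusive physical address range.
"""
import struct
import sys

LIME_MAGIC = 0x4C694D45              # little-endian bytes b"EMiL" in a hexdump
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")    # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = HEADER.size            # 32 bytes


def parse_lime_segments(data):
    """Return a list of (start, end, size) for every segment in the image.

    Raises ValueError on a malformed or truncated header, which is exactly
    the kind of defect that makes Volatility return empty results.
    """
    segments = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER_SIZE:
            raise ValueError("truncated header at offset 0x%x" % offset)
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, offset))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at offset 0x%x" % (version, offset))
        if e_addr < s_addr:
            raise ValueError("end address below start address at offset 0x%x" % offset)
        size = e_addr - s_addr + 1           # LiME address ranges are inclusive
        present = len(data) - (offset + HEADER_SIZE)
        if present < size:
            raise ValueError("segment at 0x%x claims %d bytes but only %d are present"
                             % (offset, size, present))
        segments.append((s_addr, e_addr, size))
        offset += HEADER_SIZE + size
    return segments


def build_lime_image(ranges):
    """Construct a synthetic LiME image from (start_address, payload) pairs.

    Used here only to produce test input; a real capture comes from the device.
    """
    out = bytearray()
    for start, payload in ranges:
        end = start + len(payload) - 1
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += payload
    return bytes(out)


def describe(segments):
    """Format the segment list the way a quick triage report would show it."""
    lines = []
    for start, end, size in segments:
        lines.append("0x%016x-0x%016x  %d bytes" % (start, end, size))
    return "\n".join(lines)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:          # a real .lime capture
            data = fh.read()
    else:
        # Constructed two-segment image standing in for a device capture.
        data = build_lime_image([(0x80000000, b"A" * 64),
                                 (0x90000000, b"B" * 16)])
    try:
        print(describe(parse_lime_segments(data)))
    except ValueError as exc:
        print("not a usable LiME image: %s" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the walk completes and the ranges look like the phone's RAM layout (a handful of large contiguous regions), the container is sound and the profile is the next suspect; if it fails part-way, the capture was truncated or corrupted in transit and no profile will fix it.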