Hello,
You do need the System.map file (or at least the subset of values that
Volatility uses from it). We are currently exploring ways to reduce
this dependency, but there is no timeframe for when it may be done as
it requires a bit of extra research and is proving somewhat difficult.
On Wed, Oct 2, 2013 at 9:52 PM, Quentin Chaki Cha <quenberry(a)hotmail.com> wrote:
Hi guys, I'm working on a project to analyze memory dumps of Android devices
with Volatility. But it seems that it isn't possible to do so if the source
code does not provide me with the System.map file. I can't compile my own
System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER"
(this would give me inaccurate addresses) nor can I use the /proc/kallsyms
(this does not have symbols required for Volatility to prepare) file from
the Android device itself. I just wanna verify, is it actually still
possible for me to use Volatility to analyze this memory dump if the
System.map file wasn't distributed with the headers/source? Thanks.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users