Thank you Pasquale,
much appreciated!
May I ask questions?
1. Referring to the eBay example in your paper (Table II):
You looked at
0x0000b000 0x003d1000 [heap]
0x409b2000 0x42124000 /dev/ashmem/dalvik-heap
But what about
0x42124000 0x449b2000 /dev/ashmem/dalvik-heap
0x46e02000 0x46e03000 /dev/ashmem/SurfaceFlinger
1a) Why are there two Dalvik heaps?
1b) Is there any work known about the SurfaceFlinger heap
so far? If I understood correctly, the SurfaceFlinger
prepares an application's screen before it becomes visible
to the user. Any interesting data (visualization) to
expect here? (...if there were a Volatility plugin to
decode it)
2. Did I understand you correctly that you investigated the heap only?
What were the reasons to not look at the stack?
Best regards,
Philipp
________________________________________________________________
From: Pasquale Stirparo
Sent: Friday, May 30, 2014 3:02PM
To: Masdif
Cc: Joe Sylve, Andrew Case, Vol-users
Subject: Re: [Vol-users] LiME in real world Android forensics
Hi Philipp
If you are interested, also take a look at my publication of 2013 on
retrieving user credentials from Android memory
"Data-in-use leakages from Android Memory"
http://scholar.google.it/scholar?cluster=12705537352149207082&hl=en&…
Cheers
P.