Re: [Vol-users] custom Android profile: No suitable address space

Hi All,**** ** ** Currently, I am using Volatility to analyze a lime dump of an Android device and I have the same error message as the post of the ”no suitable address space mapping found” ( http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.… ).**** ** ** I have followed the steps as indicated in the Volatility Android memory forensic instructions ( https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed them below the dotted line in this mail. **** However, the error “No suitable address space mapping found ” is showing. **** ** ** Anybody have any idea what is going / I am doing wrong ? (please see the steps I have performed below)**** ** ** ** ** Winston **** ** ** ********************************************* Steps I followed:**** ** ** Memory research of Device : HTC One V**** kernel device primou-ics-crc-3.0.16-133e482**** Android : 4.0.3**** Host system for Volatility: Ubuntu 13.04**** Python 2.7.4 (default, Apr 19 2013, 18:32:33) **** [GCC 4.7.3] on linux2**** ** ** ** ** Steps as followed from https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except for the emulator steps:**** ** ** **1. **Downloaded lime, cross compiled lime and build a *.ko file and created a lime.dump (format=lime) file**** **2. **Downloaded Volatility, created a zip profile **** **a. **System.map retrieved from the device at /proc/kallsyms**** **b. **Module.dwarf **** $ head module.dwarf **** ** ** .debug_info**** ** ** <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> DW_AT_stmt_list<0x00000000>**** <1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>>**** <1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">**** <1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>>**** <1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">**** <1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>**** <1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">**** ** ** **3. **Using Volatility 2.2 and I have tried volatility 2.3-development and the latest volatility from svn co https://volatility.googlecode.com/svn/trunk (latest check out at 9th of august 2013)**** **a. **$ python vol.py –info **** LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86**** **b. **Note, I implemented a work around since my system.map / proc/kallsyms sometimes contained four columns instead of 3. **** Part of my system.map file:**** c0682d70 A _etext**** bf005000 t dhd_sleep_pm_callback [bcmdhd]**** Error: **** File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map**** (str_addr, symbol_type, symbol) = line.strip().split()**** ValueError: too many values to unpack**** Work around :**** Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87: **** (str_addr, symbol_type, symbol) = line.strip().split()[0:3] //added work around **** #(str_addr, symbol_type, symbol) = line.strip().split() // original**** **c. **$ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist**** Volatile Systems Volatility Framework 2.3_alpha**** WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes**** Offset Name Pid Uid Start Time **** ---------- -------------------- --------------- --------------- ---------- **** No suitable address space mapping found**** Tried to open image as:**** MachOAddressSpace: mac: need base**** LimeAddressSpace: lime: need base**** WindowsHiberFileSpace32: No base Address Space**** WindowsCrashDumpSpace64: No base Address Space**** WindowsCrashDumpSpace32: No base Address Space**** JKIA32PagedMemoryPae: No base Address Space**** AMD64PagedMemory: No base Address Space**** JKIA32PagedMemory: No base Address Space**** IA32PagedMemoryPae: Module disabled**** IA32PagedMemory: Module disabled**** MachOAddressSpace: MachO Header signature invalid**** MachOAddressSpace: MachO Header signature invalid**** LimeAddressSpace: Invalid Lime header signature**** WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile**** WindowsCrashDumpSpace64: Header signature invalid**** WindowsCrashDumpSpace32: Header signature invalid**** JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'**** AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected*** * JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'**** IA32PagedMemoryPae: Module disabled**** IA32PagedMemory: Module disabled**** FileAddressSpace: Must be first Address Space**** ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'**** **** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users