Hi All,
Currently, I am using Volatility to analyze a LiME dump of an Android device and I get
the same error message as in the post about "No suitable address space mapping found"
(http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.…).
I have followed the steps as indicated in the Volatility Android memory forensics
instructions (https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed
them below the dotted line in this mail.
However, the error "No suitable address space mapping found" is showing.
Does anybody have any idea what is going wrong / what I am doing wrong? (Please see the
steps I have performed below.)
Winston
*****************************************
Steps I followed:
Memory research of Device : HTC One V
kernel device primou-ics-crc-3.0.16-133e482
Android : 4.0.3
Host system for Volatility: Ubuntu 13.04
Python 2.7.4 (default, Apr 19 2013, 18:32:33)
[GCC 4.7.3] on linux2
Steps as followed from
https://code.google.com/p/volatility/wiki/AndroidMemoryForensics
except for the emulator steps:
1. Downloaded LiME, cross-compiled LiME, built a *.ko file and created a
lime.dump (format=lime) file
2. Downloaded Volatility, created a zip profile
a. System.map retrieved from the device at /proc/kallsyms
b. Module.dwarf
$ head module.dwarf
.debug_info
<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C
4.7"> DW_AT_language<DW_LANG_C89>
DW_AT_name<"/android/volatility-2.2/tools/linux/module.c">
DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482">
DW_AT_stmt_list<0x00000000>
<1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8">
DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h>
DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>>
<1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">
<1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8">
DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h>
DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>>
<1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">
<1><0x41><DW_TAG_typedef> DW_AT_name<"__s16">
DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h>
DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>
<1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002>
DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">
3. Using Volatility 2.2; I have also tried Volatility 2.3-development and the latest
Volatility from svn co https://volatility.googlecode.com/svn/trunk (latest checkout on
9th of August 2013)
a. $ python vol.py info
LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86
b. Note, I implemented a workaround since my System.map (/proc/kallsyms) sometimes
contained four columns instead of three.
Part of my system.map file:
c0682d70 A _etext
bf005000 t dhd_sleep_pm_callback [bcmdhd]
Error:
File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line
86, in parse_system_map
(str_addr, symbol_type, symbol) = line.strip().split()
ValueError: too many values to unpack
Workaround:
Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87:
(str_addr, symbol_type, symbol) = line.strip().split()[0:3]  # added workaround
# (str_addr, symbol_type, symbol) = line.strip().split()  # original
c. $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Offset Name Pid Uid Start Time
---------- -------------------- --------------- --------------- ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType'
and 'long'
AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected
JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and
'long'
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and
'long'
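
Added example (not part of the original post, and not Volatility or LiME project code): a stand-alone Python check that walks the segment headers of a format=lime dump, so the file itself can be checked against the "Invalid Lime header signature" line in the output above. It assumes the LiME version 1 header layout (magic 0x4C694D45, version, start and end physical address, 8 reserved bytes) written little-endian; the function names and the sample dump are constructed for illustration.

```python
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45                 # "LiME"; little-endian on disk, so the bytes read b"EMiL"
LIME_HEADER = struct.Struct("<IIQQ8x")  # magic, version, s_addr, e_addr, 8 reserved bytes


def walk_lime_segments(stream):
    """Return [(start, end, data_offset)] per segment; raise ValueError on a bad dump."""
    total = stream.seek(0, io.SEEK_END)
    segments, offset = [], 0
    while offset < total:
        stream.seek(offset)
        raw = stream.read(LIME_HEADER.size)
        if len(raw) < LIME_HEADER.size:
            raise ValueError("truncated header at offset %#x" % offset)
        magic, version, start, end = LIME_HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic %#010x at offset %#x" % (magic, offset))
        if version != 1:
            raise ValueError("unexpected version %d at offset %#x" % (version, offset))
        if end < start:
            raise ValueError("end before start at offset %#x" % offset)
        data_offset = offset + LIME_HEADER.size
        offset = data_offset + (end - start + 1)   # address range is inclusive
        if offset > total:
            raise ValueError("segment %#x-%#x runs past end of file" % (start, end))
        segments.append((start, end, data_offset))
    if not segments:
        raise ValueError("empty file")
    return segments


def build_sample():
    """Constructed two-segment dump for the self-test; not data from a real device."""
    def seg(start, data):
        return LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1) + data
    return seg(0x10000000, b"\x00" * 64) + seg(0x20000000, b"\xff" * 32)


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    with src:
        for start, end, off in walk_lime_segments(src):
            print("segment %#010x-%#010x data at file offset %#x" % (start, end, off))
```

A file that fails at offset 0 with a bad magic was not written with format=lime (or was altered in transfer); a failure at a later offset points to a truncated or corrupted copy.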