Hi All,

 

Currently, I am using Volatility to analyze a LiME dump of an Android device, and I get the same error message as in the post about “no suitable address space mapping found” (http://lists.volatilesystems.com/pipermail/vol-users/2013-July/000942.html).

I have followed the steps as indicated in the Volatility Android memory forensics instructions (https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed them below the dotted line in this mail.

However, the error “No suitable address space mapping found” is showing.

Does anybody have any idea what is going wrong or what I am doing wrong? (Please see the steps I have performed below.)

 

 

Winston

 

*****************************************

Steps I followed:

 

Memory research of Device : HTC One V

kernel device primou-ics-crc-3.0.16-133e482

Android : 4.0.3

Host system for Volatility: Ubuntu 13.04

Python 2.7.4 (default, Apr 19 2013, 18:32:33)

[GCC 4.7.3] on linux2

 

 

Steps as followed from https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except for the emulator steps:

 

1. Downloaded LiME, cross-compiled LiME, built a *.ko file and created a lime.dump (format=lime) file

2. Downloaded Volatility, created a zip profile

   a. System.map retrieved from the device at /proc/kallsyms

   b. Module.dwarf

$ head module.dwarf

.debug_info

<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> DW_AT_stmt_list<0x00000000>
<1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>>
<1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">
<1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>>
<1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">
<1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>
<1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">

 

3. Using Volatility 2.2; I have also tried Volatility 2.3-development and the latest Volatility from svn co https://volatility.googlecode.com/svn/trunk (latest checkout on the 9th of August 2013)

   a. $ python vol.py --info

LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86

   b. Note: I implemented a workaround, since my system.map (/proc/kallsyms) sometimes contained four columns instead of three.

Part of my system.map file:

c0682d70 A _etext
bf005000 t dhd_sleep_pm_callback         [bcmdhd]

Error:

  File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map
    (str_addr, symbol_type, symbol) = line.strip().split()
ValueError: too many values to unpack

Workaround:

Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87:

        # Added workaround: keep only the first three columns
        # (address, type, symbol) and drop a fourth "[module]" column.
        (str_addr, symbol_type, symbol) = line.strip().split()[0:3]
        # (str_addr, symbol_type, symbol) = line.strip().split()  # original

c.       $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist

Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes
Offset     Name                 Pid             Uid             Start Time
---------- -------------------- --------------- --------------- ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected
JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'
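
Step 3b above describes /proc/kallsyms lines that carry a fourth "[module]" column. The following is an added example, not part of the original post and not Volatility's code: a standalone parser that accepts both line shapes, keeps module symbols apart from kernel symbols, and reports malformed lines instead of raising. The function name, regular expression and sample text are constructed for illustration.

```python
import re

# One /proc/kallsyms line: hex address, one-letter type, symbol name, and an
# optional "[module]" column for symbols that belong to a loadable module.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")


def parse_kallsyms(text):
    """Return (kernel_symbols, module_symbols, rejected_lines)."""
    kernel, modules, rejected = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            rejected.append((lineno, line))  # report it, do not raise
            continue
        str_addr, symbol_type, symbol, module = match.groups()
        entry = (int(str_addr, 16), symbol_type)
        if module is None:
            kernel.setdefault(symbol, []).append(entry)
        else:
            # Module symbols are kept per module, so a name that also exists
            # in the kernel proper cannot silently replace the kernel address.
            modules.setdefault(module, {}).setdefault(symbol, []).append(entry)
    return kernel, modules, rejected


# Constructed sample: the two lines quoted in the post plus one malformed line.
SAMPLE = """\
c0682d70 A _etext
bf005000 t dhd_sleep_pm_callback         [bcmdhd]
not a symbol line
"""

if __name__ == "__main__":
    kernel, modules, rejected = parse_kallsyms(SAMPLE)
    print("kernel symbols :", kernel)
    print("module symbols :", modules)
    print("rejected lines :", rejected)
```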
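
The output above includes "LimeAddressSpace: Invalid Lime header signature". As an added example (not part of the original post and not Volatility's code), this walks the segment headers of a format=lime file so the acquisition can be checked independently of any profile. It assumes the 32-byte little-endian range header documented by LiME (magic 0x4C694D45, version, start address, inclusive end address, 8 reserved bytes); the function names and sample bytes are constructed for illustration.

```python
import io
import struct

LIME_MAGIC = 0x4C694D45             # "LiME"; little-endian on disk: b"EMiL"
HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved


def walk_lime(stream):
    """Return (ranges, problem); ranges is [(start, end, data_offset)]."""
    stream.seek(0, io.SEEK_END)
    total = stream.tell()
    stream.seek(0)
    ranges = []
    while stream.tell() < total:
        offset = stream.tell()
        raw = stream.read(HEADER.size)
        if len(raw) < HEADER.size:
            return ranges, "truncated header at offset %d" % offset
        magic, version, start, end, _reserved = HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            return ranges, "bad magic 0x%08x at offset %d" % (magic, offset)
        if end < start:
            return ranges, "end before start at offset %d" % offset
        size = end - start + 1       # e_addr is the last byte of the range
        data_offset = offset + HEADER.size
        if data_offset + size > total:
            return ranges, "truncated data at offset %d" % data_offset
        ranges.append((start, end, data_offset))
        stream.seek(data_offset + size)
    return ranges, None


def make_segment(start, data):
    """Build one constructed LiME segment (header plus data) for the demo."""
    end = start + len(data) - 1
    return HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8) + data


# Constructed samples: a two-segment LiME image and a headerless raw image.
GOOD = make_segment(0x80000000, b"A" * 16) + make_segment(0x90000000, b"B" * 32)
RAW = b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("raw", RAW), ("cut", GOOD[:-1])):
        print(name, walk_lime(io.BytesIO(blob)))
```

On a real dump, open the file in binary mode and pass the file object to walk_lime; a non-None problem string gives the offset at which the header chain stops being valid.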