I’ve followed the LiME documentation to cross compile the kernel and create a loadable
kernel module to dump the volatile memory off a Google Glass XE12 running Linux version
3.0.31-23935-g01ccedd (android-build(a)vpba28.mtv.corp.google.com) (gcc version 4.4.3
(GCC)).
Initial attempts to install the loadable kernel module for LiME would error with:
dmesg output:
…
lime: disagrees about version of symbol sock_create_kern
lime: Unkonwn symbol sock_create_kern (err -22)
lime: disagrees about version of symbol sock_setsockopt
lime: Unknown symbol sock_setsockopt (err -22)
lime: disagrees about version of symbol sock_sendmsg
lime: Unkonwn symbol sock_sendmsg (err -22)
…
This is likely due to the version of the symbols in the functions implemented in tcp.h in the LiME package. After modifying the LiME source code (main.c) to ignore all TCP constructs and to write directly to /sdcard, we were able to get ~1 GB memory dumps (raw, padded, and lime formatted).
Here are the commands we issued to get the memory dumps:
insmod limed.ko "path=/sdcard/mem.lime format=lime"
insmod limed.ko "path=/sdcard/mem.raw format=raw"
insmod limed.ko "path=/sdcard/mem.padded format=padded"
Next we followed the documentation on Volatility AndroidMemoryForensics Wiki to create a
profile using the Google Glass source code (omap) and dwarfdump.
Here is the Makefile we used:
obj-m += module.o
KDIR := /home/htora/Development/omap
CCPATH := /home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin
DWARFDUMP := /usr/bin/dwarfdump
-include version.mk
all: dwarf
dwarf: module.c
	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
	$(DWARFDUMP) -di module.ko > module.dwarf
Here are the results from running the Makefile:
make ARCH=arm CROSS_COMPILE=/home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi- -C /home/htora/Development/omap CONFIG_DEBUG_INFO=y M=/home/htora/install/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/home/htora/Development/omap'
CC [M] /home/htora/install/volatility-2.3.1/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/htora/install/volatility-2.3.1/tools/linux/module.mod.o
LD [M] /home/htora/install/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/home/htora/Development/omap'
/usr/bin/dwarfdump -di module.ko > module.dwarf
As documented, we copied over the created module.dwarf file and the System.map file to the
Volatility plugins directory and confirmed the profile exists.
root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.3.1.3543(T)
LinuxomapARM - A Profile for Linux omap ARM
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
However, using Volatility 2.3.1.3543 we are unable to parse the memory dump. Here are the results from running Volatility against the memory dump:
root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pslist
Volatility Foundation Volatility Framework 2.3.1.3543(T)
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
Offset Name Pid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
Here is the debug output:
root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py -d --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pstree
Volatility Foundation Volatility Framework 2.3.1.3543(T)
DEBUG : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols
DEBUG : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from PoolTrackTagOverlay
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Name Pid Uid
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols
DEBUG : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from PoolTrackTagOverlay
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xacf38ac>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0xacf38ec>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0xc4fb96c>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
Appreciate any guidance and help in this matter.
Thanks
--
Hamidullah Tora
Neustar, Inc. / Sr. Security Engineer – NeuCIRT
46000 Center Oak Plaza Sterling, VA 20166
Office: +1.571.434.3410 Mobile: +1.571.527.7859
Pager: +1.571.247.1684 Fax: +1.571.434.5606 /
hamidullah.tora@neustar.biz / www.neustar.biz
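An added example, not part of the original post and not LiME's or Volatility's own code: a stand-alone parser for the `format=lime` dump produced by the insmod command above. It walks the 32-byte per-range headers (magic, version, start, end, reserved) that Volatility's LimeAddressSpace relies on, and reports a range whose payload is shorter than its header promises, which is the first thing to check on a dump written straight to /sdcard by a patched module. The sample bytes are constructed inline.

```python
import struct

LIME_MAGIC = 0x4C694D45              # reads as "EMiL" in a little-endian dump
LIME_HDR = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
HDR_LEN = LIME_HDR.size              # 32 bytes


def lime_ranges(data):
    """Walk a LiME dump; return [(start, end, payload_len, complete), ...].

    Each physical range is a header followed by end - start + 1 payload
    bytes (the range is inclusive).  A range with fewer payload bytes than
    that is reported as incomplete and the walk stops, since any header
    after a truncated range cannot be trusted.
    """
    ranges = []
    off = 0
    while off + HDR_LEN <= len(data):
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end precedes start at offset %d" % off)
        expected = e_addr - s_addr + 1
        got = min(expected, len(data) - off - HDR_LEN)
        ranges.append((s_addr, e_addr, got, got == expected))
        if got != expected:
            break
        off += HDR_LEN + expected
    if off != len(data) and (not ranges or ranges[-1][3]):
        # bytes left over that do not form a full header: trailing garbage
        raise ValueError("trailing %d bytes after last range" % (len(data) - off))
    return ranges


def make_range(start, payload):
    """Build one LiME range (header + payload); used to construct test input."""
    end = start + len(payload) - 1
    return LIME_HDR.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + payload


# Constructed sample: two small ranges, the second cut short 40 bytes in,
# as happens when the output file system fills up mid-range.
SAMPLE = (make_range(0x80000000, b"A" * 64)
          + make_range(0x90000000, b"B" * 64)[:HDR_LEN + 40])

if __name__ == "__main__":
    for s, e, n, ok in lime_ranges(SAMPLE):
        print("0x%08x-0x%08x %3d bytes %s" % (s, e, n, "complete" if ok else "TRUNCATED"))
```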