I’ve followed the LiME documentation to cross compile the kernel and create a loadable kernel module to dump the volatile memory off a Google Glass XE12 running Linux version 3.0.31-23935-g01ccedd (android-build@vpba28.mtv.corp.google.com) (gcc version 4.4.3 (GCC)).

Initial attempts to install the loadable kernel module for LiME would error with:

dmesg output:
lime: disagrees about version of symbol sock_create_kern
lime: Unknown symbol sock_create_kern (err -22)
lime: disagrees about version of symbol sock_setsockopt
lime: Unknown symbol sock_setsockopt (err -22)
lime: disagrees about version of symbol sock_sendmsg
lime: Unknown symbol sock_sendmsg (err -22)

This is likely due to the version of symbols in the functions implemented in tcp.h in the LiME package. After modifying the LiME source code (main.c) to ignore all TCP constructs and to write directly to /sdcard, we were able to get ~1 GB (raw, padded, and lime formatted) memory dumps.

Here are the commands we issued to get the memory dumps:

insmod limed.ko "path=/sdcard/mem.lime format=lime"

insmod limed.ko "path=/sdcard/mem.raw format=raw"

insmod limed.ko "path=/sdcard/mem.padded format=padded"


Next we followed the documentation on the Volatility AndroidMemoryForensics wiki to create a profile using the Google Glass source code (omap) and dwarfdump.

Here is the Makefile we used:

obj-m += module.o
KDIR := /home/htora/Development/omap
CCPATH := /home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin
DWARFDUMP := /usr/bin/dwarfdump

-include version.mk

all: dwarf

dwarf: module.c
	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
	$(DWARFDUMP) -di module.ko > module.dwarf

Here are the results from running the Makefile:

make ARCH=arm CROSS_COMPILE=/home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi- -C /home/htora/Development/omap CONFIG_DEBUG_INFO=y M=/home/htora/install/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/home/htora/Development/omap'
  CC [M]  /home/htora/install/volatility-2.3.1/tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/htora/install/volatility-2.3.1/tools/linux/module.mod.o
  LD [M]  /home/htora/install/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/home/htora/Development/omap'
/usr/bin/dwarfdump -di module.ko > module.dwarf


As documented, we copied over the created module.dwarf file and the System.map file to the Volatility plugins directory and confirmed the profile exists.

root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.3.1.3543(T)
LinuxomapARM    - A Profile for Linux omap ARM
linux_banner            - Prints the Linux banner information
linux_yarascan          - A shell in the Linux memory image

However, using Volatility 2.3.1.3543 we are unable to parse the memory dump. Here are the results from running Volatility against the memory dump:

root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pslist
Volatility Foundation Volatility Framework 2.3.1.3543(T)
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------

Here is the debug output:

root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py -d --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pstree
Volatility Foundation Volatility Framework 2.3.1.3543(T)
DEBUG   : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from PoolTrackTagOverlay
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Name                 Pid             Uid            
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from PoolTrackTagOverlay
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes
WARNING : volatility.obj      : Overlay structure _POOL_TRACKER_TABLE not present in vtypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xacf38ac>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0xacf38ec>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0xc4fb96c>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 


Appreciate any guidance and help in this matter.

Thanks
--

Hamidullah Tora
Neustar, Inc. / Sr. Security Engineer – NeuCIRT
46000 Center Oak Plaza Sterling, VA 20166

Office: +1.571.434.3410 Mobile: +1.571.527.7859 
Pager: +1.571.247.1684 Fax: +1.571.434.5606 / hamidullah.tora@neustar.biz / www.neustar.biz
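
Added example, not part of the original message: a structural check of a format=lime dump such as mem.lime, walking the 32-byte LiME range headers (magic 0x4C694D45, version 1, inclusive start and end physical addresses) so the acquisition can be validated separately from the Volatility profile. The function names and the sample dump are constructed for illustration; little-endian byte order is assumed, as on the ARM target.

```python
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45              # stored little-endian, so bytes on disk read "EMiL"
HEADER = struct.Struct("<IIQQ8s")    # magic, version, s_addr, e_addr, reserved (32 bytes)

def parse_lime_ranges(stream):
    """Return [(s_addr, e_addr, data_offset)] for each range in a format=lime dump."""
    end = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    ranges = []
    while stream.tell() < end:
        offset = stream.tell()
        raw = stream.read(HEADER.size)
        if len(raw) < HEADER.size:
            raise ValueError("truncated header at offset %#x" % offset)
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack(raw)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("no LiME v1 header at offset %#x" % offset)
        if e_addr < s_addr:
            raise ValueError("range ends before it starts at offset %#x" % offset)
        size = e_addr - s_addr + 1          # e_addr is inclusive
        data_offset = stream.tell()
        if data_offset + size > end:
            raise ValueError("range %#x-%#x is truncated" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, data_offset))
        stream.seek(size, io.SEEK_CUR)      # skip the page data to the next header
    return ranges

def build_sample():
    """Constructed two-range dump (not data from the device in the message)."""
    out = b""
    for s_addr, size in ((0x80000000, 0x1000), (0x90000000, 0x200)):
        out += HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + size - 1, b"\0" * 8)
        out += b"\xAA" * size
    return out

if __name__ == "__main__":
    # With a path argument, check that file; otherwise run on the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    for s_addr, e_addr, off in parse_lime_ranges(src):
        print("phys %#010x-%#010x  %8d KiB  data at file offset %#x"
              % (s_addr, e_addr, (e_addr - s_addr + 1) // 1024, off))
```

A raw or padded dump carries no headers, so it fails the magic check at offset 0; only the format=lime file is expected to pass.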