Dear Everyone:
I have a problem about analysing an android memory these days.
I am new to android memory forensic,and i analyse the windows memory before.But
i think analysing an android memory may more interesting and valuable.
I have followed the url
"https://code.google.com/p/volatility/wiki/AndroidMemoryForensics#Build_a_Volatility_Profile"
,and i have done successfully.
Now, by useing lime i can get my android memory, my android is samsung9001, and
the memory file is ram.lime (almost 400M size).
But the problem is that: when i use volatility2.3_beta to analyse the android
memory , volatility can't identify the profle that i created.
The output is below:
Volatile Systems Volatility Framework 2.3_beta
Offset Name Pid Uid Gid DTB Start
Time
---------- -------------------- --------------- --------------- ------ ----------
----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile LinuxGolfishARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
and i use -dd option the output is:
yutruth@ubuntu:~/yutruth-android/volatility$ python vol.py --profile=Linuxsamsung9001ARM
-f ~/yutruth-android/ram.lime linux_pslist -dd
Volatile Systems Volatility Framework 2.3_beta
DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found dwarf file
home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 407 symbols
DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found system file
home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start
Time
---------- -------------------- --------------- --------------- ------ ----------
----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x6949190>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x18600040,
instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x6949150>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header
signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32:
PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic
found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware
signature: 0x0
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible
profile Linuxsamsung9001ARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid
Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid
Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: No suggestions available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid
Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Search the problem by google and i find some others have the same problem,but
i can't find the solution. By the way, i know few people submit the problem last
September and a week ago, and i know volatility can't support many Linux/android
profile now, but i have create the profile for my android and just volatility can't
identify:-(
I do these things under the ubuntu10.04 on the vmware, and i don't download
the newest dwarfdump, i just use " apt-get install dwarfdump" on the
ubuntu10.04, and i am sure the CC_PATH and some PATH Variable is true. I may think the
dwarf execute file is wrong.
Thanks for your attention and sorry for my english. The attachment are my
profile zip and dwarfdump execute file.
Hope to get your apply soon ^_^( I may be mad for the problem)
------------------
best wishes
yutruth
Show replies by date