Problem regarding v...
 
Notifications
Clear all

Problem regarding volatility framework

2 Posts
2 Users
0 Likes
1,243 Views
(@karishma)
Posts: 3
New Member
Topic starter
 

Hi,
We have acquired RAM image of android phone using LiME & trying to analyze with volatility framework. We have downloaded volatility & now created a profile for our Android kernel.Till this it is working fine.But now we are stuck in the below command.Can some one please help

python vol.py –profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psaux

we are getting this o/p
Volatility Foundation Volatility Framework 2.5
Pid Uid Gid Arguments
No suitable address space mapping found
Tried to open image as
MachOAddressSpace mac need base
LimeAddressSpace lime need base
WindowsHiberFileSpace32 No base Address Space
WindowsCrashDumpSpace64BitMap No base Address Space
WindowsCrashDumpSpace64 No base Address Space
HPAKAddressSpace No base Address Space
VirtualBoxCoreDumpElf64 No base Address Space
VMWareMetaAddressSpace No base Address Space
VMWareAddressSpace No base Address Space
QemuCoreDumpElf No base Address Space
WindowsCrashDumpSpace32 No base Address Space
AMD64PagedMemory No base Address Space
IA32PagedMemoryPae No base Address Space
IA32PagedMemory No base Address Space
OSXPmemELF No base Address Space
MachOAddressSpace MachO Header signature invalid
MachOAddressSpace MachO Header signature invalid
LimeAddressSpace Invalid Lime header signature
WindowsHiberFileSpace32 PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap Header signature invalid
WindowsCrashDumpSpace64 Header signature invalid
HPAKAddressSpace Invalid magic found
VirtualBoxCoreDumpElf64 ELF Header signature invalid
VMWareMetaAddressSpace VMware metadata file is not available
VMWareAddressSpace Invalid VMware signature 0xc0002588
QemuCoreDumpElf ELF Header signature invalid
WindowsCrashDumpSpace32 Header signature invalid
AMD64PagedMemory Incompatible profile LinuxGT_S7582ARM selected
IA32PagedMemoryPae Failed valid Address Space check
IA32PagedMemory Failed valid Address Space check
OSXPmemELF ELF Header signature invalid
FileAddressSpace Must be first Address Space
ArmAddressSpace Failed valid Address Space check

We have also tried other commands
python vol.py –profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psscan

but getting the error as below

ERROR volatility.debug You must specify something to do (try -h)

 
Posted : 18/05/2016 12:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi,
We have acquired RAM image of android phone using LiME & trying to analyze with volatility framework.

Are you sure you got the dump in Lime format (and not - by mistake - in the Raw one)?
Try running limeinfo on the image/dump
https://github.com/volatilityfoundation/volatility/issues/174

jaclaz

 
Posted : 18/05/2016 2:12 pm
Share: