Results 1 to 2 of 2

Thread: Problem regarding analysing android RAM using Volatility Share/Save - My123World.Com!

  1. #1

    Unhappy Problem regarding analysing android RAM using Volatility

    Hi,
    We have acquired RAM image of android phone using LiME & trying to analyze with volatility framework. We have downloaded volatility & now created a profile for our Android kernel.Till this it is working fine.But now we are stuck in the below command.Can some one please help

    python vol.py --profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psaux

    we are getting this o/p
    Volatility Foundation Volatility Framework 2.5
    Pid Uid Gid Arguments
    No suitable address space mapping found
    Tried to open image as:
    MachOAddressSpace: mac: need base
    LimeAddressSpace: lime: need base
    WindowsHiberFileSpace32: No base Address Space
    WindowsCrash*****pace64BitMap: No base Address Space
    WindowsCrash*****pace64: No base Address Space
    HPAKAddressSpace: No base Address Space
    VirtualBoxCoreDumpElf64: No base Address Space
    VMWareMetaAddressSpace: No base Address Space
    VMWareAddressSpace: No base Address Space
    QemuCoreDumpElf: No base Address Space
    WindowsCrash*****pace32: No base Address Space
    AMD64PagedMemory: No base Address Space
    IA32PagedMemoryPae: No base Address Space
    IA32PagedMemory: No base Address Space
    OSXPmemELF: No base Address Space
    MachOAddressSpace: MachO Header signature invalid
    MachOAddressSpace: MachO Header signature invalid
    LimeAddressSpace: Invalid Lime header signature
    WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
    WindowsCrash*****pace64BitMap: Header signature invalid
    WindowsCrash*****pace64: Header signature invalid
    HPAKAddressSpace: Invalid magic found
    VirtualBoxCoreDumpElf64: ELF Header signature invalid
    VMWareMetaAddressSpace: VMware metadata file is not available
    VMWareAddressSpace: Invalid VMware signature: 0xc0002588
    QemuCoreDumpElf: ELF Header signature invalid
    WindowsCrash*****pace32: Header signature invalid
    AMD64PagedMemory: Incompatible profile LinuxGT_S7582ARM selected
    IA32PagedMemoryPae: Failed valid Address Space check
    IA32PagedMemory: Failed valid Address Space check
    OSXPmemELF: ELF Header signature invalid
    FileAddressSpace: Must be first Address Space
    ArmAddressSpace: Failed valid Address Space check

    We have also tried other commands
    python vol.py --profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psscan

    but getting the error as below

    ERROR : volatility.debug : You must specify something to do (try -h)

  2. #2
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744
    Got no idea may be somebody else could help you.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •