Problem regarding analysing RAM using Volatility

Discussion in 'Android Help' started by mariyamjohn25, May 18, 2016.

  mariyamjohn25

    mariyamjohn25 Lurker
    Thread Starter
    Jan 19, 2016

    Jan 19, 2016
    We have acquired RAM image of android phone using LiME & trying to analyze with volatility framework. We have downloaded volatility & now created a profile for our Android kernel.Till this it is working fine.But now we are stuck in the below command.Can some one please help

    python vol.py --profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psaux

    we are getting this o/p
    Volatility Foundation Volatility Framework 2.5
    Pid Uid Gid Arguments
    No suitable address space mapping found
    Tried to open image as:
    MachOAddressSpace: mac: need base
    LimeAddressSpace: lime: need base
    WindowsHiberFileSpace32: No base Address Space
    WindowsCrashDumpSpace64BitMap: No base Address Space
    WindowsCrashDumpSpace64: No base Address Space
    HPAKAddressSpace: No base Address Space
    VirtualBoxCoreDumpElf64: No base Address Space
    VMWareMetaAddressSpace: No base Address Space
    VMWareAddressSpace: No base Address Space
    QemuCoreDumpElf: No base Address Space
    WindowsCrashDumpSpace32: No base Address Space
    AMD64PagedMemory: No base Address Space
    IA32PagedMemoryPae: No base Address Space
    IA32PagedMemory: No base Address Space
    OSXPmemELF: No base Address Space
    MachOAddressSpace: MachO Header signature invalid
    MachOAddressSpace: MachO Header signature invalid
    LimeAddressSpace: Invalid Lime header signature
    WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
    WindowsCrashDumpSpace64BitMap: Header signature invalid
    WindowsCrashDumpSpace64: Header signature invalid
    HPAKAddressSpace: Invalid magic found
    VirtualBoxCoreDumpElf64: ELF Header signature invalid
    VMWareMetaAddressSpace: VMware metadata file is not available
    VMWareAddressSpace: Invalid VMware signature: 0xc0002588
    QemuCoreDumpElf: ELF Header signature invalid
    WindowsCrashDumpSpace32: Header signature invalid
    AMD64PagedMemory: Incompatible profile LinuxGT_S7582ARM selected
    IA32PagedMemoryPae: Failed valid Address Space check
    IA32PagedMemory: Failed valid Address Space check
    OSXPmemELF: ELF Header signature invalid
    FileAddressSpace: Must be first Address Space
    ArmAddressSpace: Failed valid Address Space check

    We have also tried other commands
    python vol.py --profile=LinuxGT_S7582ARM -f /root/Desktop/space/ram.lime linux_psscan

    but getting the error as below

    ERROR : volatility.debug : You must specify something to do (try -h)


