Maintaining Android in the enterprise
Risk Management
Volatility
Since version 2.2, Volatility has been available for Linux, as well as for Android and Mac OS X since the beta 2.3.1. Quickly creating a memory dump of the Android system proves more problematic than running Volatility. As on Linux, each kernel and each version of Android needs customized Lime drivers, and building them can frighten even die-hard Linux specialists. Thank goodness test images are available for Volatility [17].
If you download the Rodeo2012.tgz
file from the Google repository (link to DFRWS 2012 Rodeo
) and uncompress, you will find two files: Evo4GRodeo.lime
and Evo4G.zip
. The first is the memory dump created with Lime; the second is the profile [16], which according to the Volatility project, is copied to the plugins/overlays/linux
directory. If the profile matches the image, you can get started:
[root@pc]# vol.py --info | grep Linux Volatile Systems Volatility Framework 2.3_beta LinuxEvo4GARM - A Profile for Linux Evo4G ARM
Listing 5 shows the filesystems mounted at the time of the dump; the linux_dentry_cache
command helps you search for files, such as browser.db
, which is perhaps not stored on the hard disk.
Listing 5
Filesystems
01 [root@pc]# vol.py -f Evo4GRodeo.lime --profile=LinuxEvo4GARM linux_mount 02 Volatile Systems Volatility Framework 2.3_beta 03 WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes 04 tmpfs /app-cache tmpfs rw,relatime 05 tmpfs /mnt/obb tmpfs rw,relatime 06 tmpfs /mnt/asec tmpfs rw,relatime 07 /dev/block/vold/179:1 /mnt/secure/asec/.android_secure vfat rw,relatime,nosuid,nodev,noexec 08 /dev/block/mtdblock5 /cache yaffs2 rw,relatime,nosuid,nodev 09 /dev/block/mtdblock6 /data yaffs2 rw,relatime,nosuid,nodev 10 none /acct cgroup rw,relatime 11 tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime 12 htcfs /data/htcfs fuse rw,relatime,nosuid,nodev 13 /dev/block/vold/179:1 /mnt/sdcard vfat rw,relatime,nosuid,nodev,noexec 14 none /dev/cpuctl cgroup rw,relatime 15 tmpfs /dev tmpfs rw,relatime 16 devpts /dev/pts devpts rw,relatime 17 /dev/block/mtdblock4 /system yaffs2 ro,relatime 18 sysfs /sys sysfs rw,relatime 19 /sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 20 proc /proc proc rw,relatime
[root@pc]# vol.py -f Evo4GRodeo.lime \ --profile=LinuxEvo4GARM linux_dentry_cache> filelist
The filelist
file contains the information you need, but only in the body file format, which is a raw data format that MACB-Time (from Sleuth Kit) converts into a readable MACB format (mactime -d filelist > filelist.mac
). Figure 7 shows how a
grep browser.db filelist.mac
command line provides the desired information. Volatility then provides the number of inodes required for the administrator to restore a file:
[root@pc]# vol.py linux_find_file \ -F "/data/data/com.android.browser/databases/browser.db" [...] [root@pc]# vol.py linux_find_file -i 0xd3aebd20 -O browser.db
In contrast to Sleuth Kit, the virtual inode 0xd3aebd20
is used for identification purposes. You could use sqlitebrowser here, but the command line is also good for the analysis. Figure 8 shows a successful operation with sqlite3 browser.db
and the list of tables contained (.tables
). As you can see, the database obviously contains HTC bookmarks. They are revealed by a select * from htctopbookmarks;
(Listing 6).
Listing 6
select * from htctopbookmarks
01 1|HTC|http://www.htc.com/|2|11|h|ht|htc 02 2|Google|http://www.google.com/|2|11|g|go|goo 03 3|Facebook|http://www.facebook.com/|2|11|f|fa|fac 04 4|Yahoo!|http://www.yahoo.com/|2|11|y|ya|yah 05 5|YouTube|http://www.youtube.com/|2|11|y|yo|you 06 6|Windows Live|http://www.live.com/|2|11|l|li|liv 07 7|Wikipedia|http://www.wikipedia.org/|2|11|w|wi|wik 08 8|Blogger.com|http://www.blogger.com/|2|11|b|bl|blo 09 9|Baidu.com|http://www.baidu.com/|2|11|b|ba|bai 10 [...]
The Memory Dump Problem
If you want to create your own memory dumps, the process currently involves a huge amount of manual work related to source code, kernel, modules, and more. The following example describes a procedure that worked in our lab with Android 4.4 (KitKat uses kernel 3.4) and an HTC device. An illustrative – but not always consistent – guide from Google itself can be found online [18]. The prerequisite for success is the Android SDK, developer tools, and a cross compiler.
The example does not use the cross compiler from Google's Native Development Kit (NDK) [19], but the existing Ubuntu GNU cross compiler for ARM, because it was easier to talk this tool into cooperating. Just before a deadline, the authors received reports of success from employees of the Swiss Federal Office for Computer Science and Telecommunications, who managed to extract memory dumps using the NDK compiler. For Ubuntu, Listing 7 shows how to retrieve the Android kernel sources from Google's Git.
Listing 7
Preparations on Ubuntu
01 [root@pc]# aptitude install gcc-arm-linux-gnueabi 02 [...] 03 [root@pc]# git clone https://android.googlesource.com/kernel/goldfish.git /opt/android-source 04 [...] 05 [root@pc]# cd /opt/android-source/ 06 [root@pc]# git branch -a 07 * master 08 remotes/origin/HEAD -> origin/master 09 remotes/origin/android-goldfish-2.6.29 10 remotes/origin/android-goldfish-3.4 11 remotes/origin/linux-goldfish-3.0-wip 12 remotes/origin/master 13 [...] 14 [root@pc]# git checkout -t remotes/origin/android-goldfish-3.4 -b goldfish-3.4 15 [...] 16 [root@pc]# export ARCH=arm 17 [root@pc]# export SUBARCH=arm 18 [root@pc]# export CROSS_
Now for the tricky bit: Before you compile the kernel sources, you need the right config
for the kernel. This is zipped under /proc/config.gz
on most devices; other manufacturers make life difficult for the forensic scientist by not installing the file. You sometimes even have to grab it from the source code archives. If the configuration files cannot be found either in forums or in installable open source mods, your only remaining option is painstaking trial and error.
Such a file should also reside on each virtual guest machine (that can launch the SDK); in rare cases, you might even find the file you need in the smartphone recovery system. Once you overcome this hurdle, you can unpack and edit the config file. You typically just need to insert or edit the three MODULES
lines:
CONFIG_BASE_SMALL=0 CONFIG_MODULES=y CONFIG_MODULES_UNLOAD=y CONFIG_MODULES_FORCE_UNLOAD=y CONFIG_BLOCK=y
Next, save the file in the source directory and call Make. If the kernel resides in /opt/android-source/arch/arm/boot/
, for example, then the command (when run in this directory)
[root@pc]# svn checkout http://lime-forensics.googlecode.com/\ svn/trunk/lime-android
downloads the Lime driver for Android, including the Makefile for Linux environments, heralding the start of individual problems with the specific devices.
As a general rule, KDIR_GOLD := /opt/android-source
must point to the right path, but even the CROSS_COMPILE
instruction options differ from device to device. What the approaches have in common is that they both do
ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux -gnueabi
to invoke the cross compiler.
Loading the Lime Module
Referring to the example of an Android emulated by the SDK, Listing 8 shows how the Lime module ends up on the smartphone. Immediately after the module is loaded (once only, not on each restart; thus, insmod
instead of modprobe
), it saves a dump on the (virtual) SD card, which can be downloaded with the usual tricks.
Listing 8
Installing the Kernel and Lime Module
01 [root@pc]# emulator -avd goldfish -kernel /opt/android-source/arch/arm/boot/zImage -show-kernel -verbose 02 [root@pc]# adb push lime-goldfish.ko /sdcard/lime.ko 03 [root@pc]# adb shell 04 [shell@android]## insmod /sdcard/lime.ko "format=lime path=/sdcard/goldfish.lime"
Here, it makes sense to set up a Netcat connection (nc
), if only because the data transfer is faster than going through the SD card.
Even if all of these steps have worked, however, Volatility still needs the correct extensions. Similar to the Linux kernels in a previous article [16], you need to run Make to produce system.map
and module.dwarf
, which end up as ZIP files in the Volatility profile directory. After entering
zip Goldfish-3_4.zip module.dwarf /opt/android-source/System.map
Vol.py now finds the new profile named Goldfish (Figure 9).
After doing this and selecting the correct settings for your device in the makefiles and the kernel config, you can now start analyzing the memory dump. The command:
vol.py -f goldfish.lime \ --profile=LinuxGoldfish-3_4ARM linux_mount
lists the existing mounts, even on Android, as described above.
Buy this article as PDF
(incl. VAT)