MoVP II – 3.5 – Utilizing the kmem_cache for Android Memory Forensics
by Volatility | Jun 4, 2013 | android, forensics, kernel, linux, malware, movp, volatility
This post will discuss utilizing plugins that leverage the kmem_cache in order to perform deep memory forensics of Android devices. In previous Linux posts, we have briefly mentioned these plugins, but a full walk-through has not been done. Also, as we will see, these...

MoVP II – 3.4 – Checking the ARM (Android) System Call Table and Exception Vector Table for Signs of Rootkits
by Volatility | Jun 3, 2013 | android, forensics, malware, movp, volatility
In this post we are going to discuss two Volatility plugins that are specific to the ARM platform. Both of these plugins were contributed by Joe Sylve.

linux_check_syscall_arm

The first, linux_check_syscall_arm, enumerates each entry of the system call table to see if...

Automated Volatility Plugin Generation with Dalvik Inspector
by Volatility | May 31, 2013 | android, malware, s, volatility
Last month we covered new capabilities developed by 504ensics Labs that allowed for analysis of Dalvik instances within Volatility. This included a set of plugins as well as a GUI to explore the classes loaded into memory. We are writing an updated post as the GUI now...

MoVP II – 3.3 – Automated Linux/Android Bash History Scanning
by Volatility | May 31, 2013 | android, forensics, linux, movp, volatility
Recovering bash command history from Linux and Android memory dumps just got a lot easier. In previous releases of Volatility, extracting commands and the associated timestamps was possible, but with one caveat – you needed to know the offset into the /bin/bash...

MoVP II – 3.2 – Linux/Android Memory Forensics with Python and Yara
by Volatility | May 30, 2013 | android, forensics, kernel, linux, movp, volatility
In this post we will describe the Linux volshell and yarascan plugins. In previous releases of Volatility, these plugins only supported Windows samples, but starting with 2.3 you can interactively explore your Linux memory dumps (from a Python shell) or scan process...
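The system call table check that the MoVP II 3.4 teaser above introduces (linux_check_syscall_arm) comes down to one comparison per slot: the pointer stored in sys_call_table must be the address of the kernel's own handler as recorded in the profile's System.map, and a slot pointing anywhere else, typically into loadable-module memory outside the kernel text segment, has been hooked. The following is an added example modelling that check in plain Python; it is not the Volatility plugin's code. The System.map excerpt, the syscall-number-to-symbol mapping, the table image and the hook address 0xbf001000 are all constructed for the example.

```python
"""Added example: a model of the check that linux_check_syscall_arm performs.
This is not the plugin's code.  The idea: every slot of the kernel's
sys_call_table should hold the address of the kernel's own handler as
recorded in the profile's System.map.  A slot that points anywhere else
(typically into a loadable module's text, outside [_text, _etext)) has
been hooked.  32-bit ARM kernels are modelled here, so each slot is a
4-byte little-endian pointer.

Everything below is constructed for the example: the System.map excerpt,
the syscall-number-to-symbol mapping, and the table image itself.
"""
import struct

# Constructed System.map excerpt (address, type, symbol); the addresses are
# made up but laid out the way a 32-bit ARM map is.
SYSTEM_MAP = """\
c0008000 T _text
c0019a40 T sys_read
c0019b10 T sys_write
c001a2c0 T sys_open
c001a7f0 T sys_close
c05f0000 T _etext
c0300000 D sys_call_table
"""

# ARM EABI syscall numbers for the handlers in the excerpt above.
SYSCALL_NAMES = {3: "sys_read", 4: "sys_write", 5: "sys_open", 6: "sys_close"}
TABLE_SLOTS = 7   # slots 0..6 in this toy table


def parse_system_map(text):
    """Return {symbol: address} from System.map-style lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def build_table(symbols, hooks=None):
    """Construct a table image: the clean handler addresses, with the slots
    named in `hooks` ({number: address}) overwritten the way a rootkit would."""
    hooks = hooks or {}
    slots = [0] * TABLE_SLOTS
    for number, name in SYSCALL_NAMES.items():
        slots[number] = hooks.get(number, symbols[name])
    return struct.pack("<%dI" % TABLE_SLOTS, *slots)


def read_table(image, nslots=TABLE_SLOTS):
    """Decode nslots little-endian 32-bit pointers from the table image."""
    return list(struct.unpack_from("<%dI" % nslots, image))


def check_syscall_table(image, symbols):
    """Return a list of (number, name, actual, expected, reason) for every
    slot whose pointer is not the handler System.map says it should be."""
    text_start, text_end = symbols["_text"], symbols["_etext"]
    findings = []
    for number, actual in enumerate(read_table(image)):
        name = SYSCALL_NAMES.get(number)
        if name is None:   # slot not modelled here (real tables fill these with sys_ni_syscall)
            continue
        expected = symbols[name]
        if actual == expected:
            continue
        # Most hooks land outside the kernel's text segment; record that, but
        # report the mismatch even when the address is inside it.
        inside = text_start <= actual < text_end
        reason = "handler inside kernel text" if inside else "handler outside kernel text"
        findings.append((number, name, actual, expected, reason))
    return findings


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    # 0xbf001000 is a constructed hook address in the range a 32-bit ARM
    # kernel typically uses for loadable modules, i.e. outside the kernel image.
    image = build_table(syms, hooks={4: 0xBF001000})
    for number, name, actual, expected, reason in check_syscall_table(image, syms):
        print("syscall %d (%s): 0x%08x, expected 0x%08x: %s"
              % (number, name, actual, expected, reason))
```

The address-range test is deliberately secondary: a rootkit can redirect a slot to a different function inside the kernel image, so the comparison against the symbol address is what decides, and the text-segment check only annotates the finding.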