At first I thought that memory forensics was black magic. Whenever I tried to watch someone do memory forensics they ran this kinda weird and exotic command to dump the memory and walaaa, they got the source of the infection. I was like whatttttt the hell is happening ʕʘ̅͜ʘ̅ʔ.
So rather than staying here babbling about how hard memory forensics is, why not try it!
In this post I'm going to do memory forensic analysis with the infamous LiME framework from Volatility.
Before we get to the cool stuff let me briefly explain what memory forensics is. Simply put, memory forensics is the process of acquiring and analyzing volatile data (RAM). Experts use memory forensics to identify the source of an attack or a malware infection.
That's enough theory, let's get to the fun stuff (if you want to know more about memory forensics just google it, you dumb dumb!)
We are going to run an application, dump the memory from the Android emulator and try to analyze it (Maximum EFFORT!!!!). OKAY! Before you do the exercise I must warn you that the Android virtual machine I use is based on the ARM architecture, not x86. PLEASE! check your Android architecture using the "droidhardware" application.
There is a checklist you need to prepare:
1. The standalone binary of Volatility (link: https://www.volatilityfoundation.org/releases); I suggest that you choose the Linux distribution.
2. Download the official GitHub repository of the Python wrapper for Volatility. This post was inspired by the following GitHub repository (link: https://github.com/devopscrazy/AndroidForensics).
3. Extract the standalone binary zip into the androidforensic directory.
4. Make some changes to the androidforensic.py script file. This file is responsible for operating the LiME framework; make sure you change the variables of the script based on your environment.
   1. I changed the path_to_android_sdk variable based on my environment setup; I stored the Android SDK in the opt directory.
   2. I changed the emulator name because I had already made an emulator called "droidbox".
   3. I changed the path of the Volatility executable because in the original script the Volatility binary can only run in a macOS environment.
We are ready to go! First start the emulator:
Wait for a moment and after that you will be served with a fresh emulator loaded with the tools. When the emulator is ready, move on to installing the application we want to analyze (in this post I will use the eicar_safe.apk that I created in the previous post). Put it in the "myapp" directory so it gets loaded, and deploy the app.
After you are done deploying the app, let's start interacting with the application: just put some random commands into the application so they get executed.
Now that the application has run, let's dump the memory using the LiME option inside the tools. If you ever get the error "failed to copy remote Read-only filesystem" while dumping the memory, use the following commands to make the sdcard writable:
$ ./adb shell
$ su
# mount -o rw,remount rootfs /
# chmod 777 /mnt/sdcard
# exit
(link: https://stackoverflow.com/questions/2083709/android-emulator-sdcard-push-error-read-only-file-system)
This may take a while depending on the size of the memory inside the emulator (just wait patiently). So here is the problem!
I tried to run Volatility to extract the process memory from the dump. But unfortunately I just ran into a bug when Volatility tries to read the limeaddresspace.
I tried to read some posts about this bug but found no resolution to this problem. I'll try again next time; in the meantime, any thoughts guys on how to resolve this bug?
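Since the wrapper hands the dump file straight to Volatility, a first thing to check when LimeAddressSpace refuses a dump is whether the LiME segment headers in the file are actually intact (a dump cut short by a full sdcard or a failed pull produces exactly this kind of failure). The validator below is added here and is not part of the original post or the AndroidForensics repository; the 32-byte header layout (magic 0x4C694D45, version 1, inclusive start/end addresses, 8 reserved bytes) is LiME's own, and build_segment plus the sample dump in the usage are constructed for illustration.

```python
import struct

LIME_MAGIC = 0x4C694D45            # "LiME"; shows up as the bytes b"EMiL" in the file (little-endian)
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, start, end, reserved -> 32 bytes, packed


def parse_lime(data):
    """Walk a LiME dump and return [(start, end, data_offset)] per segment.

    Raises ValueError naming the offending file offset whenever a header is
    malformed or a segment runs past the end of the file, which is what a
    truncated or corrupted dump looks like to Volatility's LimeAddressSpace.
    """
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, start, end, _reserved = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d at offset 0x%x" % (version, off))
        if end < start:
            raise ValueError("segment end before start at offset 0x%x" % off)
        size = end - start + 1          # LiME address ranges are inclusive
        data_off = off + HEADER.size
        if data_off + size > len(data):
            raise ValueError("segment at offset 0x%x runs past end of file" % off)
        segments.append((start, end, data_off))
        off = data_off + size
    return segments


def build_segment(start, payload):
    """Constructed helper (not LiME's code): one segment = header + payload."""
    end = start + len(payload) - 1
    return HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\x00" * 8) + payload


if __name__ == "__main__":
    import sys
    # Usage: python lime_check.py ram.lime
    with open(sys.argv[1], "rb") as f:
        for s, e, _ in parse_lime(f.read()):
            print("segment 0x%016x-0x%016x (%d bytes)" % (s, e, e - s + 1))
```

Run it against the file the wrapper pulled from the emulator; if it reports a header or truncation error, the acquisition step is the problem, not Volatility.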
Thank you
Please tell which kernel module you have used, as LiME does not work otherwise. We must load a kernel module. We are working on obtaining a dump of memory but we are failing as no kernel module is loading.
Your help is highly appreciated.