
I have some ARM memory dumps which I need to analyze and I wanted to use volatility.

After looking through the code, it seems that ARM is not supported yet. I am currently thinking about implementing ARM support for volatility.

https://github.com/volatilityfoundation/volatility

If anybody has experience with this tool and forensics..

What I am trying to do is support standard GNU/Linux 4.0-4.2 distros on ARMv6 and ARMv7. I want to be able to analyze memory dumps from as many consumer devices as possible.

My main questions are:

  • Is this doable?
  • If there are significant differences between the implementation for the ARMv6 architecture and the ARMv7 architecture, what problems would occur/what are the differences?

I want to offer nearly the same functionality as what currently exists for equivalent distros on x86.

Thanks in advance!

  • By "implementing ARM support" you mean that you want to extend it to handle images from a bunch of ARM7/ARM64/etc. platforms (Windows, Windows RT, iOS, Android, "normal" GNU/Linux, etc.)? – abarnert Aug 26 '18 at 17:21
  • Also, from the README, it looks like it already _does_ support ARM (at the very least, there's an `ArmAddressSpace`), it just doesn't have any profiles for any actual ARM platforms (and there likely won't be too many plugins available for whatever platform(s) you care about unless you port them). – abarnert Aug 26 '18 at 17:25
  • From a Python application-level program examining RAM on top of an operating system that fully supports Python, how is the target relevant? – old_timer Aug 26 '18 at 19:02
  • @abarnert Yes, that's pretty much it. I also already saw that someone already started it. I would concentrate on doing it for Linux to start with. Judging from your answer, that would probably mean that the implementation is different for all of these platforms and all of these architectures (at least some of them)? – itsec19932010 Aug 27 '18 at 08:33
  • @old_timer I'm sorry, I don't think I understand your question. – itsec19932010 Aug 27 '18 at 08:37
  • @old_timer I don’t think it’s about wanting to run on ARM, but rather about adding support for examining system and application structures from one or more ARM-based platforms. – abarnert Aug 27 '18 at 16:38
  • I think it would help to [edit] the question to make it clear that what you’re looking to do is to add support for some particular platform—like “support standard GNU/Linux 4.0-4.2 distros on ARM7 with at least a significant subset of the same functionality you get with the equivalent distro on x86”. That’s probably doable, but, even more important, it’s probably a concretely answerable question, especially if anyone has knowledge of the existing plugins for Linux, elf, GNU apps, etc. – abarnert Aug 27 '18 at 16:44
  • @abarnert Thanks for the patience! I edited the question and I hope it's clearer now what I am asking. – itsec19932010 Aug 27 '18 at 17:12
  • @itsec19932010 No problem; I think it was pretty clear that you had the seeds of a great question here, and the willingness to turn it into one, even if it's one I'm not sure I'm qualified to answer. My _guess_ is that it should be doable within the scope of a BS thesis project, but I haven't worked on forensics software since the 90s (and that was mostly reverse engineering private data structures, not following specs, which is a pretty different task), and I've only taken a very brief glimpse at what the existing plugins do. So, hopefully someone else can do more than guess. – abarnert Aug 27 '18 at 17:40
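The comments above point at the two pieces an ARM port needs: an address space that can walk the ARM page tables, and profiles that describe the kernel's data structures. The following is an added example (editor's code, not Volatility's `ArmAddressSpace`, and not the poster's work) showing the first piece in isolation: a translation walk over the 32-bit short-descriptor page-table format used by ARMv6 and by ARMv7-A without LPAE, run against a constructed 12 MiB "physical memory" image whose page tables are laid out by hand. The descriptor-type and base-address bits used here are the same on ARMv6 and ARMv7; what differs between the two are access-permission and subpage bits this walker ignores, and ARMv7's optional LPAE long-descriptor format (64-bit entries, three levels), which this code does not handle. All addresses, table placements and marker strings are constructed for the example.

```python
import struct

# Constructed 12 MiB "physical memory" image (not a real dump). Page tables are
# placed at fixed physical addresses so every translation can be checked by hand.
MEM_SIZE = 12 * 1024 * 1024
TTBR0 = 0x00004000      # L1 table: 4096 entries x 4 bytes, 16 KiB aligned
L2_TABLE = 0x00008000   # one coarse L2 table: 256 entries x 4 bytes, 1 KiB aligned


def w32(mem, pa, value):
    struct.pack_into("<I", mem, pa, value)


def r32(mem, pa):
    """Read a little-endian 32-bit descriptor; None if outside the image."""
    if pa + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, pa)[0]


def build_image():
    """Lay out L1/L2 tables plus a few marker strings in the constructed image."""
    mem = bytearray(MEM_SIZE)
    # VA 0x80000000-0x800FFFFF: 1 MiB section -> PA 0x00100000 (type 0b10)
    w32(mem, TTBR0 + 0x800 * 4, 0x00100000 | 0b10)
    # VA 0x80100000-0x801FFFFF: coarse page table at L2_TABLE (type 0b01)
    w32(mem, TTBR0 + 0x801 * 4, L2_TABLE | 0b01)
    # VA 0x80110000: 4 KiB small page -> PA 0x00300000 (L2 type 0b1x)
    w32(mem, L2_TABLE + 0x10 * 4, 0x00300000 | 0b10)
    # VA 0x80120000-0x8012FFFF: 64 KiB large page -> PA 0x00400000 (L2 type 0b01);
    # the descriptor must be replicated in all 16 L2 slots it covers
    for i in range(16):
        w32(mem, L2_TABLE + (0x20 + i) * 4, 0x00400000 | 0b01)
    # VA 0x81000000-0x81FFFFFF: 16 MiB supersection -> PA 0x00000000;
    # bit 18 set, replicated in the 16 consecutive L1 slots it covers
    for i in range(16):
        w32(mem, TTBR0 + (0x810 + i) * 4, 0x00000000 | (1 << 18) | 0b10)
    mem[0x00101234:0x00101238] = b"SECT"   # marker inside the section
    mem[0x00300ABC:0x00300AC0] = b"PAGE"   # marker inside the small page
    return mem


def translate(mem, ttbr, va):
    """Walk the short-descriptor tables for one VA; return PA or None on fault."""
    l1 = r32(mem, ttbr + (va >> 20) * 4)      # L1 indexed by VA[31:20]
    if l1 is None:
        return None
    kind = l1 & 0b11
    if kind in (0b00, 0b11):                   # translation fault / reserved
        return None
    if kind == 0b10:
        if l1 & (1 << 18):                     # supersection, 16 MiB
            pa = (l1 & 0xFF000000) | (va & 0x00FFFFFF)
            # extended physical address bits (PA[35:32] from bits [23:20],
            # PA[39:36] from bits [8:5]); zero for the <4 GiB case shown here
            pa |= ((l1 >> 20) & 0xF) << 32
            pa |= ((l1 >> 5) & 0xF) << 36
            return pa
        return (l1 & 0xFFF00000) | (va & 0x000FFFFF)   # section, 1 MiB
    # kind == 0b01: coarse page table, 256 entries indexed by VA[19:12]
    l2 = r32(mem, (l1 & 0xFFFFFC00) + ((va >> 12) & 0xFF) * 4)
    if l2 is None or (l2 & 0b11) == 0b00:
        return None
    if (l2 & 0b11) == 0b01:                    # large page, 64 KiB
        return (l2 & 0xFFFF0000) | (va & 0x0000FFFF)
    return (l2 & 0xFFFFF000) | (va & 0x00000FFF)        # small page, 4 KiB


def read_virtual(mem, ttbr, va, length):
    """Read `length` bytes at VA, page by page; None if any page is unmapped."""
    out = bytearray()
    while length > 0:
        pa = translate(mem, ttbr, va)
        if pa is None or pa >= len(mem):
            return None
        chunk = min(length, 0x1000 - (va & 0xFFF))   # stop at the page boundary
        out += mem[pa:pa + chunk]
        va += chunk
        length -= chunk
    return bytes(out)


if __name__ == "__main__":
    mem = build_image()
    for va in (0x80001234, 0x80110ABC, 0x80123456, 0x81ABCDEF, 0x80130000):
        print(hex(va), "->", translate(mem, TTBR0, va))
    print(read_virtual(mem, TTBR0, 0x80001234, 4), read_virtual(mem, TTBR0, 0x80110ABC, 4))
```

An address space built on this walk still needs the TTBR value, which on a real dump has to be recovered from the kernel (for Linux, the physical address of `swapper_pg_dir` is what a profile supplies), and the reads must be done page by page as `read_virtual` does, because a buffer that is contiguous in virtual memory is usually scattered across physical pages.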
