Pulling Memory off an Android Device

HowTo!

Pulling memory off an android device is a valuable skill. Not to mention one that is somewhat a pain in the butt.  I spent a good amount of time with trying to follow the documentation of lime.  It is fairly well documented, however if you're new to the android sdk and new to compiling you may find yourself struggling a bit.

Volatility 2.3 is scheduled to be released this month, and with it, new modules for the android operating system.  This made me want to look into pulling a forensic memory image from my phone.

To begin, your phone HAS to be rooted. This may turn off a lot of corporate forensic investigators since corporate policy probably dictates that your phone isn't aloud to be rooted.  None the less, I will be going over the process of how to get LiME up and running.

The only thing i won't cover is installing Java JDK. That part is up to you. JDK 6 or 7 should both work fine.

After you have the JDK installed I would recommend making a new directory in your home directory

$ mkdir android

we will need the android adb tool. If you're on a debian-based machine you can likely grab it like so

$ sudo apt-get install android-tools-adb

(alternativly you can download the android sdk located here. The adb tool is located in the sdk/platform-tools)

Now we need to download the arm-eabi tool here

Note:
The arm-eabi tool is also inside the android NDK, but the NDK contains a lot of tools we won't be using. So why not just download this tool itself

Move the arm-eabi tar to your android directory then run the following

$ tar -xvf arm-eCross-eabi-2011-02-02.tar.gz

Lets make our lives ALOT easier and add our new tool to our path

$ export PATH=$PATH:/home/<your_username>/android/arm-eCross-eabi/bin

Note: If you close your terminal you will have to run the above command again

Now an annoying part. We have to find our device open source code online. Odds are your manufacturer has released it.  Just google for it. I'm using the droid charge in this case so i'll just google "droid charge opensource code" which brings me to Samsung's website where they host the code.

I download the code and move it to my android folder. Then i'll make a folder called source_code.

$ mkdir device_source
$ mv SCH-I510_OpenSource.zip device_source
$ cd device_source
$ unzip SCH-I510_OpenSource.zip

The zip contains multiple compressed files. One which is called SCH-I510_Kernel.tar.gz
This one is the only one I need as it contains the source code for my kernel.

$ tar -xvf SCH-I510_Kernel.tar.gz

So I now have my Kernel source folder in the following directory

~/android/device_source/Kernel 

Note that yours might be different. Just look for a folder called Kernel. It will probably exist somewhere.

One last thing to download and that is Lime.  Lime is kernel module we will compile to pull memory.  Download it here

Move it to your android folder, make a dir for it, then untar it.

$ mkdir lime
$ mv lime-forensics-1.1-r14.tar.gz lime
$ tar -xvf lime-forensics-1.1-r14.tar.gz

You should now have a directory called src. Great!

Now for the fun part!

We use the tool adb to interact with our android device. Make sure your rooted android device is plugged in to your computer via usb with debug mode enabled.  (Look for it. Something like settings>applications>developer>enable debugging mode)

Go into your Kernel directory for your phone source code that you unzipped

$ cd ~/android/device_source/Kernel

First we pull the kernal config using our adb tool. Adb will need to open a port. So run it as sudo

$ sudo adb pull /proc/config.gz

You should get something similar to
151 KB/s (13434 bytes in 0.086s)

Now we unzip it and rename and change it to a hidden file. (The compiler will be looking for this)

$ gunzip config.gz
$ mv config .config

Now we prepare the kernel source for our Mod. If you've been following this tutorial, the following command should work for you

$ make ARCH=arm CROSS_COMPILE=arm-eCross-eabi- modules_prepare

The compiler might throw a few complaints. So long as it doesn't tell you arm-eCross-eabi- is missing you should be good.  You will be prompted for y/n a few times. Just keep pressing enter until it's finished.

Now we must prepare the module for compilation.  Go into your lime src directory

$ cd ~/android/lime/src

Copy this into your Makefile. If you've followed this tutorial this should work. I had to tweak it a bit but It's what worked for me.


obj-m := lime.o
lime-objs := tcp.o disk.o main.o

KDIR := ~/android/device_source/Kernel

KVER := $(shell uname -r)

PWD := $(shell pwd)

default:
# compile for local system
$(MAKE) ARCH=arm CROSS_COMPILE=arm-eCross-eabi- -C $(KDIR) M=$(PWD) modules
strip --strip-unneeded lime.ko
mv lime.ko lime-$(KVER).ko

$(MAKE) tidy

tidy:
rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions

clean:
$(MAKE) tidy
rm -f *.ko

Up at the top make sure KDIR points to your Kernel source directory

and then type

$ make


And that ought to do it! You still might get some errors and an error that says

"strip: Unable to recognise the format of the input file `lime.ko'"

You should be fine. just do an "ls" and make sure the file lime.ko was created"

Now for the final steps.  Lets take our new kernel module we built and push it to our android device. This part is pretty much right out of the documentation.

$ sudo adb push lime.ko /sdcard/lime.ko

We will transfer over netcat and usb. Yes, I realize this is a confusing statement

Lets set up a port with adb

$ adb forward tcp:4444 tcp:4444

Now we will interact with our device's shell over adb

$ adb shell

Login as root

# su

and run our kernal module. We will use the lime format as the memory format. (volatility will support this in the future)

# cd /sdcard
# insmod lime.ko "path=tcp:4444 format=lime"

Your terminal will now hang. Adb will not start transferring the file until it has something to transfer too. Lets connect with netcat on our machine.  Open a new terminal and type

$ nc 127.0.0.1 4444 > memory.lime

Wait a few minutes depending on how much memory your phone has and bingo! You should now have a file called memory.lime on your system. String through it. Mess with it. Do whatever you want! Here is something you should note however

If you want to take memory off this phone again you need to remove our kernel module. Otherwise it will not work again (from my experience). It also may free up some space.

$ lsmod

Will show you that your module is running. To kill it type

$ rmmod lime

A big thank you to the guys who designed Lime. This tool is a beast and useful for more than just android.
Happy memory imaging!