Question about Analyzing RAM Dump from a Google Pixel with Volatility #1042
Comments
Hi there, the Google Pixel is an ARM architecture handset, and unfortunately Volatility doesn't support the ARM, or AArch64, architecture yet. There was a small effort to work on this a few years ago, but it unfortunately didn't get very far. ARM has two page tables, unlike Intel which has only one. It is an ongoing research topic, but at the moment it means that Volatility won't be able to process a Google Pixel image.
Thank you for the detailed information. Do you know any alternative tools or methods that might be effective for analyzing the RAM of a Google Pixel device? I am particularly interested in detecting encryption keys in the RAM of a Google Pixel device.
I'm not aware of any tools that handle the ARM architecture for memory analysis, unfortunately, and even once they did, detecting encryption keys would be even more of a task. However, if you have the memory, you might be able to find it by just inspecting the dump if there are signatures that can identify the specific structure you're interested in. For something such as encryption keys, the operating system or very secure software may encrypt the memory itself. As such you could look for high entropy areas of the memory, but you'd also need to be sure that the keys weren't stored in another chip (the equivalent of a TPM for mobile phones). I believe the Pixels may include a Titan security chip, so there are a number of difficulties with such a request. Good luck in finding the answers you're after!
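The "look for high entropy areas" suggestion above, as an added example that is not from any participant in this thread or from the Volatility project: a sliding-window Shannon entropy scan over a raw dump that merges neighbouring hits into candidate regions. The dump, window size, step and threshold are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 when all 256 values are equally frequent."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def scan_high_entropy(dump: bytes, window: int = 256, step: int = 64, threshold: float = 6.5):
    """Slide a window over the dump; windows at or above the threshold are merged into
    (start, end, max_entropy) regions. A bare 32-byte key barely moves a 256-byte window,
    so this flags larger random-looking blocks (expanded key schedules, but equally
    compressed or encrypted pages): hits are candidates to triage, not confirmed keys."""
    regions = []
    for off in range(0, len(dump) - window + 1, step):
        h = shannon_entropy(dump[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:
            start, end, best = regions[-1]          # overlaps the previous hit: extend it
            regions[-1] = (start, off + window, max(best, h))
        else:
            regions.append((off, off + window, h))
    return regions


# Constructed stand-in for a memory dump (not a real Pixel image): 1 KiB of low-entropy
# text filler, 256 bytes of pseudo-random "key material" built from SHA-256 digests,
# 512 zero bytes, and another 512 bytes of filler.
FILLER = (b"com.android.systemui/.ImageWallpaper " * 32)[:1024]
KEY_OFFSET = len(FILLER)
KEY_MATERIAL = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(8))
DUMP = FILLER + KEY_MATERIAL + b"\x00" * 512 + FILLER[:512]

if __name__ == "__main__":
    for start, end, h in scan_high_entropy(DUMP):
        print(f"candidate region 0x{start:x}-0x{end:x}  max entropy {h:.2f} bits/byte")
```

On a real dump, read the file in page-sized chunks instead of holding it in memory, and expect hits from compressed and already-encrypted pages as well as from any key material.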
Hello, I allow myself to cite the previous Volatility2 ARM64 work ikelos pointed out, as it might help you: volatilityfoundation/volatility#726 Good luck :)
@ikelos Thank you once again. I completely agree that the task is indeed challenging, especially considering I am working with devices running another OS, which is a highly secure operating system installed on these phones. I even attempted to write a Python script to automate the search for encryption keys, but so far, it hasn't been successful. I'll continue exploring other methods ^^
@Abyss-W4tcher Thank you, I'll definitely explore that too! :)
Hello @fairyhuntress, do you still have access to the Google Pixel memory sample?
Hey @Abyss-W4tcher
Hello @Panchajanya1999, There is ongoing work in Pull Request #1088, as well as instructions on how to use it. There aren't official instructions on how to create the ISF (profile) for your specific device. If you already have the files but are missing the support, please try out the PR :).
This is what I get after trying your branch. Command I ran - Would be nice if you have a Discord or Telegram to discuss this matter. Thank you!
You can contact me on Volatility's Slack, and we'll investigate there :) I'll post a summary of the fixes here afterwards.
Can you link me the Slack please?
Here you go: https://www.volatilityfoundation.org/slack
Hi! Yes, I still have access to it, why?
How did you extract it? With LiME?
Hi, we are currently working on AArch64 support in PR #1088, which might solve your issue regarding the analysis of your Google Pixel. Feel free to check it out, instructions and details are available in the description. 👍
Hello,
I recently performed a RAM dump on a Google Pixel and I'm interested in analyzing this data. I would like to know if it's possible to analyze this RAM dump using Volatility. Is Volatility compatible with dumps from mobile devices like the Google Pixel, or is it limited to computer operating systems only? Any guidance or suggestions for the right approach to analyze this type of data would be greatly appreciated.
Thank you in advance for your assistance.