An Introduction to Mac memory forensics

Published: 2016-04-26
Last Updated: 2016-04-26 17:57:41 UTC
by Basil Alawi S.Taher (Version: 1)

Unfortunately, when it comes to memory forensics, the Mac environment does not offer the luxury of tooling that we have on Windows.

The first step of memory forensics is capturing the memory. On Windows we have many tools to achieve this; on a Mac we have very few options.

OSXPmem is the only available option for memory capture that supports El Capitan:

https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip

Now let's sudo su and extract osxpmem_2.0.1.zip.

Now cd to the osxpmem.app folder:

cd osxpmem.app/

Now change the owner of the MacPmem.kext folder (kextload refuses to load an extension that is not owned by root:wheel, which is why this step is needed):

chown -R root:wheel MacPmem.kext/

Now load the kernel extension:

kextload MacPmem.kext/

And now you can capture the memory:

./osxpmem -c none -o mem.dump

The -c option selects the compression type; here I used none.

Now we have the memory image ready for some testing.

In this diary I will use bulk_extractor to carve data from the memory image:

bulk_extractor -o bulkdir/ mem.dump

The -o option specifies where we want to save the output. Now let's see what bulk_extractor carved from the memory image:

ls -lS bulkdir/

total 1520
-rw-r--r--  1 root  staff  398534 Apr 26 15:49 zip.txt
-rw-r--r--  1 root  staff  202338 Apr 26 15:49 url.txt
-rw-r--r--  1 root  staff  104701 Apr 26 15:49 domain.txt
-rw-r--r--  1 root  staff   32010 Apr 26 15:49 report.xml
-rw-r--r--  1 root  staff    1680 Apr 26 15:49 exif.txt
-rw-r--r--  1 root  staff    1030 Apr 26 15:49 url_histogram.txt
-rw-r--r--  1 root  staff     878 Apr 26 15:49 rfc822.txt
-rw-r--r--  1 root  staff     493 Apr 26 15:49 email.txt
-rw-r--r--  1 root  staff     427 Apr 26 15:49 domain_histogram.txt
-rw-r--r--  1 root  staff     350 Apr 26 15:49 url_services.txt
-rw-r--r--  1 root  staff     205 Apr 26 15:49 email_histogram.txt
-rw-r--r--  1 root  staff     191 Apr 26 15:49 email_domain_histogram.txt
-rw-r--r--  1 root  staff       0 Apr 26 15:48 aes_keys.txt
-rw-r--r--  1 root  staff       0 Apr 26 15:48 alerts.txt

Now let's examine some of these files.

First, the domain_histogram.txt file:

# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821   www.apple.com
n=218   crl.apple.com
n=4     www.iec.ch
n=4     www.w3.org
n=3     3.2.1.3
n=2     aff4.org
n=2     bugreporter.apple.com
n=2     lists.sourceforge.net
n=2     schemas.xmlsoap.org
n=2     support.apple.com
n=2     www.ietf.org
n=1     2.0.2.3
n=1     4.2.6.1
n=1     6.4.0.7
n=1     tempuri.org

The n stands for the number of hits found in the memory image.

And email_domain_histogram.txt:

n=12633 @yahoo.com
n=6135  @isc.sans.edu
n=4820  @imap.mail.yahoo.com
n=4544  @lists.sans.org
n=3255  @sans.edu
n=2563  @sans.org
n=2546  @incidents.org
n=2253  @gmail.com
n=1319  @isc.sans.org
n=866   @mail.gmail.com
n=811   @web1d.den.giac.net

And ip.txt:

720717488       192.168.1.3     struct ip L (src) cksum-ok
720717488       192.168.1.5     struct ip R (dst) cksum-ok
720719296       192.168.1.3     struct ip L (src) cksum-ok
720719296       192.168.1.5     struct ip R (dst) cksum-ok
720719536       192.168.1.3     struct ip L (src) cksum-ok
720719536       192.168.1.5     struct ip R (dst) cksum-ok
720720304       192.168.1.3     struct ip L (src) cksum-ok
720720304       192.168.1.5     struct ip R (dst) cksum-ok
720721832       192.168.1.3     struct ip L (src) cksum-ok
720721832       192.168.1.5     struct ip R (dst) cksum-ok
720722352       192.168.1.3     struct ip L (src) cksum-ok
720722352       192.168.1.5     struct ip R (dst) cksum-ok
720723112       192.168.1.3     struct ip L (src) cksum-ok
720723112       192.168.1.5     struct ip R (dst) cksum-ok
720727976       192.168.1.3     struct ip L (src) cksum-ok
720727976       192.168.1.5     struct ip R (dst) cksum-ok
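The histogram files and ip.txt shown above are plain text, so the first pass of triage is usually a few shell functions rather than another tool. As an added example (not from the diary or from bulk_extractor), the script below reads the "n=<hits> <value>" histogram format, drops the dotted-decimal false positives that the domain scanner reports (entries such as 3.2.1.3 are version strings, not hostnames), and pairs the (src)/(dst) lines of ip.txt by their shared carve offset into src->dst conversations with counts. The sample files it writes are constructed to match the formats on this page; the reversed packet at offset 720720000 is made up to show a second conversation direction.

```shell
#!/bin/sh
# Added example: post-processing helpers for bulk_extractor histogram
# files and ip.txt. Not part of bulk_extractor or the diary.
set -eu

# Histogram files (domain_histogram.txt, email_domain_histogram.txt) hold
# "n=<hits><whitespace><value>" lines after "#" comment lines. Print the
# values with at least $2 hits (default 1), highest count first, skipping
# values that are only digits and dots (version strings the domain
# scanner mistakes for hostnames).
histogram_top() {
    min=${2:-1}
    grep -v '^#' "$1" \
    | sed 's/^n=//' \
    | awk -v min="$min" '$1 >= min && $2 !~ /^[0-9.]+$/ { print $1 "\t" $2 }' \
    | sort -rn
}

# Count the distinct entries in a histogram file (comment lines excluded).
histogram_entries() {
    grep -c '^n=' "$1"
}

# ip.txt has one line per address with the byte offset of the IP header it
# was carved from; the L (src) and R (dst) lines for one header share that
# offset. Join them into "offset src dst" lines, ordered by offset.
ip_pairs() {
    awk '$6 == "(src)" { src[$1] = $2 }
         $6 == "(dst)" { dst[$1] = $2 }
         END { for (o in src) if (o in dst) print o, src[o], dst[o] }' "$1" \
    | sort -n
}

# Collapse the pairs into "count<TAB>src -> dst" conversations, busiest first.
ip_conversations() {
    ip_pairs "$1" \
    | awk '{ c[$2 " -> " $3]++ } END { for (k in c) print c[k] "\t" k }' \
    | sort -rn
}

# Constructed sample data in the formats shown in the diary.
SAMPLE_HIST=$(mktemp)
SAMPLE_IP=$(mktemp)
trap 'rm -f "$SAMPLE_HIST" "$SAMPLE_IP"' EXIT

cat > "$SAMPLE_HIST" <<'EOF'
# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: domain
# Histogram-File-Version: 1.1
n=821   www.apple.com
n=218   crl.apple.com
n=4     www.w3.org
n=3     3.2.1.3
n=2     aff4.org
n=1     tempuri.org
EOF

cat > "$SAMPLE_IP" <<'EOF'
720717488       192.168.1.3     struct ip L (src) cksum-ok
720717488       192.168.1.5     struct ip R (dst) cksum-ok
720719296       192.168.1.3     struct ip L (src) cksum-ok
720719296       192.168.1.5     struct ip R (dst) cksum-ok
720720000       192.168.1.5     struct ip L (src) cksum-ok
720720000       192.168.1.3     struct ip R (dst) cksum-ok
EOF

# Demo run on the constructed samples.
printf '== domains with at least 2 hits ==\n'
histogram_top "$SAMPLE_HIST" 2
printf '== entries: %s\n' "$(histogram_entries "$SAMPLE_HIST")"
printf '== conversations ==\n'
ip_conversations "$SAMPLE_IP"
```

Point histogram_top at bulkdir/domain_histogram.txt with a threshold to cut the noise, and ip_conversations at bulkdir/ip.txt to see which hosts the machine was talking to when the image was taken; the "cksum-ok" column is worth keeping in view, since a carved header with a bad checksum is more likely a stale fragment than a real packet.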
