An Introduction to Mac memory forensics

Published: 2016-04-26
Last Updated: 2016-04-26 17:57:41 UTC
by Basil Alawi S.Taher (Version: 1)
0 comment(s)

Unfortunately when it’s come to the memory forensics Mac in environment doesn’t have the luxury that we have in the Windows environment.

The first step of the memory forensics is capturing the memory, while in Windows we have many tools to achieve this, in Mac we have very few options.

 

OSXPmem is the only available option for memory capturing that support El Capitan,

https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip

Now let’s sudo su and extract osxpmem_20.1.zip

Now cd to the osxpmemp.app folder

cd osxpmem.app/

 

Now change now the owner of MacPmem.kext folder

chown -R  root:wheel MacPmem.kext/

 

Now run the following

kextload MacPmem.kext/

 

And now you can capture the memory

./osxpmem –c none -o mem.dump

 

The –c option is the compression type and here I used none .

Now we have the memory image ready for some testing.

In this diary I will use bulk_extractor to carve data from the memory image,

bulk_extractor -o bulkdir/ mem.dump

 

The –o option will specify where we want to save the output, now let see what bulk_extractor carves from the memory image.

ls –lS bulkdir/

 

total 1520

-rw-r--r--  1 root  staff  398534 Apr 26 15:49 zip.txt

-rw-r--r--  1 root  staff  202338 Apr 26 15:49 url.txt

-rw-r--r--  1 root  staff  104701 Apr 26 15:49 domain.txt

-rw-r--r--  1 root  staff   32010 Apr 26 15:49 report.xml

-rw-r--r--  1 root  staff    1680 Apr 26 15:49 exif.txt

-rw-r--r--  1 root  staff    1030 Apr 26 15:49 url_histogram.txt

-rw-r--r--  1 root  staff     878 Apr 26 15:49 rfc822.txt

-rw-r--r--  1 root  staff     493 Apr 26 15:49 email.txt

-rw-r--r--  1 root  staff     427 Apr 26 15:49 domain_histogram.txt

-rw-r--r--  1 root  staff     350 Apr 26 15:49 url_services.txt

-rw-r--r--  1 root  staff     205 Apr 26 15:49 email_histogram.txt

-rw-r--r--  1 root  staff     191 Apr 26 15:49 email_domain_histogram.txt

-rw-r--r--  1 root  staff       0 Apr 26 15:48 aes_keys.txt

-rw-r--r--  1 root  staff       0 Apr 26 15:48 alerts.txt

 

 

Now let’s examine some of these files

First the domain_histogram.txt file

# BANNER FILE NOT PROVIDED (-b option)

# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)

# Feature-Recorder: domain

# Filename: mem.dump

# Histogram-File-Version: 1.1

n=821   www.apple.com

n=218   crl.apple.com

n=4     www.iec.ch

n=4     www.w3.org

n=3     3.2.1.3

n=2     aff4.org

n=2     bugreporter.apple.com

n=2     lists.sourceforge.net

n=2     schemas.xmlsoap.org

n=2     support.apple.com

n=2     www.ietf.org

n=1     2.0.2.3

n=1     4.2.6.1

n=1     6.4.0.7

n=1     tempuri.org

sh-3.2#

 

 The n is stand for number of hits that was found in the memory image

And email_domain_histogram.txt

n=12633 @yahoo.com

n=6135  @isc.sans.edu

n=4820  @imap.mail.yahoo.com

n=4544  @lists.sans.org

n=3255  @sans.edu

n=2563  @sans.org

n=2546  @incidents.org

n=2253  @gmail.com

n=1319  @isc.sans.org

n=866   @mail.gmail.com

n=811   @web1d.den.giac.net

 

And ip.txt

720717488       192.168.1.3     struct ip L (src) cksum-ok

720717488       192.168.1.5     struct ip R (dst) cksum-ok

720719296       192.168.1.3     struct ip L (src) cksum-ok

720719296       192.168.1.5     struct ip R (dst) cksum-ok

720719536       192.168.1.3     struct ip L (src) cksum-ok

720719536       192.168.1.5     struct ip R (dst) cksum-ok

720720304       192.168.1.3     struct ip L (src) cksum-ok

720720304       192.168.1.5     struct ip R (dst) cksum-ok

720721832       192.168.1.3     struct ip L (src) cksum-ok

720721832       192.168.1.5     struct ip R (dst) cksum-ok

720722352       192.168.1.3     struct ip L (src) cksum-ok

720722352       192.168.1.5     struct ip R (dst) cksum-ok

720723112       192.168.1.3     struct ip L (src) cksum-ok

720723112       192.168.1.5     struct ip R (dst) cksum-ok

720727976       192.168.1.3     struct ip L (src) cksum-ok

720727976       192.168.1.5     struct ip R (dst) cksum-ok

 

Keywords:
0 comment(s)

Comments


Diary Archives