An Introduction to Mac memory forensics
Unfortunately, when it comes to memory forensics, the Mac environment does not have the luxury of tooling that we enjoy in the Windows environment.
The first step in memory forensics is capturing the memory. While in Windows we have many tools to achieve this, on a Mac we have very few options.
OSXPmem is the only available option for memory capturing that supports El Capitan:
https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip
Now let's sudo su and extract osxpmem_2.0.1.zip
Now cd to the osxpmem.app folder
cd osxpmem.app/
Now change the owner of the MacPmem.kext folder
chown -R root:wheel MacPmem.kext/
Now run the following
kextload MacPmem.kext/
And now you can capture the memory
./osxpmem -c none -o mem.dump
The -c option is the compression type, and here I used none.
Now we have the memory image ready for some testing.
In this diary I will use bulk_extractor to carve data from the memory image:
bulk_extractor -o bulkdir/ mem.dump
The -o option specifies where we want to save the output. Now let's see what bulk_extractor carved from the memory image.
ls -lS bulkdir/
total 1520
-rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
-rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
-rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
-rw-r--r-- 1 root staff 32010 Apr 26 15:49 report.xml
-rw-r--r-- 1 root staff 1680 Apr 26 15:49 exif.txt
-rw-r--r-- 1 root staff 1030 Apr 26 15:49 url_histogram.txt
-rw-r--r-- 1 root staff 878 Apr 26 15:49 rfc822.txt
-rw-r--r-- 1 root staff 493 Apr 26 15:49 email.txt
-rw-r--r-- 1 root staff 427 Apr 26 15:49 domain_histogram.txt
-rw-r--r-- 1 root staff 350 Apr 26 15:49 url_services.txt
-rw-r--r-- 1 root staff 205 Apr 26 15:49 email_histogram.txt
-rw-r--r-- 1 root staff 191 Apr 26 15:49 email_domain_histogram.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 aes_keys.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 alerts.txt
Now let’s examine some of these files
First the domain_histogram.txt file
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=4 www.iec.ch
n=4 www.w3.org
n=3 3.2.1.3
n=2 aff4.org
n=2 bugreporter.apple.com
n=2 lists.sourceforge.net
n=2 schemas.xmlsoap.org
n=2 support.apple.com
n=2 www.ietf.org
n=1 2.0.2.3
n=1 4.2.6.1
n=1 6.4.0.7
n=1 tempuri.org
sh-3.2#
The n stands for the number of hits that were found in the memory image.
And email_domain_histogram.txt
n=12633 @yahoo.com
n=6135 @isc.sans.edu
n=4820 @imap.mail.yahoo.com
n=4544 @lists.sans.org
n=3255 @sans.edu
n=2563 @sans.org
n=2546 @incidents.org
n=2253 @gmail.com
n=1319 @isc.sans.org
n=866 @mail.gmail.com
n=811 @web1d.den.giac.net
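Both domain_histogram.txt and email_domain_histogram.txt share the same layout: "#" header lines followed by "n=COUNT value" entries. As an added example (my own Python, not code from the diary or from bulk_extractor), the script below parses that layout and triages the entries into vendor background noise, dotted-quad values that need a separate look, and the remainder an analyst should review. The sample input is constructed from the diary's domain_histogram.txt output (including the stray shell prompt at the end), tab separation between count and value is assumed, and the ".apple.com" allow-list is an illustrative analyst choice, not something the page prescribes.

```python
import re

# Constructed sample modelled on the domain_histogram.txt output shown in this
# diary (header lines plus "n=COUNT value" entries); the counts are the diary's.
SAMPLE_DOMAIN_HISTOGRAM = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821\twww.apple.com
n=218\tcrl.apple.com
n=4\twww.iec.ch
n=3\t3.2.1.3
n=2\taff4.org
n=1\ttempuri.org
sh-3.2#
"""

# "n=<count><whitespace><value>"; anything else (comments, a stray prompt) is ignored.
HIST_LINE = re.compile(r"^n=(\d+)\s+(\S+)")


def parse_histogram(text):
    """Return [(count, value), ...] in file order from a bulk_extractor histogram file."""
    entries = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def total_hits(entries):
    """Sum of the n= counts, i.e. how many hits the histogram accounts for."""
    return sum(count for count, _ in entries)


def is_dotted_quad(value):
    """True for values like 3.2.1.3 that the domain scanner reports but which
    may equally be version strings, OIDs or IP addresses and need a separate check."""
    parts = value.lstrip("@").split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def triage(entries, expected_suffixes=(".apple.com",)):
    """Split entries into expected (OS/vendor background traffic, chosen by the
    analyst via expected_suffixes), numeric artefacts, and the rest for review.
    A leading '@' (email_domain_histogram.txt) is ignored when matching."""
    expected, numeric, review = [], [], []
    for count, value in entries:
        name = value.lstrip("@")
        if is_dotted_quad(name):
            numeric.append((count, value))
        elif any(name == s.lstrip(".") or name.endswith(s) for s in expected_suffixes):
            expected.append((count, value))
        else:
            review.append((count, value))
    return expected, numeric, review


if __name__ == "__main__":
    # With a real run: parse_histogram(open("bulkdir/domain_histogram.txt").read())
    entries = parse_histogram(SAMPLE_DOMAIN_HISTOGRAM)
    exp, num, rev = triage(entries)
    print(f"{total_hits(entries)} hits: {len(exp)} expected, {len(num)} numeric, {len(rev)} to review")
    for count, value in sorted(rev, reverse=True):
        print(f"{count:>6}  {value}")
```

Reading the file with `parse_histogram` and then calling `triage` with a suffix list tuned to the host (its mail provider, its organisation's domains) leaves a short list of domains that the analyst did not expect to find in memory, which is usually the interesting part of a histogram this size.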
And ip.txt
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720719536 192.168.1.3 struct ip L (src) cksum-ok
720719536 192.168.1.5 struct ip R (dst) cksum-ok
720720304 192.168.1.3 struct ip L (src) cksum-ok
720720304 192.168.1.5 struct ip R (dst) cksum-ok
720721832 192.168.1.3 struct ip L (src) cksum-ok
720721832 192.168.1.5 struct ip R (dst) cksum-ok
720722352 192.168.1.3 struct ip L (src) cksum-ok
720722352 192.168.1.5 struct ip R (dst) cksum-ok
720723112 192.168.1.3 struct ip L (src) cksum-ok
720723112 192.168.1.5 struct ip R (dst) cksum-ok
720727976 192.168.1.3 struct ip L (src) cksum-ok
720727976 192.168.1.5 struct ip R (dst) cksum-ok
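Each carved IPv4 header in ip.txt produces two lines at the same image offset, one for the source and one for the destination address, so the offset is the key that turns this list back into conversations. The following Python is an added example of mine (not the diary's or bulk_extractor's code) that groups the lines by offset, drops headers that failed the checksum check, and counts (src, dst) pairs. The sample input is constructed from the lines above, with one extra header pair (10.0.0.7, marked "cksum-bad") invented to exercise the filtering path; the tab-separated "offset, feature, context" layout and the "cksum-bad" spelling are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the ip.txt lines shown above. The last pair
# (10.0.0.7, checksum failure) is invented to show the filtering behaviour.
SAMPLE_IP_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: ip
# Filename: mem.dump
# Feature-File-Version: 1.1
720717488\t192.168.1.3\tstruct ip L (src) cksum-ok
720717488\t192.168.1.5\tstruct ip R (dst) cksum-ok
720719296\t192.168.1.3\tstruct ip L (src) cksum-ok
720719296\t192.168.1.5\tstruct ip R (dst) cksum-ok
720719536\t10.0.0.7\tstruct ip L (src) cksum-bad
720719536\t192.168.1.5\tstruct ip R (dst) cksum-bad
"""

# offset, IPv4 address, then the scanner's context string; whitespace is tolerant
# so the space-separated rendering shown in the diary parses as well.
FEATURE_LINE = re.compile(
    r"^(?P<offset>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"struct ip [LR] \((?P<role>src|dst)\) (?P<cksum>\S+)$"
)


def parse_ip_features(text):
    """Group carved header fields by image offset.
    Returns {offset: {"src": ip, "dst": ip, "cksum_ok": bool}}; a header with
    only one address present simply lacks the other key."""
    headers = defaultdict(dict)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = FEATURE_LINE.match(line)
        if not m:
            continue
        h = headers[int(m.group("offset"))]
        h[m.group("role")] = m.group("ip")
        # both halves carry the same verdict; AND them so one bad half poisons the header
        h["cksum_ok"] = h.get("cksum_ok", True) and m.group("cksum") == "cksum-ok"
    return dict(headers)


def conversations(headers, require_cksum_ok=True):
    """Count (src, dst) pairs. Incomplete headers are skipped; headers whose
    checksum did not verify are skipped unless require_cksum_ok is False."""
    counts = Counter()
    for h in headers.values():
        if "src" not in h or "dst" not in h:
            continue
        if require_cksum_ok and not h["cksum_ok"]:
            continue
        counts[(h["src"], h["dst"])] += 1
    return counts


def hosts(headers):
    """Sorted set of every address seen in any role."""
    return sorted({ip for h in headers.values() for k, ip in h.items() if k in ("src", "dst")})


if __name__ == "__main__":
    # With a real run: parse_ip_features(open("bulkdir/ip.txt").read())
    hdrs = parse_ip_features(SAMPLE_IP_TXT)
    print("hosts:", ", ".join(hosts(hdrs)))
    for (src, dst), n in conversations(hdrs).most_common():
        print(f"{n:>5}  {src} -> {dst}")
```

A checksum that verifies is a good sign that the carved bytes really were an IP header rather than a coincidental pattern, which is why the example defaults to counting only "cksum-ok" headers; pass `require_cksum_ok=False` to see everything the scanner matched.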