Many of us have long waited for a tool that would allow incident responders to grab the contents of RAM from a live Mac. While access to memory was possible using acquisition methods such as the Cold Boot attack, by exploiting the FireWire interface, which provides DMA (Direct Memory Access), or, under some circumstances, by grabbing the file called sleepimage (the OS X counterpart of hiberfil.sys), the forensic community lacked tools that could sample the state of a Mac's physical memory in the same way that win32dd, mdd, winen or Memoryze can on a Windows machine.

Lucky for us, Cyber Marshal released Mac Memory Reader last week, a command line utility that runs directly on the target Mac and can be downloaded for free. According to Cyber Marshal, Mac Memory Reader executes directly on 32-bit and 64-bit target machines running Mac OS X 10.4, 10.5 or 10.6 and requires a PowerPC G4 or newer, or any Intel processor. The tool generates a dump file in Apple's Mach-O format containing the offsets and lengths of each available segment of physical RAM (ignoring memory ports and memory-mapped I/O devices), with output to a USB device or any other mounted volume, such as an NFS share.

All the commands and examples in this post have been tested on my MacBook Pro and iMac, both running Snow Leopard (10.6) on Intel processors. It has been reported, though, that it doesn't work on all systems, so if you get different results it would be interesting to know.

Open a terminal, change into the MacMemoryReader directory and execute:

```
$ sudo ./MacMemoryReader -v -H SHA-256 memory.img
```

The -v switch shows progress on the memory dump process and additional debugging information, such as the available memory ranges. When the dump is complete, the hash of the output file is shown. You can compute additional hashes on the fly if needed by adding further "-H hashtype" arguments, where hashtype can be MD5, SHA-1, SHA-256 or SHA-512. The output file will be slightly larger than the system's physical memory because of the Mach-O header.

Don't forget that, in order to use this tool to collect the contents of RAM, it must be loaded into memory as a running process, consuming memory space and therefore leaving a "digital footprint" (remember Locard's exchange principle?).
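Because the dump is a Mach-O file rather than a raw image, a responder who wants to map file offsets back to physical addresses, or to re-check the hash the tool printed, has to walk its load commands. The following is an added example, not code from this post or from Cyber Marshal; it assumes the dump describes each RAM range with a standard LC_SEGMENT/LC_SEGMENT_64 command whose fileoff/filesize point at the copied bytes, and it parses a tiny constructed stand-in instead of a real multi-gigabyte dump.

```python
import hashlib
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # from Apple's <mach-o/loader.h>
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19


def parse_segments(blob):
    """List (name, phys_addr, file_offset, length) for each RAM segment of a Mach-O
    dump. Handles 32- and 64-bit headers in either byte order (Intel is little-endian)."""
    for end in ("<", ">"):
        magic = struct.unpack(end + "I", blob[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a Mach-O file")
    ncmds = struct.unpack(end + "I", blob[16:20])[0]  # same offset in both header sizes
    pos, segs = (32 if magic == MH_MAGIC_64 else 28), []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(end + "II", blob[pos:pos + 8])
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            fmt = end + ("16sQQQQ" if cmd == LC_SEGMENT_64 else "16sIIII")
            fields = struct.unpack(fmt, blob[pos + 8:pos + 8 + struct.calcsize(fmt)])
            name, vmaddr, _vmsize, fileoff, filesize = fields
            segs.append((name.rstrip(b"\0").decode(), vmaddr, fileoff, filesize))
        pos += cmdsize  # skip to the next load command, whatever its type
    return segs


def verify_dump(blob, expected_sha256):
    """Check the hash the tool printed against the file and account for its size:
    the file should be the RAM segments plus a small Mach-O header."""
    digest = hashlib.sha256(blob).hexdigest()
    ram_bytes = sum(seg[3] for seg in parse_segments(blob))
    return digest == expected_sha256, digest, ram_bytes, len(blob) - ram_bytes


def build_sample_dump(end="<"):
    """Constructed stand-in for a real dump (assumption, not a real capture): a
    Mach-O core file with two tiny RAM segments, in the requested byte order."""
    segs = [(b"RAM0", 0x0, 0x100), (b"RAM1", 0x100000, 0x80)]
    fileoff, cmds, body = 32 + 72 * len(segs), b"", b""
    for name, addr, size in segs:
        cmds += struct.pack(end + "II16sQQQQiiII", LC_SEGMENT_64, 72, name,
                            addr, size, fileoff, size, 7, 7, 0, 0)
        body += b"\xAA" * size  # filler standing in for the RAM contents
        fileoff += size
    # cputype CPU_TYPE_X86_64, cpusubtype ALL, filetype MH_CORE, no flags
    hdr = struct.pack(end + "IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 0x4, len(segs), len(cmds), 0, 0)
    return hdr + cmds + body
```

On a real dump, read the file once into memory (or adapt the functions to a file object) and pass the SHA-256 string printed by MacMemoryReader as expected_sha256.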