Unfortunately, when it comes to memory forensics, the Mac environment does not have the luxury of tooling that we enjoy in the Windows environment.
The first step of memory forensics is capturing the memory. While on Windows we have many tools to achieve this, on Mac we have very few options.
OSXPmem is the only available option for memory capture that supports El Capitan:
https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip
Now let
cd osxpmem.app/
chown -R root:wheel MacPmem.kext/
kextload MacPmem.kext/
./osxpmem -c none -o mem.dump
The
bulk_extractor -o bulkdir/ mem.dump
The
ls -lS bulkdir/
total 1520
-rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
-rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
-rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
-rw-r--r-- 1 root staff 32010 Apr 26 15:49 report.xml
-rw-r--r-- 1 root staff 1680 Apr 26 15:49 exif.txt
-rw-r--r-- 1 root staff 1030 Apr 26 15:49 url_histogram.txt
-rw-r--r-- 1 root staff 878 Apr 26 15:49 rfc822.txt
-rw-r--r-- 1 root staff 493 Apr 26 15:49 email.txt
-rw-r--r-- 1 root staff 427 Apr 26 15:49 domain_histogram.txt
-rw-r--r-- 1 root staff 350 Apr 26 15:49 url_services.txt
-rw-r--r-- 1 root staff 205 Apr 26 15:49 email_histogram.txt
-rw-r--r-- 1 root staff 191 Apr 26 15:49 email_domain_histogram.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 aes_keys.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 alerts.txt
Now let
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=4 www.iec.ch
n=4 www.w3.org
n=3 3.2.1.3
n=2 aff4.org
n=2 bugreporter.apple.com
n=2 lists.sourceforge.net
n=2 schemas.xmlsoap.org
n=2 support.apple.com
n=2 www.ietf.org
n=1 2.0.2.3
n=1 4.2.6.1
n=1 6.4.0.7
n=1 tempuri.org
sh-3.2#
n=12633 @yahoo.com
n=6135 @isc.sans.edu
n=4820 @imap.mail.yahoo.com
n=4544 @lists.sans.org
n=3255 @sans.edu
n=2563 @sans.org
n=2546 @incidents.org
n=2253 @gmail.com
n=1319 @isc.sans.org
n=866 @mail.gmail.com
n=811 @web1d.den.giac.net
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720719536 192.168.1.3 struct ip L (src) cksum-ok
720719536 192.168.1.5 struct ip R (dst) cksum-ok
720720304 192.168.1.3 struct ip L (src) cksum-ok
720720304 192.168.1.5 struct ip R (dst) cksum-ok
720721832 192.168.1.3 struct ip L (src) cksum-ok
720721832 192.168.1.5 struct ip R (dst) cksum-ok
720722352 192.168.1.3 struct ip L (src) cksum-ok
720722352 192.168.1.5 struct ip R (dst) cksum-ok
720723112 192.168.1.3 struct ip L (src) cksum-ok
720723112 192.168.1.5 struct ip R (dst) cksum-ok
720727976 192.168.1.3 struct ip L (src) cksum-ok
720727976 192.168.1.5 struct ip R (dst) cksum-ok
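To make the bulk_extractor output above easier to triage, here is an added example (not code from this diary or from the bulk_extractor project) that parses the two formats shown: the histogram files (domain_histogram.txt and email_domain_histogram.txt, with their "#" header lines and "n=<count> <value>" records) and the per-offset IP header carves in the last listing. The sample input is constructed from the listings above; the ".apple.com" baseline used for bucketing and the extra cksum-bad record are assumptions made for the example.

```python
"""Triage helpers for the bulk_extractor output shown in the diary.

Added example, not code from the ISC diary or the bulk_extractor project.
It parses two formats visible above:
  * histogram feature files (domain_histogram.txt, email_domain_histogram.txt):
      '# ...' header lines, then 'n=<count> <value>' records
  * IP header carves from the net scanner (ip.txt-style lines):
      '<offset> <ip> struct ip <L|R> (<src|dst>) cksum-ok'
All sample input below is constructed from the diary's listings.
"""
import re
from collections import Counter

HISTOGRAM_RE = re.compile(r"^n=(\d+)\s+(\S+)$")
IP_CARVE_RE = re.compile(
    r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+struct ip\s+[LR]\s+\((src|dst)\)\s+(cksum-ok|cksum-bad)$"
)
# Purely numeric dotted tokens (3.2.1.3, 2.0.2.3, ...) satisfy the domain
# scanner but may be OID or version fragments rather than hosts; keep them apart.
DOTTED_NUMERIC_RE = re.compile(r"^\d+(?:\.\d+)+$")

# Constructed from the diary's domain_histogram.txt (subset, plus the pasted prompt).
SAMPLE_DOMAIN_HISTOGRAM = """\
# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: domain
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=4 www.iec.ch
n=3 3.2.1.3
n=2 aff4.org
n=2 support.apple.com
n=1 2.0.2.3
n=1 tempuri.org
sh-3.2#
"""

# Constructed from the diary's IP carve listing; the cksum-bad pair at offset
# 720720000 is invented here to show that bad-checksum carves are dropped.
SAMPLE_IP_CARVES = """\
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720720000 10.0.0.9 struct ip L (src) cksum-bad
720720000 10.0.0.1 struct ip R (dst) cksum-ok
"""


def parse_histogram(text):
    """Return (count, value) pairs sorted by descending count, skipping '#'
    header lines and anything (such as a shell prompt) that is not a record."""
    entries = []
    for line in text.splitlines():
        m = HISTOGRAM_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return sorted(entries, key=lambda e: (-e[0], e[1]))


def bucket_domains(entries, trusted_suffixes=(".apple.com",)):
    """Split histogram entries into review buckets. trusted_suffixes is an
    assumed baseline for a stock OS X host, not a bulk_extractor feature."""
    buckets = {"trusted": [], "dotted_numeric": [], "review": []}
    for count, value in entries:
        host = value.lstrip("@").lower()  # email histograms carry a leading '@'
        if DOTTED_NUMERIC_RE.match(host):
            buckets["dotted_numeric"].append((count, value))
        elif host.endswith(trusted_suffixes):
            buckets["trusted"].append((count, value))
        else:
            buckets["review"].append((count, value))
    return buckets


def parse_ip_carves(text):
    """Pair the (src)/(dst) lines carved at the same offset into one header and
    return (offset, src, dst) triples, keeping only fully checksum-valid ones."""
    headers = {}
    for line in text.splitlines():
        m = IP_CARVE_RE.match(line.strip())
        if not m:
            continue
        offset, addr, role, cksum = m.groups()
        rec = headers.setdefault(int(offset), {"ok": True})
        rec[role] = addr
        rec["ok"] = rec["ok"] and cksum == "cksum-ok"
    return [(off, r["src"], r["dst"])
            for off, r in sorted(headers.items())
            if r["ok"] and "src" in r and "dst" in r]


def flow_counts(triples):
    """Count how many carved headers share each (src, dst) pair."""
    return Counter((src, dst) for _, src, dst in triples)


if __name__ == "__main__":
    for name, items in bucket_domains(parse_histogram(SAMPLE_DOMAIN_HISTOGRAM)).items():
        print(name, items)
    print(flow_counts(parse_ip_carves(SAMPLE_IP_CARVES)))
```

Run against real feature files, the "review" bucket is the short list worth checking against what the host is expected to talk to, the "dotted_numeric" bucket collects tokens that need a look at their surrounding bytes before being read as addresses, and grouping the carves by offset turns the two-lines-per-packet listing into src/dst pairs whose counts show which conversations left the most headers in memory.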
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.