
Mac RAM Analysis Update 1

INTRODUCTION TO MAC RAM ANALYSIS UPDATE

In our previous blog post, we talked about our initial obstacle: the available software was either outdated or nonexistent. We still needed to research and decide which tools we would use to capture RAM on a Mac, and then analyze the contents of the RAM dump to see what data could be recovered.

ANALYSIS

To capture the RAM, we ultimately decided to use the Pmem memory acquisition suite, part of the Rekall Memory Forensic Framework. Rekall is a free, open-source memory acquisition and analysis framework that forked from the Volatility Project in 2013 and is developed at Google. The Pmem suite is the acquisition side of the project, with a separate tool for each platform (WinPmem for Windows, OSXPmem for OS X, and LinPmem for Linux). For the analysis stage, we decided to use Volatility, the most widely used open-source memory analysis framework.

Following this decision, we revised our data generation script and completed the data generation process. We wanted to cover all the sources of data that a typical Mac user might create: everything from email activity and casual web browsing (including social media) to photos, common programs such as FaceTime, and Apple keychain information.

We ran into a couple of obstacles while capturing the RAM, including having to load a kernel extension before anything could be captured at all. We were getting permission errors on our El Capitan machine, even though the user was a member of the wheel group and the extension load command was run as root. On Yosemite it worked without trouble. Due to time constraints, we decided to proceed on Yosemite rather than investigate the El Capitan issue any further. (One practical caveat: El Capitan introduced System Integrity Protection, which refuses to load unsigned kernel extensions regardless of the user's group membership, so kextload failures on El Capitan and later are usually a kext-signing problem rather than a file permission problem.)

During our work, we also realized that Rekall stores the RAM dump in an AFF4 container. AFF4 is a ZIP-based format: the memory contents are held as a stream of compressed chunks alongside metadata describing the physical address layout, rather than as one flat file. Volatility does not recognize AFF4 containers and expects a single flat (raw) image instead. Rekall itself can analyze the AFF4 directly, but since we wanted Volatility for the analysis stage we needed a conversion. The Pmem tools include an export option that reassembles the physical memory stream from the AFF4 into a single raw .img file that Volatility can read. The next and final step is to analyze this image and determine what information from our data generation can be recovered.
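As an added example (not the LCDI team's own script), the whole acquisition-and-conversion workflow described above, wrapped in a shell script with the two checks that matter in practice: that the kernel extension actually loaded, and that the file handed to Volatility is a flat raw image rather than an unconverted AFF4 container. It assumes the Rekall pmem release for OS X (osxpmem binary and MacPmem.kext, which exposes /dev/pmem once loaded) is unpacked in the current directory; the osxpmem flags (-o for output, -e for the stream to export) are the ones given in the Rekall documentation and should be confirmed against `osxpmem --help` for your release.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumptions: osxpmem and
# MacPmem.kext from the Rekall pmem release sit in the current directory,
# MacPmem.kext creates /dev/pmem, and osxpmem accepts -o (output) and
# -e (stream to export). Verify the flags with `osxpmem --help`.

KEXT="${KEXT:-./MacPmem.kext}"
AFF4_OUT="${AFF4_OUT:-mem.aff4}"
RAW_OUT="${RAW_OUT:-mem.raw}"

# AFF4 images are ZIP containers, so the first two bytes are "PK".
# Returns 0 when the file looks like a ZIP/AFF4 container.
is_zip_container() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# An image ready for Volatility must exist, be non-empty, and must NOT
# still be an AFF4 container. Returns 0 if usable, 1 otherwise.
verify_raw_image() {
    f="$1"
    [ -s "$f" ] || { echo "missing or empty image: $f" >&2; return 1; }
    if is_zip_container "$f"; then
        echo "$f is still an AFF4 container; export it to raw first" >&2
        return 1
    fi
    return 0
}

# Load the pmem kernel extension and confirm the device node appeared.
# On El Capitan and later this fails unless SIP allows the kext to load;
# being in the wheel group or running as root does not help.
load_driver() {
    sudo kextload "$KEXT" || { echo "kextload failed (check SIP / kext signing)" >&2; return 1; }
    [ -c /dev/pmem ] || { echo "/dev/pmem not present after kextload" >&2; return 1; }
}

# Acquire physical memory into an AFF4 container.
acquire_aff4() {
    sudo ./osxpmem -o "$AFF4_OUT"
}

# Reassemble the PhysicalMemory stream into one flat raw image.
export_raw() {
    ./osxpmem -e PhysicalMemory -o "$RAW_OUT" "$AFF4_OUT"
}

main() {
    load_driver && acquire_aff4 && export_raw && verify_raw_image "$RAW_OUT" || exit 1
    sudo kextunload "$KEXT"
    # Mac profiles for Volatility are distributed separately; list the
    # installed ones with `vol.py --info | grep Mac` and pick the matching one.
    echo "ready: vol.py -f $RAW_OUT --profile=<MacProfile> mac_pslist"
}

# The live workflow only runs when explicitly requested, so sourcing this
# file just defines the helper functions.
if [ "${RUN_ACQUISITION:-0}" = "1" ]; then
    main
fi
```

Run it as `RUN_ACQUISITION=1 sh acquire.sh` on the target machine; the verify step is what would have caught an AFF4 file being fed to Volatility by mistake.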

CONCLUSION

We will be sharing our progress and findings in future blog posts throughout the coming months. Leave a message here on the blog or email us at lcdi@champlain.edu for any comments or questions. Follow us on Facebook and Twitter to get the latest updates from us and more!