This is about … .
macOS
On the forensicswiki [1], there is a list of tools to be used for RAM acquisition. I've tried several of them and realised that the current problem in the forensic community is that the tools get old much faster than the information gets updated… Sadly.
OSXPmem
It's part of Rekall (download). There are a few complications, though.
- ⚠️ SIP needs to be disabled: reboot > CMD+R > Terminal > `csrutil disable` > reboot. Otherwise, you might run into this issue: `dump_memory(833): Failed to load kext (No such process)`
- ⚠️ USB > Get Info > unlock 🔒 > Ignore ownership on this volume (check). Otherwise, you might run into this issue: `Can't load kext ./pmem.kext, as it is not owned by root:wheel`. Just chowning didn't work for me. When I unchecked it, replugged the USB, and decompressed the archive, I managed to get the dump without this error.
- Restart the Terminal for the changes to take effect!
… load a driver to virtually recreate the /dev/mem device found in other Unix-type hosts. (Sheward, Mike. Hands-on Incident Response and Digital Forensics, p. 161. BCS Learning & Development Limited. Kindle Edition.) Requires root.
Beginning with Mac OS X (the predecessor to macOS) version 10.9, Apple implemented compression for physical memory. The aim of this was to reduce the amount of swap space used, improving performance and battery. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 161). BCS Learning & Development Limited. Kindle Edition.
hibernation
Get the hibernation settings: `pmset -g | grep hibernatemode`. The modes are:
- 0: Old style sleep mode, with RAM powered on while sleeping, safe sleep disabled, and super-fast wake.
- 1: Hibernation mode, with RAM contents written to disk, system totally shut down while "sleeping," and slower wake up, due to reading the contents of RAM off the hard drive.
- 3: The default mode on machines introduced since about fall 2005. RAM is powered on while sleeping, but RAM contents are also written to disk before sleeping. In the event of total power loss, the system enters hibernation mode automatically.
- 5: This is the same as mode 1, but it's for those using secure virtual memory (in System Preferences -> Security).
- 7: This is the same as mode 3, but it's for those using secure virtual memory.

To set the hibernation to mode 0: `sudo pmset -a hibernatemode 0`. To see the file: `ls -lh /private/var/vm/sleepimage`. On Macs with M1, hibernation was enabled only in 11.3 (see). On Intel MacBooks the hibernate file's location can be retrieved with `pmset -g | grep hibernate`. Default mode: 3.
Swap
The same purpose as pagefile.sys for Windows.
Rather than a single file, macOS can generate up to 10 different swap files, depending on need. These swap files can be found in the /private/var/vm directory. This directory also contains a sleepimage file, which is used to dump a copy of the RAM contents if the computer is put to sleep: something to be aware of, since this could provide a source of otherwise volatile evidence.
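An added triage script (not part of the original notes) that ties the hibernation modes and the swap directory together: it reads hibernatemode from `pmset -g` output, decides whether sleepimage is expected to hold RAM contents, and lists sleepimage and swapfile* with sizes. The function names and the optional directory argument are my own.

```shell
#!/usr/bin/env bash
# Added example: macOS sleepimage/swap triage based on hibernatemode.

# Extract the hibernatemode value from `pmset -g` output passed on stdin
# (lines look like "  hibernatemode        3").
parse_hibernatemode() {
  awk '$1 == "hibernatemode" { print $2; exit }'
}

# Modes 1, 3, 5 and 7 write RAM to /private/var/vm/sleepimage before sleep;
# mode 0 never does, so any sleepimage present is stale. Returns 0 when the
# file should hold RAM contents, 1 when not, 2 for an unknown mode.
sleepimage_holds_ram() {
  case "$1" in
    1|3|5|7) return 0 ;;
    0)       return 1 ;;
    *) echo "unknown hibernatemode: $1" >&2; return 2 ;;
  esac
}

# List sleepimage and swapfile* in the vm directory (default: the real one)
# with sizes, so the examiner knows what there is to acquire.
list_vm_artefacts() {
  local vmdir="${1:-/private/var/vm}"
  find "$vmdir" -maxdepth 1 \( -name sleepimage -o -name 'swapfile*' \) \
    -exec ls -lh {} \; 2>/dev/null
}

# Live-system entry point (macOS only; pmset does not exist on Linux).
triage() {
  local mode
  mode="$(pmset -g | parse_hibernatemode)"
  if sleepimage_holds_ram "$mode"; then
    echo "hibernatemode=$mode: sleepimage should contain RAM contents"
  else
    echo "hibernatemode=$mode: sleepimage is not written on sleep"
  fi
  list_vm_artefacts
}
```

Run `triage` as root on the live Mac; the helper functions can also be pointed at a mounted image's vm directory via `list_vm_artefacts /Volumes/evidence/private/var/vm`.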
VMEM
🐍 `python3 vol.py -f 1.vmem windows.vadinfo.VadInfo` to view Virtual Address Descriptors ([VAD](https://resources.infosecinstitute.com/topic/finding-enumerating-processes-within-memory-part-2/)).
Parallels
- Even when sharing with the host is off, sometimes there are host 👣 footprints in UserAssist and other artefacts.
- 💾 `.mem`: RAM memory image.
VMware
- Uses a more complex format that needs prior parsing, ESX.
Each snapshot has a separate `.vmem` file. These are not raw memory dumps but contain everything that was in RAM then.
- 💾 `.vmem`: RAM memory
- 💾 `.vmss`: VMware saved state
- 💾 `.vmsn`: VMware snapshot
- 📁 `/Users/uname/Documents/VirtualMachines.localized/` (Fusion)
Linux
```
/dev/mem     # raw
/proc/kcore  # debugging format
```
Rootkits
On a live system: `sudo chkrootkit`
References
- Magnet
- SDF Memory Forensics
- Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 141). BCS Learning & Development Limited. Kindle Edition.