MacOS RAM


Created: 12.10.2020

… load a driver to virtually recreate the /dev/mem device found in other Unix-type hosts. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 161). BCS Learning & Development Limited. Kindle Edition. ❗️ Requires root.

Beginning with Mac OS X (the predecessor to macOS) version 10.9, Apple implemented compression for physical memory. The aim of this was to reduce the amount of swap space used, improving performance and battery. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 161). BCS Learning & Development Limited. Kindle Edition.

RAM

On the forensicswiki [1] there is a list of tools to be used for RAM acquisition. I’ve tried several of them and realised that the current problem of the forensic community is that the tools get old much faster than the information gets updated… Sadly.

OSXPmem

It’s part of Rekall (download). There are a few complications though.

⚠️ SIP needs to be disabled: reboot > CMD+R > Terminal > csrutil disable > reboot. Otherwise, you might run into this issue: dump_memory(833): Failed to load kext (No such process).

⚠️ USB > Get Info > unlock 🔒 > Ignore ownership on this volume (check). Otherwise, you might run into this issue: Can’t load kext ./pmem.kext, as it is not owned by root:wheel. Just chowning didn’t work for me. When I unchecked it, replugged the USB, and decompressed the archive, I managed to get the dump without this error.

❗️ Restart the Terminal in order for the changes to take place!

hibernation

Get the hibernation settings - pmset -g | grep hibernatemode:

  • 0 – Old style sleep mode, with RAM powered on while sleeping, safe sleep disabled, and super-fast wake.
  • 1 – Hibernation mode, with RAM contents written to disk, system totally shut down while “sleeping,” and slower wake up, due to reading the contents of RAM off the hard drive.
  • 3 – The default mode on machines introduced since about fall 2005. RAM is powered on while sleeping, but RAM contents are also written to disk before sleeping. In the event of total power loss, the system enters hibernation mode automatically.
  • 5 – This is the same as mode 1, but it’s for those using secure virtual memory (in System Preferences -> Security).
  • 7 – This is the same as mode 3, but it’s for those using secure virtual memory.

To set hibernation to mode 0 - sudo pmset -a hibernatemode 0. To see the file - ls -lh /private/var/vm/sleepimage. On M1 Macs hibernation was only enabled in 11.3 (see). On Intel MacBooks the hibernate file’s location can be retrieved with pmset -g | grep hibernate. The default mode is 3.

Swap

Serves the same purpose as pagefile.sys on Windows.

Rather than a single file, macOS can generate up to 10 different swap files, depending on need. These swap files can be found in the ‘/private/var/vm’ directory. This directory also contains a ‘sleepimage’ file, which is used to dump a copy of the RAM contents if the computer is put to sleep: something to be aware of, since this could provide a source of otherwise volatile evidence.
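A small triage helper for the hibernation and swap sections above, added here as an example (not from the original notes or from Rekall). It reads the hibernatemode value out of pmset -g output, maps it to the mode descriptions listed above, and enumerates sleepimage and swapfile* in the vm directory so they can be preserved before the host is rebooted to disable SIP. The function names and the sample pmset output in the usage comments are my own; pmset and csrutil are the real macOS tools.

```shell
#!/bin/sh
# Added example: pre-acquisition triage of macOS memory artefacts on disk.
# Helper names are invented for this example; pmset/csrutil are real tools.

# Extract the hibernatemode value from `pmset -g` output read on stdin.
# pmset prints lines such as " hibernatemode        3".
hibernate_mode_from_pmset() {
    awk '$1 == "hibernatemode" { print $2; exit }'
}

# Map a hibernatemode number to the description from the notes above and
# say whether a sleepimage (copy of RAM on disk) is expected for that mode.
describe_hibernatemode() {
    case "$1" in
        0) echo "0: RAM stays powered, no sleepimage written" ;;
        1) echo "1: RAM written to sleepimage, system powered off" ;;
        3) echo "3: RAM powered and also written to sleepimage (default)" ;;
        5) echo "5: like 1, with secure virtual memory" ;;
        7) echo "7: like 3, with secure virtual memory" ;;
        *) echo "$1: unknown hibernatemode"; return 1 ;;
    esac
}

# List sleepimage and swap files present in a vm directory (default
# /private/var/vm; root is needed to read the real one), one name per
# line, so they can be hashed and copied before any reboot.
list_vm_artifacts() {
    dir="${1:-/private/var/vm}"
    for f in "$dir"/sleepimage "$dir"/swapfile*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# Interactive use on the target (constructed session, not captured output):
#   mode=$(pmset -g | hibernate_mode_from_pmset)
#   describe_hibernatemode "$mode"
#   csrutil status     # OSXPmem's kext will not load while SIP is enabled
#   list_vm_artifacts  # expect sleepimage plus swapfile0..N
```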

VMEM

???

Run python3 vol.py -f 1.vmem windows.vadinfo.VadInfo to view the Virtual Address Descriptors (VAD).

References

1. Magnet
2. SDF Memory Forensics
3. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 141). BCS Learning & Development Limited. Kindle Edition.