20110130

Simple RAM Acquisition and Analysis with Mac Memory Reader

'Many of us have long waited for a tool that would allow incident responders to grab the contents of RAM from a live Mac. While access to memory was possible using acquisition methods such as the Cold Boot attack, by exploiting the FireWire interface which provides DMA (Direct Memory Access) or, under some circumstances, grabbing the file called sleepimage (OS X counterpart of hiberfil.sys), the forensic community lacked tools that could sample the state of a Mac's physical memory in the same way that win32dd, mdd, winen or memoryze can do on a Windows machine.

Lucky for us, Cyber Marshal released last week Mac Memory Reader, a command line utility that runs directly on the target Mac and that can be downloaded for free. The tool generates a dump file in Apple's Mach-O format containing the offsets and lengths of each available segment of physical RAM (ignoring memory ports or memory-mapped I/O devices) with output to a USB device or any other mounted volume like an NFS share...'

http://computer-forensics.sans.org/blog/2011/01/28/mac-os-forensics-howto-sim...
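Since the dump is a Mach-O file whose load commands record where each run of physical RAM landed in the output, the first thing an analyst needs is a way to walk those segments and map a physical address back to a file offset. The following is an added example written for this page; it is not code from the SANS post, from Cyber Marshal, or from Mac Memory Reader itself. It assumes the dump follows the standard Mach-O core layout (filetype MH_CORE, one LC_SEGMENT or LC_SEGMENT_64 command per RAM segment, with vmaddr holding the physical address and fileoff/filesize locating the bytes in the file); the sample dump it parses is constructed inline with two RAM segments and a hole between them, standing in for a memory-mapped I/O region the tool skipped.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC, MH_CIGAM = 0xfeedface, 0xcefaedfe          # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xfeedfacf, 0xcffaedfe    # 64-bit, native / byte-swapped
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
MH_CORE = 0x4


@dataclass
class Segment:
    name: str
    phys_addr: int    # vmaddr: physical address the bytes were read from (assumption, see lead-in)
    size: int         # vmsize: length of the physical range
    file_off: int     # fileoff: where the bytes start in the dump file
    file_size: int    # filesize: how many bytes were actually written
    complete: bool    # False if the file ends before fileoff + filesize (truncated acquisition)


def parse_dump(data: bytes) -> List[Segment]:
    """Walk the Mach-O header and return RAM segments sorted by physical address."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"            # big-endian writer (e.g. a PowerPC Mac)
    else:
        raise ValueError("not a Mach-O file: magic %#x" % magic)
    magic = struct.unpack_from(end + "I", data, 0)[0]
    is64 = magic == MH_MAGIC_64
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    hdr_fmt = end + ("IiiIIIII" if is64 else "IiiIIII")
    _, _, _, filetype, ncmds, _, _ = struct.unpack_from(hdr_fmt, data, 0)[:7]
    if filetype != MH_CORE:
        raise ValueError("filetype %#x is not MH_CORE; not a memory dump?" % filetype)
    seg_cmd = LC_SEGMENT_64 if is64 else LC_SEGMENT
    seg_fmt = end + ("16sQQQQ" if is64 else "16sIIII")   # segname, vmaddr, vmsize, fileoff, filesize
    off = struct.calcsize(hdr_fmt)
    segs: List[Segment] = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command at %#x overruns the file" % off)
        if cmd == seg_cmd and cmdsize >= 8 + struct.calcsize(seg_fmt):
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from(seg_fmt, data, off + 8)
            segs.append(Segment(name.rstrip(b"\0").decode("ascii", "replace"),
                                vmaddr, vmsize, fileoff, filesize,
                                fileoff + filesize <= len(data)))
        off += cmdsize      # skip other load commands (e.g. LC_THREAD) untouched
    return sorted(segs, key=lambda s: s.phys_addr)


def segment_for(segs: List[Segment], paddr: int) -> Optional[Segment]:
    for s in segs:
        if s.phys_addr <= paddr < s.phys_addr + s.size:
            return s
    return None


def phys_to_file_offset(segs: List[Segment], paddr: int) -> Optional[int]:
    """Translate a physical address to a dump-file offset; None if the page was not captured."""
    s = segment_for(segs, paddr)
    if s is None:
        return None
    delta = paddr - s.phys_addr
    return s.file_off + delta if delta < s.file_size else None


def read_physical(data: bytes, segs: List[Segment], paddr: int, length: int) -> bytes:
    """Read up to `length` bytes at a physical address, clamped to the containing segment."""
    s = segment_for(segs, paddr)
    if s is None:
        return b""
    delta = paddr - s.phys_addr
    avail = max(0, s.file_size - delta)
    return data[s.file_off + delta: s.file_off + delta + min(length, avail)]


def gaps(segs: List[Segment]) -> List[Tuple[int, int]]:
    """Physical ranges absent from the dump: [start, end) pairs between consecutive segments."""
    out, prev_end = [], None
    for s in segs:
        if prev_end is not None and s.phys_addr > prev_end:
            out.append((prev_end, s.phys_addr))
        prev_end = max(prev_end or 0, s.phys_addr + s.size)
    return out


def build_sample_dump() -> bytes:
    """CONSTRUCTED sample: a 64-bit MH_CORE with RAM at 0x0-0x1000 and 0x3000-0x3800."""
    ram0, ram1 = b"A" * 0x1000, b"B" * 0x800
    ncmds, hdr_size, cmd_size = 2, 32, 72
    off0 = hdr_size + ncmds * cmd_size
    off1 = off0 + len(ram0)

    def seg(name, vmaddr, vmsize, fileoff, filesize):
        # segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize,
        #                     maxprot, initprot, nsects, flags
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, cmd_size, name,
                           vmaddr, vmsize, fileoff, filesize, 7, 7, 0, 0)

    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_CORE, ncmds, ncmds * cmd_size, 0, 0)
    return hdr + seg(b"ram0", 0x0, 0x1000, off0, 0x1000) + seg(b"ram1", 0x3000, 0x800, off1, 0x800) + ram0 + ram1


if __name__ == "__main__":
    dump = build_sample_dump()
    segments = parse_dump(dump)
    for s in segments:
        print("%-8s phys %#010x-%#010x file %#x%s" % (s.name, s.phys_addr, s.phys_addr + s.size,
                                                     s.file_off, "" if s.complete else " (TRUNCATED)"))
    print("holes:", ["%#x-%#x" % g for g in gaps(segments)])
```

The `complete` flag is the check worth keeping: a dump that was interrupted (USB stick filled up, NFS share dropped) still carries a valid header claiming the full segment, and a reader that trusts `filesize` blindly will silently return short or wrong data for the tail of RAM. Holes reported by `gaps()` are expected on real hardware, since the tool deliberately skips memory-mapped I/O; treat them as unmapped, not as zeroed memory.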
