Apple Mac Memory Forensics Setup

I wanted to write a reference post for a quick setup to analyse a dump of RAM from a Mac. It is based purely on my experience so far; it may be imperfect, or even wrong in places, but it has worked well for me. There may be other ways to achieve the same outcome, but in time-limited situations this seemed to be a good fit.

This guide is for Mac users.

Acquisition

First you need to dump the RAM, and for that you need a tool. OSXPmem is the one I used, and it worked well after some setup. Follow the steps below and you should have a working tool and a dump of the RAM. Write the dump straight to a USB stick or external hard drive rather than to the Mac's own disk, so you alter as little of the machine's state as possible.

Download OSXPmem and configure it

1. git clone https://github.com/wrmsr/pmem

2. cd pmem/OSXPMem

3. tar xvf OSXPMem.tar.gz

4. cd OSXPMem

5. sudo chown -R root:wheel osxpmem

6. sudo chown -R root:wheel pmem.kext

7. sudo ./osxpmem --format raw memory.raw

Allow that to finish.

8. sudo ./osxpmem memory.dump

What do we do with the dump now?

We used one tool to acquire the raw dump; now we use another, Volatility, to analyse the data we saved. First you'll need to install a couple of Python modules on your Mac to get it working.

sudo pip install pycrypto && sudo pip install distorm3

Now you can go ahead and download Volatility from GitHub.

git clone https://github.com/volatilityfoundation/volatility

Profiles

Volatility cannot work out of the box without first referencing a profile of the operating system. I'll look into this further, as I quickly made my own, but for now there are perfectly usable profiles on the Volatility GitHub page.

https://github.com/volatilityfoundation/profiles/tree/master/Mac

Download the zip file for your target OS, meaning the OS of the machine you took the dump from, and place it, still zipped, in the folder below:

volatility/volatility/plugins/overlays/mac

Next you need to pull out the name of the profile to pass as an argument to the Volatility script. Inside your Volatility checkout, run:

python vol.py --info | grep "Mac"

You should see a reply similar to the one below:

MacSierra_10_12_6_16G29x64 - A Profile for Mac Sierra_10.12.6_16G29 x64

You need the first part of this, 'MacSierra_10_12_6_16G29x64', from your output.

Now you’re ready to start analysing the memory dump.

The Volatility GitHub wiki is a great place to start, as it explains what each of the commands does.

https://github.com/volatilityfoundation/volatility/wiki/Mac-Command-Reference

Commands

I'd advise the below layout of the command structure, as there's one part of the command that will change frequently. The 'Mac-Command-Reference' link above lists the commands you can pass to Volatility to return data. An example command is below; it shows the ARP table as it was at the time of the dump.

python vol.py --profile=MacSierra_10_12_6_16G29x64 -f location_of_dump_file/memory.raw mac_arp

Note that the plugin name goes at the end. This saves time when repeating the command line, since only the last part needs editing and all the Mac plugins start with 'mac_'. For a list of all the commands you can run against a dump, refer to the 'Mac-Command-Reference' link above, and also the Python files in the Volatility folder:

volatility/volatility/plugins/mac
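Bringing the profile step and the command layout together, here is an added POSIX shell example (not from the original post or the Volatility project). It pulls the profile name out of `vol.py --info` output given the build string of the dumped OS, keeps the fixed part of the command (profile and dump path) in one place, and runs a list of mac_ plugins one after another, saving each plugin's output to its own file so one failing plugin does not hide the rest. The --info lines are a constructed sample in the shape shown above; VOL_DIR, DUMP and BUILD are assumed environment variables an analyst would export, and the plugin names used are existing Volatility Mac plugins.

```shell
#!/bin/sh
# Added example (not from the original post or the Volatility project): pick the
# profile name out of `vol.py --info` output, build the unchanging part of the
# command once, and run several mac_* plugins against the dump, one output file each.
# Assumptions: VOL_DIR is the volatility checkout, DUMP the raw image, BUILD the
# OS build of the dumped machine (e.g. 10.12.6_16G29). SAMPLE_INFO is constructed.

# Constructed sample of what `python vol.py --info | grep "Mac"` prints.
SAMPLE_INFO='MacElCapitan_10_11_6_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G31 x64
MacSierra_10_12_6_16G29x64 - A Profile for Mac Sierra_10.12.6_16G29 x64
MacHighSierra_10_13_1_17B48x64 - A Profile for Mac HighSierra_10.13.1_17B48 x64'

# Print the profile name (first field) of the first line whose description
# contains the given build string; print nothing if no profile matches.
mac_profile_for_build() {
    printf '%s\n' "$1" | awk -v build="$2" 'index($0, build) { print $1; exit }'
}

# Assemble the command in the layout used above: profile and dump stay fixed,
# only the plugin name at the end changes between runs.
build_vol_cmd() {
    printf 'python %s/vol.py --profile=%s -f %s %s' "$1" "$2" "$3" "$4"
}

# Run each plugin and store its output as <outdir>/<plugin>.txt; stderr goes to a
# per-plugin .err file so a plugin that fails on this profile does not stop the loop.
run_mac_triage() {
    vol_dir="$1"; profile="$2"; dump="$3"; outdir="$4"; shift 4
    mkdir -p "$outdir"
    for plugin in "$@"; do
        python "$vol_dir/vol.py" --profile="$profile" -f "$dump" "$plugin" \
            > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err" \
            || echo "$plugin failed, see $outdir/$plugin.err" >&2
    done
}

# Only runs when the analyst has exported VOL_DIR, DUMP and BUILD, e.g.:
#   VOL_DIR=~/volatility DUMP=/Volumes/EVIDENCE/memory.raw BUILD=10.12.6_16G29 sh triage.sh
if [ -n "${VOL_DIR:-}" ] && [ -n "${DUMP:-}" ] && [ -n "${BUILD:-}" ]; then
    info=$(python "$VOL_DIR/vol.py" --info | grep "Mac")
    PROFILE=$(mac_profile_for_build "$info" "$BUILD")
    if [ -z "$PROFILE" ]; then
        echo "no Mac profile for build $BUILD; add its zip under plugins/overlays/mac" >&2
        exit 1
    fi
    echo "using: $(build_vol_cmd "$VOL_DIR" "$PROFILE" "$DUMP" '<plugin>')"
    run_mac_triage "$VOL_DIR" "$PROFILE" "$DUMP" ./triage \
        mac_pslist mac_netstat mac_arp mac_ifconfig mac_lsof
fi
```

Matching on the build string rather than on "Sierra" avoids picking the wrong profile when several point releases of the same OS version are installed side by side; an empty result means the right zip is not yet in the overlays folder.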