MAC memory dump

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

dandaman_24
Senior Member
 

Re: MAC memory dump

Post Posted: May 16, 18 11:38

- pr3cur50r
Axiom now has Volatility support also.


Have you tried a Mac RAM dump in AXIOM since the Volatility support?

I have, and it wasn't able to parse the RAM dump.

mcman
Senior Member
 

Re: MAC memory dump

Post Posted: May 16, 18 12:20

- dandaman_24
- pr3cur50r
Axiom now has Volatility support also.


Have you tried a Mac RAM dump in AXIOM since the Volatility support?

I have, and it wasn't able to parse the RAM dump.


The new Mac profiles came out after we released our support with Volatility, so we'll update to include the new profiles in the next update, I believe.

If you want to add them before then, you can get the new Volatility executable that includes the new Mac profiles, go to the AXIOM install folder, and swap out the Volatility executable for the new one; it should work. The exe swap works pretty well if you want to use beta/test builds from Volatility, too.

Jamie McQuaid
Magnet Forensics  
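The executable swap described in the post above, as an added example (not Magnet's or Volatility's code): the bundled Volatility executable is replaced by a newer build while the original is kept as a backup, and the SHA-256 of both binaries is written to a manifest so the exact build used for a case is on record and the change can be reverted. The install-folder path and the file name volatility.exe are assumptions; check your own AXIOM install folder for the real name and location.

```python
"""Swap a tool's bundled Volatility executable for a newer build, keeping a
hash-recorded backup so the change is documented and reversible.

Added example, not Magnet's or Volatility's code. The install-folder layout
and the executable name 'volatility.exe' are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def swap_executable(install_dir: Path, new_exe: Path, exe_name: str = "volatility.exe") -> dict:
    """Replace install_dir/exe_name with new_exe.

    The original is kept as <exe_name>.bak and a JSON manifest with both
    SHA-256 hashes is written next to it. Refuses to run twice (a backup
    already exists) or when the replacement is byte-identical.
    """
    target = install_dir / exe_name
    backup = install_dir / (exe_name + ".bak")
    if not target.is_file():
        raise FileNotFoundError(f"no {exe_name} in {install_dir}")
    if backup.exists():
        raise FileExistsError(f"{backup} exists; a swap has already been made")
    old_hash, new_hash = sha256_of(target), sha256_of(new_exe)
    if old_hash == new_hash:
        raise ValueError("replacement is byte-identical to the installed executable")
    shutil.copy2(target, backup)
    shutil.copy2(new_exe, target)
    manifest = {
        "installed": str(target),
        "backup": str(backup),
        "previous_sha256": old_hash,
        "current_sha256": new_hash,
    }
    (install_dir / (exe_name + ".swap.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_executable(install_dir: Path, exe_name: str = "volatility.exe") -> str:
    """Undo swap_executable(): move the backup back and return its SHA-256."""
    target = install_dir / exe_name
    backup = install_dir / (exe_name + ".bak")
    shutil.move(str(backup), str(target))
    return sha256_of(target)


def demo_swap() -> dict:
    """Run the swap against constructed stand-in files in a temp directory.

    Demo data only; this is not a real AXIOM install. For a real swap call
    swap_executable(<AXIOM install folder>, <path to new volatility.exe>).
    """
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp)
        (install / "volatility.exe").write_bytes(b"old volatility build")  # constructed
        new_exe = install / "volatility_new.exe"
        new_exe.write_bytes(b"new volatility build with mac profiles")  # constructed
        manifest = swap_executable(install, new_exe)
        installed_after_swap = (install / "volatility.exe").read_bytes()
        restored_hash = restore_executable(install)
        return {
            "manifest": manifest,
            "installed_after_swap": installed_after_swap,
            "restored_matches_previous": restored_hash == manifest["previous_sha256"],
        }


if __name__ == "__main__":
    print(json.dumps(demo_swap()["manifest"], indent=2))
```

The manifest is the part worth keeping with the case notes: when a Volatility beta build is dropped into a commercial tool, the hash of that build is what lets someone else reproduce the parse later.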
 
  

hoyt.harness
Newbie
 

Re: MAC memory dump

Post Posted: Jul 13, 18 07:00

Another option is the pmem suite of tools here. Volatility has support for the format, as does Google's Rekall.
_________________
Hoyt Harness, CFCE
-----------------
github.com/hoyt-harness
positronikal.github.io/
thepositronikal.blogspot.com/
www.revealforensic.com/ 
 
  

keydet89
Senior Member
 

Re: MAC memory dump

Post Posted: Jul 14, 18 05:00

- jv89
I will also agree with the above comments.


Unless I missed something or some messages were deleted, the original poster seems to be asking about dumping memory from a Mac, not performing analysis of a memory dump.

Where between the original post and the first response did the context change?  
 
  

Beleka
Member
 

Re: MAC memory dump

Post Posted: Sep 13, 18 06:11

ponderthebits.com/2017...olatility/

You can follow this guide to extract and create the profile associated with your Mac. I tried it on different distributions and builds, and it worked perfectly.

About analysis, in my opinion the best choice is extracting raw memory from the AFF4 format that Rekall creates and analyzing it with Volatility.

Regards
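As an added example (not code from this thread, from Rekall, pmem or Volatility): the AFF4 container that the pmem tools write, which the two posts above refer to, is a ZIP file holding an information.turtle metadata file alongside the stream data. Before handing a raw export to Volatility it is worth checking that the export's length matches the aff4:size recorded for the PhysicalMemory stream, so a truncated export is not mistaken for a profile problem. The volume URN, the stream name PhysicalMemory and the turtle text in the block are constructed stand-ins modelled on what pmem images contain; confirm the names in your own image's information.turtle.

```python
"""Sanity-check a raw memory export against the metadata in the AFF4
container it came from, before giving the raw file to Volatility.

Added example, not Rekall's, pmem's or Volatility's code. Only generic AFF4
container structure is relied on (a ZIP with information.turtle). The volume
URN, stream names and turtle below are constructed stand-ins.
"""
import re
import tempfile
import zipfile
from pathlib import Path

SUBJECT_RE = re.compile(r"^<([^>]+)>")          # turtle subject at line start
SIZE_RE = re.compile(r'aff4:size\s+"?(\d+)"?')  # plain or "N"^^xsd:long literal


def read_turtle(container: Path) -> str:
    """Return the information.turtle metadata from an AFF4 ZIP container."""
    with zipfile.ZipFile(container) as zf:
        return zf.read("information.turtle").decode("utf-8")


def stream_sizes(turtle: str) -> dict:
    """Map each subject URN in the turtle to its aff4:size, where one is declared."""
    sizes, subject = {}, None
    for line in turtle.splitlines():
        m = SUBJECT_RE.match(line.strip())
        if m:
            subject = m.group(1)
        m = SIZE_RE.search(line)
        if m and subject:
            sizes[subject] = int(m.group(1))
    return sizes


def physical_memory_size(turtle: str) -> int:
    """Declared size of the .../PhysicalMemory stream (the name pmem tools use)."""
    for urn, size in stream_sizes(turtle).items():
        if urn.rstrip("/").endswith("/PhysicalMemory"):
            return size
    raise KeyError("no .../PhysicalMemory stream with an aff4:size in information.turtle")


def check_export(container: Path, raw_export: Path) -> dict:
    """Compare the raw export's length with the size the container declares."""
    expected = physical_memory_size(read_turtle(container))
    actual = raw_export.stat().st_size
    return {"expected_bytes": expected, "actual_bytes": actual, "ok": expected == actual}


# Constructed demo metadata: a 1 MiB "physical memory" map and its image stream.
DEMO_VOLUME = "aff4://0a1b2c3d-0000-4000-8000-000000000001"
DEMO_SIZE = 1 << 20
DEMO_TURTLE = f"""@prefix aff4: <http://aff4.org/Schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<{DEMO_VOLUME}/PhysicalMemory>
    a aff4:Map ;
    aff4:dependentStream <{DEMO_VOLUME}/PhysicalMemory/data> ;
    aff4:size "{DEMO_SIZE}"^^xsd:long ;
    aff4:stored <{DEMO_VOLUME}> .

<{DEMO_VOLUME}/PhysicalMemory/data>
    a aff4:ImageStream ;
    aff4:chunkSize "32768"^^xsd:int ;
    aff4:size "{DEMO_SIZE}"^^xsd:long ;
    aff4:stored <{DEMO_VOLUME}> .
"""


def build_demo_container(path: Path) -> None:
    """Write a minimal constructed AFF4-style ZIP with only the metadata members
    this check needs (a real image also carries the memory chunks)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("container.description", DEMO_VOLUME)
        zf.writestr("information.turtle", DEMO_TURTLE)


def demo() -> dict:
    """Check a complete and a truncated export against the demo container."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        container = tmp / "mem.aff4"
        build_demo_container(container)
        good = tmp / "mem.raw"
        good.write_bytes(b"\x00" * DEMO_SIZE)              # right length
        short = tmp / "mem_truncated.raw"
        short.write_bytes(b"\x00" * (DEMO_SIZE - 4096))    # one page missing
        return {"complete": check_export(container, good),
                "truncated": check_export(container, short)}


if __name__ == "__main__":
    print(demo())
```

A length match is necessary, not sufficient: pmem records physical memory as a sparse map, so ranges it could not read come out as zero-filled holes in a raw export and still pass this check. Use the pmem tool you acquired with to do the export (check its usage text for the export option), and remember that Volatility still needs a profile matching the exact kernel build, which is the point the rest of this thread turns on.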
 

Page 2 of 2