Many of us have long waited for a tool that would allow incident responders to grab the contents of RAM from a live Mac. While access to memory was possible using acquisition methods such as the Cold Boot attack, by exploiting the Firewire interface which provides DMA (Direct Memory Access) or, under some circumstances, grabbing the file called sleepimage (OS X counterpart of hiberfil.sys), the forensic community lacked tools that could sample the state of a Mac's physical memory in the same way that win32dd, mdd, winen or memoryze can do on a Windows machine.
Lucky for us Cyber Marshal released last week Mac Memory Reader, a command line utility that runs directly on the target Mac and that can be downloaded for free. The tool generates a dump file in Apple's Mach-O format containing the offsets and lengths of each available segment of physical RAM (ignoring memory ports or memory-mapped I/O devices) with output to a USB device or any other mounted volume like an NFS share.
According to Cyber Marshal Mac Memory Reader executes directly on 32-bit and 64-bit target machines running Mac OS X 10.4, 10.5, or 10.6 and requires a PowerPC G4 or newer, or any Intel processor. All the commands and examples that I include in this post have been tested on my Macbook Pro and iMac both running Snow Leopard (10.6) on Intel based processors. It's been reported though that it doesn't work on all systems so if you get different results it would be interesting to know.
Memory Acquisition
Usage is really simple. Open a terminal, change into the MacMemoryReader directory and execute:
($) sudo ./MacMemoryReader -v -H SHA-256 memory.img
The —v switch will show progress on the memory dump process and additional debugging information like available memory ranges. When the dump is completed the hash of the output file will be shown. You can compute additional hashes on the fly if needed, adding "?-H hashtype'" arguments where hashtype can be MD5, SHA-1, SHA-256 or SHA-512.
Don't forget that, in order to use this tool to collect the contents of RAM, it must be loaded into memory as a running process, consuming memory space and therefore leaving a "digital footprint" (remember Locard's?). It will also produce an output file that is slightly larger than the system's physical memory due to the Mach-O header. This header lists all the segments of memory contained in the file, followed by the memory segments themselves, preserving offset information. If you're given one of these snapshots, you can use the "otool" command to list the physical memory segments captured in the file:
($) otool -l memory.img memory.img: Load command 0 cmd LC_SEGMENT_64 cmdsize 152 segname __TEXT vmaddr 0x0000000000000000 vmsize 0x000000000008f000 fileoff 8192 filesize 585728 maxprot 0x00000001 initprot 0x00000001 nsects 1 flags 0x0 ...
Only if the target system is using virtualization technology, the memory dump will be slightly smaller than the full size of the system's RAM as the hypervisor reserves some memory for itself. In this case, the snapshot obtained with MacMemoryReader will include the RAM used by the guest virtual machines.
Memory Analysis
Ok, so we have a memory dump containing volatile data that might be extremely valuable for our forensic investigation. However, collecting, parsing and analyzing the entire contents of physical memory in Mac OS is still a new field even today, and while some researchers like Matthieu Suiche have published some work on the subject, the truth is that Mac tools are about where Windows tools were about years ago.
However, performing an offline analysis with good old data search and extraction tools is relatively simple. At the end, Mach-O files are (aside from the header) raw data files that respond well to Hex Editors, strings, grep and data carvers like Foremost and the like.
In example, I used strings and the following grep expression to search for File Vault passwords that can be found in clear text in the memory image:
($) strings - memory.img | grep -A 4 -i longname ... — longname Imael_Valenzuela managedUser password MyP@ssw0rd — ...
Here we look for text after "longname" to locate user names and actual passwords in plain text. Be aware that strings treats Mach-O files specially and only examines part of the file by default, hence the need to use ?-? to force it to examine the whole file. In any case, whether you run a grep search using single keywords or a dirty word list using a plain text file and the -f switch, focus on keywords that can reduce the results to a manageable amount.
In Part 2 we will continue our analysis on the Mac's memory dump. Stay tuned!
Ismael Valenzuela (CISSP, CISM, GCFA, GCIA, GPEN, GWAPT, GCWN, 27001 Lead Auditor & ITIL Certified) is a Community SANS Instructor and Global IT Security Manager for iSOFT Group Ltd., one of the world's largest providers of healthcare IT solutions. Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous international projects across EMEA, India and Australia in the last 10 years. Ismael has also authored several articles that are freely available at http://blog.ismaelvalenzuela.c... / Mr. Valenzuela can be followed on twitter at @aboutsecurity.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
