Mac OS X Live Forensics 103 (Memory Analysis on OS X 10.9.2)
This is the 3rd part in my series on performing incident response and live forensics techniques specific to OS X (part 1 and part 2). This part focuses on memory forensics on OS X. To start, there are many options for memory analysis on Mac OS X, but most of them depend heavily on the version of OS X you're running; to find out which version you have, issue the command 'sw_vers' in your terminal. I learned a great deal about process memory and core memory dumps from this chapter in the OS X book, which is a great resource.
You can find memory images written by the OS for RAM conservation and sleep in the following locations, but after version 10.7 these are encrypted by default:
/var/vm/sleepimage
/var/vm/swapfile
/private/var/vm/sleepimage
/private/var/vm/swapfile
Tools for memory acquisition on Mac are heavily dependent on the version of OS X; below I've listed the versions the public tools currently support:
Mac Memory Reader - OS X 10.4 - 10.8
Mac Memoryze - OS X 10.6 - 10.8
OSXPmem - Up to OS X 10.9
Tools for memory analysis are also heavily dependent on the version of OS X:
Volatility - OS X 10.5 - 10.8 (publicly)
Mac Memoryze - OS X 10.6 - 10.8
Volafox - OS X 10.6-10.9
To actually get a working memory analysis on OS X 10.9.2, I first had to set up OSXPmem with the proper permissions. When doing this you need to drop into a root shell before extracting the zip file so that the file owner and group are preserved; otherwise the program will throw errors. Similarly, when setting up Volafox you have to generate a new overlay for your kernel and move it into the proper directory. I did this like so:
python overlay_generator.py /mach_kernel ./overlays/13C64x64.overlay 64
Next, I dumped the memory in Mach-O format, flattened that with the Volafox flatten utility, and could then run any Volafox analysis I wanted against the flattened dump. These steps are below:
Dumping the memory looked like this:
sudo ./osxpmem -f mach ~/Desktop/out.dump
I then used the Volafox utility to flatten the file like so:
python flatten.py ~/Desktop/out.dump ~/Desktop/out.dump.flat
Next, you can perform analysis using Volafox as such:
python vol.py -i ~/Desktop/out.dump.flat -o keychaindump
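The three steps above wrapped into one script, as an added example that is not part of the original post: it records the OS version and a SHA-256 hash and size of every artifact (raw dump, flattened dump) in an evidence log, so the image you analyse can later be shown to be the one you acquired. The OSXPMEM and VOLAFOX_DIR locations are assumptions; the hashing and logging functions run anywhere, the pipeline itself needs the tools on an OS X host.

```shell
#!/bin/sh
# Added example: OSXPmem -> Volafox flatten -> Volafox module, with evidence hashing.
# Tool locations are assumptions; override them in the environment if needed.
OSXPMEM=${OSXPMEM:-./osxpmem}
VOLAFOX_DIR=${VOLAFOX_DIR:-./volafox}

# Print "sha256  path  size-in-bytes" for a file, using whichever hash tool exists.
hash_file() {
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | cut -d' ' -f1)
    else
        h=$(shasum -a 256 "$f" | cut -d' ' -f1)   # OS X ships shasum, not sha256sum
    fi
    printf '%s  %s  %s\n' "$h" "$f" "$(wc -c < "$f" | tr -d ' ')"
}

# Append a hash line for an artifact to the evidence log; fails if the artifact is missing.
log_evidence() {
    f=$1; log=$2
    [ -f "$f" ] || { echo "missing artifact: $f" >&2; return 1; }
    hash_file "$f" >> "$log"
}

# Full pipeline: dump (needs root, as in the post), flatten, then run a Volafox module.
acquire_and_analyze() {
    out=$1; module=${2:-keychaindump}; log="$out.evidence.log"
    : > "$log"
    sw_vers >> "$log" 2>/dev/null || true      # tool support depends on the exact version
    sudo "$OSXPMEM" -f mach "$out" || return 1
    log_evidence "$out" "$log" || return 1
    python "$VOLAFOX_DIR/flatten.py" "$out" "$out.flat" || return 1
    log_evidence "$out.flat" "$log" || return 1
    python "$VOLAFOX_DIR/vol.py" -i "$out.flat" -o "$module"
}

# Only run the pipeline when an output path is given, e.g.: sh acquire.sh ~/Desktop/out.dump
if [ $# -ge 1 ]; then
    acquire_and_analyze "$@"
fi
```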
The Keychain master key looks like a 48-character hex string; here are the candidates as output by Volafox:
[*] master key candidate: 000000000000000000000000000000000000000000000000
[*] master key candidate: 100000000000000000000000000000000000000000000000
[*] master key candidate: 010000000000000000000000000000000000000000000000
Let's take a closer look at what we can do with the Keychain now. There are a few different keychain locations on Mac OS X, but the one we want is the local user keychain: ~/Library/Keychains/
Using chainbreaker, written by the same people who wrote Volafox, you can then decrypt the Keychain file. It's as simple as the following command, where I decrypt the passwords stored in the user's keychain:
python chainbreaker.py -i ~/Library/Keychains/login.keychain -k 000000000000000000000000000000000000000000000000
And the output of that tool is all of my stored passwords, decrypted and in clear text. I used this paper to learn more about Keychain analysis via memory analysis.