Abstract

Memory acquisition is essential to defeat anti-forensic operating-system features and to investigate cyberattacks that leave little or no evidence in secondary storage. The forensic community has developed tools to acquire physical memory from Apple's Macintosh computers, but these tools have not been tested much. This work tested three major OS X memory-acquisition tools. Although the tools could capture system memory accurately, the open-source tool OSXPmem appeared advantageous in size, reliability, and support for different memory configurations and versions of the OS X operating system.
