Acquisition of OS X RAM is a bit of a holy grail of memory analysis, quite simply because no-one has done it, or has admitted to it. It is always good form to realise that whatever we think of as secure has probably been undermined by Dark Forces working from bunkers under grassy fields, or desert, or tundra, depending on your Government Agency of choice. In Leopard there were some significant weaknesses in OS X RAM, well researched and documented by Dai Zovi (we're not worthy!), who demonstrated in 2009 a number of different attacks on the OS through the poorly implemented memory stack, which allowed heap-allocated memory to be executable, unlike Vista/7 etc. Windows more secure - who knew!! Snow Leopard with its 64-bit architecture has gone a long way to solving that. But with the incredible amount of information available from a Windows RAM dump it would be great to achieve the same from a Mac.

Work has been done with DMA (Direct Memory Access) via Firewire, which can theoretically work, and some researchers had some success with Leopard, but it's all gone quiet with Snow Leopard. Well, unless you are prepared to freeze the chips, you need to acquire the RAM whilst the machine is live. On a Linux machine you can simply dd /dev/mem and /dev/kmem, but no such luck with OS X.

For the time being our best bet is the OS X counterpart of hiberfil.sys. In Windows, hiberfil is a file generated in the root of C: when the PC is put into hibernate state. The resulting file can be converted into a raw RAM dump using either the tools from Matthieu Suiche's Sandman project or the version produced for Volatility. OS X has a similar file called sleepimage. You can see if your Mac has one at the moment by doing the following:

If your machine has been hibernated you should see a sleepimage file with a file size that is the same as your RAM.

If you come up against a running Mac and will be seizing it, then it is possible to force the machine to create the sleepimage file by changing the hibernatemode. When you shut the lid it now creates a hibernate file and shuts the machine down rather than putting it into sleep mode. The problem is that it will likely ask for the admin password. You could run MacLockpick, which will extract the Keychain and possibly give you the password you need. Next, you need to set it back - sudo pmset -a hibernatemode 3. Now simply image the drive as normal, extract the sleepimage file and analyse it.

Changing the hibernatemode makes a technical change to the machine, and the technique forces you to shut the machine down, which is no good if you want the RAM live whilst leaving the machine running. If you were doing a live data acquisition or search of the machine it is simply a case of plugging in a USB drive and typing:

sudo cp /var/vm/sleepimage /Volumes/USBkey

(where USBkey is the name of your drive).