Accession Number ADA562777
Title Forensic Memory Analysis for Apple OS X.
Publication Date Jun 2012
Media Count 166p
Personal Author A. F. Hay
Abstract Analysis of raw memory dumps has become a critical capability in digital forensics because it gives insight into the state of a system that cannot be fully represented through traditional disk analysis. Interest in memory forensics has grown steadily in recent years, with a focus on the Microsoft Windows operating systems. However, similar capabilities for Linux and Apple OS X have lagged by comparison. The volafox open source project has begun work on structured memory analysis for OS X. The tool currently supports a limited set of kernel structures to parse hardware information, the system build number, the process listing, loaded kernel modules, the syscall table, and socket connections. This research addresses one memory analysis deficiency on OS X by introducing a new volafox module for parsing file handles. When open files are mapped to a process, an examiner can learn which resources the process is accessing on disk. This listing is useful for determining what information may have been the target of exfiltration or modification on a compromised system. Comparing the output of the developed module with that of the UNIX lsof (list open files) command on two versions of OS X and two kernel architectures validates the methodology used to extract file handle information.
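The abstract validates the memory-parsed file handle listing by comparing it against lsof on the live system. The script below is an added example of that cross-check, written for this record; it is not code from the thesis or from the volafox project. The lsof input is in the real `lsof -F pcftn` field format, but both samples are constructed, and the tab-separated "pid, command, fd, path" format of the memory module's output is an assumption (volafox's actual output format may differ).

```python
"""Reconcile file handles recovered from a memory image with lsof output.

Added example, not code from the thesis or volafox. Both inputs below are
constructed sample data; the memory-module output format is assumed.
"""
from collections import namedtuple

Handle = namedtuple("Handle", "pid command fd path")

# Constructed `lsof -F pcftn` output: a 'p' line starts a process record,
# 'c' is the command, and each open file is an 'f' line followed by 't' (type)
# and 'n' (name). The socket record is deliberately included to be filtered out.
LSOF_SAMPLE = """\
p101
claunchd
fcwd
tDIR
n/
f5
tREG
n/var/log/system.log
p202
cbackupd
fcwd
tDIR
n/Users/alice
f3
tREG
n/Users/alice/Documents/plan.xlsx
f7
tIPv4
n10.0.0.5:49152->203.0.113.9:443
f8
tREG
n/private/var/tmp/cache.db
"""

# Constructed output of a memory-analysis file handle module (assumed format:
# pid, command, fd, path separated by tabs). fd 8 is absent and fd 9 is extra
# relative to the lsof sample, to exercise the discrepancy reporting.
MEMORY_SAMPLE = """\
101\tlaunchd\tcwd\t/
101\tlaunchd\t5\t/var/log/system.log
202\tbackupd\tcwd\t/Users/alice
202\tbackupd\t3\t/Users/alice/Documents/plan.xlsx
202\tbackupd\t9\t/Users/alice/Documents/.keys.txt
"""


def parse_lsof_fields(text):
    """Parse `lsof -F pcftn` output, keeping only regular files and directories."""
    handles = []
    pid = command = fd = ftype = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            pid, command = int(value), None
        elif tag == "c":
            command = value
        elif tag == "f":
            fd, ftype = value, None
        elif tag == "t":
            ftype = value
        elif tag == "n" and ftype in ("REG", "DIR"):
            handles.append(Handle(pid, command, fd, value))
    return handles


def parse_memory_listing(text):
    """Parse the (assumed) tab-separated output of the memory file handle module."""
    handles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, command, fd, path = line.split("\t", 3)
        handles.append(Handle(int(pid), command, fd, path))
    return handles


def compare_handles(live, memory):
    """Reconcile the lsof view with the memory-parsed view, keyed on (pid, fd)."""
    live_map = {(h.pid, h.fd): h for h in live}
    mem_map = {(h.pid, h.fd): h for h in memory}
    report = {"matched": [], "path_mismatch": [],
              "missing_from_memory": [], "only_in_memory": []}
    for key in sorted(set(live_map) | set(mem_map)):
        lh, mh = live_map.get(key), mem_map.get(key)
        if lh and mh:
            if lh.path == mh.path:
                report["matched"].append(key)
            else:
                report["path_mismatch"].append((lh, mh))
        elif lh:
            report["missing_from_memory"].append(lh)   # parser missed it, or closed since
        else:
            report["only_in_memory"].append(mh)        # opened since, or hidden from lsof
    return report


if __name__ == "__main__":
    report = compare_handles(parse_lsof_fields(LSOF_SAMPLE),
                             parse_memory_listing(MEMORY_SAMPLE))
    for category, entries in report.items():
        print(f"{category}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

The lsof run and the memory capture are never taken at the same instant, so a handle opened or closed in between shows up as a discrepancy even when the parser is correct; treat "missing_from_memory" and "only_in_memory" entries as items to investigate (and, on a compromised host, a handle present in memory but absent from lsof is itself worth a look) rather than as an automatic verdict on the module.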
Keywords Apple OS X
Computer crimes
Computer memory
Digital forensics
File handles
Kernel architectures
Memory analysis
Memory devices
Operating systems(Computers)
Parsing
Running processes
System state
Theses
Volafox
Source Agency Non Paid ADAS
NTIS Subject Category 62B - Computer Software
Corporate Author Air Force Inst. of Tech., Wright-Patterson AFB, OH. Graduate School of Engineering and Management.
Document Type Thesis
Title Note Master's thesis.
NTIS Issue Number 1225
Contract Number N/A
