Mac Laptop Live Memory Dumps.

@buster (Eminent Member, Topic starter)
 

People on the board may already be aware of this "feature" which can be found on later (post Autumn 2005) Mac laptops (including the Air) but I have not seen it mentioned anywhere, so thought I would throw it up for everyone's information.

During a recent examination of a PowerBook G4 (running OS X 10.4) I started to find information pertinent to the investigation in a file located at

private/var/vm/sleepimage

At first glance the contents of the file appeared to be random, junk data until it dawned on me that I was looking at some sort of RAM dump. It turned out that it was exactly that.

The process is conducted by the "Sleep Safe" function added to Mac laptops late in 2005. Basically, when you put the machine to sleep it copies the entire contents of live memory to a pre-configured file on the hard disc so that a user can pick up where they left off whenever they power the machine on again. At that point the contents of the file are copied back to live memory, putting the machine into exactly the same state that it was in when hibernated, no matter how long it is before the user returns.

There is a slightly longer explanation on my blog including a link to a deeper explanation of the process and instructions as to how the feature can be enabled on older models and video showing it in action.

It is certainly a file that I will head to early on in my next Mac examination as it has provided lots of useful evidence in the current case.

Stu

 
Posted : 16/08/2008 9:28 pm
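The post describes finding evidence in the sleepimage file, a hibernation dump of live RAM. Below is an added triage script (not from the poster or from Apple) showing how an examiner might approach a copy of that file offline: hash it for the notes, measure the entropy of the first chunk (if every chunk is near 8 bits per byte the image is encrypted or compressed and a raw keyword search is pointless), run a case-insensitive keyword search that reports file offsets with surrounding bytes, and pull a sample of printable strings. The sample image it builds is constructed: random filler with two recognisable fragments embedded, so the script runs without a real dump. The keyword list and the `example.invalid` addresses are made up for the demonstration.

```python
"""Triage of a macOS sleepimage (hibernation RAM dump) from a forensic copy.

Added example, not from the forum post. Assumes you have already acquired the
file (e.g. copied out of a disk image) and are working on that copy offline.
"""
import hashlib
import math
import os
import random
import re
import tempfile
from collections import Counter

CHUNK_SIZE = 1 << 20          # read 1 MiB at a time; real images are RAM-sized
MIN_STRING_LEN = 6            # same idea as `strings -n 6`
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)


def sha256_of_file(path):
    """Hash the working copy so the value can go in the examination notes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0. Near 8.0 for every chunk suggests the image
    is encrypted or compressed, so a raw keyword search will find nothing."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keyword_hits(path, keywords, context=32):
    """Return (offset, matched text, surrounding bytes) for each case-insensitive
    keyword match. Chunks overlap by the longest keyword minus one byte so a hit
    spanning a chunk boundary is not missed; the overlap can re-find a hit, so
    offsets already reported are skipped."""
    kws = [k.encode() for k in keywords]
    pattern = re.compile(b"|".join(re.escape(k) for k in kws), re.IGNORECASE)
    overlap = max(len(k) for k in kws) - 1
    hits, seen = [], set()
    with open(path, "rb") as f:
        base = 0                       # file offset of buf[0]
        buf = b""
        while True:
            block = f.read(CHUNK_SIZE)
            if not block:
                break
            buf += block
            for m in pattern.finditer(buf):
                off = base + m.start()
                if off in seen:
                    continue
                seen.add(off)
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append((off, m.group().decode("ascii", "replace"), buf[lo:hi]))
            keep = buf[-overlap:] if overlap else b""   # tail for boundary hits
            base += len(buf) - len(keep)
            buf = keep
    return hits


def strings_sample(path, limit=20):
    """First `limit` printable runs, as a quick look at what the dump holds.
    A run that straddles a chunk boundary is reported as two shorter runs."""
    out = []
    with open(path, "rb") as f:
        base = 0
        while len(out) < limit:
            block = f.read(CHUNK_SIZE)
            if not block:
                break
            for m in PRINTABLE.finditer(block):
                out.append((base + m.start(), m.group().decode("ascii")))
                if len(out) >= limit:
                    break
            base += len(block)
    return out


def triage(path, keywords):
    """One report dict an examiner can paste into notes or serialise."""
    with open(path, "rb") as f:
        head = f.read(CHUNK_SIZE)
    return {
        "path": path,
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_of_file(path),
        "entropy_first_chunk": round(shannon_entropy(head), 3),
        "keyword_hits": keyword_hits(path, keywords),
        "sample_strings": strings_sample(path),
    }


def build_sample_image(directory):
    """Constructed stand-in for a sleepimage: pseudo-random filler with two
    recognisable fragments embedded, so the script can be run offline."""
    rnd = random.Random(1)
    filler = bytes(rnd.getrandbits(8) for _ in range(200_000))
    frag1 = b"From: alice@example.invalid\r\nSubject: meeting notes\r\n"
    frag2 = b"https://example.invalid/login?user=alice"
    data = filler[:50_000] + frag1 + filler[50_000:150_000] + frag2 + filler[150_000:]
    path = os.path.join(directory, "sleepimage")
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_demo():
    """Build the constructed image in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        return triage(build_sample_image(d), ["alice", "Subject:", "login"])


if __name__ == "__main__":
    report = run_demo()
    for key, value in report.items():
        if key in ("keyword_hits", "sample_strings"):
            print(key)
            for item in value[:10]:
                print("   ", item)
        else:
            print(f"{key}: {value}")
```

On a real copy, call `triage("/path/to/copied/sleepimage", ["name", "address", "keyword"])` instead of `run_demo()`; the offsets it reports can then be opened in a hex viewer for the surrounding context, which is often a whole e-mail header, URL or document fragment rather than the one matched word.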