RAM acquisition of Mac

14 Posts
9 Users
0 Reactions
1,415 Views
(@dcollins)
New Member
Joined: 18 years ago
Posts: 3
Topic starter  

What tools if any are people using to grab memory from a live Mac? In my case, an Intel Mac Book Pro.

Thanks.

Doug C.
VITCU


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

You will need an appropriate device driver since 10.4, I believe, since Apple removed access to /dev/mem for security reasons.

The firewire method is quite successful, and sleepimage is another less desirable one.


(@dcollins)
New Member
Joined: 18 years ago
Posts: 3
Topic starter  

Thanks.

I have been using the Firewire method up until now, but wasn't sure if other tools had emerged.

-dc


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

F-Response might. It does on Windows and I am certain they'd make RAM available on OS X if it is possible….

-David


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

Sadly F-Response currently does not support OSX memory acquisition.

There's a -a switch for the f-response client to add additional devices on the Mac, which if /dev/mem existed may have worked.


(@dcollins)
New Member
Joined: 18 years ago
Posts: 3
Topic starter  

Yep, unfortunately it does not.

They have indicated it is a goal, but far in the future.

-dc


(@mwp2008)
Active Member
Joined: 16 years ago
Posts: 15
 

I cannot answer with certainty*, because I have had no hands on experience with a Mac.

However, Helix 3 Pro, which I recently purchased but have not had time to work with yet, at least advertises that their product will capture a forensic image of physical memory from Windows, Unix and OS X devices. The website address for the product is http://www.e-fense.com/helix3pro.php. Perhaps others with more experience with Helix or Helix Pro can comment/help as to whether it will actually perform as advertised.

(Please note that I have no financial relationship with e-fense and am only offering this as a suggestion in an attempt to be helpful.)

* I'm a relative newbie with 3 years in computer forensics…lots of training, only a small amount of hands-on experience


(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Hiya

I've been doing quite a bit with Helix Pro and although it will do RAM from all Windows flavours including 64 bit and Linux, the OSX button is still greyed out. Talking to e-fense they are working through the issues of the locked RAM in the OSX environment and should have a version out in due course.

One really cool thing with Helix Pro, when you pop it into an OSX environment it enables you to image the online iDisk environment from MobileMe. Even though the data is in the cloud it works a treat!! Undocumented feature.

Sorry off topic.

Cheers

Nick


(@infern0)
Trusted Member
Joined: 17 years ago
Posts: 54
 

Will the ability to acquire memory from OS X (using Helix or any other tool) vary depending if File Vault is used? I recall seeing a "Secure Memory" option when enabling File Vault.


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

"Secure Memory" option when enabling File Vault.

Hmm, I believe this has more to do with encrypting virtual memory and/or wiping memory between reboots, Vista has a similar option.

