Wednesday, May 12, 2010
Acquisition of OS X RAM is a bit of a holy grail of memory analysis, quite simply because nobody has published a way of doing it, or has admitted to it. It is always good form to assume that whatever we think of as secure has probably been undermined by Dark Forces working from bunkers under grassy fields, or desert, or tundra, depending on your Government Agency of choice.
In Leopard there were some significant weaknesses in OS X memory protection, well researched and documented by Dino Dai Zovi (we're not worthy!), who demonstrated in 2009 a number of different attacks on the OS through those weak protections, which left heap-allocated memory executable, unlike Vista/7 etc. Windows more secure - who knew!
Snow Leopard, with its 64-bit architecture, has gone a long way towards fixing that. But given the incredible amount of information available from a Windows RAM dump, it would be great to achieve the same from a Mac. Work has been done with DMA (Direct Memory Access) over FireWire, which works in principle, and some researchers had some success with Leopard, but it has all gone quiet with Snow Leopard. So where does that leave us?
Well, unless you are prepared to freeze the chips (a cold-boot attack), you need to acquire the RAM whilst the machine is live. On a Linux machine you can simply dd /dev/mem and /dev/kmem (on kernels that still expose them), but OS X does not provide those devices by default.
For the time being our best bet is the OS X counterpart of hiberfil.sys. In Windows, hiberfil.sys is written to the root of the system drive when the PC is put into hibernation, and the resulting file can be converted into a raw RAM dump using either Matthieu Suiche's tools from the Sandman project or the version produced for Volatility. OS X has a similar file called sleepimage. You can see if your Mac has one at the moment by doing the following:-
Type - cd /var/vm
Type - ls -l
If hibernation is enabled (hibernatemode 1 or 3) and the machine has slept since, you should see a sleepimage file whose size is the same as your physical RAM. Desktops default to hibernatemode 0, which never writes an image, so the file will normally only exist on a portable.
If you come up against a running Mac that you will be seizing, it is possible to force the machine to create the sleepimage file.
Suggested 'Forensic' methodology:-
First note the current hibernatemode value (pmset -g lists it) so that it can be restored afterwards; 3 is the default on portables and 0 on desktops.
Type - sudo pmset -a hibernatemode 1
When you now shut the lid the machine writes the hibernate file and shuts down rather than going into sleep mode. The problem is that sudo will ask for an admin password. You could run MacLockpick, which will extract the Keychain and possibly give you the password you need.
Shut the lid, wait for the machine to power off, and take the machine.
Once you have finished with it, set the mode back - sudo pmset -a hibernatemode 3 (or whatever value it had before). Note that mode 3, the portable default, already writes sleepimage on every sleep while keeping the RAM powered, so a laptop that has slept recently usually has a current image without any change; mode 1 only guarantees a fresh write and a powered-down machine.
Now simply image the drive as normal, extract the sleepimage file and analyze it.
If you are doing a live data acquisition or search of the machine, it is simply a case of plugging in a USB drive and typing:-
sudo cp /var/vm/sleepimage /Volumes/USBkey (where USBkey is the name of your drive), then hashing both the original and the copy so that you can show they match.
Now the problems:-
Changing the hibernatemode makes a technical change to the machine: it writes a persistent power-management setting, and the sudo commands themselves leave traces.
The technique forces you to shut the machine down, which is no good if you want the RAM while leaving the machine running.
There are currently no tools available for analysing the sleepimage. The tools we use for Windows RAM analysis, such as Volatility, Foremost and Memoryze, do not understand it. Get coding!
This post is not desperately useful as it just explains how to get a pseudo-Ram dump out, what you then do with it is up to you. If you figure anything out I'd love to hear about it!