Thursday, January 20, 2011

Mac Ram Dumps

Well it's finally happened: at last there is a tool to dump RAM from OS X. Big thanks to ATC-NY for their Mac Memory Reader, which can be downloaded for free here.

The tool is very easy to use: simply unpack it and open a terminal.

cd to the MacMemoryReader folder (for newbies, something like - cd /Users/name/Desktop/MacMemoryReader)

Run - sudo ./MacMemoryReader filename

..where 'filename' is the path of the output file on a connected storage device (write the dump to external storage, not the machine's own disk, so you don't overwrite evidence you may want later).

You will be prompted for your admin password and off it will go.

Remember to check that your connected storage has enough free space for the entire RAM dump, i.e. at least as much as the physical memory installed in the machine.

If you want to feel part of the action you can throw a -g into the command line and it will provide a percentage notifier.
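The steps above as a small wrapper script. This is an added example, not ATC-NY's code: it assumes the tool has been unpacked into the current directory as ./MacMemoryReader, that it takes the output path as its first positional argument and -g for a progress indicator (as described above), and it adds two things the post only implies, a free-space check against the installed RAM (sysctl hw.memsize, macOS only) and a SHA-256 of the finished image for your notes.

```python
"""Pre-flight and acquisition wrapper around MacMemoryReader.

Added example, not ATC-NY's code. Assumptions: the tool sits at
./MacMemoryReader, takes the output path as its first argument and
accepts -g for a progress indicator; the 5% free-space margin and the
hashing step are this example's own additions.
"""
import hashlib
import os
import shutil
import subprocess
import sys


def build_command(out_path, tool="./MacMemoryReader", progress=True):
    """Return the argv list for the acquisition run: sudo <tool> [-g] <out>."""
    argv = ["sudo", tool]
    if progress:
        argv.append("-g")
    argv.append(out_path)
    return argv


def enough_space(ram_bytes, free_bytes, margin=0.05):
    """True if the destination can hold the whole dump plus a small margin
    for the Mach-O container and filesystem overhead (margin is assumed)."""
    return free_bytes >= int(ram_bytes * (1 + margin))


def physical_ram_bytes():
    """Ask the kernel how much RAM is installed (macOS: sysctl hw.memsize)."""
    out = subprocess.check_output(["sysctl", "-n", "hw.memsize"])
    return int(out.strip())


def sha256_file(path, chunk=1 << 20):
    """Hash the finished image in 1 MiB chunks so an 8 GB dump fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(out_path):
    """Check space, run the dump, and return the SHA-256 of the image."""
    ram = physical_ram_bytes()
    free = shutil.disk_usage(os.path.dirname(out_path) or ".").free
    if not enough_space(ram, free):
        raise SystemExit(
            f"need about {ram} bytes for the dump but only {free} free at {out_path}"
        )
    subprocess.run(build_command(out_path), check=True)
    digest = sha256_file(out_path)
    print(f"{digest}  {out_path}")
    return digest


if __name__ == "__main__":
    acquire(sys.argv[1])
```

Run it as `python3 acquire.py /Volumes/USB/mac.mem`; the hash it prints is what you record alongside the time, machine and tool version.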

The program outputs a Mach-O file, which should respond well to data carvers and the like. Well, I've only conducted a couple of tests, but PhotoRec and Foremost do a cracking job of getting at the files. They both successfully retrieved HTML, JPEGs, zips and a whole variety of other files, including web pages going back 3 months. My 8 GB of RAM offered up over 38,000 files. Many of them were fairly uninteresting txt files, so you need to wade through to find the good stuff.

If you are trying Foremost, just bear in mind the 3 GB limit; perhaps take a look at Scalpel instead.
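To show what the carvers are actually doing to the image, here is a minimal header/footer carver in Python. It is an added example, not PhotoRec, Foremost or Scalpel code, reduced to three of the file types mentioned above (JPEG, ZIP, HTML); the signatures and size caps are the usual magic bytes, and the sample "image" is constructed inline so it runs without a real dump.

```python
"""Minimal header/footer carver over a raw memory image.

Added example, not code from PhotoRec, Foremost or Scalpel. It applies
the same idea those tools do: scan for magic bytes, cut at the matching
footer, or at a size cap when the footer never turns up (common in RAM,
where only part of a file is resident). Signatures and caps are this
example's choices; the sample image is constructed, not a real dump.
"""
import os
import re
import sys

# (name, header, footer, trailer bytes after footer, max length, re flags)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0, 20 * 1024 * 1024, 0),
    # ZIP ends with an end-of-central-directory record: PK\x05\x06 + 18 bytes
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 18, 50 * 1024 * 1024, 0),
    ("html", b"<html", b"</html>", 0, 1024 * 1024, re.IGNORECASE),
]


def carve(image, signatures=SIGNATURES):
    """Return [(offset, type, data)] for every header found in `image`.

    A hit is cut just after the first footer following the header (plus
    any trailer bytes), or at max_len when no footer is found in range.
    """
    hits = []
    for name, header, footer, trailer, max_len, flags in signatures:
        for m in re.finditer(re.escape(header), image, flags):
            start = m.start()
            window = image[start:start + max_len]
            fm = re.search(re.escape(footer), window[len(header):], flags)
            if fm:
                end = start + len(header) + fm.end() + trailer
            else:
                end = start + len(window)  # truncated: no footer in range
            hits.append((start, name, image[start:end]))
    return sorted(hits, key=lambda h: h[0])


def save_hits(hits, outdir):
    """Write each carved object as <offset>.<type>, like foremost's output dir."""
    os.makedirs(outdir, exist_ok=True)
    for offset, name, data in hits:
        with open(os.path.join(outdir, f"{offset:012x}.{name}"), "wb") as f:
            f.write(data)


def sample_image():
    """Constructed stand-in for a RAM dump: a complete JPEG, a tiny ZIP,
    a cached HTML page, and a JPEG whose tail was never resident."""
    jpeg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 40 + b"\xff\xd9"
    zipf = (b"PK\x03\x04" + b"\x00" * 26 + b"a.txthello"
            + b"PK\x05\x06" + b"\x00" * 18)
    html = b"<HTML><body>cached page</body></HTML>"
    truncated = b"\xff\xd8\xff\xe1Exif" + b"\x00" * 30
    filler = b"\x00" * 64
    return filler + jpeg + filler + zipf + filler + html + filler + truncated + filler


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    found = carve(image)
    for offset, name, data in found:
        print(f"{offset:#010x} {name:5s} {len(data)} bytes")
    save_hits(found, sys.argv[2] if len(sys.argv) > 2 else "carved")
```

Real carvers add many more signatures and smarter footer rules (Scalpel's configuration file is a readable list of exactly these header/footer/size triples), but the loop is the same, which is also why you get thousands of hits: every stray `<html` in a browser cache page is a candidate.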

The next step is to start looking for running process information, which is fairly critical in basic RAM analysis. I'm away teaching next week, so I will have some evening time to play.

I'll try and blog again soon.