Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire
RAM content acquisition is an important step in live forensic analysis of computer systems. FireWire offers an attractive way to acquire RAM content of Apple Mac computers equipped with a FireWire connection. However, the existing techniques for doing so require substantial knowledge of the target computer configuration and cannot be used reliably on a previously unknown computer in a crime scene. This paper proposes a novel method for acquiring RAM content of Apple Mac computers over FireWire, which automatically discovers necessary information about the target computer and can be used in the crime scene setting. As an application of the developed method, the techniques for recovery of AOL Instant Messenger (AIM) conversation fragments from RAM dumps are also discussed in this paper.
KeywordsRAM Analysis Mac OS X FireWire AOL Instant Messenger (AIM)
Unable to display preview. Download preview PDF.
- 1.Boileau, A.: Hit by Bus: Physical Access Attacks with Firewire, http://www.security-assessment.com/nz/publications/security_publications.html
- 2.Boileau, A.: Releases: Winlockpwd, Pythonraw1394-1.0.tar.gz, http://www.storm.net.nz/projects/16
- 3.Wikipedia Article: AOL Instant Messenger, http://en.wikipedia.org/wiki/AOL_Instant_Messenger
- 4.Singh, A.: Process Photography on Mac OS X (Handcrafting Process Core Dumps), http://www.osxbook.com/book/bonus/chapter8/core
- 5.Apple Open Source Connection, http://opensource.apple.com/
- 6.Suiche, M.: Advanced Mac OS X memory analysis, Presentation at BlackHat Briefing Washington DC (February 2010), http://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf
- 7.Apple Developer Connection, http://developer.apple.com/
- 8.Unified Extendible Firmware Interface Specifications, http://www.uefi.org/specs
- 9.Goldfish tool, http://cci.ucd.ie/goldfish
- 10.Becher, M., Dornseif, M., Klein, C.N.: 0wn3d by an iPod. In: Proceedings of PacSec 2004 Applied Security Conference, Tokyo (2004), http://pacsec.jp/psj04/psj04-dornseif-e.ppt
- 11.0xED hexadecimal editor, http://www.suavetech.com/0xed/0xed.html