In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)
A simple how-to on capturing contents of physical RAM on Mac OS computer using Mac Memory Reader. I will demonstrate how incident responders can do a simple analysis on the resulting binary file using strings, a hex-editor and foremost. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)
Due to my supervisor's reluctance to purchase more drive space (now it's a financial crisis), I recently embarked on a quest to put my disk images on a diet by switching from RAW to compressed AFF images. Arguably, I should have done this moons ago, but as I recently discovered, some things are easier with RAW images.
One obstacle appeared when I wanted to carve out a partition from a full disk image. My image file (P0wnedDisk.AFF) contained a Dell Utility partition and a Windows boot partition. For this case, I was only interested in the Windows partition, so I wanted to carve it out and save it to a separate compressed AFF file (P0wnedPartition.AFF). Unless I've missed something (it turns out, I had... read on), there's no way to do this with AFF Tools alone.
After many listserv posts, cries for help, and prayers to divine entities, I cobbled together the following