-1

So I am taking a Computer Forensics class (also hoping to go into Computer Forensics, so the practice helps). In my class we have to do a research project. I am doing it on Kali specifically with RAM Forensics and Web Browser Forensics. I am trying to use Volatility to take a look at my RAM, but I need an image of my RAM first to read from. Does anyone know a way of imaging the RAM on OS X? Thank you for your help!

2 Answers

0

OS X used to have a /dev/mem device you could just read to read out physical memory, but they removed that a while back. Amit Singh's Mac OS X Internals book has a section on implementing a kernel extension to add that interface back in. There are various open-source implementations of the same idea out there, but I don't have direct experience with them.

Glorfindel
Mark Bessey
  • Ok, thanks, I'll take a look at that. Kind of weird to add a kernel that makes the computer less secure to forensics... haha – EndlessHyjack Mar 16 '16 at 00:30
0

I don't know exactly whether FTK Imager can get an OS X RAM image, but you can try it. It can get an image of the RAM from the Windows operating system. In my opinion it also gets the image of the RAM from an OS X system.

burakb