
Pac4mac Forensics Framework For Mac

– Collection of forensic resources for learning and research.

– Improved strings utility.
– Extracts information such as email addresses, credit card numbers and histograms from disk images.

– Static analysis tool to automatically deobfuscate strings from malware binaries.
– File carving tool.

Memory Forensics

– High speed memory analysis framework developed in .NET; supports all Windows x64 versions, includes code integrity and write support.

– Extract KeePass passwords from memory.
– Memory forensic framework.
– The memory forensic framework.

– Web app for the Volatility framework.
– Windows/MacOS forensics tools client supporting hiberfil, pagefile and raw memory analysis.

– Differential analysis of malware in memory, built on Volatility.
– Web interface for the Volatility Memory Forensics Framework.
– Find AES encryption keys in memory.

– A script to automate portions of analysis using Volatility and create a readable report.
– Memory analysis framework, forked from Volatility in 2013.
– Script based on Volatility for automating various malware analysis tasks.

– Run Volatility on memory images before and after malware execution, and report changes.
– Advanced memory forensics framework.
– Web interface for the Volatility memory analysis framework.
– WinDBG anti-rootkit extension.

– Live memory inspection and kernel debugging for Windows systems.

Network Forensics

– SiLK is a suite of network traffic collection and analysis tools.
– The network traffic analysis tool.

– Analytics platform to process network data on Spark.

The rapid growth of OS X usage has led forensics researchers to analyze devices such as the iPad, iPhone and Mac in depth. OS X forensics, starting from Jonathan Zdziarski in 2008, has therefore become a very hot topic. However, most of the research and training focuses on file system analysis. Although there are some methods able to analyze Mac memory, e.g. Volatility, Volafox, Memoryze for Mac, Mac Memory Reader, MacLockPick and Rekall, Mac memory analysis is still relatively unfamiliar. This paper demonstrates a fast track of Mac memory forensics by studying the evidence left by a very popular social networking application, ‘WeChat’.

INTRODUCTION

‘Memory Forensics is the art of analyzing computer memory (RAM) to solve digital crimes’, as defined by Michael Hale Ligh, Andrew Case and Jamie Levy.


Computer forensics is not only a science but an art. With the widespread use of smartphones and the Internet, most people communicate with their friends using mobile social networking applications such as ‘Facebook and WhatsApp’. Meanwhile, WeChat is the most popular chatting platform in China and the surrounding area, especially Hong Kong. Those applications provide not only a smartphone version but also a desktop version.

Therefore, we cannot ignore any possible evidence, either in the file system or in memory, from a desktop machine. As memory analysis would be an important intersection, this paper performs this ‘Art’ of science to examine the memory dump from a Mac machine, covering acquisition, process analysis and data collection, through an example of running WeChat on OS X.

ENVIRONMENT

According to the Desktop Operating System research from Net Applications as of April 2014, the market share of Mac OS X is around 8%, followed by the latest operating system, Windows 8. With the effect of the ‘end-of-life’ of Windows XP, Mac OS X might occupy more market share afterwards. Now is a good time to study the attributes of OS X in much more depth.

ACQUISITION

Two acquisition methods are suggested and performed in this research.

One is MacLockPick 3.0 from MacForensicsLab and the other is OSXPmem from the Rekall Memory Forensics Framework.

MacLockPick 3.0

MacLockPick is a cross-platform forensics triage tool which can capture live data such as system information and processes in the field. It also supports gathering information from iPhone and iPad using the Apple Mobile Sync application. The LE version includes an Apple Keychain Extractor.

Usage

MacLockPick 3.0 comes on a USB flash drive with many built-in plugins.

It can be configured in the MacLockPick Manager depending on the examiner’s preference. A process of ‘WeChat’ was identified by MacLockPick. It executed under the path /Application/WeChat.app/Contents/MacOS/WeChat on 2014-05-19.

OSXPmem

Memory is volatile. All data is gone once the machine is powered off. Although there are alternatives for recovering the lost memory, for example ‘hiberfil.sys’ on Windows, the best way is to acquire the memory dump as soon as possible.

The latest version of OSXPmem is RC3, developed by the Rekall Memory Forensics Framework. It is an open source memory acquisition tool for Mac OS X which supports OS versions up to 10.9. The default output format is ELF.

Usage

Super user privilege is required while dumping the memory:

    $ sudo su
    # ./osxpmem mac-memory.dump

Rekall Memory Forensics Framework

Another analysis tool is the Rekall Memory Forensics Analysis Framework. The project was officially launched at the end of 2013. The distribution is available from the Internet. Like Volatility, it processes an image with the corresponding OS profile, but it can detect the profile automatically. For OS X, it supports versions up to 10.9.x.

The profile repository contains over 300 different OS profiles. You can also create your own profile for your own use. The WeChat application was identified by MacLockPick on the live system as shown in Figure 4. It was executed from the path /Application/WeChat.app/Contents/MacOS/WeChat on 2014-05-19 as shown in Figures 4 & 9.

Rekall then parses the relevant information directly from the memory image. pslist shows that the PID of WeChat is 267, which connected to the IP address 203.205.143.143:8080 as shown in Figures 9, 10 & 11.

Usage

    $ rekall --help

The user clicked on the icon and downloaded it from the server.


The file is eventually saved at the path /User/xxxxx/Library/Containers/com.Tencent.xin/WeChat/Data/././video/2.mp4, in MPEG-4 format with a file name starting from a number, i.e. the second file is 2.mp4. Therefore, the file could be recovered from the physical Mac machine. The file, based on the “FileID”, was downloaded by the user at 22:04:07 hrs +8 on 2014-05-19.
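As an added example (not from the paper, and not code from Rekall, MacLockPick or OSXPmem), the Python script below shows the data-collection step above in the ‘fast track’ style the paper advocates: it records a SHA-256 of the acquired image so later modification of the dump can be detected, carves printable ASCII runs from the raw image the way the strings utility does, and then pulls out the application's file paths, the numbered video files in its container and any remote ip:port endpoints, keeping the offset of each hit so it can be revisited in the image. The paper obtained these facts with Rekall's pslist and MacLockPick; here the memory image is a constructed byte string with the page's path and endpoint values embedded in it, and the function names, the app_marker filter and the "abc" directory component are assumptions made for this example.

```python
import hashlib
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample (not a real memory dump): WeChat-style artefacts placed
# among filler bytes. The application path, the container path and the
# endpoint value mirror the ones reported in the paper; the "abc" directory
# component and the byte layout are made up for this example.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03" * 8
    + b"/Application/WeChat.app/Contents/MacOS/WeChat\x00"
    + b"\xff\xfe\x00" * 6
    + b"/User/xxxxx/Library/Containers/com.Tencent.xin/WeChat/Data/abc/video/2.mp4\x00"
    + b"ab"                       # too short to be reported as a string
    + b"\x90" * 16
    + b"203.205.143.143:8080\x00"
    + b"999.1.1.1:70000\x00"       # looks like an endpoint but is not valid
    + b"/usr/lib/dyld\x00"         # unrelated path, should be ignored
    + b"\x00" * 16
)

# IPv4:port candidates; octet and port ranges are checked separately.
ENDPOINT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")
# Numbered video files in the app container, as described in the paper.
VIDEO_FILE = re.compile(r"/video/(\d+)\.mp4$")


def image_digest(image: bytes) -> str:
    """SHA-256 of the acquired image, recorded before analysis so that any
    later modification of the dump can be detected."""
    return hashlib.sha256(image).hexdigest()


def extract_strings(image: bytes, min_len: int = 6) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for each run of at least min_len printable
    ASCII bytes, like the strings utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(image):
        yield m.start(), m.group().decode("ascii")


def valid_endpoint(ip: str, port: str) -> bool:
    """Reject regex hits whose octets or port are out of range."""
    return all(0 <= int(o) <= 255 for o in ip.split(".")) and 0 < int(port) <= 65535


def find_artifacts(image: bytes, app_marker: str = "wechat") -> Dict[str, List]:
    """Collect the artefact types the paper recovered: paths belonging to the
    application, numbered video files in its container, and remote
    ip:port endpoints. Offsets are kept so each hit can be revisited."""
    found: Dict[str, List] = {"paths": [], "endpoints": [], "video_ids": []}
    for offset, text in extract_strings(image):
        if text.startswith("/") and app_marker in text.lower():
            found["paths"].append((offset, text))
            m = VIDEO_FILE.search(text)
            if m:
                found["video_ids"].append(int(m.group(1)))
        for m in ENDPOINT.finditer(text):
            ip, port = m.group(1), m.group(2)
            if valid_endpoint(ip, port):
                found["endpoints"].append((offset + m.start(), ip, int(port)))
    return found


if __name__ == "__main__":
    print("image sha256:", image_digest(SAMPLE_IMAGE))
    report = find_artifacts(SAMPLE_IMAGE)
    for off, path in report["paths"]:
        print(f"path     @0x{off:08x} {path}")
    for off, ip, port in report["endpoints"]:
        print(f"endpoint @0x{off:08x} {ip}:{port}")
    print("video file ids:", report["video_ids"])
```

On a real acquisition the script would read the osxpmem output file in place of SAMPLE_IMAGE; string carving of this kind is a quick triage pass only, and the process-to-connection attribution (PID 267 to 203.205.143.143:8080) still needs a structured parser such as Rekall, since a bare string in memory says nothing about which process owned it.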

CONCLUSION

This demonstration showed how to tackle Mac memory. Other than the above-mentioned Mac memory forensics tools, Volafox, Memoryze for Mac and Mac Memory Reader are also used for Mac memory acquisition and analysis.

Volatility and Rekall might not be the best memory forensics tools on the market, but they provide an effective and efficient solution to forensic examiners and investigators. During the examination, we could learn much about Mac memory and also reveal the security issue of ‘WeChat’.

Forensics Ninja, Kelvin has over 10 years' experience in computer forensics and investigation in a Law Enforcement Agency. He has delivered speeches and workshops at DFRWS EU, DefCon, APWG and HTCIA (APAC).

References

1. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, 2014
2. Johannes S.