Testing Memory Forensics Tools for the Macintosh OS X Operating System

Authors
Leopard, Charles B.
Rowe, Neil C.
McCarrin, Michael R.
Subjects
digital forensics
acquisition
main memory
Macintosh
OSX
testing
Date of Issue
2018-03-31
Publisher
Embry-Riddle Aeronautical University
Abstract
Memory acquisition is essential to defeat anti-forensic operating-system features and investigate cyberattacks that leave little or no evidence in secondary storage. The forensic community has developed tools to acquire physical memory from Apple's Macintosh computers, but they have not been tested much. This work tested three major OS X memory-acquisition tools. Although the tools could capture system memory accurately, the open-source tool OSXPmem appeared advantageous in size, reliability, and support for memory configurations and versions of the OS X operating system.
Type
Article
Description
A shortened version of this paper appeared in the Proceedings of the Ninth EAI International Conference on Digital Forensics and Computer Crime, Prague, Czech Republic, October 2017.
The article of record as published may be found at http://dx.doi.org/10.15394/jdfsl.2018.1491
Department
Computer Science (CS)
Organization
Naval Postgraduate School (U.S.)
Format
12 p.
Citation
Leopard, Charles B., Neil C. Rowe, and Michael R. McCarrin. "TESTING MEMORY FORENSICS TOOLS FOR THE MACINTOSH OS X OPERATING SYSTEM." The Journal of Digital Forensics, Security and Law: JDFSL 13.1 (2018): 31-42.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.