Memory forensics and the Macintosh OS X operating system

Authors
Leopard, Charles B.
Rowe, Neil C.
McCarrin, Michael R.
Subjects
digital forensics
acquisition
main memory
Apple
Macintosh
OSX
testing
MacQuisition
OSXPMem
RECON
reserved area
Date of Issue
2018-03-01
Date
January 06, 2018
Publisher
SpringerLink
Abstract
Memory acquisition is essential to defeat anti-forensic operating system features and investigate clever cyberattacks that leave little or no evidence on physical storage media. The forensic community has developed tools to acquire physical memory from Apple’s Macintosh computers, but they have not been tested much. This work in progress tested three major OS X memory-acquisition tools. Although all tools tested could capture system memory in most cases, the open-source tool OSXPmem bettered its proprietary counterparts in reliability and support for memory configurations and versions of the OS X operating system.
Type
Article
Description
This paper appeared in the Proceedings of the 9th EAI International Conference on Digital Forensics and Computer Crime, Prague, CZ, October 2017.
Organization
Naval Postgraduate School (U.S.)
Format
4 p.
Citation
Leopard, Charles B., Neil C. Rowe, and Michael R. McCarrin. "Memory forensics and the Macintosh OS X operating system." International Conference on Digital Forensics and Cyber Crime. Springer, Cham, 2017.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.