Mac RAM Imaging and Analysis
Collecting and analyzing RAM on a Mac is, not surprisingly, different than it is on a Windows machine. Tools like MacQuisition can assist examiners in acquiring RAM from Mac computers.
On a Windows machine running a live memory capture is normally fairly easy; as long as the user has logged in as an administrator, a memory capture tool can be run. In order to access RAM on a Mac, examiners need to enter the administrator’s password — regardless of who is logged in to the computer. It is this permission issue that makes memory acquisition more challenging on a Mac.
Some Tricks Up Our Sleeve
Under normal circumstances one would think that restarting the computer would pretty much doom the possibility of gathering RAM. Again, Mac computers are different and this is not necessarily a hard and fast rule with Macs. Testing has shown that there may be some memory loss, but the amount of loss may not be significant. Regardless of the how much is actually lost, capturing some RAM is certainly better than nothing.
To facilitate the capture of RAM on a computer where Administrator access is not possible, perform a soft reboot of the computer (select ➔ Restart).
Figure 1: Soft reboot of Mac computer
Quickly hold down the <option/alt key> as soon as the Mac starts up (just prior to the chime).
Figure 2: Holding down the <option/alt> key at start up
This opens macOS’s startup manager. Have your MacQuisition dongle handy and insert it into the Mac. Because MacQuisition uses macOS at it’s core, select the latest version of MacQuisition (currently 2016R1), and boot the Mac into the MacQuisition interface. Using this method, you now have Administrator and root privileges since you are booted to OS X from the MacQuisition dongle, not the host computer.
Once MacQuisition has loaded and the interface appears, immediately select Physical Memory, the method of output as RAW, then an output device. Remember that you’re running OS X and you’ll need an HFS+ volume as the destination drive.
Note: It may be tempting to acquire RAM in an E01 format and even a segmented E01 set for large RAM captures. Most RAM analysis tools, including BlackLight, do not work with segmented memory images, regardless of their format. Always use the RAW format for memory.
Figure 3: Showing MacQuisition selected Physical Memory ➔ Output Format (RAW) ➔ Destination Volume (HFS+)
Once these have been selected, select Image Device.
A Numbers Game
In this instance this Mac is showing 8GB of Physical Memory or RAM. Examiners need to be aware that RAM on Apple computers is compressed, so the space available on the output volume needs to be about 50% larger than the base RAM installed on the system. Be prudent, be prepared.
Figure 4: Physical Memory on Mac computers is compressed, as a result output will be larger than what is installed on the system
Currently, BlackLight does not officially support full processing of Mac memory. Full support is coming. But it will work and you can search for text strings or RegEx pattern, carve for graphics, etc.
Here’s how to do it. Once a new case has been created, select the Add button. The Add Evidence Window opens, select Add again and navigate to the location of your memory image.
Figure 5: Adding a memory image to BlackLight
Once the memory image has been added, BlackLight prompts for the processing options. We can triage or do complete memory processing, which we will do.
Figure 6: Memory ingestion options in BlackLight
During your processing you may receive a warning from Blacklight that your memory image is not supported. Ignore this warning.
Here is the reason why you get the warning. For Windows memory, BlackLight displays under System ➔ Memory the active Processes, Libraries, Sockets, Handles and Drivers. Once again, we have to remember that Mac uses memory differently and these Windows memory artifacts are not part of the memory process on Macs. BlackLight is currently expecting to see Windows memory, not Mac memory. Hence, you get the warning. However, all the other features of the memory analysis work.
Automatic Keyword Searches
If selected, BlackLight will conduct several keyword searches of the memory image and present the results to examiners. These searches include:
- Internet Searches
- Email Domains
- Phone Numbers
- RFC822 Headers
- JSON Data
- GPS Data
- Email Addresses
- Internet Domains
- Internet Searches
- Zip Files
- IP Addresses
- Ethernet MAC addresses
Figure 7: Keyword searches of Mac memory in BlackLight
Examiners can certainly create their own custom searches consisting of text strings and RegEx patterns for items specific to their case and run them against the memory image in BlackLight. Further, BlackLight will carve the memory image for media and other files and present the results to the examiner.
So, acquire that Mac memory and easily process it with BlackLight. You already know how to do this with Windows memory. You may find the hidden gems!