Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings

Research Article

Memory Forensics and the Macintosh OS X Operating System

Download
196 downloads
Cite
BibTeX Plain Text
  • @INPROCEEDINGS{10.1007/978-3-319-73697-6_13,
    author={Charles Leopard and Neil Rowe and Michael McCarrin},
    title={Memory Forensics and the Macintosh OS X Operating System},
    proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings},
    proceedings_a={ICDF2C},
    year={2018},
    month={1},
    keywords={Digital forensics Acquisition Main memory Apple Macintosh OSX Testing MacQuisition OSXPMem RECON Reserved area},
    doi={10.1007/978-3-319-73697-6_13}
}
  • Charles Leopard
    Neil Rowe
    Michael McCarrin
    Year: 2018
    Memory Forensics and the Macintosh OS X Operating System
    ICDF2C
    Springer
    DOI: 10.1007/978-3-319-73697-6_13
Charles Leopard1,*, Neil Rowe1,*, Michael McCarrin1,*
  • 1: U.S. Naval Postgraduate School
*Contact email: cbleopard@gmail.com, ncrowe@nps.edu, mrmccarr@nps.edu

Abstract

Memory acquisition is essential to defeat anti-forensic operating system features and investigate clever cyberattacks that leave little or no evidence on physical storage media. The forensic community has developed tools to acquire physical memory from Apple’s Macintosh computers, but they have not much been tested. This work in progress tested three major OS X memory-acquisition tools. Although all tools tested could capture system memory in most cases, the open-source tool OSXPmem bettered its proprietary counterparts in reliability and support for memory configurations and versions of the OS X operating system.

Keywords
Digital forensics Acquisition Main memory Apple Macintosh OSX Testing MacQuisition OSXPMem RECON Reserved area
Published
2018-01-23
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-319-73697-6_13
Copyright © 2017–2024 EAI