Research Article
Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire
@INPROCEEDINGS{10.1007/978-3-642-19513-6_5, author={Pavel Gladyshev and Afrah Almansoori}, title={Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire}, proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2012}, month={5}, keywords={RAM Analysis Mac OS X FireWire AOL Instant Messenger (AIM)}, doi={10.1007/978-3-642-19513-6_5} }- Pavel Gladyshev
Afrah Almansoori
Year: 2012
Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire
ICDF2C
Springer
DOI: 10.1007/978-3-642-19513-6_5
Abstract
RAM content acquisition is an important step in live forensic analysis of computer systems. FireWire offers an attractive way to acquire RAM content of Apple Mac computers equipped with a FireWire connection. However, the existing techniques for doing so require substantial knowledge of the target computer configuration and cannot be used reliably on a previously unknown computer in a crime scene. This paper proposes a novel method for acquiring RAM content of Apple Mac computers over FireWire, which automatically discovers necessary information about the target computer and can be used in the crime scene setting. As an application of the developed method, the techniques for recovery of AOL Instant Messenger (AIM) conversation fragments from RAM dumps are also discussed in this paper.
