
/dev/mem is gone on MacOS

  • Simson Garfinkel
    Message 1 of 11 , Oct 5, 2008
      Does anybody know how to acquire memory from a MacOS machine running
      MacOS 10.5? /dev/mem is gone...
    • Stuart Bird
      Message 2 of 11 , Oct 7, 2008
        Simson

        You could try hibernating it to create a 'sleepimage' file making use of Mac's 'Safe Sleep' function then image it as normal. There is a short explanation on my blog although I must warn that I have not had the time to test the theory since writing the post so I would heartily recommend your own testing first if you are able.

        Hope that helps.

        Stu
      • echo6
        Message 3 of 11 , Oct 7, 2008
          http://www.osxbook.com/book/bonus/chapter8/kma

          Or you could acquire memory over firewire !

          Jon.
        • Simson Garfinkel
          Message 4 of 11 , Oct 7, 2008
            That's an interesting idea!

            So you are recommending this procedure:
            1. Just close the lid of the laptop.
            2. Wait a few minutes
            3. Pop the battery.
            4. Boot the computer with the "T" key down to go to TARGET mode.

            Will this work for desktops?

            I'd like a better procedure, honestly. But I guess this will work! Do
            you know where the hibernation file is stored?

            Now then --- slightly unrelated --- what do we know about Secure
            Virtual Memory? Is it by process, or for the whole kernel?

            Thanks!
            • Stuart Bird
              Message 6 of 11 , Oct 7, 2008
                Simson

                "Recommending" is probably not the phrase I would have chosen, I merely offer it as a suggested workaround if you have no other options : ) and I would reiterate that I have not tested this procedure (mainly because I have not been able to source a Mac notebook that someone will let me play about with as yet).

                I found the file at # private/var/vm/sleepimage. As far as I know it is only a feature on notebooks although I haven't confirmed this. As I understand it you do not need to pop the battery although that is what the feature is designed for i.e. long term recovery from hibernation.

                I've just noticed that the link to my blog post did not appear in the previous message. The entry can be found at http://pc-eye.blogspot.com and it contains a link to an article on the subject (if you haven't seen it already).

                I would be interested to know the outcome if you do decide to give it a go!

                Stu
              • Stuart Bird
                Message 7 of 11 , Oct 7, 2008
                  Simson

                  I found a further article here: http://brockwoolf.com/safe-sleep-guide-for-mac-os-x


                  It would appear that 'Safe Sleep' and 'Secure Virtual Memory' do not play nice together.

                  Stu
                • Simson Garfinkel
                  Message 8 of 11 , Oct 7, 2008
                    On Oct 7, 2008, at 6:18 AM, echo6 wrote:

                    > http://www.osxbook.com/book/bonus/chapter8/kma
                    >
                    > Or you could acquire memory over firewire !
                    >

                    I've never gotten the firewire trick to work. Have you gotten it to
                    work? These days I can't even find firewire iPods...
                  • Simson Garfinkel
                    Message 9 of 11 , Oct 7, 2008
                      I am happy to announce the following:

                      1. /private/var/vm/sleepimage is in fact a copy of the Macintosh
                      Laptop's memory, as it was when the mac went to sleep and the
                      hibernation file was saved.

                      2. The file is not erased when the machine is awoken from sleep.

                      3. I have "Secure Virtual memory" enabled. But the /private/var/vm/
                      sleepimage file is not encrypted.

                      4. The file is filled with useful tidbits. It's a byte-for-byte copy of
                      RAM (at least, it is the same size as my Mac's RAM)! And it's not in
                      motion. Go to town!

                      (In particular, my bulk_extractor tool works like a charm on this file.)
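                      As an added example (not code from the thread or from any of its participants), a Python sanity check an examiner can run over an acquired sleepimage to confirm the two properties reported above, that the file is the size of physical RAM and that its contents are not encrypted, before carving it. The RAM size is supplied by the caller (on the Mac it would come from `sysctl -n hw.memsize`, a command not mentioned on the page); the sample images and the plaintext string inside them are constructed test data.

```python
# Added example (not from the thread): sanity checks on an acquired sleepimage
# before carving it, verifying the two properties reported above: the file is
# RAM-sized and, despite Secure Virtual Memory, not encrypted.
import hashlib
import math
import os
import tempfile
from collections import Counter

PAGE = 4096  # sampling granularity

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, much lower for typical RAM."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def looks_encrypted(path: str, sample_pages: int = 64) -> bool:
    """Heuristic: an encrypted image is uniformly high-entropy, while a raw RAM
    copy has many zero-filled and text-bearing pages. Sample pages spread across
    the file and report 'encrypted' only if almost all are near 8 bits/byte."""
    size = os.path.getsize(path)
    step = max(size // sample_pages, PAGE)
    high = total = 0
    with open(path, "rb") as f:
        for off in range(0, size, step):
            f.seek(off)
            page = f.read(PAGE)
            if not page:
                break
            total += 1
            high += shannon_entropy(page) > 7.8
    return total > 0 and high / total > 0.95

def check_sleepimage(path: str, ram_bytes: int) -> dict:
    """ram_bytes is the machine's physical memory (on a Mac: `sysctl -n hw.memsize`)."""
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)  # hash the evidence file for the chain of custody
    return {"size": size, "matches_ram": size == ram_bytes,
            "sha256": digest.hexdigest(), "encrypted": looks_encrypted(path)}

def make_sample_image(path: str, ram_bytes: int, encrypted: bool) -> None:
    """Constructed stand-in for /private/var/vm/sleepimage (test data, not a capture)."""
    with open(path, "wb") as f:
        if encrypted:
            f.write(os.urandom(ram_bytes))
            return
        f.write(b"\x00" * (ram_bytes // 2))                  # zero pages, typical of RAM
        f.write(b"user@example.org password=hunter2 " * 64)  # constructed plaintext tidbit
        f.write(b"\x00" * (ram_bytes - f.tell()))

def demo(ram_bytes: int = 1 << 20) -> tuple:
    """Check one plaintext sample and one encrypted, half-sized sample; returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        plain, enc = os.path.join(d, "plain.img"), os.path.join(d, "enc.img")
        make_sample_image(plain, ram_bytes, encrypted=False)
        make_sample_image(enc, ram_bytes // 2, encrypted=True)
        return check_sleepimage(plain, ram_bytes), check_sleepimage(enc, ram_bytes)
```

A size mismatch or a uniformly high-entropy image means the file is not the plain RAM copy described above and should be investigated before any carving results are trusted.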
                    • echo6
                      Message 10 of 11 , Oct 7, 2008
                        Simson,

                        Yes, I have got it working. More reliably on *nix target systems than
                        Windows. (Windows Forensic Analysis by Harlan Carvey)

                        Ideally use a laptop which you know has the supported hardware.

                        Helix 1.9a has all the tools required, providing you have the hardware
                        which is ieee1394 compliant.

                        Don't concern yourself with the "firewire iPods" stuff, Adam Boileau
                        http://storm.net.nz/ who first presented the tools provided a few
                        examples of the CSR (content status register) stuff required for the
                        firewire method to work. He even included an example ipod.csr file. I
                        have also had it working for a firewire/IDE->usb/firewire bridge
                        device.

                        Having said all that...I've never tested it on OSX 10.5!!

                        Jon.
                      • Simson Garfinkel
                        Message 11 of 11 , Oct 7, 2008
                          On Oct 7, 2008, at 3:54 PM, echo6 wrote:
                          > Helix 1.9a has all the tools required, providing you have the hardware
                          > which is ieee1394 compliant.
                          >

                          Awesome. Which programs do we use?

                          >
                          >
                          > Don't concern yourself with the "firewire iPods" stuff, Adam Boileau
                          > http://storm.net.nz/ who first presented the tools provided a few
                          > examples of the CSR (content status register) stuff required for the
                          > firewire method to work. He even included an example ipod.csr file. I
                          > have also have had it working for a firewire/IDE->usb/firewire bridge
                          > device.
                          >
                          > Having said all that...I've never tested it on OSX 10.5!!
                          >

                          Thanks. I'll give it a try and report back if you can fill me in on
                          what to use...