
/private/var/vm/sleepimage (was Re: [linux_forensics] /dev/mem is gone on MacOS)

  • Simson Garfinkel
    Message 1 of 11 , Oct 7, 2008
      I am happy to announce the following:

      1. /private/var/vm/sleepimage is in fact a copy of the Macintosh
      Laptop's memory, as it was when the mac went to sleep and the
      hibernation file was saved.

      2. The file is not erased when the machine is awoken from sleep.

      3. I have "Secure Virtual memory" enabled. But the /private/var/vm/
      sleepimage file is not encrypted.

      4. The file is filled with useful tidbits. It's a byte-for-byte copy of
      RAM (at least, it is the same size as my Mac's RAM)! And it's not in
      motion. Go to town!

      (In particular, my bulk_extractor tool works like a charm on this file.)
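The point of the first message is that "Secure Virtual memory" did not stop the sleep image from landing on disk as plaintext. The script below is an added example, not code from the thread or from bulk_extractor: it triages a hibernation-style image the way a defender would verify that finding on their own machine, checking whether the file is RAM-sized and whether any sampled region has the low entropy of plaintext (an encrypted image would look uniformly random throughout). The image path, the RAM size and the sample data are all assumptions; the sample buffers are constructed in memory so it runs offline.

```python
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sample_entropies(path, chunk=65536, samples=16):
    """Entropy of evenly spaced chunks, so a multi-GB image is never read whole."""
    size = os.path.getsize(path)
    step = max(size // samples, chunk)
    out = []
    with open(path, "rb") as f:
        for off in range(0, size, step):
            f.seek(off)
            out.append(shannon_entropy(f.read(chunk)))
    return out


def triage(path, ram_bytes):
    """Is the file RAM-sized, and does any sampled region look like plaintext?
    Low entropy anywhere is conclusive (an encrypted image is uniformly random);
    high entropy everywhere is only a hint, since compressed pages look random too."""
    ents = sample_entropies(path) or [0.0]
    return {"ram_sized": os.path.getsize(path) == ram_bytes,
            "min_entropy": min(ents), "looks_encrypted": min(ents) > 7.9}


def demo(size=256 * 1024):
    """Constructed stand-ins for a sleepimage: plaintext-like vs encrypted-like."""
    page = b"user=alice session=0xDEADBEEF\n" * 100 + b"\0" * 4096  # constructed
    plain = (page * (size // len(page) + 1))[:size]
    rng = random.Random(1234)  # seeded so the verdict is reproducible
    cipher = bytes(rng.getrandbits(8) for _ in range(size))
    results = {}
    for name, data in (("plain", plain), ("encrypted_like", cipher)):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(data)
        try:
            results[name] = triage(f.name, ram_bytes=size)
        finally:
            os.unlink(f.name)
    return results
```

On a real machine you would call `triage("/private/var/vm/sleepimage", ram_bytes=<installed RAM>)` instead of `demo()`; a `looks_encrypted` of `False` reproduces the thread's finding.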
    • echo6
      Message 2 of 11 , Oct 7, 2008
        Simson,

        Yes, I have got it working. More reliably on *nix target systems than
        Windows. (Windows Forensic Analysis by Harlan Carvey)

        Ideally use a laptop which you know has the supported hardware.

        Helix 1.9a has all the tools required, providing you have the hardware
        which is ieee1394 compliant.

        Don't concern yourself with the "firewire iPods" stuff. Adam Boileau
        (http://storm.net.nz/), who first presented the tools, provided a few
        examples of the CSR (content status register) stuff required for the
        firewire method to work. He even included an example ipod.csr file. I
        have also had it working for a firewire/IDE->usb/firewire bridge
        device.

        Having said all that...I've never tested it on OSX 10.5!!

        Jon.

        Simson Garfinkel wrote:
        > On Oct 7, 2008, at 6:18 AM, echo6 wrote:
        >
        >> http://www.osxbook.com/book/bonus/chapter8/kma
        >>
        >> Or you could acquire memory over firewire !
        >>
        >
        > I've never gotten the firewire trick to work. Have you gotten it to
        > work? These days I can't even find firewire iPods...
        >

      • Simson Garfinkel
        Message 3 of 11 , Oct 7, 2008
          On Oct 7, 2008, at 3:54 PM, echo6 wrote:
          > Helix 1.9a has all the tools required, providing you have the hardware
          > which is ieee1394 compliant.
          >

          Awesome. Which programs do we use?

          >
          >
          > Don't concern yourself with the "firewire iPods" stuff. Adam Boileau
          > (http://storm.net.nz/), who first presented the tools, provided a few
          > examples of the CSR (content status register) stuff required for the
          > firewire method to work. He even included an example ipod.csr file. I
          > have also had it working for a firewire/IDE->usb/firewire bridge
          > device.
          >
          > Having said all that...I've never tested it on OSX 10.5!!
          >

          Thanks. I'll give it a try and report back if you can fill me in on
          what to use...