Wednesday, June 20, 2012

SANS Summit Pre-Talk Teaser

A week from today I will be speaking at the SANS DFIR Summit about the research and development I performed to add Mac OS X support to Volatility. The proliferation of Macs for both business and personal use is well known, and investigators will be increasingly seeing them during their course of work.

While there are a number of people who have analyzed Mac's on-disk artifacts, including upcoming talks at the summit by Sarah Edwards, there has been little documented work covering the in-memory data structures and algorithms. Previous work by Matthew Suiche as well as by the Volafox team have covered the beginnings of Mac memory analysis, but both stopped short of the full coverage needed for deep investigations.

During the presentation, I will be discussing the types of artifacts recoverable through Volatility's Mac support, such as process listings, memory maps, loaded kernel extensions, network connections, and also some Mac-specific constructs such as the I/O Registry. The new Mac support also includes the ability to handle both 32 and 64 bit Mac memory reader captures, and I will be discussing this as well as how to use Mac Memory reader during investigations. I will conclude the talk by going over some interesting kernel-level Mac rootkits that alter dynamic data structures and discuss how Volatility can be used to detect them.

Since everyone in the audience will not be a programmer and/or expert on operating systems internals, I have abstracted some of the details away, but a light dive into kernel internals is inevitable when dealing with kernel memory analysis.

After the talk, the source code for all of the current Mac support and analysis plugins will be available within the Volatility SVN repository. People will then be able to use the functionality themselves as well as provide testing of the new features. The Mac support is under active development and I expect many new features to be added soon as well as stabilizing of the existing source code.

If you have any questions or comments before the talk, please send an Email or reply in the comments.

For those attending the first day of the conference, I highly suggest you check out the talk by Joe Sylve as he will be discussing acquiring memory from Android devices and then subsequent analysis with Volatility.

2 comments:

  1. Andrew,

    The support for Mac devices Forensics analysis is a much needed step with the added memory forensics vol support. I have been excited as you already know. I'm sure many others are as well

    ReplyDelete
  2. Nice work. I look forward to the talk.

    ReplyDelete