MOVP II – 4.4 – What’s in Your Mac OSX Kernel Memory?
by Volatility | Jun 9, 2013 | forensics, kernel, macosx, movp, volatility
Today’s post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures and you can use mac_volshell as an interactive...MoVP II – 4.3 – Recovering Mac OS X Network Information from Memory
by Volatility | Jun 7, 2013 | forensics, macosx, movp, volatility
The 2.3 release of Volatility will contain four plugins that are capable of recovering networking information from Mac samples. Combined, these plugins allow for deep inspection of system network activity and can be used in conjunction with network forensics. mac_arp...MoVP II – 4.2 – Dumping, Scanning, and Searching Mac OSX Process Memory
by Volatility | Jun 6, 2013 | forensics, macosx, movp, volatility
In our previous post we discussed multiple ways of finding process structures in memory. Today we will discuss analysis of a process’ address space. First we’ll describe how Volatility handles all the possible scenarios that must be understood and properly...MOVP II – 4.1 – Leveraging Process Cross-View Analysis for Mac Rootkit Detection
by Volatility | Jun 5, 2013 | macosx, malware, movp, volatility
In our final week of Month of Volatility Plugins II we will analyze the wide range of memory forensics capabilities against Mac OS X systems that are included in the latest release of Volatility (version 2.3). These capabilities span 38 different builds including 32-...MoVP II – 3.5 – Utilizing the kmem_cache for Android Memory Forensics
by Volatility | Jun 4, 2013 | android, forensics, kernel, linux, malware, movp, volatility
This post will discuss utilizing plugins that leverage the kmem_cache in order to perform deep memory forensics of Android devices. In previous Linux posts, we have briefly mentioned these plugins, but a full walk through has not been done. Also, as we will see, these...
You must be logged in to post a comment.