The 2.3 release of Volatility will contain four plugins that are capable of recovering networking information from Mac samples. Combined, these plugins allow for deep inspection of system network activity and can be used in conjunction with network forensics.
mac_arp
This plugin prints the ARP table, including sent/recv statistics, time the entry was created, and its expiration.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_arp
Volatile Systems Volatility Framework 2.3_alpha
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
192.168.228.255 ff:ff:ff:ff:ff:ff vmnet8 10 0 2013-03-29 12:13:59 UTC+0000 39913 0
172.16.244.255 ff:ff:ff:ff:ff:ff vmnet1 10 0 2013-03-29 12:13:59 UTC+0000 39913 0
10.0.1.255 ff:ff:ff:ff:ff:ff en1 12 0 2013-03-29 12:13:59 UTC+0000 39913 0
10.0.1.8 e8:8d:28:cb:67:07 en1 19 924 2013-03-29 11:56:30 UTC+0000 40065 1201
10.0.1.2 ac:16:2d:32:fc:d7 en1 1 47 2013-03-29 11:56:02 UTC+0000 40037 1201
10.0.1.1 00:26:bb:6c:8e:64 en1 4551 4517 2013-03-29 01:08:53 UTC+0000 40318 40310
This information is very useful when tracking lateral movement as systems that the investigated computer interacted with can be determined.
mac_ifconfig
mac_ifconfig prints each interface on the system as well its IP addresses.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_ifconfig
Volatile Systems Volatility Framework 2.3_alpha
Interface Address
---------- -------
lo0 fe80:1::1
lo0 127.0.0.1
lo0 ::1
gif0
stf0
en1 8c:2d:aa:41:1e:3b
en1 fe80:4::8e2d:aaff:fe41:1e3b
en1 10.0.1.3
en0 10:dd:b1:9f:d5:ce
p2p0 0e:2d:aa:41:1e:3b
fw0 00:0a:27:02:00:4b:19:5c
vmnet1 00:50:56:c0:00:01
vmnet1 172.16.244.1
vmnet8 00:50:56:c0:00:08
vmnet8 192.168.228.1
mac_netstat
The netstat plugin prints each active connection on a system along with its state. Analysis of listening sockets can reveal backdoors and established connections reveal remote connections.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_netstat
Volatile Systems Volatility Framework 2.3_alpha
UNIX -
UNIX /var/tmp/launchd/sock
UNIX -
UNIX /var/tmp/com.barebones.authd.socket
UNIX /var/run/com.apple.ActivityMonitor.socket
TCP :::548 :::0 TIME_WAIT
TCP 0.0.0.0:548 0.0.0.0:0 TIME_WAIT
UDP 127.0.0.1:60762 0.0.0.0:0
UNIX /var/run/mDNSResponder
UNIX /var/rpc/ncacn_np/lsarpc
UNIX /var/rpc/ncalrpc/lsarpc
TCP 10.0.1.3:49179 173.194.76.125:5222 TIME_WAIT
TCP 10.0.1.3:49188 205.188.248.150:443 TIME_WAIT
TCP 10.0.1.3:49189 205.188.254.208:443 TIME_WAIT
TCP 10.0.1.3:50614 205.188.13.76:443 TIME_WAIT
UDP 0.0.0.0:137 0.0.0.0:0
UDP 0.0.0.0:138 0.0.0.0:0
UNIX /var/run/vpncontrol.sock
UNIX /var/run/portmap.socket
TCP :::5900 :::0 TIME_WAIT
[snip]
mac_route
The mac_route plugin prints the system’s routing table. It also prints the number of packets sent and received on each route. This can especially useful during internal network breach investigations.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_route
Volatile Systems Volatility Framework 2.3_alpha
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
0.0.0.0 10.0.1.1 en1 4342 50431 2013-03-29 01:08:55 UTC+0000 0 0
10.0.1.0 en1 8331 31691 2013-03-29 01:08:56 UTC+0000 8 0
10.0.1.1 00:26:bb:6c:8e:64 en1 4551 4517 2013-03-29 01:08:53 UTC+0000 40318 40310
10.0.1.2 ac:16:2d:32:fc:d7 en1 1 47 2013-03-29 11:56:02 UTC+0000 40037 1201
10.0.1.3 127.0.0.1 lo0 0 6168 2013-03-29 01:08:55 UTC+0000 0 0
10.0.1.8 e8:8d:28:cb:67:07 en1 19 924 2013-03-29 11:56:30 UTC+0000 40065 1201
10.0.1.255 ff:ff:ff:ff:ff:ff en1 12 0 2013-03-29 12:13:59 UTC+0000 39913 0
17.171.4.15 10.0.1.1 en1 39 39 2013-03-29 01:08:55 UTC+0000 0 0
17.172.232.105 10.0.1.1 en1 2 60 2013-03-29 01:09:16 UTC+0000 0 0
17.172.238.203 10.0.1.1 en1 0 58 2013-03-29 01:09:46 UTC+0000 0 0
[snip]