One Article Review

Home - The article:
Source SANS Institute
Identifier 814
Publication date 2016-04-26 17:57:41 (viewed: 2016-04-26 17:57:41)
Title An Introduction to Mac memory forensics, (Tue, Apr 26th)
Text Unfortunately, when it comes to memory forensics, the Mac environment does not have the luxury that we have in the Windows environment. The first step of memory forensics is capturing the memory; while in Windows we have many tools to achieve this, on a Mac we have very few options. OSXPmem is the only available option for memory capturing that supports El Capitan: https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip

Now let

    cd osxpmem.app/
    chown -R root:wheel MacPmem.kext/
    kextload MacPmem.kext/
    ./osxpmem -c none -o mem.dump

The

    bulk_extractor -o bulkdir/ mem.dump

The

    ls -lS bulkdir/
    total 1520
    -rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
    -rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
    -rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
    -rw-r--r-- 1 root staff  32010 Apr 26 15:49 report.xml
    -rw-r--r-- 1 root staff   1680 Apr 26 15:49 exif.txt
    -rw-r--r-- 1 root staff   1030 Apr 26 15:49 url_histogram.txt
    -rw-r--r-- 1 root staff    878 Apr 26 15:49 rfc822.txt
    -rw-r--r-- 1 root staff    493 Apr 26 15:49 email.txt
    -rw-r--r-- 1 root staff    427 Apr 26 15:49 domain_histogram.txt
    -rw-r--r-- 1 root staff    350 Apr 26 15:49 url_services.txt
    -rw-r--r-- 1 root staff    205 Apr 26 15:49 email_histogram.txt
    -rw-r--r-- 1 root staff    191 Apr 26 15:49 email_domain_histogram.txt
    -rw-r--r-- 1 root staff      0 Apr 26 15:48 aes_keys.txt
    -rw-r--r-- 1 root staff      0 Apr 26 15:48 alerts.txt

Now let

    # BANNER FILE NOT PROVIDED (-b option)
    # BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
    # Feature-Recorder: domain
    # Filename: mem.dump
    # Histogram-File-Version: 1.1
    n=821 www.apple.com
    n=218 crl.apple.com
    n=4 www.iec.ch
    n=4 www.w3.org
    n=3 3.2.1.3
    n=2 aff4.org
    n=2 bugreporter.apple.com
    n=2 lists.sourceforge.net
    n=2 schemas.xmlsoap.org
    n=2 support.apple.com
    n=2 www.ietf.org
    n=1 2.0.2.3
    n=1 4.2.6.1
    n=1 6.4.0.7
    n=1 tempuri.org

    n=12633 @yahoo.com
    n=6135 @isc.sans.edu
    n=4820 @imap.mail.yahoo.com
    n=4544 @lists.sans.org
    n=3255 @sans.edu
    n=2563 @sans.org
    n=2546 @incidents.org
    n=2253 @gmail.com
    n=1319 @isc.sans.org
    n=866 @mail.gmail.com
    n=811 @web1d.den.giac.net

    720717488 192.168.1.3 struct ip L (src) cksum-ok
    720717488 192.168.1.5 struct ip R (dst) cksum-ok
    720719296 192.168.1.3 struct ip L (src) cksum-ok
    720719296 192.168.1.5 struct ip R (dst) cksum-ok
    720719536 192.168.1.3 struct ip L (src) cksum-ok
    720719536 192.168.1.5 struct ip R (dst) cksum-ok
    720720304 192.168.1.3 struct ip L (src) cksum-ok
    720720304 192.168.1.5 struct ip R (dst) cksum-ok
    720721832 192.168.1.3 struct ip L (src) cksum-ok
    720721832 192.168.1.5 struct ip R (dst) cksum-ok
    720722352 192.168.1.3 struct ip L (src) cksum-ok
    720722352 192.168.1.5 struct ip R (dst) cksum-ok
    720723112 192.168.1.3 struct ip L (src) cksum-ok
    720723112 192.168.1.5 struct ip R (dst) cksum-ok
    720727976 192.168.1.3 struct ip L (src) cksum-ok
    720727976 192.168.1.5 struct ip R (dst) cksum-ok

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
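As an added example (not code from the diary or from bulk_extractor), a small Python triage script that parses the two output formats shown above: the histogram files with their `#` header lines and `n=<count> <value>` entries, and the ip feature file's `<offset> <address> struct ip L/R (src|dst) cksum-...` records. The samples are constructed inline; it drops dotted-number false positives like the `3.2.1.3` entry visible in the diary's own domain histogram, and joins the src/dst records that share an offset so only checksum-verified conversations are counted.

```python
import re
from collections import Counter

# Constructed sample in the domain_histogram.txt format the diary shows.
SAMPLE_HISTOGRAM = """\
# Feature-Recorder: domain
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=3 3.2.1.3
n=1 tempuri.org
"""

# Constructed sample in the ip feature-file format the diary shows.
SAMPLE_IP = """\
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720719536 10.0.0.9 struct ip L (src) cksum-bad
"""

HIST_RE = re.compile(r"^n=(\d+)\s+(\S+)")
IP_RE = re.compile(r"^(\d+)\s+(\S+)\s+struct ip [LR] \((src|dst)\) (cksum-\w+)")
DOTTED_QUAD = re.compile(r"^\d+(\.\d+){3}$")

def parse_histogram(text):
    """Return (count, value) tuples, skipping the '#' header lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HIST_RE.match, text.splitlines()) if m]

def domain_hits(text):
    """Entries that look like hostnames: the domain scanner also records dotted
    numbers (version strings, OIDs) such as '3.2.1.3', which are dropped here."""
    return [(n, v) for n, v in parse_histogram(text) if not DOTTED_QUAD.match(v)]

def ip_conversations(text):
    """Join src/dst records sharing an offset (one carved IP header); count pairs whose checksum verified."""
    by_offset = {}
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            offset, addr, role, cksum = m.groups()
            rec = by_offset.setdefault(offset, {})
            rec[role], rec["cksum"] = addr, cksum
    pairs = Counter()
    for rec in by_offset.values():
        if "src" in rec and "dst" in rec and rec["cksum"] == "cksum-ok":
            pairs[(rec["src"], rec["dst"])] += 1
    return pairs
```

Point the functions at the real `domain_histogram.txt`, `email_domain_histogram.txt` and ip feature files in `bulkdir/` to get a ranked indicator list and a src/dst conversation count from the image.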