macOS Memory Analysis
Overview
- First thing you should collect on a system
- Once a system restarts after malware is installed, it is harder to detect the installation method from a memory dump
- The same applies to any commands that were run
- Tools
- Volatility Framework
- Works on OS X, Windows, Linux, and Android
- Rekall Memory Analysis Framework
- Live memory analysis, or dump memory to the hard drive
- Load the kext driver and run Volatility commands directly on the system
- OSXPMem
Artifacts
Physical Memory
- Memory dumps refer to the data stored in the physical memory (RAM) of the system
Swap Files
/private/var/vm/swapfile01
- Acts as a cache when physical memory fills up
- Data in physical memory is pushed to the swapfile and swapped back into physical memory when needed
- Similar to the Windows pagefile
- More than one of these files can exist (swapfile1, swapfile2, etc.)
- The size of these files depends on how much memory the computer has
/private/var/vm/sleepimage
- When OS X goes into hibernation, the contents of memory are written to the sleepimage file
- When the computer is woken, memory is restored from the sleepimage, allowing the user to pick up where they left off
- Downside: any memory written to the hard drive (swap and sleepimage) is encrypted by default on OS X 10.7 and later
- This makes collecting the files a possible waste of hard drive space
- The OS settings would need to be changed to stop encrypting these files, but it is not realistic to expect everybody to do that
- Check for encryption by looking at the output of 'sysctl vm.swapusage'
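Added example, not from the original notes: a small Python parser for the 'sysctl vm.swapusage' line that decides whether the swap files are worth copying at all. The sample lines are constructed and their layout is assumed from typical OS X output.

```python
import re

# Constructed sample lines in the layout printed by `sysctl vm.swapusage`
# (layout assumed from typical OS X output, not captured from a real host).
SWAP_ENCRYPTED = "vm.swapusage: total = 2048.00M  used = 1054.25M  free = 993.75M  (encrypted)"
SWAP_PLAINTEXT = "vm.swapusage: total = 1024.00M  used = 512.00M  free = 512.00M"
SWAP_EMPTY = "vm.swapusage: total = 0.00M  used = 0.00M  free = 0.00M  (encrypted)"

_FIELD = re.compile(r"\b(total|used|free) = ([0-9.]+)([KMG])")
_UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_swapusage(line):
    """Return total/used/free in bytes plus an 'encrypted' flag."""
    if not line.startswith("vm.swapusage:"):
        raise ValueError("not a vm.swapusage line: %r" % line)
    info = {"encrypted": "(encrypted)" in line}
    for name, value, unit in _FIELD.findall(line):
        info[name] = int(float(value) * _UNIT[unit])
    missing = {"total", "used", "free"} - set(info)
    if missing:
        raise ValueError("fields missing from swapusage line: %s" % sorted(missing))
    return info


def swap_worth_collecting(line):
    """True only if swap holds data AND it is stored unencrypted on disk.

    Encrypted swap (the default since OS X 10.7) cannot be searched offline,
    so copying it wastes space on the evidence drive; empty swap has nothing
    to recover.
    """
    info = parse_swapusage(line)
    return info["used"] > 0 and not info["encrypted"]
```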
Memory Acquisition
OSXPMem
- Using OSXPMem
- Download from Rekall and unzip
- Creates an app called osxpmem.app
- Contains a Mach-O binary to dump memory and a KEXT bundle
- Loading the KEXT
- The kext must be owned by root with group wheel
- chown -R root:wheel osxpmem.app/MacPmem.kext
- Applies the new ownership to the .kext and everything inside it
- Once loaded, two new device files appear: /dev/pmem and /dev/pmem_info
- /dev/pmem
- Raw memory
- /dev/pmem_info
- Information about the system that was collected
- Dump memory using ./osxpmem.app/osxpmem -o memory.aff4
- -o lets us specify the name of the memory dump
- The .aff4 extension stands for Advanced Forensic File Format
- View the contents using osxpmem -V memory.aff4
- Lists all sorts of data about the contents of the file
- Unique identifier for the archive file: the AFF4 URN
- Any additional items added to the archive use the same identifier
- Collecting swapfiles
- osxpmem.app/osxpmem -i /private/var/vm/swapfile* -o memory.aff4
Strings and Grep
- Sometimes just looking for words that exist in memory is the best way to find artifacts
- A raw memory dump is full of text that is not human readable
- Run strings over the dump to pull out the human-readable text and save it to a new file, which saves time on future searches
- grep is then used to search that file for different keywords
- Using strings and grep
- Example commands
- strings memory.dmp > memory.strings
- Writes the printable strings from the dump into the memory.strings file
- egrep "sudo su" memory.strings
- Searches the file for instances of 'sudo su'
- egrep -n3 "sudo su" memory.strings
- Shows three lines above and three lines below each instance of 'sudo su' (-n adds line numbers, -3 is the number of context lines)
Volatility
- One of the most widely used memory analysis frameworks
- Open source and well documented
- Checking which Mac functionality Volatility has
- python vol.py --info | grep mac_
- Before you use it, check which version of OS X the dump came from, as Volatility needs a matching profile
- sw_vers
- Example: if the output is 10.9.5, you need to load the 10.9.5 profile when using Volatility
- Search the --info output for the profile (escape the dots so grep does not treat them as wildcards)
- python vol.py --info | grep Mac | grep 10\.9\.5
- Load the profile using the following (<profile> and <dump> are placeholders for the profile name and the memory dump file)
- python vol.py --profile=<profile> -f <dump> <plugin>
- Using Volatility
- Example using the ifconfig module
- python vol.py --profile=<profile> -f memory.dmp mac_ifconfig
- Shows the ifconfig information taken directly from the memory dump
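Added example, not from the original notes or the Volatility project: the profile lookup above done in Python, escaping the dots exactly as the grep chain requires and refusing to guess when more than one profile matches. The sw_vers text and the --info excerpt are constructed; the profile names and the description layout are assumed.

```python
import re

# Constructed sample of `sw_vers` output.
SW_VERS_SAMPLE = "ProductName:\tMac OS X\nProductVersion:\t10.9.5\nBuildVersion:\t13F34\n"

# Constructed excerpt of `python vol.py --info`; profile names and the
# description layout are assumed, not copied from a Volatility install.
VOL_INFO_SAMPLE = """Profiles
--------
MacMavericks_10_9_4_AMDx64 - A Profile for Mac Mavericks_10.9.4_AMDx64
MacMavericks_10_9_5_AMDx64 - A Profile for Mac Mavericks_10.9.5_AMDx64
MacYosemite_10_10_5_AMDx64 - A Profile for Mac Yosemite_10.10.5_AMDx64
Win7SP1x64 - A Profile for Windows 7 SP1 x64
"""

def product_version(sw_vers_output):
    """Pull the ProductVersion value (e.g. '10.9.5') out of sw_vers output."""
    for line in sw_vers_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ProductVersion":
            return value.strip()
    raise ValueError("ProductVersion not found in sw_vers output")

def matching_profiles(vol_info_output, version):
    """Names of Mac profiles whose --info line mentions this exact version.
    Mirrors --info | grep Mac | grep 10\\.9\\.5: the dots are escaped so a
    version such as '10.9' cannot match '10x9' or a different release."""
    wanted = re.compile(r"(?<![0-9.])" + re.escape(version) + r"(?![0-9])")
    names = []
    for line in vol_info_output.splitlines():
        name, sep, description = line.partition(" - ")
        if sep and name.startswith("Mac") and wanted.search(description):
            names.append(name)
    return names

def select_profile(sw_vers_output, vol_info_output):
    """Return the single profile for this host, or fail loudly if ambiguous."""
    version = product_version(sw_vers_output)
    names = matching_profiles(vol_info_output, version)
    if len(names) != 1:
        raise LookupError("expected one profile for %s, got %r" % (version, names))
    return names[0]

def volatility_command(profile, dump_path, plugin):
    """Argument list for `python vol.py --profile=<profile> -f <dump> <plugin>`."""
    return ["python", "vol.py", "--profile=" + profile, "-f", dump_path, plugin]
```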
Processes
- In memory, multiple different locations store running process information
- Can collect with ps aux, but the data could be unreliable
- Rootkits can modify the ps binary or hook the system to filter its output
- mac_tasks
- Go-to command for viewing running processes
- mac_pslist can sometimes be skewed during memory collection
- python vol.py --profile=<profile> -f memory.dmp mac_tasks
- mac_psaux
- Shows the command-line arguments of each process that ran
- mac_dead_procs
- Pulls up a list of recently killed processes
- mac_psxview
- Cross-references six different Volatility process plugins and reports True or False for whether each process showed up in each one
- Helps find rootkits that are hiding their processes on the system
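Added example, not Volatility's mac_psxview code: the cross-view comparison that plugin performs, run over constructed process listings in which one process has been unlinked from the list that ps and mac_pslist walk. The six view names are illustrative stand-ins for the plugin's real columns, and the hidden 'helperd' entry is constructed.

```python
# Constructed process listings as six process-enumeration views might report
# them ({pid: name}); the view names are illustrative, not the exact column
# names of Volatility's mac_psxview.
BASE = {0: "kernel_task", 1: "launchd", 120: "WindowServer", 455: "Terminal", 460: "bash"}
HIDDEN = {512: "helperd"}  # constructed: unlinked from the process list by a rootkit
VIEWS = {
    "pslist": dict(BASE),
    "parents": dict(BASE),
    "pid_hash": {**BASE, **HIDDEN},
    "pgrp_hash": {**BASE, **HIDDEN},
    "sessions": {**BASE, **HIDDEN},
    "tasks": {**BASE, **HIDDEN},
}

def cross_view(views):
    """Build the psxview-style table: pid -> {'name', 'seen': {view: bool}}."""
    all_pids = set().union(*(v.keys() for v in views.values()))
    table = {}
    for pid in sorted(all_pids):
        names = {v[pid] for v in views.values() if pid in v}
        seen = {view: pid in procs for view, procs in views.items()}
        table[pid] = {"name": "|".join(sorted(names)), "seen": seen}
    return table

def hidden_processes(views, primary="pslist"):
    """PIDs absent from the primary list but present in other kernel views.

    A process unlinked from the list that ps/pslist walks yet still reachable
    through the pid hash or task list is the classic rootkit signature; a
    process that exited during acquisition can also show partial views, so
    every hit still needs analyst review.
    """
    table = cross_view(views)
    return [pid for pid, row in table.items()
            if not row["seen"][primary] and any(row["seen"].values())]

def render(views):
    """Plain-text psxview-style table, one row per PID."""
    cols = list(views)
    lines = ["%-6s %-14s %s" % ("PID", "Name", " ".join("%-9s" % c for c in cols))]
    for pid, row in cross_view(views).items():
        flags = " ".join("%-9s" % str(row["seen"][c]) for c in cols)
        lines.append("%-6d %-14s %s" % (pid, row["name"], flags))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(VIEWS))
```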
- mac_netstat
- Displays which process is making which connection
- TCP and UDP connections, as well as UNIX sockets, can be seen
- mac_network_conns
- Similar to netstat, but more thorough
- Does not display process information, but gives a more comprehensive list that includes connections made by kernel extensions
- mac_check_syscalls
- Checks for modified system calls
- A popular rootkit technique: hide data from users by filtering results before they are displayed
- mac_recover_filesystem
- Recovers cached portions of the file system directly from memory
- Output contains a number of recovered directories and files
- python vol.py --profile=<profile> -f memory.dmp mac_recover_filesystem --dump-dir cleanup
- mac_arp
- Prints the ARP table, showing systems the host recently communicated with
- mac_bash
- Recovers commands typed into the bash shell
- Can potentially recover cleared bash history
- mac_procdump
- One of Volatility's most valuable features
- Extracts binaries directly from memory
Live Memory Analysis
- The Rekall Framework is used for live memory analysis
- The output of the various Rekall plugins can be saved to text files
- Download and unzip Rekall, assign permissions, and load the KEXT as root
- sudo su
- unzip Rekall_version.zip
- cd Rekall_version
- tar -xvf MacPmem.kext.tgz
- chown -R root:wheel MacPmem.kext
- kextload MacPmem.kext
- Execute 'rekall' in the same directory
- ./rekall -f /dev/pmem
- Rekall is an interactive shell in which commands can be run
- Rekall can also be run as one-liners from the CLI
- ./rekall -f /dev/pmem lsmod
- Save the above to a new file via ./rekall -f /dev/pmem lsmod --output rekall_lsmod.txt