Mac OS X and Linux Physical

Memory Acquisition and Analysis

Technical White Paper

September 20, 2011

Authored by: Bobby Roos
Rar22567@huskies.bloomu.edu

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Background
Physical memory dumps can hold vital information for an investigator. They can contain usernames,
passwords, open processes, and the contents of open windows. However, there is currently a lack of
tools that investigators can utilize to image physical memory on machines running Mac OS X and Linux.
This white paper will focus on creating and analyzing physical memory dumps from Mac OS X and Linux
machines.
You will learn how to use MacMemoryReader, 1394memimage, Volafox, and Libforensic1394. Both
1394memimage and Libforensic1394 allow you to image the physical memory using a firewire cable.

Introduction
There are two different ways to image the physical memory of a computer running either Mac OS X or
Linux. You can either plug an external drive into the target computer with software to acquire the
physical memory, or attack the target computer using a firewire cable.
The table below shows the operating system and the program(s) which will successfully image the
physical memory from it.
Operating System
OS X Snow Leopard 32 Bit
OS X Snow Leopard 64 Bit
OS X Lion 32 Bit
OS X Lion 64 Bit
Ubuntu 32 Bit
Ubuntu 64 Bit
Fedora 32 Bit
Fedora 64 Bit
Linux Mint 32 Bit
Linux Mint 64 Bit

Program(s) Used
Mac Memory Reader, Libforensic1394, 1394memimage
Mac Memory Reader, Libforensic1394, 1394memimage
Mac Memory Reader, Libforensic1394, 1394memimage
Mac Memory Reader, Libforensic1394, 1394memimage
Libforensic1394
Libforensic1394
Libforensic1394
Libforensic1394
Libforensic1394
Libforensic1394

Please note that Ubuntu, Fedora, and Linux Mint were the only Linux distributions I had time to test.
However, I believe it should possible to use Libforensic1394 to acquire the physical memory from a wide
variety of Linux distributions.

Page | 1

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Note about firewire forensics:

When you attempt to read the physical memory from a target machine, your computer sends out a
request to access this information. The target computer then sends back information which tells your
computer how much memory you can access. You will never be allowed to access more than 4GB,
however some computers limit this even further to around 2GB. There is currently no way to work
around this. The following is a small list of computers and the limits I have found.
Computer
Unibody MacBook Pro (Built in 2010)
MacBook Pro (Built 2008)
Dell Studio XPS
Lenovo R61

Physical Memory Acquired

2.3GB
4GB
4GB
4GB

Page | 2

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Mac OS X
This section will teach you how to acquire and analyze physical memory from a computer running Mac
OS X. I was able to test my research on Mac OS X Snow Leopard (10.6) and OS X Lion (10.7).

Mac Memory Reader v2.0.4

Mac Memory Reader is a free command line utility published by Cyber Marshal. Mac Memory Reader
can run on both 32 bit and 64 bit machines running OS X Tiger (10.4) through OS X Lion (10.7). You may
view the chart below to read about the pros and cons for this program.
Pros
Capable of creating a complete ram image
Simple to use

Cons
Slow, takes about an hour to image 4GB of ram
The image is stored in the Mach-O format making
it impossible to interpret the image using Volafox
Must know the password of the target computer

To use this program simply download it from http://www.cybermarshal.com/index.php/cyber-marshalutilities/mac-memory-reader and extract the entire MacMemoryReader folder onto a flash drive.
Make sure that the flash drive is large enough to hold an entire memory dump. Also remember that
FAT32 drives are limited to storing files that are 4GB. However, it is possible to split the output file if you
have to use a FAT32 drive. Instructions to split the output file can be found in the readme file for Mac
Memory Reader.
With Mac Memory Reader on your flash drive you can plug it into the suspect computer and navigate
inside of the MacMemoryReader folder using terminal. Note that terminal is case sensitive. Then issue
the command:
sudo ./MacMemoryReader <filename and path>
For example, if your external drive is titled Storage you would issue the command:
sudo ./MacMemoryReader /Volumes/Storage/ram_dump.mach-o
You can also add the flag h to run the program in verbose mode in order to see the status of the
operation.

Page | 3

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

1394memimage v1.0
1394memimage was created by Adam Boileau in 2006; unfortunately he only released one version
before his website went offline. You can use 1394memimage to access Windows and Mac OS X
machines using firewire, however it does not support the newer kernels of Linux. Boileaus programs
were integrated into Helix v1.9 and Helix 2008R1 (last free update). Since it is difficult to find a working
download for 1394memimage, it is very convenient to simply download Helix and boot into it. You may
view the chart below to read about the pros and cons for this program.
Pros
Fast imaging, about 10 minutes for 4GB
Convenient download
Can still image physical memory if the target
computer is locked
Can use Volafox to interpret the image

Cons
Firewire can only access 4GB of ram, some
machines limit this further to about 2GB
Target computer must have a firewire port
Can be confusing at first
Tends to freeze after about 2.6GB
Only works with Python 2.3

To use this tool you can download the Helix 2008R1 ISO at http://distrowatch.com/?newsid=05102 and
burn it to a disc. Before booting into Helix I found that it is quicker to store the ram dumps onto a
separate NTFS partition on your hard drive rather than onto an external drive. Now you want to boot
into it on the computer which will be doing the analysis (not the target machine).
First you should open the partition editor to view the mountpoint of the partition of which you want to
dump the ram to (ex. /dev/sda5). Then open terminal and type:
sudo mount t ntfs-3g <mountpoint> /mnt
As a default Helix does not allow you to read or write from any device. However the command listed
above loads the NTFS-3G driver and mounts your partition to /mnt. The NTFS-3G driver grants the user
read and write access to their device. Now while in terminal navigate to </usr/local/pythonraw1394>.
The pythonraw1394 folder contains all of the tools needed to create a ram dump from a target machine.
The default firewire drivers also do not allow read/write access to physical memory. However, Helix
comes with two additional firewire drivers which allow this. To activate them type the following
commands into terminal:
sudo modprobe raw1394
sudo modprobe ohci1394
Now you can connect your computer to the target computer with the firewire cable. Once the target
computer is connected you have to find out what port and node is assigned to the target computer. To
find this type the following command into terminal:
sudo ./businfo

Page | 4

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

The output of this command will look something like the following. I have highlighted the important
parts.
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=3, busid=1023, localid=0, nodeCount=2, name='ohci1394')
Node(number=0, nodeid=0xffc0)
ConfigROM(
Length
: 16 bytes
CRC Length
: 16 bytes
CRC
: 0x88b0 (Valid)
Bus ID
: "1394"
GUID
: 0x00016c00005e9c1f
Vendor
: 0x0000016c (FOXCONN)
Link Speed
: 2 (S400)
Max Record Size
: 10 (2048 bytes)
Isochronous Capable
: 1 (Yes)
Bus Master Capable
: 0 (No)
Cycle Master Capable
: 1 (Yes)
Cycle Master Clock Accuracy
: 100 ppm
Isochronous Resource Manager Capable : 1 (Yes)
Root Directory: 12 bytes, crc: 0x018b (Valid)
0 (Immediate Value), 3 (Module Vendor ID): 0x16c (FOXCONN)
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 8 bytes
TextLeaf: 24 bytes, crc: 0x2c2a (Valid), language spec: 0x00000000 (XEROX
CORPORATION), language id: 0x00000000,
text: "Linux - ohci1394"
0 (Immediate Value), 12 (Node Capabilities): 0x83c0
)
Node(number=1, nodeid=0xffc1)
ConfigROM(
Length
: 16 bytes
CRC Length
: 16 bytes
CRC
: 0xd92c (Valid)
Bus ID
: "1394"
GUID
: 0xe80688fffec6cc32
Vendor
: 0x00e80688 ()
Link Speed
: 3 (Unknown)
Max Record Size
: 11 (4096 bytes)
Isochronous Capable
: 1 (Yes)
Bus Master Capable
: 0 (No)
Cycle Master Capable
: 1 (Yes)
Cycle Master Clock Accuracy
: 0 ppm
Isochronous Resource Manager Capable : 1 (Yes)
Root Directory: 36 bytes, crc: 0xaad8 (Valid)
0 (Immediate Value), 56 (Unknown 56): 0x5
0 (Immediate Value), 3 (Module Vendor ID): 0xa27 (Apple Computer, Inc.)
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 28 bytes
TextLeaf: 28 bytes, crc: 0xac75 (Valid), language spec: 0x00000000 (XEROX
CORPORATION), language id: 0x00000000,
text: "Apple Computer, Inc."
0 (Immediate Value), 23 (Model ID): 0xa
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 52 bytes
TextLeaf: 20 bytes, crc: 0xddde (Valid), language spec: 0x00000000 (XEROX
CORPORATION), language id: 0x00000000,
text: "Macintosh"
0 (Immediate Value), 12 (Node Capabilities): 0x83c0
2 (Offset to Leaf), 13 (Node Unique ID): Offset: 68 bytes
TextLeaf: 8 bytes, crc: 0xa063 (Valid), language spec: 0xe80688ff (), language id:
0xfec6cc32,
text: ""
3 (Offset to Directory), 17 (Unit Directory): Offset: 76 bytes

Page | 5

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper
Unit Directory: 8 bytes, crc: 0xf8d2 (Valid)
0 (Immediate Value), 18 (Unit Spec ID): 0x5e (USC INFORMATION SCIENCES INST)
0 (Immediate Value), 19 (Unit SW Version): 0x1
3 (Offset to Directory), 17 (Unit Directory): Offset: 84 bytes
Unit Directory: 8 bytes, crc: 0xc8b1 (Valid)
0 (Immediate Value), 18 (Unit Spec ID): 0x5e (USC INFORMATION SCIENCES INST)

As you can see, the MacBook Pro is connected through port 0 and node 1. The computer at port 0 and
node 0 is mine. I have found that the target computer will be located on node 1 90% of the time. Now
that you know the port and node of the target computer you can start the memory dump process using
1394memimage. Type the following command into terminal to begin the memory dump:
sudo ./1394memimage port node outputfile [range]
For example, if I was targeting a computer with 4GB of ram I would type:
sudo ./1394memimage 0 1 /mnt/memory_dump.mem -4G
The range can be expressed as start-end, start, or -end. The size must be typed with either K, M,
or G suffixes which correspond to Kilobytes, Megabytes and Gigabytes respectively.
When the process has completed successfully you will be presented with a message similar to the
following:
5242880 bytes read
Elapsed time 1.05 seconds
Writing metadata and hashes...
Inside of your output folder there will be 3 files: memory_dump.mem.log, memory_dump.mem.md5,
memory_dump.mem.sha1. The log file contains information about the computer you received the
physical memory from, the two hash values, as well as dates and times. The md5 and sha1 files contain
the md5 hash and sha1 hash values respectively.
If the process does not complete successfully you will receive message similar to the following:
Unable to read 1048576 bytes at 0x00c00000 on port: 0 node 1
If you receive this error instantly there is a good chance that you accidently tried to image the physical
memory from your computer. To fix this you can simply change the port and node to the correct values.
Another cause for this error is if the firewire drivers were not loaded. And finally you may receive this
message if you tried to image more memory than allowed. Even though you may receive this error, the
physical memory dump will still be saved on the computer. However the hash values and log file will not
be generated.

Page | 6

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Libforensic1394 v1193ac1
Libforensic1394 was created by Freddie Witherden as an update to the abandoned 1394memimage
project. Witherden added support for the new Juju firewire stack which is present in all Linux kernels
released after July 2007. Libforensic1394 is capable of being installed on Linux running the 2.6.22 kernel
or later, and Mac OX X 10.5 or later. For my testing I ran Libforensic1394 on Ubuntu 11.04. You may
view the chart below to read about the pros and cons for this program.
Pros
Fast imaging, about 10 minutes for 4GB
Works with newer Linux distributions
Works with Python 3
Can still image physical memory if the target
computer is locked

Cons
Firewire can only access 4GB of ram, some machines
limit this further to about 2GB
Target computer must have a firewire port
Can be confusing to install
Does not support Volafox since the imaging starts at
1MB

You may download Libforensic1394 at https://freddie.witherden.org/tools/libforensic1394/. Once

downloaded you need to extract the forensic1394 folder anywhere on your computer. Install the
program following the directions in the README file, however instead of issuing the command sudo
make install, I found that it is easier to issue the command make package. This will create a .deb file
which can be installed using the Ubuntu package manager. Do not forget to install the Python bindings
by navigating into the python folder and issuing the command sudo python setup.py install in terminal.
Libforensic1394 is only a library of bindings which allows you to write your own code to do memory
forensics. This means that if you simply install the software you will not be able to do any forensics right
away. Below is the code that Freddie Witherden wrote for this research:
# Code written by Freddie Witherden, contact at freddie@witherden.org
from forensic1394 import Bus
from time import sleep
b = Bus()
# Enable SBP-2 support for access to Linux/Windows targets
b.enable_sbp2()
# Sleep to give the bus time to reinitialize
sleep(2.0)

MemoryDump
refers to the
name of the
output file which
will be created
when this code is
run.

# Attempt to open the first attached device

d = b.devices()[0]
d.open()
d._request_size = 512
f = open('MemoryDump','wb')
for addr in range(1*1024*1024,4*1024*1024*1024,1*1024*1024):
data = d.read(addr, 1*1024*1024)
f.write(data)

Start reading the

memory at 1MB,
continue until
4GB, read the
memory in 1MB
steps.

Page | 7

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

You can take the above code and save it in a file titled MemDump.py. The exact name of the file is not
important; however the .py extension is vital. The memory dump file will also be saved in the same
directory as this file.
Now you can attach the target computer to your computer with the firewire cable. To run
Libforensic1394 simply navigate to the location of the MemDump.py folder and type the following
command in terminal:
sudo python MemDump.py
There are two possible error messages that you can receive when using this program. One of these
messages is:
bobby@ubuntu:/media/MemDump$ sudo python MemDump.py
Traceback (most recent call last):
File "MemDump.py", line 16, in <module>
d = b.devices()[0]
IndexError: list index out of range
bobby@ubuntu:/media/MemDump$
The above message indicates that there was an error with the firewire connection. Ensure that you have
the cable properly connected and try again.
bobby@ubuntu:/media/MemDump$ sudo python MemDump.py
Traceback (most recent call last):
File "MemDump.py", line 23, in <module>
data = d.read(addr, 1*1024*1024)
File "/usr/local/lib/python2.7/dist-packages/forensic1394/device.py", line 48, in newf
return f(self, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/forensic1394/device.py", line 158, in read
self._readreq(list(zip(addrs, lens)), buf)
File "/usr/local/lib/python2.7/dist-packages/forensic1394/device.py", line 134, in _readreq
forensic1394_read_device_v(self, creq, len(creq))
File "/usr/local/lib/python2.7/dist-packages/forensic1394/errors.py", line 59, in process_result
raise Forensic1394BusReset(err)
forensic1394.errors.Forensic1394BusReset: forensic1394_read_device_v: Bus reset has occurred
The above message indicates that you tried to image more ram than there was installed, or more than
the target computer will allow.
A successful image will result in the following:
bobby@ubuntu:/media/MemDump$ sudo python MemDump.py
bobby@ubuntu:/media/MemDump$

Page | 8

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Analysis
Volafox v0.6 Beta 1 Fixed 1
Currently the only tool available to analyze Mac memory dumps is Volafox. Volafox can be run on any
machine with Python 2.5 or later. This program can give you machine info, process list, process dumps,
and more. You may download Volafox at http://code.google.com/p/volafox/.
It is vital that you use a raw memory dump with Volafox. This means that there can be no additional
information added, such as a Mach-O header. This also means it must start from the first byte. This is
why memory dumps from Libforensic1394 wont work since they need to start at 1MB.
In order for Volafox to work you need two things; the raw memory dump, and the kernel from the
operating system which the memory dump is from. If you have access to the physical hard drive the Mac
kernel is located on the root of the drive. It is also possible to copy the kernel from the target computer
onto a flash drive. In order to do this you must show hidden files on the target computer. Open up
terminal and type:
defaults write com.apple.Finder AppleShowAllFiles TRUE
Now you have to restart Finder in order to see the changes, to do this type:
killall Finder
Now open up Finder, you can do this by left clicking on the desktop and pressing Command-N. On the
left side of the finder window click on Macintosh HD and then find the file titled mach_kernel. You
can then copy this file by dragging it onto the icon for your flash drive.
To undo the changes from above, simply retype both commands, but change TRUE to FALSE.
Volafox must be run through either the command prompt, or terminal. The proper syntax to use Volafox
is:
python volafox.py -i MEMORY_IMAGE -s KERNEL_IMAGE -[o INFO][-m KEXT ID][-x PID]
The -o flag can be used to gather more information about the memory image. While the -m and -x flags
are used to dump specific modules and processes. You can find more information about how to use this
program by simply typing python Volafox.py.
User Password
Mac OS X stores the user password all over the physical memory. I ran a test by switching my password
to something I never typed in the computer before. I then typed the new password to login, slept the
computer, and entered it one more time. I then imaged the physical memory and found the password
twelve times, after only using it twice.
I was also able to find a standard storage scheme for the user password which you can view below.

Page | 9

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

This is my
username

Bobby RoosmanagedUserpasswordosxlionpassshell

This is my
password

Using the knowledge of how Mac OS X stores passwords I was able to create a GREP expression which
will find the password for you. You can view the code and the breakdown below.
\x6D\x61\x6E\x61\x67\x65\x64\x55\x73\x65\x72.*\x70\x61\x73\x73\x77\x6F\x72\x64.*\x73\x68\x65\x6C\x6C

This searches for the term managedUser

This states that there will be any character repeated zero or more times
This searches for the term password
This states again that there will be any character repeated zero or more times (this is where your
password will be)
This will find the last part of the phrase which is shell
You will receive some false positives with this, however it is your best chance of finding the user
password.
Plist Files
Plist files are used to store user settings and application data. Using the program Scalpel by Digital
Forensics Solutions (download at http://www.digitalforensicssolutions.com/Scalpel/) it is possible to
carve the physical memory dump for these files. Inside of them it is possible to find which networks a
user has connected to, autorun locations for applications, recent items, and more.
Private Browsing
I ran two tests with Safari private browsing. For the first test I opened private browsing and searched
Google for This is a search in private browsing. I then left Safari open and imaged the ram. I found 67
hits for that phrase in EnCase. I then completely closed Safari, reimaged the physical memory, and
searched for the same Google search in EnCase. Even though the browser was closed and private
browsing was used I was still able to find 45 hits. Since this search stayed in the physical memory during
private browsing, I believe that it is possible to use Scalpel and carve for images which were viewed
during private browsing sessions.

Page | 10

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Linux Distributions
This section will teach you how to acquire and analyze physical memory from a computer running
various Linux distributions. Ubuntu, Fedora, and Linux Mint were the only Linux distributions I had time
to test. However, I believe it should possible to use Libforensic1394 to acquire the physical memory
from a wide variety of Linux distributions.

Old method
In older Linux kernels you could simply type /dev/mem to image the physical memory on a machine.
However, in recent distributions of Linux this command has been disabled.
The new Juju stack which was introduced in all Linux kernels after July 2007 has also made most old
methods of imaging impossible.

Libforensic1394
As discussed in the Mac OS X section, Libforensic1394 was created by Freddie Witherden as an update
to the abandoned 1394memimage project. The syntax and usage of this program stays exactly the same
on Linux as it does with Mac OS X.

Second Look
Second Look is a tool created by Pikewerks which captures and analyzes physical memory. You can view
more information on Second Look by going to http://pikewerks.com/sl/.
Unfortunately I did not have access to a copy of Second Look for my research so I am unable to give my
opinions on the program.

Analysis
There are no programs which will analyze physical memory dumps from a Linux machine, so all of the
analysis must be done by hand. I was also unable to find a standard storage scheme for passwords for
the Linux distributions that I tested; however most of the time the user password showed up directly
after the username.
Scalpel is a useful tool to search Linux physical memory dumps. Similar to Mac OS X you can search for
images, movies, webpages, and more.

Page | 11

Mac OS X and Linux Physical Memory Acquisition and Analysis

Technical White Paper

Conclusion
Even though there is a shortage of memory forensic tools for Mac OS X and Linux there are a few
valuable tools which are available for free. By having a basic understanding of Mac Memory Reader,
1394memimage, and Libforensic1394 you can image the memory on nearly any machine. By utilizing
these programs you will no longer be missing out on potentially vital information during your cases.
If you have any questions feel free to contact me by email at rar22567@huskies.bloomu.edu

Page | 12