Abstract
RAM content acquisition is an important step in live forensic analysis of computer systems. FireWire offers an attractive way to acquire RAM content of Apple Mac computers equipped with a FireWire connection. However, the existing techniques for doing so require substantial knowledge of the target computer configuration and cannot be used reliably on a previously unknown computer in a crime scene. This paper proposes a novel method for acquiring RAM content of Apple Mac computers over FireWire, which automatically discovers necessary information about the target computer and can be used in the crime scene setting. As an application of the developed method, the techniques for recovery of AOL Instant Messenger (AIM) conversation fragments from RAM dumps are also discussed in this paper.
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Gladyshev, P., Almansoori, A. (2011). Reliable Acquisition of RAM Dumps from Intel-Based Apple Mac Computers over FireWire. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_5
DOI: https://doi.org/10.1007/978-3-642-19513-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19512-9
Online ISBN: 978-3-642-19513-6
eBook Packages: Computer Science (R0)