By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Feb 15, 2016
This tutorial is based on research done by Sam Bowne and a tool written by Johannes Stuettgen. I have updated the instructions to reflect the latest versions of OS X and to correct some code/syntax.
The instructions below are designed to extract a RAM dump from a running Mac computer. This has NOT been tested on every Apple OS, but I have tested it on Mountain Lion, Mavericks, Yosemite, and El Capitan. It should work on any Intel-based Mac. Instructions and screenshots are from El Capitan; your system may vary slightly. Read all instructions FIRST, before attempting. This tutorial is about as simple and “step-by-step” as it gets. If, after reading this, there are still things you don’t understand, STOP before you START. If this is your first time dealing with acquisition of Apple computers, now is not the time to practice on a real case.
It goes without saying that if you are doing a RAM dump, the computer is ON and LIVE. As such, you need to be extra careful about your processes and steps. The number one rule to live by is RECORD RECORD RECORD. Everything you do on the live machine needs to be recorded either via video/pictures, or in writing. Better yet, both. You WILL be changing system settings, and you WILL be potentially overwriting data. This is quite alright, as long as you have a GOOD reason, and can explain why.
There are some necessary steps to perform prior to actually collecting the RAM.
- It is assumed that you have already done a proper evidentiary collection of the device.
- Prepare an external drive to save the data to. If you are only collecting RAM, anything larger than the RAM dump will be big enough. If you will also be collecting a live acquisition of the Mac computer, you will need an external drive large enough to hold that too. You can view a tutorial for live acquisition of a Mac computer HERE. The external drive needs to be formatted for use on a Mac. You can view a tutorial on formatting Mac drives and partitions HERE.
- On a separate computer, download the open source program OSXPmem from http://bit.ly/20zyCFo or http://bit.ly/1mDxymI
- Copy that program to your external destination drive that you will be saving the data to.
- Now we turn our attention to the subject computer.
- Ensure it is connected to a power cord. Do not do this on battery!
- Go to Apple > System Preferences > Energy Saver
- Make sure Computer Sleep and Display Sleep are both set to NEVER as shown below.
- Next go to Apple > Security & Privacy
- Click on the lock at the bottom left corner and enter the password if prompted, as shown below. If you do not have the password, you cannot make these changes. All this means is that you will have to work around the security prompt if you get it.
- Make sure that “Allow apps downloaded from:” is set to “Anywhere”, as shown below.
- Close all windows that you have opened.
- Connect the destination external drive to the subject machine.
- Access it, and move the program OSXPMem-RC1.tar.gz to the desktop of the subject machine. All of the rest of the steps are assumed to be on the subject machine.
- Open a Terminal window. When typing the instructions below, only type what is inside the quotes. Don’t type the quotes themselves. It is assumed that you will hit Enter at the end of each instruction. It will not always look like you accomplished anything. Don’t worry about it. Keep following the steps unless you get some kind of error message. Anything placed inside < > is a variable that will be determined by you. Don’t type the < >.
- Type “pwd”
- Note the Username, as you will need it later. In the example below, it is “JF”.
- Type “sudo su -”
- You will be prompted for the subject computer user password. Enter it. If you don’t have it, you are done unless you can find it.
- Type “cd /Users/<username you noted from the pwd output>/Desktop”
- Type “tar xzf OSXPMem-RC1.tar.gz”
- Type “cd OSXPMem”
- Type “date”, and immediately take a photo of the output. Do not waste any time from this point forward.
- Type “./osxpmem /Volumes/<name of your destination>/<name you want to call your RAM dump>.dump”. You can double check your typing below.
- If you get an error message regarding a Kernel Extension from an unidentified developer, just click OK.
- If all went well, you will now start to see data being populated in your terminal window, as seen below.
- Once complete, you will see something like “Successfully wrote elf image of memory”, and you will be back at your command prompt, as seen below.
- Again, type “date”, and immediately take a photo. The reason you have done this is to show that you have not had time to alter data in the dump.
- Immediately hash the RAM dump by typing “md5 /Volumes/<name of your destination>/<name you called your RAM dump>.dump”.
- Once done, the hash of the file will be shown as below.
- If you would rather hash using other processes like SHA, refer to the document outlining the different commands located HERE.
- You are now done. Close the terminal window, and navigate to your destination drive. Right click on the .dump file you just created, and select “Get Info”. In the screen that appears, click in the box beside the word “Locked”, as seen below. This will lock the file and protect it from inadvertent writing later.
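As an added example, not part of the original tutorial or of the OSXPMem project: a small POSIX shell wrapper that runs the same sequence as the steps above (date, dump, date, hash, lock) and writes each result to a log beside the dump, so the record the author insists on is produced automatically and the dump is never overwritten. It assumes the osxpmem binary takes the output path as its only argument, exactly as typed in the step above, and that md5 (macOS) or md5sum (Linux) is on the PATH.

```shell
#!/bin/sh
# Added example: logged RAM acquisition wrapper. Not the tutorial's or
# OSXPMem's own code; the dumper command and its argument are assumed
# to behave like "./osxpmem <output>.dump" in the tutorial.

hash_file() {
  # macOS ships md5, Linux ships md5sum; both produce the same digest.
  if command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    md5sum "$1" | cut -d' ' -f1
  fi
}

acquire_ram() {
  dest_dir=$1            # e.g. /Volumes/<name of your destination>
  name=$2                # e.g. case123-ram
  dumper=${3:-./osxpmem} # assumed path to the osxpmem binary
  dump="$dest_dir/$name.dump"
  log="$dest_dir/$name.log"

  # Never clobber an existing image: evidence is written once.
  if [ -e "$dump" ]; then
    echo "refusing to overwrite existing dump: $dump" >&2
    return 2
  fi

  # Same "date" the tutorial photographs, but recorded in UTC in the log.
  {
    echo "start:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "command: $dumper $dump"
  } >"$log"

  if ! "$dumper" "$dump"; then
    echo "status:  FAILED" >>"$log"
    return 1
  fi

  echo "end:     $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
  digest=$(hash_file "$dump")
  echo "md5:     $digest  $dump" >>"$log"

  # Equivalent of the Finder "Locked" box (uchg flag) where chflags exists,
  # otherwise just drop write permission.
  if command -v chflags >/dev/null 2>&1; then
    chflags uchg "$dump"
  else
    chmod a-w "$dump"
  fi
  echo "$digest"
}
```

Run it as root on the subject machine as `acquire_ram /Volumes/<destination> <dump name>`; the printed digest is the same value the md5 step above produces.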
If all you were doing was collecting RAM, you are done. Close the terminal window, eject your destination drive from the desktop BEFORE you unplug it, and unplug.
If you are also gathering a live acquisition of the computer, proceed to the steps in the tutorial for Live Acquisition of Mac Computers, which can be found HERE.
As a point of reference, the RAM collection performed above was on a MacBook Pro with Retina Display (mid 2012) with a 2.6 GHz Intel Core i7. It had 8 GB of DDR3 RAM, and was running El Capitan version 10.11.3.
It was imaged to a SanDisk Extreme 64 GB thumb drive, and it took approximately 6 minutes.