macOS Tutorial

This guide will give you a brief overview of how volatility3 works as well as a demonstration of several of the plugins available in the suite.

Acquiring memory

Volatility3 does not provide the ability to acquire memory. The example below is an open source tool. Other commercial tools are also available.

osxpmem

Procedure to create symbol tables for macOS

To create a symbol table please refer to Mac or Linux symbol tables.

Tip

It may be possible to locate pre-made ISF files from the download link , which is built and maintained by volatilityfoundation. After creating the file or downloading it from the link, place the file under the directory volatility3/symbols/.

Listing plugins

The following is a sample of the macOS plugins available for volatility3, it is not complete and more plugins may be added. For a complete reference, please see the volatility 3 list of plugins. For plugin requests, please create an issue with a description of the requested plugin.

$ python3 vol.py --help | grep -i mac. | head -n 4
    mac.bash.Bash       Recovers bash command history from memory.
    mac.check_syscall.Check_syscall
    mac.check_sysctl.Check_sysctl
    mac.check_trap_table.Check_trap_table

Note

Here the the command is piped to grep and head in-order to provide the start of the list of macOS plugins.

Using plugins

The following is the syntax to run the volatility CLI.

$ python3 vol.py -f <path to memory image> <plugin_name> <plugin_option>

Example

banners

In this example we will be using a memory dump from the Securinets CTF Quals 2019 Challenge called Contact_me. We will limit the discussion to memory forensics with volatility 3 and not extend it to other parts of the challenge. Thanks go to stuxnet for providing this memory dump and writeup.

$ python3 vol.py -f contact_me banners.Banners

    Volatility 3 Framework 2.4.2

    Progress:  100.00               PDB scanning finished
    Offset  Banner

    0x4d2c7d0       Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64
    0xb42b180       Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64
    0xcda9100       Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64
    0x1275e7d0      Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64
    0x1284fba4      Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64
    0x34ad0180      Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64

The above command helps us to find the memory dump’s Darwin kernel version. Now using the above banner we can search for the needed ISF file. If ISF file cannot be found then, follow the instructions on Procedure to create symbol tables for macOS. After that, place the ISF file under the volatility3/symbols directory.

mac.pslist

$ python3 vol.py -f contact_me mac.pslist.PsList

    Volatility 3 Framework 2.4.2
    Progress:  100.00               Stacking attempts finished

    PID     PPID    COMM

    0       0       kernel_task
    1       0       launchd
    35      1       UserEventAgent
    38      1       kextd
    39      1       fseventsd
    37      1       uninstalld
    45      1       configd
    46      1       powerd
    52      1       logd
    58      1       warmd
    .....

mac.pslist helps us to list the processes which are running, their PIDs and PPIDs.

mac.pstree

$ python3 vol.py -f contact_me mac.pstree.PsTree
    Volatility 3 Framework 2.4.2
    Progress:  100.00               Stacking attempts finished
    PID     PPID    COMM

    35      1       UserEventAgent
    38      1       kextd
    39      1       fseventsd
    37      1       uninstalld
    204     1       softwareupdated
    * 449   204     SoftwareUpdateCo
    337     1       system_installd
    * 455   337     update_dyld_shar

mac.pstree helps us to display the parent child relationships between processes.

mac.ifconfig

$ python3 vol.py -f contact_me mac.ifconfig.Ifconfig

    Volatility 3 Framework 2.4.2
    Progress:  100.00               Stacking attempts finished
    Interface       IP Address      Mac Address     Promiscuous

    lo0                     False
    lo0     127.0.0.1               False
    lo0     ::1             False
    lo0     fe80:1::1               False
    gif0                    False
    stf0                    False
    en0     00:0C:29:89:8B:F0       00:0C:29:89:8B:F0       False
    en0     fe80:4::10fb:c89d:217f:52ae     00:0C:29:89:8B:F0       False
    en0     192.168.140.128 00:0C:29:89:8B:F0       False
    utun0                   False
    utun0   fe80:5::2a95:bb15:87e3:977c             False

we can use the mac.ifconfig plugin to get information about the configuration of the network interfaces of the host under investigation.