An Approach to Analyze Physical Memory Image File of Mac OS X

An Approach to Analyze Physical Memory Image File of Mac OS X

下载PDF

导出

摘要 Memory analysis is one of the key techniques in computer live forensics. Especially,the analysis of a Mac OS X operating system's memory image file plays an important role in identifying the running status of an apple computer. However,how to analyze the image file without using extra"mach-kernel"file is one of the unsolved difficulties. In this paper,we firstly compare several approaches for physical memory acquisition and analyze the effects of each approach on physical memory. Then,we discuss the traditional methods for the physical memory file analysis of Mac OS X. A novel physical memory image file analysis approach without using extra"mach-kernel"file is proposed base on the discussion. We verify the performance of the new approach on Mac OS X 10. 8. 2. The experimental results show that the proposed approach is simpler and more practical than previous ones. Memory analysis is one of the key techniques in computer live forensics. Especially, the analysis of a Mac OS X operating system＇ s memory image file plays an important role in identifying the running status of an apple computer. However, how to analyze the image file without using extra＂ roach_ kernel＂ file is one of the unsolved difficulties. In this paper, we firstly compare several approaches for physical memory acquisition and analyze the effects of each approach on physical memory. Then, we discuss the traditional methods for the physical memory file analysis of Mac OS X. A novel physical memory image file analysis approach without using extra＂ mach_kernel＂ file is proposed base on the discussion. We verify the performance of the new approach on Mac OS X 10. 8. 2. The experimental results show that the proposed approach is simpler and more practical than previous ones.

作者 Li-Juan Xu Lian-Hai Wang

机构地区 Shandong Provincial Key Laboratory of Computer Network

出处《Journal of Harbin Institute of Technology(New Series)》 EI CAS 2014年第4期116-120,共5页 哈尔滨工业大学学报（英文版）

基金 Sponsored by the National Natural Science Foundation of China (Grant No.61303199) Natural Science Foundation of Shandong Province (Grant No.ZR2013FQ001 and ZR2011FQ030) Outstanding Research Award Fund for Young Scientists of Shandong Province (Grant No.BS2013DX010) Academy of Sciences Youth Fund Project of Shandong Province (Grant No.2013QN007)

关键词 computer forensics live forensics Mac OS X operating system physical memory analysis computer forensics live forensics Mac OS X operating system physical memory analysis

分类号 TP309 [自动化与计算机技术—计算机系统结构]

引文网络
相关文献

参考文献16

1Matthew J, Warren G, Bill L, et al.Dispelling Common Myths of “Live Digital Forensics”.https://www.dfcb.org/docs/LiveDigitalForensics-MythVersusReality.pdf.2011-01-01.
2Inoue H, Adelstein F, Joyce R A.Visualization in testing a volatile memory forensic tool.Digital Investigation, 1,8(Suppl.): S42-S51.
3Singh A.In Mac OS X Internals: A Systems Approach (Bonus Content).United States of America: Pearson Education, Inc., 2006.
4Suiche M.Mac OS X physical memory analysis.Black Hat DC.https://www.blackhat.com/presentations/bh-dc-10/Suiche-Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf.2010-01-01.
5Cyber Marshal Utilities.Mac Memory Reader.http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader.2014-03-01.
6Johannes S.OSXPmem.https://code.google.com/p/rekall/source/browse/OSXPmem.2013-02-16.
7Ligh M H, Adair S, Hartstein B, et al.Malware Analyst’S Cookbook and DVD: Tools and Techniques for Fighting Malicious Code.Indianapolis, IN: Wiley, 2011.
8Adam B.Hit by a Bus: Physical Access Attacks with FireWire.http://www.security-assessment.com/files/presentations/ab-firewire-rux2k6-final.pdf.2014-05-01.
9Becher M, Dornseif M, Klein C N.FireWire: All your memory are belong to us .CanSecWest.2005.https://cansecwest.com/core05/2005-firewire-cansecwest.pdf.2005-01-01.
10Hermann U.Physical memory attacks via Firewire/DMA.Personal Blog.http://www.hermann-uwe.de/blog/physical-memory-attacksvia-firewire-dma-part-1-overview-and-mitigation.2008-01-01.

164位Windows7无法玩CS[J].电脑爱好者,2011(21):72-72.
2内存导致玩游戏容易蓝屏[J].电脑爱好者（普及版）,2010(A02):244-245.
3系统[J].电脑爱好者,2009(7):71-72.
4贾富.再不用为硬盘容量发愁 1TB硬盘面世[J].电脑爱好者,2007(3):9-9.
5Xu Lijuan Wang Lianhai Zhang Lei Kong Zhigang.Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System[J].China Communications,2010,7(6):71-77.
6王磊.专家释疑[J].大众硬件,2006(7):137-139.
7明叔亮.苹果手机悬念[J].互联网周刊,2007(2):16-16.
8Lian-Hai Wang,Qiu-Liang Xu.Primary Exploration of Reliability Evaluation of Computer Live Forensics Model on Physical Memory Analysis[J].Journal of Harbin Institute of Technology(New Series),2014,21(4):121-128. 被引量：1
9姜仲秋,刘长荣,张文明,郑屹帆.面向Android系统的动态内存管理策略[J].测控技术,2013,32(12):73-77.
10梁星.储存技术的过去、现在与未来[J].今日电子,1997(12):59-62.

Journal of Harbin Institute of Technology(New Series)

2014年第4期

浏览历史

内容加载中请稍等...

An Approach to Analyze Physical Memory Image File of Mac OS X

参考文献16

相关作者

相关机构

相关主题

浏览历史