|
|
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Acquisition of OS X RAM is a bit of a holy grail of memory analysis, quite simply because no-one has done it, or has admitted to it. It is always good form to realize that whatever we think of as secure has probably been undermined by Dark Forces working from bunkers under grassy fields, or desert, or tundra depending on your Government Agency of choice. In Leopard there were some significant weaknesses in OS X RAM, well researched and documented by Dai Zovi We're not worthy who demonstrated in 2009 a number of different attacks on the OS through the poorly implemented memory stack which enabled heap allocated memory to be executable, unlike Vista 7 etc - Windows more secure - who knew Snow Leopard with its 64bit architecture has gone a long way to solve that. But with the incredible amount of information available from a Windows RAM dump it would be great to achieve the same from a Mac. Work has been done with DMA Direct Memory Access via Firewire which can theoretically work and some researchers had some success with Leopard but its all gone quiet with Snow Leopard. So where does that leave us Well, unless you are prepared to freeze the chips you need to acquire the RAM whilst the machine is live. On a Linux machine you can simply dd dev mem and dev kmem but no such luck with OS X. For the time being our best bet is the OS X counterpart of hiberfil.sys. In Windows hiberfil is a file generated in the root of C when the PC is put into hibernate state. The resulting file can be converted into a raw RAM dump using either tools from Matthieu Suiche with the Sandman project or the version produced for Volatility. OS X has a similar file called sleepimage. You can see if your Mac has one at the moment by doing the following - Open terminal Type - cd var vm Type - ls If your machine has been hibernated you should see a sleepimage file with a file size that is the same as your RAM. If you come up against a running Mac and will be seizing it then it is possible to force the machine to create the sleepimage file. Suggested 'Forensic' methodology - Open Terminal Type - sudo pmset a hibernatemode 1 When you shut the lid it now creates a hibernate file and shuts machine down rather than putting it into sleep mode. The problem is that it will likely ask for the admin password. You could run MacLockpick which will extract the Keychain and possibly give you the password you need. Next, you need to set it back - sudo pmset a hibernatemode 3 Shut the lid, take the machine. Now simply image the drive as normal and extract the sleepimage file and analyze. If you were doing a live data acquisition or search of the machine it is simply the case of plugging in a USB drive and typing - sudo cp var vm sleepimage Volumes USBkey Where USBKey is the name of your drive. Now the problems - Changing the hibernatemode makes a technical change to the machine. The technique forces you to shut the machine down which is no good if you want the RAM live whilst leaving the machine running. There are currently no tools available for the analysis of the sleepimage. The tools we use for Windows RAM analysis such as Volatility, Foremost, Memoryze etc do not work. Get coding This post is not desperately useful as it just explains how to get a pseudo-Ram dump out, what you then do with it is up to you. If you figure anything out I'd love to hear about it
Les derniers articles du site "CSITech Computer Forensics" :
- Extracting recent contacts from OSX Mail
- iPhone Video Metadata - Tool released
- iPhone Video Metadata
- Maltego Machines and other stuff
- Password extraction fun
- Volatility - cmdscan buggy
- Advanced Open Source Intelligence Gathering
- Firewire fun with Thunderbolt
- Skype IP addresses - in the clear
- Visualizing Online Investigations - LIVE
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.191.75.173 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.191.75.173 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
