Authors: Hajime Inoue, Frank Adelstein, Ph.D. (ATC-NY Corp), Robert Joyce
DFRWS USA 2011
Abstract
We have developed a tool to extract the contents of volatile memory of Apple Macs running recent versions of OS X, which has not been possible since OS X 10.4. This paper recounts our efforts to test the tool and introduces two visualization techniques for that purpose. We also introduce four metrics for evaluating physical memory imagers: correctness, completeness, speed, and the amount of “interference” an imager makes to the state of the machine. We evaluate our tool by these metrics and then show visualization using dotplots, a technique borrowed from bioinformatics can be used to reveal bugs in the implementation and to evaluate correctness, completeness, and the amount of interference an imager has. We also introduce a visualization we call the density plot which shows the density of repeated pages at various addresses within an image. We use these techniques to evaluate our own tool, Apple’s earlier tools, and compare physical memory images to the hibernation file.