This paper reports on the development of a tool to extract the contents of volatile memory of Apple Macs running recent versions of OS X, which has not been possible since OS X 10.4.
This paper recounts the authors’ efforts to test the tool and introduces two visualization techniques for that purpose. The authors also introduce four metrics for evaluating physical memory imagers: correctness, completeness, speed, and the amount of “interference” an imager makes to the state of the machine. They evaluate their tool by these metrics and then show visualization using dot plots, a technique borrowed from bioinformatics, which can be used to reveal bugs in the implementation and to evaluate correctness, completeness, and the amount of interference an imager has. They also introduce a visualization they call the density plot, which shows the density of repeated pages at various addresses within an image. They use these techniques to evaluate their own tool and Apple’s earlier tools, and to compare physical memory images to the hibernation file. (Published abstract provided)