This paper reports on the development of a tool to extract the contents of volatile memory of Apple Macs running recent versions of OS X, which has not been possible since OS X 10.4.
This paper recounts the authors’ efforts to test the tool and introduces two visualization techniques for that purpose. The authors also introduce four metrics for evaluating physical memory imagers: correctness, completeness, speed, and the amount of “interference” an imager makes to the state of the machine. They evaluate their tool by these metrics and then show visualization using dot plots, a technique borrowed from bioinformatics, which can be used to reveal bugs in the implementation and to evaluate correctness, completeness, and the amount of interference an imager has. They also introduce a visualization they call the density plot, which shows the density of repeated pages at various addresses within an image. They use these techniques to evaluate their own tool, Apple’s earlier tools, and in comparing physical memory images to the hibernation file. (Published abstract provided)
Downloads
Similar Publications
- Forensic Applicability of Femur Subtrochanteric Shape to Ancestry Assessment in Thai and White American Males
- Biological Distance Analysis, Cranial Morphoscopic Traits, and Ancestry Assessment in Forensic Anthropology
- Evaluation of Digital Evidence Processing Efficiencies in Publicly Funded Crime Laboratories: A Formative Study on how Crime Laboratories and Law Enforcement Ag