Monday, January 28, 2013

Backtrack Forensics: volafox

Menu: Forensics -> RAM Forensic Tools
Directory: /pentest/forensics/volafox

Volafox is a Mac OS X memory analysis tool based on Volatility. Unfortunately I couldn't get a Mac OS X memory image, so I couldn't really test this. Two images (memory and kernel) should be available here, provided by the author, but the links are not working:


In order to get it to run, we need to remove the first line from the code:

and also give it executable permissions:
chmod +x

Some commands:
-i MemoryImage.mem -s mach_kernel -o machine_info - display Mac OS X version info
-i MemoryImage.mem -s mach_kernel -o mount_info - display mounted device info
-i MemoryImage.mem -s mach_kernel -o proc_info - process list information
-i MemoryImage.mem -s mach_kernel -o proc_info -x [PID] - more info on the process with the given PID

Here is the help:

Official website:
Author's blog:

