Monday, January 28, 2013

Backtrack Forensics: volafox

Menu: Forensics -> RAM Forensic Tools
Directory: /pentest/forensics/volafox

Volafox is a Mac OS X memory analysis tool based on Volatility. Unfortunately I couldn't get a Mac OS X memory image, so I couldn't really test this. Two sample images (a memory image and the matching kernel), provided by the author, should be available at the links below, but the links are not working:

http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/mach_kernel.zip

Usage:

In order to get it to run, we need to remove the first line from the code (a Windows-style shebang):
#!c:\python\python.exe
and also give the script executable permissions:
chmod +x volafox.py

Some commands (all of them take the memory image with -i and the matching kernel file with -s):

volafox.py -i MemoryImage.mem -s mach_kernel -o machine_info - display Mac OS X version info
volafox.py -i MemoryImage.mem -s mach_kernel -o mount_info - display mounted device info
volafox.py -i MemoryImage.mem -s mach_kernel -o proc_info - display the process list
volafox.py -i MemoryImage.mem -s mach_kernel -o proc_info -x [PID] - display more information about the process with the given PID
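A small POSIX shell helper that applies the two fixes above and then runs the listed queries against an image, written for this post as an added example (it is not part of the original post or of the volafox project); the case-directory layout, the sha256sum bookkeeping and the function names are my own assumptions.

```shell
#!/bin/sh
# Prepare a volafox checkout for Linux and run a fixed set of read-only
# queries against a memory image, keeping every output under a case directory.

# Replace the Windows-style shebang on line 1 with a portable one and mark
# the script executable. Only a first line that starts with "#!" followed by
# a drive letter is touched, so a script that already has a proper shebang
# is left alone. CRs are dropped as well in case the file has CRLF endings.
fix_volafox_shebang() {
    script="$1"
    first=$(head -n 1 "$script")
    case "$first" in
        '#!'[A-Za-z]:*)
            { printf '#!/usr/bin/env python\n'; tail -n +2 "$script" | tr -d '\r'; } \
                > "$script.tmp" && mv "$script.tmp" "$script"
            ;;
    esac
    chmod +x "$script"
}

# Run the queries shown above, saving each result, plus a SHA-256 of the
# image taken before and after the run so the analyst can show the evidence
# file was not modified. Returns non-zero if the two hashes differ.
run_volafox_triage() {
    script="$1"; image="$2"; kernel="$3"; outdir="$4"
    mkdir -p "$outdir"
    sha256sum "$image" > "$outdir/image.sha256.before"
    for query in machine_info mount_info proc_info; do
        "$script" -i "$image" -s "$kernel" -o "$query" \
            > "$outdir/$query.txt" 2> "$outdir/$query.err"
    done
    sha256sum "$image" > "$outdir/image.sha256.after"
    cmp -s "$outdir/image.sha256.before" "$outdir/image.sha256.after"
}

# Example invocation (paths are placeholders):
# fix_volafox_shebang /pentest/forensics/volafox/volafox.py
# run_volafox_triage /pentest/forensics/volafox/volafox.py MemoryImage.mem mach_kernel ./case01
```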

Here is the help:


Official website: http://code.google.com/p/volafox/
Author's blog: http://forensic.n0fate.com/
