Directory: /pentest/forensics/volafox
Volafox is a Mac OS X memory analysis tool based on Volatility. Unfortunately I couldn't get a Mac OS X memory image, so I couldn't really test this. Two images (memory and kernel) should be available here, provided by the author, but the links are not working:
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/mach_kernel.zip
Usage:
In order to get it to run, we need to remove the first line of the script:
#!c:\python\python.exe
and also give executable permissions:
chmod +x volafox.py
Some commands:
volafox.py -i MemoryImage.mem -s mach_kernel -o machine_info - display Mac OS X version info
volafox.py -i MemoryImage.mem -s mach_kernel -o mount_info - display mounted device info
volafox.py -i MemoryImage.mem -s mach_kernel -o proc_info - display the process list
volafox.py -i MemoryImage.mem -s mach_kernel -o proc_info -x [PID] - display more info about the process with that PID
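The preparation steps and the commands above, wrapped into one small script. This is an added example, not code from the original post or from volafox itself; it assumes a Linux host with sha256sum, volafox.py in the current directory, the image and kernel file names from the post, and an output directory name (volafox_out) that is made up here.

```shell
#!/bin/sh
# Added example, not part of the original post or of volafox itself: a small
# wrapper for the preparation steps above plus the listed modules.
# Assumptions: a Linux host with sha256sum, volafox.py in the current
# directory, and the image/kernel file names from the post; the output
# directory name "volafox_out" is made up here.

# Swap the Windows-only shebang for a portable one rather than just deleting
# it, so ./volafox.py works after chmod +x. A script whose first line is not
# that shebang is left untouched apart from the mode bit.
fix_shebang() {
    f="$1"
    first=$(head -n 1 "$f")
    case "$first" in
        '#!c:\python\python.exe'*)
            { printf '%s\n' '#!/usr/bin/env python'; tail -n +2 "$f"; } > "$f.tmp" \
                && mv "$f.tmp" "$f"
            ;;
    esac
    chmod +x "$f"
}

# Run the post's modules against an image and kernel, saving each output to a
# file and hashing the image before and after so an accidental write to the
# evidence is noticed. Returns non-zero if the hashes differ.
run_volafox() {
    img="$1"; kern="$2"; out="${3:-volafox_out}"
    mkdir -p "$out"
    sha256sum "$img" > "$out/image.sha256.before"
    for mod in machine_info mount_info proc_info; do
        ./volafox.py -i "$img" -s "$kern" -o "$mod" > "$out/$mod.txt" 2>&1
    done
    # Per-process detail (the post's -x form) needs a PID from proc_info:
    #   ./volafox.py -i "$img" -s "$kern" -o proc_info -x PID
    sha256sum "$img" > "$out/image.sha256.after"
    cmp -s "$out/image.sha256.before" "$out/image.sha256.after"
}

# Usage: ./prep_volafox.sh MemoryImage.mem mach_kernel [outdir]
if [ "$#" -ge 2 ]; then
    fix_shebang volafox.py
    run_volafox "$1" "$2" "${3:-volafox_out}"
fi
```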
Here is the help:
Official website: http://code.google.com/p/volafox/
Author's blog: http://forensic.n0fate.com/