However, Richard and Case make an argument that the Macintosh OS X encrypted swap file may not be such a bad thing for forensic examiners. They present the difficulties of “capturing mutually consistent memory dumps and swap files” as well as coping with operating systems using encrypted swap [11]. It is difficult to get a complete and consistent picture of memory when comparing what is found in the swap file to what is recovered from a physical memory capture. If the swap file is unreadable due to encryption, it may result in some data loss, but it frees a forensic examiner and the analysis tools from the burden of correlating what is recovered from the swap file with the data located in physical memory. Furthermore, memory compression, introduced in OS X Mavericks (10.9), partially mitigates the concern about artifacts that are lost due to swap encryption. We discuss memory compression in more detail in Section B, below.

The layout of the physical address space and how OS X utilizes memory compression are essential to understanding how OS X memory analysis tools must work. For example, if, during memory acquisition, a tool interferes with a region of memory reserved for a graphics card, the system may crash, rendering all volatile data lost. Analysis tools must also be able to decompress regions of compressed memory.

There are various ways a user can protect his or her personal information on smartphones. Android and iOS phones can be set up to require a login password. Some phones include a data encryption method to protect sensitive data. Also, third-party developers market mobile protection/encryption software [5] that can be installed on both Android and iOS phones. The iPhone has hardware encryption enabled by default for all data stored in memory. There is also a Data Protection API provided by Apple that can be used to implement application-level encryption.

All smartphones provide a way to erase (reset) personal information from flash memory. The main focus of this thesis will be to evaluate the effectiveness of the “factory data reset” feature on smartphones. A detailed and comprehensive survey can benefit not only the forensic community, but also anyone who uses a smartphone. The end result will help illustrate the limits of privacy protection offered by factory-reset features. It can also contribute to improved smartphone security and privacy policies if vendors use this research to improve their products.

Forensic Acquisition and Analysis of Volatile Data in Memory

Macintosh OS X memory software acquisition tools must be run from the user’s interface on an unlocked system. There are only a few of these tools that work on current Macintosh OS X operating systems. Internet searches and a survey of forensic examiners indicate that OSXPMem, BlackBag Technologies’ MacQuisition, and Sumuri’s RECON are the only acquisition tools that provide support for OS X Mavericks (10.9) and/or Yosemite (10.10).

OSXPmem is an open-source memory-acquisition tool that can be downloaded from the Rekall Memory Forensic Framework GitHub website [9]. The source code for Rekall Memory Forensic Framework’s latest release, version 1.2.1, also contains OSXPmem.

Since the launch of Macintosh OS X 10.7 (Lion), Apple has provided the ability to encrypt the entire volume containing the operating system. Apple describes the feature, named FileVault2, as full-disk XTS-AES 128-bit encryption “to help keep your data secure” [7]. In reality the full disk is not encrypted since the recovery partition and the Extensible Firmware Interface (EFI) partition are not encrypted. However, enabling this feature may be sufficient to defeat traditional post-mortem forensic analysis if the analyst is unable to recover the key.

BlackBag Technologies offers a live forensics and memory-acquisition tool named MacQuisition. The current version, 2014 R1, was released in February 2014. MacQuisition is available for purchase for approximately $1000.00 [19].