File Marshal: Automatic extraction of peer-to-peer data
Abstract
We have developed a tool to extract the contents of volatile memory of
Apple Macs running recent versions of OS X, which has not been
possible since OS X 10.4. This paper recounts our efforts to test the
tool and introduces two visualization techniques for that purpose. We
also introduce four metrics for evaluating physical memory imagers:
correctness, completeness, speed, and the amount of "interference"
an imager makes to the state of the machine. We evaluate our tool by
these metrics and then show visualization using dotplots, a technique
borrowed from bioinformatics, can be used to reveal bugs in the
implementation and to evaluate correctness, completeness, and the
amount of interference an imager has. We also introduce a
visualization we call the density plot which shows the density of
repeated pages at various addresses within an image. We use these
techniques to evaluate our own tool, Apple's earlier tools, and
compare physical memory images to the hibernation file.
Keywords:
Volatile Memory, Memory Forensics, OS X, Memory Dump,
Visualization, Dotplot, Density Plot
Return to the Publication list.
This page last modified Jun 03, 2011.
Home
feed
![[Title Bar]](/images/header.gif)