In this post we want to show you how to create Mac OS X memory image with Rekall’s OSXPMem tool. This tool was written by Johannes Stuettgen and, according to official documentation, consists of 2 components:
1. The usermode acquisition tool ‘osxpmem’, which parses the accessible sections of physical memory and writes them to disk in a specific format.
2. A generic kernel extension ‘pmem.kext’, that provides read only access to physical memory. After loading it into the kernel it provides a device file (‘/dev/pmem/’), from which physical memory can be read.
Ok, the first step of our memory acquisition process will be downloading of the tool. You can use this link to do it.
The second step is unpacking the archive. Make sure you are using a root shell (‘sudo su’):
Before starting imaging process, we should load a driver written by Adam Sindelar called MacPmem.kext. Let’s do it:
Now we are ready for the final step – memory imaging. Before you start, make sure you have chosen the format you prefer, at the moment the tool supports Mach-O, ELF and zero-padded RAW. In this example we chose RAW:
For testing purposes we have saved our image to the Desktop. DO NOT do it in real cases! Use external media instead! And not only for storing of the image, but for running OSXPMem too!