|
| 1 | +macOS Tutorial |
| 2 | +============== |
| 3 | + |
| 4 | +This guide will give you a brief overview of how volatility3 works as well as a demonstration of several of the plugins available in the suite. |
| 5 | + |
| 6 | +Acquiring memory |
| 7 | +---------------- |
| 8 | + |
| 9 | +Volatility3 does not provide the ability to acquire memory. The example below is an open source tool. Other commercial tools are also available. |
| 10 | + |
| 11 | +* `osxpmem <https://github.com/Velocidex/c-aff4/releases/download/3.2/osxpmem_3.2.zip>`_ |
| 12 | + |
| 13 | + |
| 14 | + |
| 15 | +Procedure to create symbol tables for macOS |
| 16 | +-------------------------------------------- |
| 17 | + |
| 18 | +To create a symbol table please refer to :ref:`symbol-tables:Mac or Linux symbol tables`. |
| 19 | + |
| 20 | +.. tip:: It may be possible to locate pre-made ISF files from the `download link <https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>`_ , |
| 21 | + which is built and maintained by `volatilityfoundation <https://www.volatilityfoundation.org/>`_. |
| 22 | + After creating the file or downloading it from the link, place the file under the directory ``volatility3/symbols/``. |
| 23 | + |
| 24 | + |
| 25 | +Listing plugins |
| 26 | +--------------- |
| 27 | + |
| 28 | +The following is a sample of the macOS plugins available for volatility3, it is not complete and more plugins may |
| 29 | +be added. For a complete reference, please see the volatility 3 :doc:`list of plugins <volatility3.plugins>`. |
| 30 | +For plugin requests, please create an issue with a description of the requested plugin. |
| 31 | + |
| 32 | +.. code-block:: shell-session |
| 33 | +
|
| 34 | + $ python3 vol.py --help | grep -i mac. | head -n 4 |
| 35 | + mac.bash.Bash Recovers bash command history from memory. |
| 36 | + mac.check_syscall.Check_syscall |
| 37 | + mac.check_sysctl.Check_sysctl |
| 38 | + mac.check_trap_table.Check_trap_table |
| 39 | +
|
| 40 | +.. note:: Here the the command is piped to grep and head in-order to provide the start of the list of macOS plugins. |
| 41 | + |
| 42 | + |
| 43 | +Using plugins |
| 44 | +------------- |
| 45 | + |
| 46 | +The following is the syntax to run the volatility CLI. |
| 47 | + |
| 48 | +.. code-block:: shell-session |
| 49 | +
|
| 50 | + $ python3 vol.py -f <path to memory image> <plugin_name> <plugin_option> |
| 51 | +
|
| 52 | +
|
| 53 | +Example |
| 54 | +------- |
| 55 | + |
| 56 | +banners |
| 57 | +~~~~~~~ |
| 58 | + |
| 59 | +In this example we will be using a memory dump from the Securinets CTF Quals 2019 Challenge called Contact_me. We will limit the discussion to memory forensics with volatility 3 and not extend it to other parts of the challenge. |
| 60 | +Thanks go to `stuxnet <https://github.com/stuxnet999/>`_ for providing this memory dump and `writeup <https://stuxnet999.github.io/securinets-ctf/2019/08/24/SecurinetsQuals2019-Contact-Me.html>`_. |
| 61 | + |
| 62 | + |
| 63 | +.. code-block:: shell-session |
| 64 | +
|
| 65 | + $ python3 vol.py -f contact_me banners.Banners |
| 66 | + |
| 67 | + Volatility 3 Framework 2.4.2 |
| 68 | +
|
| 69 | + Progress: 100.00 PDB scanning finished |
| 70 | + Offset Banner |
| 71 | + |
| 72 | + 0x4d2c7d0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 73 | + 0xb42b180 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 74 | + 0xcda9100 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 75 | + 0x1275e7d0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 76 | + 0x1284fba4 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 77 | + 0x34ad0180 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 |
| 78 | + |
| 79 | +
|
| 80 | +The above command helps us to find the memory dump's Darwin kernel version. Now using the above banner we can search for the needed ISF file. |
| 81 | +If ISF file cannot be found then, follow the instructions on :ref:`getting-started-macos-tutorial:Procedure to create symbol tables for macOS`. After that, place the ISF file under the ``volatility3/symbols`` directory. |
| 82 | + |
| 83 | +mac.pslist |
| 84 | +~~~~~~~~~~~~ |
| 85 | + |
| 86 | +.. code-block:: shell-session |
| 87 | +
|
| 88 | + $ python3 vol.py -f contact_me mac.pslist.PsList |
| 89 | +
|
| 90 | + Volatility 3 Framework 2.4.2 |
| 91 | + Progress: 100.00 Stacking attempts finished |
| 92 | +
|
| 93 | + PID PPID COMM |
| 94 | +
|
| 95 | + 0 0 kernel_task |
| 96 | + 1 0 launchd |
| 97 | + 35 1 UserEventAgent |
| 98 | + 38 1 kextd |
| 99 | + 39 1 fseventsd |
| 100 | + 37 1 uninstalld |
| 101 | + 45 1 configd |
| 102 | + 46 1 powerd |
| 103 | + 52 1 logd |
| 104 | + 58 1 warmd |
| 105 | + ..... |
| 106 | +
|
| 107 | +``mac.pslist`` helps us to list the processes which are running, their PIDs and PPIDs. |
| 108 | + |
| 109 | +mac.pstree |
| 110 | +~~~~~~~~~~~~ |
| 111 | + |
| 112 | +.. code-block:: shell-session |
| 113 | +
|
| 114 | + $ python3 vol.py -f contact_me mac.pstree.PsTree |
| 115 | + Volatility 3 Framework 2.4.2 |
| 116 | + Progress: 100.00 Stacking attempts finished |
| 117 | + PID PPID COMM |
| 118 | +
|
| 119 | + 35 1 UserEventAgent |
| 120 | + 38 1 kextd |
| 121 | + 39 1 fseventsd |
| 122 | + 37 1 uninstalld |
| 123 | + 204 1 softwareupdated |
| 124 | + * 449 204 SoftwareUpdateCo |
| 125 | + 337 1 system_installd |
| 126 | + * 455 337 update_dyld_shar |
| 127 | +
|
| 128 | +``mac.pstree`` helps us to display the parent child relationships between processes. |
| 129 | + |
| 130 | +mac.ifconfig |
| 131 | +~~~~~~~~~~ |
| 132 | + |
| 133 | +.. code-block:: shell-session |
| 134 | +
|
| 135 | + $ python3 vol.py -f contact_me mac.ifconfig.Ifconfig |
| 136 | +
|
| 137 | + Volatility 3 Framework 2.4.2 |
| 138 | + Progress: 100.00 Stacking attempts finished |
| 139 | + Interface IP Address Mac Address Promiscuous |
| 140 | +
|
| 141 | + lo0 False |
| 142 | + lo0 127.0.0.1 False |
| 143 | + lo0 ::1 False |
| 144 | + lo0 fe80:1::1 False |
| 145 | + gif0 False |
| 146 | + stf0 False |
| 147 | + en0 00:0C:29:89:8B:F0 00:0C:29:89:8B:F0 False |
| 148 | + en0 fe80:4::10fb:c89d:217f:52ae 00:0C:29:89:8B:F0 False |
| 149 | + en0 192.168.140.128 00:0C:29:89:8B:F0 False |
| 150 | + utun0 False |
| 151 | + utun0 fe80:5::2a95:bb15:87e3:977c False |
| 152 | + |
| 153 | +we can use the ``mac.ifconfig`` plugin to get information about the configuration of the network interfaces of the host under investigation. |
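Review bot: the "mac.ifconfig" section heading near the end of the hunk has a 10-tilde underline under a 12-character title, which Sphinx flags as "Title underline too short" and renders inconsistently; extend it to at least 12 tildes, matching the "mac.pslist" and "mac.pstree" headings. Three smaller wording fixes in the same file: the note under "Listing plugins" repeats a word in "Here the the command is piped", the sentence after the banners output reads better as "If the ISF file cannot be found, follow the instructions on ...", and the closing sentence of the "mac.ifconfig" section should begin with a capital "We can use the mac.ifconfig plugin ...".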