Hello list,
I'm trying to use Volatility on an OS X memory dump. I was unable to download Mac Memory Reader as the site is offline. I've used osxpmem from Rekall.
The commands I used to perform the dump were:
sudo kextutil MacPmem.kext
sudo ./osxpmem --format elf -o ./ram.dump
I then moved ram.dump into my volatility directory
To check my downloaded profile is included I’ve run the command
./volatility_2.5_mac --plugins=./mac --imageinfo
and then I ran
./volatility_2.5_mac --plugins=./mac --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
and got
Volatility Foundation Volatility Framework 2.5
Offset             Name                 Pid      Uid      Gid      PGID     Bits         DTB                Start Time
------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x4034b50
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Apparently my OSXPmemELF signature is invalid. What can I do to dump memory with a valid signature? Or does my problem lie elsewhere?
Regards,
Rob
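Added example, not part of Rob's post and not code from Volatility, Rekall or osxpmem: a small Python check that reads the first bytes of an image and matches them against the magics the address-space probes in the error list above look for. Volatility prints the VMware signature as a little-endian 32-bit integer, so the reported 0x4034b50 corresponds to the on-disk bytes 50 4B 03 04, which is "PK\x03\x04", the ZIP local-file-header magic (AFF4 images use a ZIP container), and not the 7F 45 4C 46 that an ELF core starts with. The magic table, the sample headers and the script name are constructed for this example.

```python
"""
Classify a memory image by its first bytes, the way Volatility's
address-space probes do. Constructed example for this thread; not code
from Volatility, Rekall or osxpmem.
"""
import struct

# First-bytes magics of the image formats the probes in the error list look for.
# Table constructed for this example from the public format definitions.
MAGICS = (
    (b"\x7fELF",          "elf",   "ELF core (OSXPmemELF, QemuCoreDumpElf, VirtualBoxCoreDumpElf64)"),
    (b"EMiL",             "lime",  "LiME header (LimeAddressSpace)"),
    (b"\xfe\xed\xfa\xcf", "macho", "Mach-O 64-bit, big-endian magic (MachOAddressSpace)"),
    (b"\xcf\xfa\xed\xfe", "macho", "Mach-O 64-bit, little-endian magic (MachOAddressSpace)"),
    (b"\xfe\xed\xfa\xce", "macho", "Mach-O 32-bit, big-endian magic"),
    (b"\xce\xfa\xed\xfe", "macho", "Mach-O 32-bit, little-endian magic"),
    (b"PK\x03\x04",       "zip",   "ZIP local file header (AFF4 images use a ZIP container)"),
)

# The value Volatility printed for ram.dump in the output above.
POSTED_SIGNATURE = 0x4034b50


def signature_as_reported(head):
    """Interpret the first four bytes as the little-endian uint32 that
    Volatility prints in 'Invalid VMware signature: 0x...'."""
    return struct.unpack("<I", head[:4])[0]


def bytes_for_reported_signature(value):
    """Inverse of signature_as_reported: the on-disk bytes behind a printed value."""
    return struct.pack("<I", value)


def identify_magic(head):
    """Return (tag, description) for the container the header bytes belong to."""
    for magic, tag, description in MAGICS:
        if head.startswith(magic):
            return tag, description
    return "unknown", "no known memory-image magic at offset 0"


def check_dump(path):
    """Read the first 16 bytes of an image file and classify it."""
    with open(path, "rb") as f:
        head = f.read(16)
    tag, description = identify_magic(head)
    return {
        "tag": tag,
        "description": description,
        "hex": head.hex(),
        "reported_signature": hex(signature_as_reported(head)) if len(head) >= 4 else None,
    }


if __name__ == "__main__":
    import sys
    # Decode the posted value first: 0x4034b50 -> b'PK\x03\x04'.
    posted = bytes_for_reported_signature(POSTED_SIGNATURE)
    print("0x%x on disk is %r -> %s" % (POSTED_SIGNATURE, posted, identify_magic(posted)[1]))
    # Then classify any image files given on the command line.
    for path in sys.argv[1:]:
        print(path, check_dump(path))
```

Running it as `python check_dump.py ../ram.dump` (the script name is hypothetical) prints the decoded posted signature and the classification of the file; a "zip" result means the file is not the ELF core that OSXPmemELF expects, so the profile is never reached and the image has to be produced or converted in a format one of the listed address spaces accepts.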