Forensics
RAM dump and analysis
Use OSXPMem (only works up to macOS 10.13, because it relies on a kernel extension)
osxpmem /path/to/memdump.bin
Another tool is Memoryze (https://www.fireeye.com/services/freeware/memoryze.html), which officially supports macOS only up to 10.8.
To analyze a memory dump, use Volatility (https://www.volatilityfoundation.org).
Syscall tracing
You may have to disable System Integrity Protection (SIP) to get the desired results.
dtruss -f -p <pid> -t <syscall>
The following command re-enables System Integrity Protection while leaving DTrace (which dtruss relies on) usable:
csrutil enable --without dtrace
Disk image
Either boot into recovery mode or from a live USB / CD, then image the raw device (sync pads unreadable blocks with zeros so offsets in the image stay aligned with the source):
dd if=/dev/diskX of=container.img conv=noerror,sync
Attach APFS container image
hdiutil attach -nomount container.img
Then mount the device node that hdiutil prints read-only:
mount -o rdonly,noexec,noowners /dev/diskX /Volumes/Container
Known Wi-Fi networks
Known networks and their last connection timestamps can be found in /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
To display the stored password (the Keychain will prompt for access):
security find-generic-password -ga <SSID_or_MAC_OF_ACCESS_POINT>
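The preferences plist above is a binary plist, which is awkward to read with shell tools alone. As an added example (not from the original page), the script below parses such a file with Python's plistlib and lists known networks sorted by last connection time. The key names KnownNetworks, SSIDString, LastConnected and SecurityType are assumed from the layout commonly seen in com.apple.airport.preferences.plist; confirm them with `plutil -p` on the real file. The sample plist is constructed inline so the script runs offline.

```python
import plistlib
import sys
from datetime import datetime

# Constructed sample in the assumed layout of com.apple.airport.preferences.plist.
# plistlib stores datetimes as UTC and loads them back as naive datetime objects.
SAMPLE = plistlib.dumps({
    "KnownNetworks": {
        "wifi.ssid.<616263>": {
            "SSIDString": "abc",
            "LastConnected": datetime(2021, 3, 4, 10, 0, 0),
            "SecurityType": "WPA2 Personal",
        },
        "wifi.ssid.<436f66666565>": {
            "SSIDString": "CoffeeShop",
            "LastConnected": datetime(2022, 1, 1, 8, 30, 0),
            "SecurityType": "Open",
        },
        # Entry without a timestamp: never connected, or field absent.
        "wifi.ssid.<4c6567616379>": {
            "SSIDString": "Legacy",
            "SecurityType": "WEP",
        },
    }
})


def known_networks(plist_bytes):
    """Return a list of (ssid, last_connected, security) tuples, newest first.

    Key names are assumptions about the plist layout (see lead-in); entries
    missing a key are kept with a placeholder so nothing is silently dropped.
    """
    data = plistlib.loads(plist_bytes)
    rows = []
    for entry in data.get("KnownNetworks", {}).values():
        ssid = entry.get("SSIDString", "<no SSID>")
        last = entry.get("LastConnected")          # naive datetime or None
        sec = entry.get("SecurityType", "unknown")
        rows.append((ssid, last, sec))
    # Entries with no timestamp sort last.
    rows.sort(key=lambda r: r[1] or datetime.min, reverse=True)
    return rows


def format_rows(rows):
    """Render rows as fixed-width text lines for a report."""
    out = []
    for ssid, last, sec in rows:
        when = last.strftime("%Y-%m-%d %H:%M:%S UTC") if last else "never"
        out.append(f"{when:<24} {sec:<16} {ssid}")
    return out


def main(argv):
    # Usage: python3 known_networks.py [/path/to/com.apple.airport.preferences.plist]
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for line in format_rows(known_networks(blob)):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the constructed sample, or pass the path of a plist copied off the evidence disk (mounted read-only as described above) to list the real entries.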
Known Bluetooth devices
plutil -p /Library/Preferences/com.apple.Bluetooth.plist
Link keys can be found (root access is required for this path) with
plutil -p /private/var/root/Library/Preferences/com.apple.bluetoothd.plist