Forensics

RAM dump and analysis

  • Use OSXPMem (works only up to macOS 10.13, because it relies on a kernel extension)

osxpmem /path/to/memdump.bin

Syscall tracing

  • You may have to disable System Integrity Protection (SIP) to get the desired results

dtruss -f -p <pid> -t <syscall>

  • The following command re-enables System Integrity Protection while leaving dtrace (used by dtruss) available

csrutil enable --without dtrace

Disk image

  • Boot into rescue mode (Recovery) or from a live USB / CD first, so the disk being imaged is not mounted

dd if=/dev/diskX of=container.img conv=noerror

Attach APFS container image

hdiutil attach -nomount container.img
mkdir -p /Volumes/Container
mount -t apfs -o rdonly,noexec,noowners /dev/diskXsY /Volumes/Container

  • hdiutil prints the synthesized APFS disk and its volume slices (diskXsY); mount the volume slice, not the container device, and keep rdonly so the evidence is not modified

Known Wi-Fi networks

Known Wi-Fi networks and their last connection timestamps are stored in /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

To display the stored password

security find-generic-password -ga <SSID_or_MAC_OF_ACCESS_POINT>
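A small parser for that plist, added here as an example (not part of the original cheat sheet): it lists known networks most recently connected first and flags Open/WEP entries. The KnownNetworks / SSIDString / LastConnected / SecurityType key names are an assumption about the file's layout, and the embedded plist is a constructed sample.

```python
import plistlib
import sys
from datetime import datetime, timezone

# Constructed sample mirroring the assumed layout of
# /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
SAMPLE_PLIST = plistlib.dumps({
    "KnownNetworks": {
        "wifi.ssid.486f6d654c616e": {
            "SSIDString": "HomeLan",
            "SecurityType": "WPA2 Personal",
            "LastConnected": datetime(2023, 5, 2, 18, 4, 9),
        },
        "wifi.ssid.436166654672656557694669": {
            "SSIDString": "CafeFreeWiFi",
            "SecurityType": "Open",
            "LastConnected": datetime(2023, 6, 11, 9, 30, 0),
        },
        "wifi.ssid.4f6c644e65743030": {
            "SSIDString": "OldNet00",
            "SecurityType": "WEP",
            # no LastConnected: profile exists but was never joined
        },
    }
})

WEAK_SECURITY = {"Open", "WEP"}  # assumed SecurityType values


def known_networks(plist_bytes: bytes) -> list:
    """Return known networks, most recently connected first, never-joined last."""
    prefs = plistlib.loads(plist_bytes)
    rows = []
    for entry in prefs.get("KnownNetworks", {}).values():
        last = entry.get("LastConnected")
        security = entry.get("SecurityType", "<unknown>")
        rows.append({
            "ssid": entry.get("SSIDString", "<unknown>"),
            "security": security,
            # plistlib returns naive datetimes holding UTC wall-clock time
            "last_connected": last.replace(tzinfo=timezone.utc).isoformat() if last else None,
            "weak_security": security in WEAK_SECURITY,
        })
    # ISO-8601 strings sort chronologically; "" pushes never-joined entries last
    rows.sort(key=lambda r: r["last_connected"] or "", reverse=True)
    return rows


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for row in known_networks(data):
        print(f'{row["last_connected"] or "never":<25} {row["security"]:<15} {row["ssid"]}')
```

Run it with the path of a plist copied from the image to print the real list; without an argument it prints the constructed sample.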

Known Bluetooth devices

plutil -p /Library/Preferences/com.apple.Bluetooth.plist

  • Link keys are kept in a root-only file and can be found with

plutil -p /private/var/root/Library/Preferences/com.apple.bluetoothd.plist