An Approach to Analyze Physical Memory Image File of Mac OS X

An Approach to Analyze Physical Memory Image File of Mac OS X

Memory analysis is one of the key techniques in computer live forensics. Especially, the analysis of a Mac OS X operating system' s memory image file plays an important role in identifying the running status of an apple computer. However, how to analyze the image file without using extra" roach_ ker...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:哈尔滨工业大学学报(英文版) 2014-08, Vol.21 (4), p.116-120
1. Verfasser: Li-Juan Xu Lian-Hai Wang
Format: Artikel
Sprache:eng
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Memory analysis is one of the key techniques in computer live forensics. Especially, the analysis of a Mac OS X operating system' s memory image file plays an important role in identifying the running status of an apple computer. However, how to analyze the image file without using extra" roach_ kernel" file is one of the unsolved difficulties. In this paper, we firstly compare several approaches for physical memory acquisition and analyze the effects of each approach on physical memory. Then, we discuss the traditional methods for the physical memory file analysis of Mac OS X. A novel physical memory image file analysis approach without using extra" mach_kernel" file is proposed base on the discussion. We verify the performance of the new approach on Mac OS X 10. 8. 2. The experimental results show that the proposed approach is simpler and more practical than previous ones.
ISSN:1005-9113