Mac Memory Reader™
Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM on a suspect computer, letting an investigator gather volatile state information prior to shutting the machine down. Results are stored in either a Mach-O binary file or a raw-format file for later off-line analysis by the investigator. Researchers can also use Mac Memory Reader to capture memory-mapped device data, such as shared video memory.
Mac Memory Reader is available free of charge. It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.8 and requires a PowerPC G4 or newer or any Intel processor.
Mac Memory Reader 3.0.2 [released July 2012]
By using this software, you agree to the terms in the LICENSE.txt file included in the download and reproduced here.
Mac Memory Reader is the basis for the physical RAM acquisition tools in ATC-NY's Mac Marshal, a computer forensic tool for Mac OS X investigations.
Please read the README.txt file, included in the download, for full instructions.
Some tips on using Mac Memory Reader:
1. If you are saving the RAM snapshot to a FAT-32 formatted USB drive, FAT-32's file size restrictions will prevent you from writing RAM snapshots that are 4GB or larger. To get around this limitation, split the output into multiple 2GB files using a command line such as the following:
sudo ./MacMemoryReader - | split -b 2048m - ram_dump.mach-o.
This will create ram_dump.mach-o.aa, ram_dump.mach-o.ab, etc. If you don't want to split the file, consider using an ExFAT or HFS+-formatted drive. You can use NTFS, but be aware that the "ntfs-3g" driver commonly used to write to NTFS disks on Mac OS X is very slow and will slow down RAM snapshots dramatically.
2. You can also send the RAM snapshot to a remote machine over the network. To send it to a raw TCP socket on port portnum on host hostname using netcat:
sudo ./MacMemoryReader - | nc hostname portnum
To send it encrypted as a file to a host running SSH:
sudo ./MacMemoryReader - | ssh hostname cat \> /path/to/remote/destfile
3. Normally, MacMemoryReader saves RAM snapshots in Mach-O format, which includes a table of contents followed by the raw data. Adding the -p flag to MacMemoryReader changes the output format to a plain/raw dd style, with only the bytes of physical memory and no header information. Because the raw format does not preserve memory region information (types and offsets), MacMemoryReader prints a table of contents to stderr when it finishes so that the region layout is not lost. Adding -P instead causes unused memory regions to be zero-filled, which removes the need for the table of contents but can make the RAM snapshot require significantly more disk space than the size of installed RAM.
4. MacMemoryReader can compute hashes on the fly if needed: add -H hashtype arguments (where hashtype is one of MD5, SHA-1, SHA-256, or SHA-512) to have hashes printed on stderr. For example,
sudo ./MacMemoryReader -H MD5 -H SHA-1 ...
will compute both MD5 and SHA-1 hashes of the memory dump.
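Tips 1 and 4 combine naturally: the snapshot is split into FAT-32-sized chunks while a hash of the complete stream is recorded, and the chunks are checked against that hash after they are copied off the USB drive. The following POSIX shell wrapper is an added example, not part of Mac Memory Reader or its README; it assumes that either sha256sum or shasum is installed, and the function names split_and_hash and verify_chunks are this example's own.

```shell
# Stream on stdin -> PREFIX.aa, PREFIX.ab, ... plus the SHA-256 of the
# whole stream, computed while the data flows past (RAM is read only once).

sha256_stream() {
    # Mac OS X ships shasum; most Linux hosts ship sha256sum. Use whichever exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    else
        shasum -a 256 | cut -d ' ' -f 1
    fi
}

# split_and_hash PREFIX CHUNK
#   Reads the snapshot from stdin, writes chunks PREFIX.aa, PREFIX.ab, ...
#   of CHUNK size (split(1) syntax, e.g. 2048m), and prints the SHA-256 of
#   the complete stream. A FIFO carries a second copy of the stream to the
#   hasher, so the source is read exactly once.
split_and_hash() {
    prefix=$1
    chunk=$2
    tmpd=$(mktemp -d) || return 1
    mkfifo "$tmpd/fifo" || return 1
    sha256_stream < "$tmpd/fifo" > "$tmpd/sha256" &
    tee "$tmpd/fifo" | split -b "$chunk" - "$prefix."
    wait
    cat "$tmpd/sha256"
    rm -rf "$tmpd"
}

# verify_chunks PREFIX EXPECTED_HASH
#   Reassembles PREFIX.aa, PREFIX.ab, ... in order and checks that the SHA-256
#   matches the value recorded at acquisition time. Returns 0 on match.
verify_chunks() {
    prefix=$1
    expected=$2
    actual=$(cat "$prefix".?? | sha256_stream)
    [ "$actual" = "$expected" ]
}

# Usage on a real target (stdout '-' as in the tips above; paths are assumptions):
#   hash=$(sudo ./MacMemoryReader - | split_and_hash /Volumes/USB/ram_dump.mach-o 2048m)
#   verify_chunks /Volumes/USB/ram_dump.mach-o "$hash" && echo "chunks intact"
```

The hash MacMemoryReader itself prints with -H SHA-256 should equal the value split_and_hash records; comparing the two confirms that nothing between the tool and the drive altered the stream.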