January 19, 2011

Mac Memory Reader

The fine folks at ATC-NY have released Mac Memory Reader, a free tool for dumping physical memory from a running 32- or 64-bit OS X 10.4+ system. There aren't currently any free tools for analyzing the resulting dump, but some of the relevant kernel structures were documented by Matthieu Suiche in this Blackhat DC 2010 Paper [PDF].

My book is more or less "done"

I've been quiet for a while, mostly because I've been spending the bulk of my "free" time working on a new book with Harlan Carvey: Digital Forensics With Open Source Tools (or, DFWOST for short). It is currently due to be released May 15, 2011.

In the book, we discuss the operational aspects of using open source tools to perform an end-to-end forensic investigation: starting from basic file system analysis using the various tools of The Sleuth Kit, moving to the analysis of artifacts of interest found within complex carrier files like ZIP archives and Microsoft Office documents, and on to the installation and use of modern forensic applications like the Digital Forensics Framework. We approach this from a purely operational perspective, so each chapter should be full of things that you can implement and use right away. Taken together, the chapters should let you perform a complete investigation with open source tools.
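As an illustration of the "carrier file" idea above, here is an added example (not code from the book, from The Sleuth Kit, or from the Digital Forensics Framework) that treats a modern Office document as the ZIP container it is: it inventories every part with its ZIP-header timestamp, CRC and SHA-256, pulls the author and date fields out of docProps/core.xml, and flags parts whose ZIP timestamp disagrees with the document's declared modification time. The sample .docx is constructed inline so the script runs offline; the names, dates and timestamp check are assumptions for demonstration, not claims about how any particular application writes its files.

```python
"""Inspect an Office Open XML (.docx) file as a ZIP container.

Added example; not part of the DFWOST book or its tools. The sample
document below is constructed in memory purely so the script runs offline.
"""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime
from typing import Dict, List

# Namespace prefixes used in docProps/core.xml (OOXML core properties).
_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample metadata part (hypothetical users and dates).
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>alice</dc:creator>"
    "<cp:lastModifiedBy>bob</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2010-12-01T09:30:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2011-01-18T22:15:00Z</dcterms:modified>'
    "</cp:coreProperties>"
) % (_NS["cp"], _NS["dc"], _NS["dcterms"])


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-shaped ZIP with explicit entry timestamps."""
    buf = io.BytesIO()
    parts = [
        ("[Content_Types].xml", b"<Types/>", (2011, 1, 18, 22, 15, 0)),
        ("word/document.xml", b"<w:document/>", (2011, 1, 18, 22, 15, 0)),
        ("docProps/core.xml", CORE_XML.encode(), (2011, 1, 18, 22, 15, 0)),
        # An embedded image whose ZIP timestamp predates the declared dates.
        ("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, (2010, 11, 30, 8, 0, 0)),
    ]
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, stamp in parts:
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(docx_bytes: bytes) -> List[Dict[str, object]]:
    """One record per ZIP part: name, size, header timestamp, CRC-32, SHA-256."""
    records = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for zi in zf.infolist():
            data = zf.read(zi.filename)
            records.append({
                "name": zi.filename,
                "size": zi.file_size,
                "zip_mtime": datetime(*zi.date_time).isoformat(),
                "crc32": "%08x" % zi.CRC,
                "sha256": sha256_hex(data),
            })
    return records


def core_properties(docx_bytes: bytes) -> Dict[str, str]:
    """Extract creator / lastModifiedBy / created / modified from core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {
        "creator": "dc:creator",
        "last_modified_by": "cp:lastModifiedBy",
        "created": "dcterms:created",
        "modified": "dcterms:modified",
    }
    found = {}
    for key, path in fields.items():
        el = root.find(path, _NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def timestamp_mismatches(docx_bytes: bytes) -> List[str]:
    """Parts whose ZIP header time differs from the declared dcterms:modified.

    A mismatch is a lead to examine, not a finding on its own.
    """
    props = core_properties(docx_bytes)
    if "modified" not in props:
        return []
    declared = datetime.strptime(props["modified"], "%Y-%m-%dT%H:%M:%SZ")
    return [
        r["name"] for r in inventory(docx_bytes)
        if datetime.fromisoformat(r["zip_mtime"]) != declared
    ]


if __name__ == "__main__":
    sample = build_sample_docx()
    for rec in inventory(sample):
        print("%-28s %6d %s crc=%s sha256=%s" % (
            rec["name"], rec["size"], rec["zip_mtime"], rec["crc32"], rec["sha256"][:16]))
    print("core properties:", core_properties(sample))
    print("timestamp mismatches:", timestamp_mismatches(sample))
```

The same walk applies to any ZIP-based carrier (ODF, JAR, XPI): hash each part individually rather than just the outer file, because that is the granularity at which an embedded object of interest can be matched across evidence items.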

I'll be using this site to continue discussing the topics I brought up in the book, and to cover additional topics that I wasn't able to get to. I'm also happy to field questions about the book here. To that end, I've created a Google Group for discussion of the book or any related topics. I hope the book is a useful resource for the forensics community.