The user's device is notified by a message saying that someone sent you a video, together with a cdnvidoeurl (later known as a FileID).
Although there are some tools able to analyze Mac memory, e.g. Volatility, Volafox, Memoryze for Mac, Mac Memory Reader, MacLockPick and Rekall, Mac memory analysis is still relatively unfamiliar territory. This paper demonstrates a fast track to Mac memory forensics by studying the evidence left by a very popular social networking application, WeChat. Computer forensics is not only a science but an art. Therefore, we could not ignore any possible source of evidence (either file system or memory) on a desktop machine. With the end-of-life of Windows XP, Mac OS X might occupy more market share afterwards, so now is a good time to study the attributes of OS X in more depth.

The application WeChat was downloaded from the official website of Weixin. Two memory acquisition tools were used: one is MacLockPick 3.0 from MacForensicsLab and the other is OSXPmem from the Rekall Memory Forensics Framework. MacLockPick also supports gathering information from iPhone and iPad using the Apple Mobile Sync application; what it collects can be configured in the MacLockPick Manager depending on the examiner's preference. Although there are alternatives for recovering lost memory contents, for example hiberfil.sys on Windows, the best way is to acquire the memory dump as soon as possible. OSXPmem is an open source memory acquisition tool for Mac OS X which supports up to OS version 10.9; its default output format is ELF.

Volatility 2.3.1 fully supports the analysis of Mac memory. It requires the corresponding OS profile while performing the analysis. The archive of pre-built profiles up to version Mountain Lion 10.8.3 can be downloaded from its official website; however, it builds in only 20 Windows operating system profiles, and the user must know and select the correct profile when processing. Of course, a custom profile for Linux or Mac OS can be created if necessary. Rekall, like Volatility, processes a dump with the corresponding OS profile, but it can detect the profile automatically. For OS X, it supports up to version 10.9.x.
The Rekall profile repository contains over 300 different OS profiles. WeChat was executed from the path /Applications/WeChat.app/Contents/MacOS/WeChat on 2014-05-19, as shown in Figure 4 9.