volafox & volafunx Memory Analyzer for Mac OS X & FreeBSD v0.2 Beta 2 released

volafox, a.k.a. ‘Memory Analyzer for Mac OS X’, is developed in Python 2.5.

System Environment

Lang: Python 2.x
Requirement

  • Mach Kernel Image
  • Memory Image
  • Loadable Kernel Version (volafox supports Intel x86 only so far)

Information

  1. Machine Information
  2. Mounted Filesystem
  3. Process List
  4. KEXT information
  5. System Call List
  6. Detecting System Call Hooking
  7. KEXT Dump

Example file

Hosted by DFRC (Digital Forensic Research Center)

http://forensic.korea.ac.kr/volafox/files/SnowLeopard/mach_kernel.zip
Mach Kernel Image – SHA1: D97D3B84B71D656186DB044486E4588620193A57

http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip
Memory Image (512MB) – SHA1: D315D78979645C1C0CA7D8FAEF105EB1168320EA

Kernel architecture: Intel x86

volafunx

Introduction

Memory Analyzer for FreeBSD
Tested OS: FreeBSD x86 7.x, 8.x
Requirement

  • Kernel Image (kernel)
  • Memory Image

Information

  1. KLD list
  2. KLD dump
  3. System call hooking detection
  4. Process list (LIST, HASH) (0.2 beta2)
  5. Process dump (HASH)
  6. Network Information (IP, Port, flag) (0.2 beta2)
  7. Module list in KLD (0.2 beta1)

Example file

(A little challenge for testing: I wrote a message using ‘vi’, but the text file was not saved because of my mistake. You can find the ‘secret’ message in this memory image.)

http://forensic.korea.ac.kr/volafox/files/FreeBSD8/kernel.gz
MD5 (kernel.gz) = 5f29c8b44ca5210ff96c3d8baf96658d

http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz
MD5 (FreeBSD.vmem.gz) = c0fffa1e6b7ad5f601b9f825468efa68 (64MB)

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"