volafox & volafunx Memory Analyzer for Mac OS X & FreeBSD v0.2 Beta 2 released
volafox, a.k.a. ‘Memory Analyzer for Mac OS X’, is developed in Python 2.5
System Environment
Lang: Python 2.x
Requirement
- Mach Kernel Image
- Memory Image
- Loadable Kernel Version (volafox supports Intel x86 only so far)
Information
- Machine Information
- Mounted Filesystem
- Process List
- KEXT information
- System Call List
- Detecting System Call Hooking
- KEXT Dump
Example file
hosted by dfrc (digital forensic research center)
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/mach_kernel.zip
Mach Kernel Image – SHA1: D97D3B84B71D656186DB044486E4588620193A57
http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip
Memory Image(512MB) – SHA1: D315D78979645C1C0CA7D8FAEF105EB1168320EA
Kernel architecture: Intel x86
volafunx
Introduction
Memory Analyzer for FreeBSD
Tested OS: FreeBSD x86 7.x, 8.x
Requirement
- Kernel Image(kernel)
- Memory Image
Information
- KLD list
- KLD dump
- System call hooking detection
- Process list(LIST, HASH) (0.2 beta2)
- Process dump (HASH)
- Network Information (IP, Port, flag) (0.2 beta2)
- Module list in KLD (0.2 beta1)
Example file
(A little challenge for testing: I wrote some message using ‘vi’ but it didn’t save the text file because of my mistake. You can find the ‘secret’ message in this memory image.)
http://forensic.korea.ac.kr/volafox/files/FreeBSD8/kernel.gz
MD5 (kernel.gz) = 5f29c8b44ca5210ff96c3d8baf96658d
http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz
MD5 (FreeBSD.vmem.gz) = c0fffa1e6b7ad5f601b9f825468efa68 (64MB)
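Both example-file sections above publish a digest for each download (SHA1 for the Mac OS X kernel and memory image, MD5 for the FreeBSD kernel and memory image). Before loading an image into volafox or volafunx it is worth confirming that what you downloaded matches those digests, since a corrupted or altered image produces misleading analysis results. The script below is an added example, not part of the volafox/volafunx project; it hashes each file incrementally so a 512MB image never has to be read into memory at once. The expected digests are copied from this page, and the file names are assumed to match the download URLs.

```python
# Added example (not part of the volafox/volafunx release): verify the
# published example images against the digests listed on the page before
# analysis. The digests are the ones from the announcement; the file names
# are assumed to match the last path component of each download URL.
import hashlib
import io
import os
import sys

# Digests as published on the page (volafox files: SHA1, volafunx files: MD5)
EXPECTED = {
    "mach_kernel.zip": ("sha1", "D97D3B84B71D656186DB044486E4588620193A57"),
    "MemoryImage.zip": ("sha1", "D315D78979645C1C0CA7D8FAEF105EB1168320EA"),
    "kernel.gz": ("md5", "5f29c8b44ca5210ff96c3d8baf96658d"),
    "FreeBSD.vmem.gz": ("md5", "c0fffa1e6b7ad5f601b9f825468efa68"),
}

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image is never fully in RAM


def digest_stream(stream, algo):
    """Return the lowercase hex digest of a binary stream, hashed incrementally."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data, algo):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return digest_stream(io.BytesIO(data), algo)


def verify_stream(stream, algo, expected):
    """Compare a stream's digest with an expected hex digest, ignoring case
    and surrounding whitespace (digests are published in mixed case above)."""
    return digest_stream(stream, algo) == expected.strip().lower()


def verify_bytes(data, algo, expected):
    """Verify in-memory data against an expected hex digest."""
    return verify_stream(io.BytesIO(data), algo, expected)


def verify_file(path, algo, expected):
    """Verify a file on disk; a missing or unreadable file counts as a failure."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return verify_stream(f, algo, expected)


def verify_all(directory="."):
    """Check every published example file found in `directory`.
    Returns {name: True/False/None}; None means the file is absent."""
    results = {}
    for name, (algo, expected) in EXPECTED.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
        else:
            results[name] = verify_file(path, algo, expected)
    return results


if __name__ == "__main__":
    # Usage: python verify_images.py [directory containing the downloads]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, ok in verify_all(target).items():
        state = "missing" if ok is None else ("OK" if ok else "MISMATCH")
        print("%-20s %s" % (name, state))
```

Run it from the directory holding the downloaded archives; a MISMATCH means the file should be re-downloaded rather than analysed. Comparing the digest in lowercase matters here because the SHA1 values on the page are printed in uppercase while hashlib emits lowercase.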