Macbook 2017 os x


Macs don’t get much love in the forensics community, aside from Sarah Edwards, Patrick Olsen, Patrick Wardle, and a few other incredibly awesome pioneers in the field. We see blog posts all the time about Windows forensics and malware analysis techniques, along with some Linux forensic analysis, but rarely do we see any posts about Mac technical/forensic analysis or techniques. I find this odd, considering the surge in usage and deployment over the last several years, particularly within enterprises. Well, with my most recent two part Mac post as well as this one, I’m attempting to change this, my friends! Macs need love and disk/memory analysis as well, amirite? Let’s have a look at memory acquisition of OSX systems using a nifty tool called OSXpmem. OSXpmem is a part of the pmem suite created by the developers of Rekall. Rekall itself is actually a very useful utility built for both memory acquisition and live memory analysis on Windows, Linux, and OSX systems.