Memory Test For Mac Os X

If you have recently upgraded your Mac's RAM, or if you are experiencing strange system crashes, it's a good idea to test the integrity of your memory modules using a free tool called memtest.

Essentially, memtest is a utility designed to stress test RAM for errors. Without getting overly technical in the explanation, memtest works by writing random data to the RAM, then verifying that the data written to the RAM is readable and without conflict. If errors are detected using this method, it typically means there is a faulty memory module, and that’s why memtest is such a valuable tool. Though it’s technical in nature, it’s quite easy to use, so let’s begin.

Download MemTest for Mac for Free

Memtest comes from the broader UNIX world and has been ported to Mac OS X. For whatever reason, some websites charge for the utility, but you should not need to pay for it: it is free and open source, and Mac versions are available from the developers as free downloads:

  • Download MemTest now (direct download link)

The above link downloads a zipped package installer that simply places the memtest port in /usr/bin and does nothing else.

Test your Mac's RAM

Once you have installed memtest for Mac, launch the Terminal and type the following command:

memtest all 2

This will immediately launch memtest, testing all modules twice (which is why the 2 is appended to the command). You can specify another number of passes by replacing that number, but two is fairly standard if you aren't experiencing anything unusual.

Memtest will take a little while (15+ minutes is not unusual) and you'll see an actively updated screen, like the screenshot above, showing the app's progress. Again, the command above tests your RAM twice, which is generally enough to detect errors, but for unusual system freezes and crashes it can be a good idea to test your memory for longer by removing the '2' and letting memtest run repeatedly until it is stopped. This is done by running memtest without a number of passes, like so:

memtest all

Without a number of passes at the end, the app runs until stopped, which you can do at any time by hitting Control+C in the Terminal window. Letting memtest run for a while consumes a lot of CPU cycles, so if you're going to run the utility on a Mac laptop be sure to plug it in first.
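For a long or unattended run it helps to keep a transcript and reduce the result to pass/fail. The script below is an added example, not code from the original page or from the memtest project: it runs the same "memtest all N" command (the bare "memtest all" when N is 0), streams the output to the screen and to a timestamped log, and classifies the transcript. It assumes the binary sits at /usr/bin/memtest, where the package installer places it, and it assumes that a detected error appears on a line containing "FAILURE" and that a clean run ends with a line starting "All tests passed"; the two transcripts at the bottom are constructed to exercise the classifier offline.

```python
"""Run memtest unattended, log the transcript, and reduce it to a verdict.

Added example, not the page's or the memtest project's code. Assumed: binary at
/usr/bin/memtest, failures printed on lines containing "FAILURE", and a clean run
ending with a line starting "All tests passed".
"""
import datetime
import subprocess
import sys
from pathlib import Path

MEMTEST = "/usr/bin/memtest"  # location used by the package installer described above


def classify_memtest_output(text):
    """Summarise a transcript: failure lines, clean pass, or an incomplete run."""
    lines = [line.strip() for line in text.splitlines()]
    failures = [line for line in lines if "FAILURE" in line]
    finished = any(line.startswith("All tests passed") for line in lines)
    return {
        "failures": failures,
        "passed": finished and not failures,
        # Neither marker seen: memtest froze, crashed or was interrupted. The
        # article treats a freeze or crash during the test as a sign of bad RAM.
        "incomplete": not finished and not failures,
    }


def run_memtest(passes=2, logdir=Path.home() / "memtest-logs"):
    """Run 'memtest all <passes>' ('memtest all' when passes is 0) and log it."""
    logdir.mkdir(parents=True, exist_ok=True)
    logfile = logdir / datetime.datetime.now().strftime("memtest-%Y%m%d-%H%M%S.log")
    args = [MEMTEST, "all"] + ([str(passes)] if passes > 0 else [])
    transcript = []
    with logfile.open("w") as log, subprocess.Popen(
        args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True
    ) as proc:
        try:
            for line in proc.stdout:      # stream: progress shown and logged live
                sys.stdout.write(line)
                log.write(line)
                transcript.append(line)
        except KeyboardInterrupt:         # Control+C ends an open-ended 'memtest all'
            proc.terminate()
    result = classify_memtest_output("".join(transcript))
    result["exit_status"] = proc.returncode
    result["log"] = str(logfile)
    return result


# Constructed transcripts (not real memtest output) to exercise the classifier.
CONSTRUCTED_CLEAN_RUN = (
    "Test sequence 1 of 2:\n  Stuck Address : ok\n"
    "Test sequence 2 of 2:\n  Stuck Address : ok\n"
    "All tests passed!  Execution time: 900 seconds.\n"
)
CONSTRUCTED_FAILED_RUN = (
    "Test sequence 1 of 2:\n"
    "  Stuck Address : FAILURE: possible bad address line at offset 0x1234\n"
)

if __name__ == "__main__":
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 2
    summary = run_memtest(n)
    print(summary)
    sys.exit(0 if summary["passed"] else 1)
```

Run it as `python3 memtest_run.py 2` (or `0` for an open-ended run you stop with Control+C); the exit status is 0 only when the transcript contains the pass marker and no failure lines, so it can be chained with other post-upgrade checks.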

Error Reports and Bad RAM

If any errors are reported, memtest will let you know. Likewise, if you run memtest and the utility freezes or crashes, that’s a pretty good indicator that your RAM is bad. If you’re running the test and you encounter any errors or freezes, you should return the memory modules to the place of purchase and get a replacement.

I’ve used this utility for a while now and never run into any problems with Mac RAM, but it does happen from time to time. If you have recently bought an upgrade it’s always a good idea to use this app to verify that what you bought is trouble-free.

General System Testing Routine

Testing RAM with memtest should be considered one step in a multi-step process of general system testing. That process should also include running Disk Utility to check hard disk health, by verifying the drive and repairing any problems that are found, and performing a general stress test of the processor and fans by placing the Mac under heavy load. These are all decent methods of general system testing, and are particularly worthwhile after upgrading components like RAM or a hard disk, or replacing hardware, whether for troubleshooting purposes or as part of an upgrade path.

This article is an overview of current methods and tools for volatile memory analysis of an Apple Mac OS X system; additional references for each subject are listed. This is not a guide for dumping or analysing memory.

The forensic analysis of a computer involves many complex and delicate tasks. To make an accurate and reliable copy of the data stored on hard disks, there are well documented and reliable procedures. The reasons are simple: the acquisition procedure is quite easy, so an expert is not strictly required, and there are plenty of examination tools available on the market that can be used to investigate the collected data. The acquisition of volatile memory is more complex and less reliable.

The Random-Access Memory (RAM) is an area of the computer which is used to store data while the computer is working on it. A large amount of clear text sensitive information resides only within the RAM, assuming that the OS will prevent unauthorized access and that when the computer is powered off the content will be unavailable.

It is quite obvious that we can lose evidence if we omit volatile data during an acquisition procedure. Additionally, a growing number of infections show us that the memory content will be the only place where evidence can be found.

From a forensic perspective, RAM is extremely important, because it gives an idea of what the computer was doing at the time of analysis. With the increasing number of Apple Macintosh computers in the industry, the investigation of Mac OS X RAM content is becoming very important.

Most standards and best-practice guidelines, such as the “Computer Security Incident Handling Guide” from NIST or RFC 3227 “Guidelines for Evidence Collection and Archiving”, include procedures for gathering volatile data: current network connections, running processes, user sessions, kernel parameters, open files, etc. The problem is that to acquire this data, tools like netstat, lsof and ifconfig must be executed. These tools collect only the obvious data, leaving most of the system’s memory unanalyzed. Moreover, they are executed from user mode, and even if statically linked they can print unreliable data because of a kernel-level modification. The perfect tool for collecting volatile data should not rely on the operating system (see the Tribble PCI device, [Carrier2003]).

A memory acquisition procedure should be usable in different environments, so in most cases it relies on a software solution and, if well designed, uses a very short collection process, if possible reduced to a single command, in order to minimize the impact on the machine.

Several methods may be used to acquire the memory of a Mac OS X system, all with some problems or limitations. What follows is a list of the most used procedures, some of them not specific to the Mac world.

This method, implemented for example in MacMemoryReader, uses a kernel extension to create temporary, read-only /dev/mem and /dev/pmap devices. /dev/mem provides the same functionality as /dev/mem on other Unix operating systems and gives access to physical memory of the following types, as defined by EFI: “available”, Loader Code, Loader Data, Bootstrap Code, Bootstrap Data, Runtime Code, Runtime Data, and, optionally, “reserved”.

It does not allow access to memory ports or memory-mapped I/O devices, so it cannot be used to write device drivers.

Superuser access is required to load the extension. In addition, since something is loaded into memory, a footprint is left in the memory itself, changing the state of the acquired system.

As a trivial alternative to the kernel extension, it is possible to use the kmem=1 boot-time argument. If the kernel supports the argument, this setting re-enables the kernel memory device. Since it is a boot-time argument, a reboot is required, so it is useless for the acquisition of a running computer.

This method uses a “feature” of the FireWire spec (OHCI-1394) that gives external FireWire devices read/write access to physical memory via DMA. Because this is DMA, the CPU/OS does not even know what is going on, so it may work regardless of whether the screen is locked. If not mitigated, Mac OS X prior to Lion 10.7.2 was vulnerable to this kind of attack; in Lion 10.7.2 it only works if a user is logged in.

Due to a FireWire bus limitation, only 2GB of memory can be dumped, so with the growing memory size of modern machines this method may be limited.

With specific hardware, Macs with only the newer Thunderbolt interface are also vulnerable. A summary of papers, attacks and tools related to the FireWire DMA attack can be found at Physical memory attacks via Firewire/DMA.

Powering off a computer clears the RAM, but not immediately! Research demonstrates that without power, memory chips may retain their values for a short period of time (from seconds to minutes), giving the possibility to read the full memory content. Additionally, if the chips are cooled, they may retain values for hours.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. Placing the key in memory was thought to be safe because the operating system protects it while running, and there was no way to get rid of the operating system without cutting power to the machine, which “everybody knew” would cause the keys to be erased.

If the computer is configured to go into sleep mode, the content of the memory is saved to /var/vm/sleepimage so that the exact state can be restored later; this file can be used to analyze the memory. It is not a perfect image of the running system, because a process is started to put the machine into sleep mode and that process influences the content itself, but a lot of valuable information can still be collected.

Having a memory dump is only the first step; methods to extract useful information from memory, such as open files, detailed information about each process (start/stop …), network status, etc., are still needed.

Compared to the Microsoft world, the Mac OS X tools are in a prehistoric era. As stated in the MacMemoryReader Readme.txt,

There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data.

In addition, the memory can be dumped in different formats (using different offsets), and this may make some investigation tools useless.

For example, MacMemoryReader, the plug-and-play dumper, dumps the data in Mach-O binary or raw format, while volafox (the analysis tool) requires the “linear” format (for the memory addressing mechanism, consult the Intel programmer's manual), unless you check out the head volafox version.
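The format mismatch above comes down to where each byte of physical memory sits in the file. The following converter is an added example and is not MacMemoryReader's or volafox's code; it assumes that the dump is a little-endian 64-bit Mach-O file in which every LC_SEGMENT_64 load command describes one range of physical memory, with vmaddr being the physical start address and fileoff/filesize locating the bytes inside the dump. It rewrites such a dump into a flat image where byte i is physical address i, zero-filling holes that no segment covers, and it validates the header fields before trusting them because a dump is untrusted input. The two-segment dump built by build_constructed_dump() is constructed for the demonstration.

```python
"""Flatten a Mach-O style memory dump into a linear, physical-address-ordered image.

Added example, not MacMemoryReader's or volafox's code. Assumed layout: each
LC_SEGMENT_64 describes one physical range (vmaddr = physical start address,
fileoff/filesize = where its bytes live in the dump file).
"""
import io
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O magic (little-endian on Intel Macs)
LC_SEGMENT_64 = 0x19       # load command type for 64-bit segments
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
# segment_command_64: cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize,
#                     maxprot, initprot, nsects, flags
SEGMENT_FMT = "<II16sQQQQiiII"


def parse_segments(dump):
    """Return [(phys_addr, fileoff, filesize), ...] sorted by physical address."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, dump, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O file")
    off = struct.calcsize(HEADER_FMT)
    end = off + sizeofcmds
    segments = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds (corrupt header)")
        cmd, cmdsize = struct.unpack_from("<II", dump, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad load command size (corrupt header)")
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEGMENT_FMT, dump, off)
            vmaddr, fileoff, filesize = fields[3], fields[5], fields[6]
            if fileoff + filesize > len(dump):
                raise ValueError("segment data lies outside the dump file")
            segments.append((vmaddr, fileoff, filesize))
        off += cmdsize
    return sorted(segments)


def write_linear(dump, out):
    """Write the flat image to a seekable binary file object; return its size.

    Seeking past the current end before writing leaves a zero-filled hole, which
    covers physical ranges no segment describes (reserved or MMIO areas).
    """
    size = 0
    for addr, fileoff, length in parse_segments(dump):
        out.seek(addr)
        out.write(dump[fileoff:fileoff + length])
        size = max(size, addr + length)
    return size


def to_linear(dump):
    """In-memory convenience wrapper for small dumps."""
    buf = io.BytesIO()
    write_linear(dump, buf)
    return buf.getvalue()


def build_constructed_dump():
    """Constructed dump: 16 bytes at phys 0x00 and 8 bytes at phys 0x40, with a
    48-byte hole between them standing in for a reserved range."""
    segs = [(0x00, b"A" * 16), (0x40, b"B" * 8)]
    hdr_size, seg_size = struct.calcsize(HEADER_FMT), struct.calcsize(SEGMENT_FMT)
    data_off = hdr_size + seg_size * len(segs)
    cmds, body = b"", b""
    for addr, data in segs:
        cmds += struct.pack(SEGMENT_FMT, LC_SEGMENT_64, seg_size, b"__PHYSMEM", addr,
                            len(data), data_off + len(body), len(data), 7, 7, 0, 0)
        body += data
    # cputype 0x01000007 = x86_64, filetype 0xA = MH_CORE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 0xA,
                         len(segs), len(cmds), 0, 0)
    return header + cmds + body


if __name__ == "__main__":
    import mmap
    import sys
    if len(sys.argv) == 3:  # python macho2linear.py dump.macho out.raw
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m, \
                open(sys.argv[2], "w+b") as out:
            print("wrote %d bytes" % write_linear(m, out))
    else:
        print(to_linear(build_constructed_dump()))
```

For a real multi-gigabyte dump the command-line path maps the input with mmap and writes the output through seek/write, so holes become sparse regions rather than gigabytes of zeros held in memory; the header checks matter because a truncated or tampered dump would otherwise let a bad fileoff/filesize pair read past the file or write far beyond the expected image size.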

Some information can be extracted from the Mach-O dump format using the strings command and grepping for interesting sequences such as, for example, “Plongname”: around this string the currently logged-in username/password can be found.

But this is a trial-and-error method; just dumping strings and looking around may be useful, but it is prone to errors and very time consuming.
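Much of the time cost comes from eyeballing a huge strings listing for the few lines next to a known marker. The script below is an added example, not code from the original page; it folds the strings-then-grep workflow into a single pass that reports every occurrence of a signature with its file offset and the printable strings that start within a window around it, which is what an analyst actually wants to read. The dump bytes and the "longname" marker are constructed for the demonstration; real signatures depend on the OS version being analysed.

```python
"""Locate a known signature in a raw memory dump and list the strings around it.

Added example, not from the original page. The sample bytes and the marker are
constructed; they stand in for a slice of a real dump.
"""
import re

MIN_LEN = 4  # same default minimum run length as strings(1)


def printable_strings(data, min_len=MIN_LEN):
    """Return [(offset, text), ...] for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def strings_near(data, signature, window=32):
    """For each occurrence of signature, collect the strings whose start lies within
    +/- window bytes of it. Returns [(signature_offset, [(offset, text), ...]), ...]."""
    strings = printable_strings(data)
    hits = []
    pos = data.find(signature)
    while pos != -1:
        nearby = [(off, s) for off, s in strings if pos - window <= off <= pos + window]
        hits.append((pos, nearby))
        pos = data.find(signature, pos + 1)
    return hits


def report(hits):
    """Render hits as text: one line per signature offset, one per neighbouring string."""
    lines = []
    for pos, nearby in hits:
        lines.append("signature at 0x%08x" % pos)
        lines.extend("  0x%08x  %s" % (off, s) for off, s in nearby)
    return "\n".join(lines)


# Constructed stand-in for a slice of a dump: a path, binary noise, the marker
# followed by a user name, more noise, then strings that fall outside the window.
CONSTRUCTED_DUMP = (
    b"\x00" * 32
    + b"/Users/alice/Documents\x00"
    + b"\x01\x02" * 20
    + b"longname\x00alice\x00"
    + b"\xff" * 40
    + b"en0\x00/Volumes/Backup\x00"
)

if __name__ == "__main__":
    import mmap
    import sys
    if len(sys.argv) == 3:  # python sigsearch.py dump.raw longname
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(report(strings_near(m, sys.argv[2].encode())))
    else:
        print(report(strings_near(CONSTRUCTED_DUMP, b"longname")))
```

The window is deliberately small by default: widening it (window=64 on the constructed data already pulls in an unrelated path) reproduces the false positives the article warns about, so the marker, its offset and the window size should be recorded with any finding rather than treated as proof on their own.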

  • Mac Memory Reader: Mac Memory Reader is an easy-to-use command-line utility to capture the contents of physical RAM on a suspect computer, letting an investigator gather volatile state information prior to shutting the machine down. Results are stored in a Mach-O binary or raw-format file for later off-line analysis by the investigator. The “MacMemoryReader” can be downloaded from here.
  • volafox: Kyeong-Sik Lee and the Korean Digital Forensic Research Center have released Volafox, a free and open-source tool to analyze Mac OS X memory images. Volafox is based on work by Matthieu Suiche and the Volatility memory analysis framework. Volafox is the only open-source tool that can extract some memory information automagically; running volafox against a linear memory dump may extract the following information: os_version, machine_info, mount_info, kern_kext_info, kext_info, proc_info, syscall_info, net_info. “volafox” can be downloaded from here or checked out from http://volafox.googlecode.com/svn/trunk/. The svn checkout has the ability to read the MacMemoryReader format.
  • system tools: strings, which extracts runs of printable characters from a binary file, can be used to pull ASCII strings out of the image; otool, the object file displaying tool, displays specified parts of object files or libraries and can be used to look at the Mach-O export made with MacMemoryReader.
  • Goldfish: Goldfish is a free Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy-to-use interface to dump the system RAM of a target machine via a FireWire connection. It then automatically extracts the current user login password and any open AIM conversation fragments that may be available. A short presentation about Goldfish is available

The methods and tools to analyze a Mac OS X memory dump are still a work in progress; currently the only tool that can extract useful information from a memory image is “volafox”; the use of file carvers, strings and grep for known signatures is inefficient and may lead to false positives.

Basically, it is possible to use the following patterns:

  1. MacMemoryReader -> mach-O dump -> string/grep/otool -> some unorganized and informal results
  2. DMA memory dump -> volafox -> predefined set of information
  3. MacMemoryReader -> volafox -> predefined set of information

  • [Singh2006] A. Singh, Mac OS X Internals: A Systems Approach, Addison-Wesley Professional, 2006, Chapter 8
  • [Suiche2010] M. Suiche, Advanced Mac OS X Physical Memory Analysis, Black Hat 2010
  • [Halderman2008] J. A. Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, 2008
  • [Ligh2011] M. Ligh; S. Adair; B. Hartstein; M. Richard, Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, Wiley, 2011
  • [Boileau2006] A. Boileau, Hit by a Bus: Physical Access Attacks with FireWire, 2006
  • [Carrier2003] B. Carrier; J. Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, 2003

Mac OS X Memory Analysis, an overview (author: rcc, version 1)
