A Study on Data Acquisition and Analysis Methods for macOS Memory Forensics

Vol. 34, No. 2, pp. 179-192, April 2024
DOI: 10.13089/JKIISC.2024.34.2.179
Keywords: macOS, Memory Forensics, OSXPmem, Volatility
Abstract

macOS presents challenges for memory data acquisition because of its proprietary system architecture, closed-source kernel, and security features such as System Integrity Protection (SIP), all of which are exclusive to Apple's product line. Consequently, conventional memory acquisition tools are often ineffective or require a system reboot. This paper analyzes the status and limitations of existing memory forensics research and tools for macOS, and investigates methods for memory acquisition and analysis across various macOS versions. Our findings include a practical memory acquisition and analysis process for digital forensic investigations that uses the OSXPmem and dd tools to acquire memory without rebooting the system, and Volatility 2 and Volatility 3 to analyze the acquired memory data.


Cite this article
[IEEE Style]
이정우 and 김도현, "A Study on Data Acquisition and Analysis Methods for Mac Memory Forensics," Journal of The Korea Institute of Information Security and Cryptology, vol. 34, no. 2, pp. 179-192, 2024. DOI: 10.13089/JKIISC.2024.34.2.179.

[ACM Style]
이정우 and 김도현. 2024. A Study on Data Acquisition and Analysis Methods for Mac Memory Forensics. Journal of The Korea Institute of Information Security and Cryptology, 34, 2, (2024), 179-192. DOI: 10.13089/JKIISC.2024.34.2.179.