This video shows how to analyze physical memory of a Mac OS X 10.9 (Mavericks) system to recover OTR chats; PGP Mail messages; Calendar, Contact, and Notes entries; and how to decrypt the Keychain Access database.
For more information on Volatility or memory forensics in general, see:
Text to speech narration:
This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility.
First, you’ll see the suspect, Robin, chatting with Sarah with OTR (Off-the-Record) encryption enabled. When Sarah sends Robin her address, he marks the meeting in his calendar and saves the address in his contacts.
Robin then logs into his email to receive a PGP encrypted message from Sarah. His secret key passphrase is retrieved from Apple Keychain. You see that this reveals a picture of a fancy bomb, which Robin saves to his desktop.
He then replies to the email with a list of URLs he’s been researching on homemade bomb construction.
The list was kept in the Notes application, along with several other notes that he doesn’t view during this session. We then suspend the virtual machine to simulate capturing the suspect’s physical memory.
We set the Volatility location and profile and then list the processes. You can see the process IDs for the applications involved in most of the user’s activity.
Now we’ll investigate the user’s contacts. The mac_contacts plugin scans for fragments of SQLite database files and reports the contact names. You can then use the mac_yarascan plugin to inspect the memory around those names. For example, in this case, the “Agent Cooper” string is found next to the telephone numbers and email addresses of all the other contacts, including Sarah.
The mac_volshell plugin allows you to interactively explore those memory regions, where you see Sarah’s address.
The next command helps us locate memory-resident cached files, in particular the user’s primary keychain database. Then the mac_dump_file plugin can be used to retrieve it from memory.
The file is encrypted, so we must use mac_keychaindump, a port of the volafox project’s tool, to extract a list of possible keys from the memory dump.
We download the chainbreaker utility and try to crack the database with each of the potential keys. You can see the results include the user’s mail password and GPG private key passphrase.
Don’t forget about the user’s chats. Although they were encrypted on the wire by OTR, they’re plaintext in memory. The mac_adium plugin extracts the messages to individual text files, which also include dates and timestamps.
Lastly, let’s get the process ID of the Mail application. This is where the unencrypted PGP mail contents can be located. We use mac_yarascan to locate instances of the CSS class that encapsulates email bodies for display in the user interface.
Then we use mac_volshell to interpret the data as a Unicode string and print it to the screen. Finally, we search the cached file list for items in the Mail Downloads folder. This is where we find the attachment, which can be extracted and analyzed.
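As an added illustration of the yarascan-plus-volshell steps described above (not code from the video or from Volatility), the following Python scans a constructed memory buffer for an anchor string, lists the phone numbers and email addresses found near a contact name, and decodes the UTF-16 text that follows a CSS-class marker; the marker name, the contact, and all values are constructed placeholders.

```python
"""Added example: mimic the mac_yarascan / mac_volshell steps on a constructed
memory image. Nothing here is Volatility code; the marker is a placeholder
standing in for the real CSS class shown in the video."""
import re

# Constructed sample "memory": a contact record in ASCII, then a mail body
# stored as UTF-16LE right after a (placeholder) CSS-class marker.
BODY_MARKER = b"MAIL_BODY_CSS_CLASS_PLACEHOLDER"   # not Apple's real class name
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"Agent Cooper\x00+1-555-0100\x00cooper@example.invalid\x00"
    + b"\x00" * 8
    + BODY_MARKER + b"\x00\x00"
    + "Meet me at 742 Evergreen Terrace".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)

PHONE_RE = re.compile(rb"\+?\d[\d\-() ]{6,}\d")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+")


def find_anchor(mem, needle):
    """Return every byte offset of needle in mem (what yarascan reports)."""
    return [m.start() for m in re.finditer(re.escape(needle), mem)]


def context_indicators(mem, offset, window=256):
    """Carve phone numbers and email addresses within +/- window bytes."""
    lo, hi = max(0, offset - window), min(len(mem), offset + window)
    chunk = mem[lo:hi]
    return {"phones": [m.decode() for m in PHONE_RE.findall(chunk)],
            "emails": [m.decode() for m in EMAIL_RE.findall(chunk)]}


def carve_utf16(mem, start, limit=4096):
    """Decode a UTF-16LE string from start up to the first aligned 00 00."""
    end = start
    while end + 1 < len(mem) and end < start + limit:
        if mem[end] == 0 and mem[end + 1] == 0:
            break
        end += 2                      # step by code unit to keep alignment
    return mem[start:end].decode("utf-16-le", errors="replace")


def recover_mail_bodies(mem, marker=BODY_MARKER):
    """For each marker hit, skip padding NULs and decode the body that follows."""
    bodies = []
    for off in find_anchor(mem, marker):
        start = off + len(marker)
        while start < len(mem) and mem[start] == 0:
            start += 1
        bodies.append(carve_utf16(mem, start))
    return bodies
```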