Introduction to Mac RAM Analysis
The newest project from the LCDI will be a Mac RAM analysis. Last semester, the LCDI investigated the forensic artifact locations produced by user activity in Apple’s newest version of OS X, El Capitan. Those findings were then compared to our previous report on El Capitan’s predecessor, OS X Yosemite (Mac Forensics Report). Macs have been growing in popularity for years and are now firmly established among the devices the average consumer wants. To ensure that research keeps pace with a rapidly changing market, this semester’s Mac team will be responsible for recovering artifacts from RAM and reporting our results through this blog.
Random access memory is a valuable resource to forensic examiners because it contains volatile data that is never written to the hard drive. Crucial information from active processes can be found in a machine’s RAM, including messages from open instant-messenger conversations, recently sent and received emails, other internet activity, and the active user’s password. It can even hold secure messages in plaintext, captured before the encryption that renders them unreadable once they are sent.
In 2012, the LCDI conducted a similar project analyzing Mac RAM dumps. That project compared Mac Memory Reader by ATC-NY and Memoryze for Mac by FireEye as capture tools; the RAM dumps were analyzed with WinHex. The conclusion was that the two utilities showed no significant difference in the artifacts that could be found and read from captured memory. As a result, we will use only one capture tool and focus directly on how much actual content can be pulled from a Mac’s RAM and analyzed.
Since those tools are now outdated, we will first research which modern RAM capture and analysis tools are compatible with OS X El Capitan. Once we have chosen a tool, we will perform scripted data generation, capture the memory of an active session, and then analyze the capture and report what we find.
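The analysis step described above (and the string-level review WinHex was used for in the 2012 project) amounts to carving readable text out of a raw memory image and sorting it into artifact types. The script below is an added illustration, not LCDI code and not the output of any capture tool: it carves ASCII and UTF-16LE strings from a small constructed byte buffer that stands in for a RAM dump, then classifies them as email addresses, URLs, or plain strings with their offsets. The `SAMPLE_DUMP` contents are invented for the example; on a real capture you would call `find_artifacts()` on the bytes of the dump file instead.

```python
import re

# Constructed stand-in for a memory image: noise bytes interleaved with the
# kinds of text the post says RAM can hold (an e-mail header, a URL, and an
# instant-message fragment stored as UTF-16LE, which is common for GUI apps).
# This is NOT a real capture.
SAMPLE_DUMP = (
    b"\x00\x13\x37\xff"
    + b"From: alice@example.org\r\n"
    + b"\x00" * 7
    + b"https://example.org/inbox?id=42"
    + b"\x90\x90\x00"
    + "Hey Bob, meeting at 5?".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
    + b"sho" + b"\x00" + b"rt"   # runs shorter than MIN_LEN are ignored
)

MIN_LEN = 6  # shortest printable run worth reporting (same idea as `strings -n 6`)

# Regexes for carving: a run of printable ASCII, and a run of printable ASCII
# where every character is followed by a NUL byte (UTF-16LE text).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Artifact classifiers applied to each carved string.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def carve_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in `data`."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_artifacts(data: bytes):
    """Classify carved strings into email addresses, URLs and other strings.

    Returns {"email": [(offset, value)], "url": [...], "string": [...]},
    each list sorted by offset so hits can be located in a hex editor.
    """
    found = {"email": [], "url": [], "string": []}
    for off, _enc, text in carve_strings(data):
        emails = EMAIL_RE.findall(text)
        urls = URL_RE.findall(text)
        for e in emails:
            found["email"].append((off, e))
        for u in urls:
            found["url"].append((off, u))
        if not emails and not urls:
            found["string"].append((off, text))
    for hits in found.values():
        hits.sort()
    return found


def report(data: bytes) -> str:
    """Render the artifact table as text, one line per hit with a hex offset."""
    lines = []
    for kind, hits in find_artifacts(data).items():
        for off, value in hits:
            lines.append(f"{off:#010x}  {kind:<7}  {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real dump: data = open("capture.raw", "rb").read()
    print(report(SAMPLE_DUMP))
```

Two carving passes are deliberate: the ASCII pass cannot see UTF-16LE text because of the interleaved NUL bytes, so a single `strings`-style scan would miss the chat message entirely. Offsets are reported so each hit can be revisited in a hex editor for surrounding context, which is where the process or application that owned the data usually becomes apparent.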
We will be sharing our progress and findings in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org.