Obtaining the volatile data stored in RAM through the process of RAM imaging has always been an essential part of Digital Forensics. RAM imaging provides examiners a means of obtaining invaluable information to assist with investigations; for example:
Imaging RAM in the Mac environment has always been difficult as Mac RAM is protected by default. Additionally, Kernel Extensions (more commonly known as KEXTs) are required to image the RAM. KEXT files are bundles that interact with the operating system’s kernel, granting them elevated privileges that are required to image RAM on a Mac.
Unfortunately, due to the ever-changing world that is macOS, RAM imaging may become impossible in the near future on live systems due to Apple’s notarization process.
Apple requires software to be notarized to run on newer versions of macOS. Software that is not notarized by Apple will be labeled as malicious and prevented from being run permanently in future versions of macOS. Their security restrictions prohibit the use of most KEXTs–including those utilized in RAM imagers.
Apple did this to further increase security by limiting the number of applications that use the kernel and have elevated permissions. Unless Apple were to revert these security restrictions, acquiring volatile data on a live system will be impossible since the KEXTs required cannot be utilized.
SUMURI has been proactive and has completed notarization well ahead of the release of macOS 11. RAM imaging, which utilizes KEXTs, does not pass Apple’s notarization process and, therefore, had to be removed.
Until Apple fully bans RAM imaging (or until a workaround is found), there are some tips that we can offer in an attempt to image Mac RAM.
Remember, Mac RAM is protected so imaging may or may not be successful.
In the best-case scenario, the Mac would be up and running, and the desktop would be accessible.
In the worst-case scenario, the Mac is powered off, it is not currently plugged in, and the password is unknown.
IMAGING MAC RAM FROM A SOFT RESTART
Below is a step by step guide on how to acquire RAM using RECON IMAGER.
Please ensure your RECON IMAGER is fully updated before proceeding. We have instructions on updating your RECON IMAGER in our Manual Section 15.
1. Connect your RECON IMAGER to the machine you’re trying to acquire.
2. Perform a Soft Restart (Apple Menu > Restart > Immediately holding the Option Key). This will allow you to enter the boot menu without fully turning off the computer.
3. Boot to your RECON IMAGER USB by selecting either Mode A, B, or C, depending on the Mac.
4. Select the RAM Imager Tab on the top of the window.
5. Click ‘Refresh’ to poll any attached devices.
6. Choose your ‘Destination’ drive.
7. Provide your image with a name in the “Label” field.
8. Optional – Fill out the case information.
9. Click ‘Start.’
More information about RAM Imaging with RECON IMAGER can be found in Section 12 of our RECON IMAGER Manual.
IMAGING MAC RAM FROM THE DESKTOP
The last version of RECON ITR that included a RAM Imager to capture from the Desktop was version 1.0.0. This version is still accessible by clicking the button below:
Please follow these instructions to image RAM using version 1.0.0 of RECON ITR:
Connect your RECON ITR live SSD to the system you wish to acquire
2. Start the Application
3. Select the RAM Imager button on the left side of the window
4. Choose your output directory
5. Enter the Administrator Password and select what hashes you wish to use
6. Select ‘Start’
More instructions on how to image RAM using RECON ITR can be found in Section 22 of the RECON ITR Manual.
RECON ITR contains two versions of RECON IMAGER–a live version and a bootable version. Combining the two versions helps to cover as many situations as possible.
RECON ITR joins RECON IMAGER PRO and RECON TRIAGE. Giving examiners all the tools they need to acquire and preserve Intel-based Macs, including the ability to triage live running systems and generate comprehensive reports on their findings.
For more information about RECON ITR, click on the button below: