We have developed a tool to extract the contents of volatile memory of Apple Macs running recent versions of OS X, which has not been possible since OS X 10.4. This paper recounts our efforts to test the tool and introduces two visualization techniques for that purpose. We also introduce four metrics for evaluating physical memory imagers: correctness, completeness, speed, and the amount of "interference" an imager causes to the state of the machine. We evaluate our tool by these metrics and then show that visualization using dotplots, a technique borrowed from bioinformatics, can be used to reveal bugs in the implementation and to evaluate the correctness, completeness, and amount of interference of an imager. We also introduce a visualization we call the density plot, which shows the density of repeated pages at various addresses within an image. We use these techniques to evaluate our own tool and Apple's earlier tools, and to compare physical memory images to the hibernation file.
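The sketch below is an added example, not code from the paper or its tool: it computes the data behind a page-level dotplot of two memory images and a per-window repeated-page density. The 4 KiB page size, SHA-256 page hashing, the reading of "density" as the fraction of pages in an address window whose content occurs more than once in the image, and all function names are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

PAGE_SIZE = 4096  # assumed page size; the abstract does not state one

def page_digests(image, page_size=PAGE_SIZE):
    """Hash every full page so pages can be compared cheaply."""
    return [hashlib.sha256(image[off:off + page_size]).digest()
            for off in range(0, len(image) - page_size + 1, page_size)]

def dotplot(a, b):
    """Points (i, j) where page i of image a equals page j of image b."""
    index = defaultdict(list)
    for j, digest in enumerate(b):
        index[digest].append(j)
    return sorted((i, j) for i, d in enumerate(a) for j in index.get(d, ()))

def diagonal_fraction(points, n_pages):
    """Share of pages identical at the same address in both images.

    A correct, low-interference acquisition shows a strong main diagonal;
    gaps or shifted runs point at imager bugs or changed machine state.
    """
    return sum(1 for i, j in points if i == j) / n_pages

def density(digests, window):
    """Per address window: fraction of pages repeated elsewhere in the image."""
    counts = Counter(digests)
    result = []
    for start in range(0, len(digests), window):
        chunk = digests[start:start + window]
        result.append(sum(1 for d in chunk if counts[d] > 1) / len(chunk))
    return result

def _page(tag):
    """Constructed test page: one byte value repeated to fill a page."""
    return bytes([tag]) * PAGE_SIZE

# Constructed sample images (not real memory): page 4 differs and the
# content of reference page 4 reappears one page later in the acquired image.
REFERENCE = b"".join(_page(t) for t in (1, 2, 0, 0, 3, 4, 0, 5))
ACQUIRED = b"".join(_page(t) for t in (1, 2, 0, 0, 9, 3, 0, 5))

if __name__ == "__main__":
    ref, acq = page_digests(REFERENCE), page_digests(ACQUIRED)
    points = dotplot(ref, acq)
    print("off-diagonal:", [(i, j) for i, j in points if i != j])
    print("diagonal fraction:", diagonal_fraction(points, len(ref)))
    print("density per 4-page window:", density(ref, 4))
```

Plotting the `dotplot` points as a scatter and the `density` list as a bar chart against address gives the two views; the zero-filled pages produce the off-diagonal block that repeated content always creates in a dotplot.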