volafox

Introduction

volafox a.k.a 'Memory Analyzer for Mac OS X' is developed on python 2.x

System Environment

Lang: Python 2.x
Arch: Intel x86/64(0.7 alpha1<=)
Requirement

• Kernel Symbol List
• overlay data (0.7 alpha1<=)

• Memory Image
• Linear File Format(Firewire or VMware memory image) (0.7 alpha1<=)

Information

1. Machine Information
   
2. Mounted Filesystem
   
3. Process List
   
4. KEXT information
   
5. System Call List
   
6. Detecting System Call Hooking
   
7. KEXT Dump(0.6 beta1 fixed1<=)
   
8. Process Dump (0.6 beta1<=)
   
9. Network Information (0.7 alpha1<=)

Example file

Hosted by DFRC (Korean Digital Forensic Research Center)

http://forensic.korea.ac.kr/volafox/files/SnowLeopard/MemoryImage.zip
Memory Image(512MB) - SHA1: D315D78979645C1C0CA7D8FAEF105EB1168320EA

volafunx(experiment)

Introduction

Memory Analyzer for FreeBSD
Tested OS: FreeBSD x86 7.x, 8.x
Requirement

• Kernel Image(kernel)
• Memory Image

1. KLD list
2. KLD dump
3. System call hooking detection
4. Process list(LIST, HASH) (0.2 beta2<=)
5. Process dump (HASH)
6. Network Information (IP, Port, flag) (0.2 beta2<=)
7. Module list in KLD (0.2 beta1<=)
   

Example file

(little challenge for testing: I write some message using 'vi' but, it doesn't save text file because of my mistake. you can find 'secret' message in this memory image.)

http://forensic.korea.ac.kr/volafox/files/FreeBSD8/kernel.gz
MD5 (kernel.gz) = 5f29c8b44ca5210ff96c3d8baf96658d

http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz
MD5 (FreeBSD.vmem.gz) = c0fffa1e6b7ad5f601b9f825468efa68 -> 64MB