Document Type
Conference Proceeding
Publication Date
2012
Abstract
Memory analysis has become a critical capability in digital forensics because it provides insight into system state that cannot be fully represented through traditional media analysis. The volafox open source project has begun the work of structured memory analysis for OS X, with support for a limited set of kernel structures. This paper addresses one memory analysis deficiency on OS X by introducing a new volafox module that parses the file handles associated with running processes. The module outputs information comparable to that of the UNIX lsof (list open files) command, whose output is used to validate the results.
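As an added illustration of what such a module does (this is not the authors' volafox module and not volafox code), the Python below walks a constructed memory image along a proc -> filedesc -> fileproc -> fileglob -> vnode chain, emits lsof-style rows, and diffs them against a constructed lsof listing in the spirit of the validation the abstract describes. Every struct layout, field order, image base address and type constant here is a hypothetical stand-in chosen for the example, not XNU's real offsets; the sample image and the lsof text are constructed inline.

```python
"""Added illustration: recover per-process open file handles from a constructed
memory image and diff them against an lsof listing.  All layouts below are
hypothetical stand-ins, not XNU's real structures."""
import struct
from collections import namedtuple

BASE = 0x1000          # assumed virtual address of byte 0 of the image (identity map)
MAX_FDS = 65536        # sanity bound on fd_nfiles; anything larger is treated as corrupt
FG_VNODE, FG_SOCKET = 1, 2
VTYPES = {1: 'VREG', 2: 'VDIR', 3: 'VCHR'}      # hypothetical v_type encoding

# Hypothetical little-endian layouts (field order invented for this example)
PROC = '<QI16s4xQ'     # next proc, pid, comm[16], pad, p_fd -> filedesc
FILEDESC = '<QI4x'     # fd_ofiles -> fileproc*[], fd_nfiles
FILEPROC = '<Q'        # f_fglob -> fileglob
FILEGLOB = '<IIQ'      # fg_type, fg_flag, fg_data -> vnode (or socket)
VNODE = '<QI4x'        # v_name -> C string, v_type

Handle = namedtuple('Handle', 'comm pid fd kind name')


class Image:
    """Flat byte image; every read is bounds-checked so bad pointers raise."""
    def __init__(self):
        self.buf = bytearray()

    def alloc(self, data):
        addr = BASE + len(self.buf)
        self.buf += data
        return addr

    def read(self, addr, size):
        off = addr - BASE
        if off < 0 or off + size > len(self.buf):
            raise ValueError('pointer 0x%x outside image' % addr)
        return bytes(self.buf[off:off + size])

    def u64(self, addr):
        return struct.unpack('<Q', self.read(addr, 8))[0]

    def cstr(self, addr, limit=256):
        end = min(addr + limit, BASE + len(self.buf))
        if end <= addr:
            raise ValueError('pointer 0x%x outside image' % addr)
        return self.read(addr, end - addr).split(b'\0', 1)[0].decode('ascii', 'replace')


def list_handles(img, proc_head):
    """Walk proc -> filedesc -> fd_ofiles[] -> fileproc -> fileglob -> vnode and
    yield one Handle per open slot; closed slots are skipped, bad pointers reported."""
    seen, addr = set(), proc_head
    while addr and addr not in seen:            # cycle guard for a corrupted list
        seen.add(addr)
        nxt, pid, comm, p_fd = struct.unpack(PROC, img.read(addr, struct.calcsize(PROC)))
        comm = comm.split(b'\0', 1)[0].decode('ascii', 'replace')
        if p_fd:
            ofiles, nfiles = struct.unpack(FILEDESC, img.read(p_fd, 16))
            if nfiles > MAX_FDS:
                yield Handle(comm, pid, -1, 'corrupt', 'fd_nfiles=%d' % nfiles)
                nfiles = 0
            for fd in range(nfiles):
                try:
                    fp = img.u64(ofiles + 8 * fd)
                    if not fp:
                        continue                # closed descriptor slot
                    fg_type, _flag, fg_data = struct.unpack(FILEGLOB, img.read(img.u64(fp), 16))
                    if fg_type == FG_VNODE:
                        v_name, v_type = struct.unpack(VNODE, img.read(fg_data, 16))
                        yield Handle(comm, pid, fd, VTYPES.get(v_type, 'VBAD'), img.cstr(v_name))
                    elif fg_type == FG_SOCKET:
                        yield Handle(comm, pid, fd, 'sock', '0x%x' % fg_data)
                    else:
                        yield Handle(comm, pid, fd, 'unknown', 'fg_type=%d' % fg_type)
                except ValueError as err:
                    yield Handle(comm, pid, fd, 'badptr', str(err))
        addr = nxt


def build_sample_image():
    """Constructed image: two processes, one closed slot, a socket and a dangling
    fileproc pointer so the error paths above are exercised."""
    img = Image()
    vnode = lambda path, vt: img.alloc(struct.pack(VNODE, img.alloc(path.encode() + b'\0'), vt))
    fglob = lambda t, data: img.alloc(struct.pack(FILEGLOB, t, 0, data))
    fproc = lambda fg: img.alloc(struct.pack(FILEPROC, fg))

    def fdesc(fps):
        arr = img.alloc(b''.join(struct.pack('<Q', fp) for fp in fps))
        return img.alloc(struct.pack(FILEDESC, arr, len(fps)))

    fd_sshd = fdesc([fproc(fglob(FG_VNODE, vnode('/dev/null', 3))),
                     fproc(fglob(FG_SOCKET, 0xdeadbeef))])
    fd_launchd = fdesc([fproc(fglob(FG_VNODE, vnode('/dev/console', 3))),
                        0,                                   # fd 1 closed
                        fproc(fglob(FG_VNODE, vnode('/var/log/system.log', 1))),
                        0xFFFF0000])                         # fd 3: dangling pointer
    sshd = img.alloc(struct.pack(PROC, 0, 88, b'sshd', fd_sshd))
    launchd = img.alloc(struct.pack(PROC, sshd, 1, b'launchd', fd_launchd))
    return img, launchd


LSOF_SAMPLE = """COMMAND PID FD TYPE NAME
launchd   1  0u VCHR /dev/console
launchd   1  2w VREG /var/log/system.log
launchd   1  3u VREG /private/tmp/extra
sshd     88  0u VCHR /dev/null
"""                                        # constructed lsof-style output


def lsof_diff(handles, lsof_text):
    """Compare vnode handles recovered from memory with an lsof listing
    (COMMAND PID FD TYPE NAME); returns (missing_from_memory, extra_in_memory)."""
    from_memory = {(h.pid, h.fd, h.name) for h in handles if h.kind in VTYPES.values()}
    from_lsof = set()
    for line in lsof_text.strip().splitlines()[1:]:       # skip header row
        _comm, pid, fd, _kind, name = line.split(None, 4)
        from_lsof.add((int(pid), int(fd.rstrip('rwu')), name))
    return sorted(from_lsof - from_memory), sorted(from_memory - from_lsof)


if __name__ == '__main__':
    img, head = build_sample_image()
    handles = list(list_handles(img, head))
    for h in handles:
        print('%-8s %5d %3d %-8s %s' % h)
    print('missing from memory:', lsof_diff(handles, LSOF_SAMPLE)[0])
```

The diff deliberately ignores sockets and error rows, so a dangling pointer shows up as a `badptr` row in the memory listing and as a "missing from memory" entry in the comparison rather than silently disappearing; that is the discrepancy an analyst would want to see when comparing against a live lsof run.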
Recommended Citation
Hay, A., & Peterson, G. L. (2012). Acquiring OS X File Handles through Forensic Memory Analysis. UNESCO Systematic Approaches to Digital Forensics, 2012, 1–8.
Comments
AFIT Scholar furnishes a draft of this presentation.
Code related to this research is available at an external repository, licensed under the GNU GPL v2.
The link to the code repository will not be accessible from most DOD networks.