4

(Take a Macbook Pro 2017 Sierra 10.12.5 for example.)

What I had done was I downloaded osxpmem-2.1.post4.zip (vouched by ponderthebits.com/.., itself by google.com/..), unzipped it with finder, created a folder Memory_Captures and:

sudo chown -R root:wheel osxpmem.app/

..and:

sudo osxpmem.app/osxpmem -o Memory_Captures/mem.aff4

I wonder if this is a good strategy in the future. Perhaps an alternative is to powerbutton-off the laptop and then bootup a USB Linux which does not "touch" the RAM, but does the very act of power disconnection affect the RAM contents?

What's a better strategy to recover RAM data of a running Macbook Pro?

Pacerier
  • 3,263
  • 6
  • 34
  • 61

1 Answers1

5

The best strategy depends on what your constraints and goals are. A quick answer...

Perhaps an alternative is to powerbutton-off the laptop and then bootup a USB Linux which does not "touch" the RAM

All bootable systems will touch memory. Lighter systems touch less, but still some. However, the memory will be scrambled with a (weak) LFSR algorithm, so the memory you read will need to be broken using cryptanalysis. It is possible, but it's not as simple as running strings on the dump.

does the very act of power disconnection affect the RAM contents?

The act of resetting the system will typically cause the LFSR scrambling seed to change. The BIOS may also wipe some (or all) memory. In that way, the act of turning on power changes memory contents, even if the act of cutting power does not. Additionally, every instant that power source is disconnected from the memory modules, more data is lost. The time without power must be minimal.

Software

This is a common technique where a privileged program is made to read all memory on the system. It is typically fast and does not risk hardware damage or loss of all data, but it can "taint" the memory with its own presence. Additionally, as it is capturing memory from a running system, there can be a bit of memory smear. This is an issue with two distant physical addresses that correspond to a contiguous region of memory. When accessing the memory is not atomic, you can have a snapshot of data from different points in time. The earlier addresses will be from an earlier point in time than the later addresses. There is an excellent paper explaining this issue and the various workarounds for different types of memory acquisition.

The Volatility framework has many plugins for live analysis of memory on a system. It can, for example, dump arbitrary process memory for subsequent analysis. Unlike most other "raw" memory acquisition techniques, Volatility works with the system to maximize the relevance of memory dumps. However it is also quite invasive and uses a lot of memory. This is only an issue if the memory you want to retrieve is present in unallocated memory.

Direct Memory Access

When a PCI/PCIe device has been configured by a driver to become bus master, it will be able to initiate DMA reads and writes to arbitrary locations in memory. The speed of data acquisition then depends entirely on the transfer rate of the device. Common devices used are Firewire, Thunderbolt, and CardBus, which all have DMA capabilities. Custom PCIe devices can be hotplugged which also read memory contents. PCIe natively supports hotplugging, whereas legacy PCI may be damaged by live hotplugging. This technique has the benefit of not tainting memory with any software, but it has the same downside as the above method where atomicity is not guaranteed.

While not technically considered DMA, another way to gather memory from a running system is the IEEE 1149.1 debugging protocol, called JTAG. This involves a hardware probe being attached to a specific header on the motherboard. A signal is sent to the CPU that puts it into probe mode, turning it into a puppet. The CPU can be halted and memory read, making this technique capable of obtaining an atomic snapshot of memory. The downsides are that not all motherboards support JTAG, probe hardware can be quite expensive on older systems, and reading memory over a debugging interface is very slow.

Cold boot attack (reboot into a live system)

For this kind of cold boot attack, the system is rebooted into a system with a small memory footprint that reads the memory. This works because a reboot does not actually power down memory, leaving the previous contents intact. The downside is that the software you boot into will still need to eat up a small amount of memory. The laziest technique with the biggest footprint would be a live Linux OS. A slightly more complex technique that has a smaller footprint would be a custom bootloader. Finally, you can even write a custom BIOS that reads the contents of memory and exports it to another system, e.g. over a serial bus.

Unlike the above two options, this provides atomicity. As soon as power to the DRAM is cut (whether due to the actual memory modules being removed, or the system being rebooted), the entire contents of memory are frozen in time, providing a perfect snapshot. This can provide legally effective evidence, as you do not have to prove that your acquisition technique did not modify memory. There is a downside to this technique though. As it involves hardware, there is a greater chance of the contents of memory being destroyed. If you make a mistake, you can't go back and try again. Another issue is with the behavior of the BIOS. During the POST test, memory may be wiped for automated pre-boot testing. ECC memory is actually required to be wiped by the BIOS and put in a consistent state. Some of this behavior is described here, specifically in the context of the behavior being abused to mitigate cold boot attacks.

Cold boot attack (memory transfer)

A cold boot attack of this type exploits the memory remanence property of modern DRAM. To store a single bit of data, DRAM charges a capacitor. Every 64ms, the memory controller will check the contents of the capacitor and refresh it if necessary. To read a bit, the voltage of the capacitor is read. While, for reliability, they need to be refreshed every 64ms due to heavy leakage (they are very small capacitors), they can still often be read even seconds from the last refresh. This allows a system to be turned off and still retain memory for a split second. Exploiting this requires physically removing memory from the system (ideally after blasting it with ice-cold coolant to slow the memory decay) and transferring it to a system you control. This has no memory footprint as no programs must be stored on the modules, but it does carry with it a greater risk of memory loss. Every instant the memory is powered off, the chances that the capacitors fully leak their charge increases.

Applicable to both cold boot attack techniques, modern memory (DDR3 and DDR4) uses a technique called memory scrambling to reduce electrical interference caused by successive bursts of 1s or 0s which could overload the controller. Memory scrambling utilizes an encryption algorithm called LFSR. However, this algorithm is highly vulnerable to a number of cryptoanalytic techniques. You must keep in mind that a cold boot attack will likely require that you break the LFSR.

I wrote more about cold boot attack techniques in another question.

forest
  • 65,613
  • 20
  • 208
  • 262
  • Re "time without power must be minimal"; Is this measured by seconds or at least minutes? **¶** Re "relevance of memory dumps"; Since a memory is either captured or not captured, what would "relevance" mean? **¶** Re "interface is very slow"; Is it finishable within a day or are we talking about weeks? **¶** Re "laziest technique with the biggest footprint"; Does "laziest" mean literally "laziest" (least effort) or do you mean something else? **¶** Re "POST test, memory may be wiped"; Typically do modern laptops still do that? **¶** Re "memory scrambling"; Btw this link is broken. – Pacerier Mar 02 '18 at 19:59
  • https://www.cert.org/digital-intelligence/tools/afterlife.cfm -- used to work on MacBook Pros in 2015 (to even grab the FVDE key material), but sometime in 2016 there have been some implementations that are resistant to it, I believe beyond LFSR. I know I found research that detailed this sometime last year but can't find those sources now and didn't bookmark it, but I do run across it, I'll update with another comment. Thank you for a detailed answer. – atdre Mar 02 '18 at 21:17
  • @Pacerier Measured in seconds or fractions of a second. Relevance means avoiding unnecessary memory (e.g. if you only care about browser process memory, not taking a snapshot of a video player). JTAG is slow, but it should finish in a day or two. Laziest meaning least effort. Modern laptops do indeed wipe memory on POST, or at least a small amount of memory. Link fixed. – forest Mar 02 '18 at 23:09