Showing posts from January, 2014

Passwords in Mac Memory

Folks who have been doing Mac forensics for a while may remember that the keyword "longname" could be used to find a user's login password in a memory image. This changed with OS X Lion (I believe). All is not lost: I have had luck finding the login password (usually my own) by searching for the following keyword in a memory capture:

"XpasswordZrecordtypeXfuncnameZrecordnameX"

I have reliably found the above on a few machines, but I can't say for sure if it is the norm. There is a bit of a chicken-and-egg problem with this, though: without the user's password you will most likely not be able to collect a memory image in the first place. I've not been able to dig into this much deeper, but my attempts to find this keyword in memory collected via FireWire or on boot have come up short. Given the difficulty of collecting a live memory image (not a bad thing from a security perspective), it's hard to think of many use cases for this keyword except:

1) In c
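The keyword search the post describes, written out as an added example (this is not the author's own tooling). It streams a memory capture in chunks, carrying the last len(marker)-1 bytes into the next chunk so a marker that straddles a chunk boundary is still found exactly once, reports each hit's offset, and by default masks printable runs around the marker so the report can be attached to a case file without copying the credential into it. The marker string is the one quoted in the post; the sample image builder and its "hunter2_EXAMPLE" filler are constructed for demonstration and stand in for a real capture.

```python
import io
import re
from typing import BinaryIO, Iterator, List, Tuple

# Keyword quoted in the post. Its presence near the login password is an empirical
# observation from a few machines, not a documented record format.
MARKER = b"XpasswordZrecordtypeXfuncnameZrecordnameX"

# Memory captures run to gigabytes, so the image is streamed in chunks, never read whole.
CHUNK_SIZE = 64 * 1024 * 1024

# A printable-ASCII run of four or more bytes: the shape a stored credential usually has.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def iter_marker_offsets(image: BinaryIO, marker: bytes = MARKER,
                        chunk_size: int = CHUNK_SIZE) -> Iterator[int]:
    """Yield the absolute offset of every occurrence of `marker` in `image`.

    The last len(marker)-1 bytes of each chunk are carried into the next one, so a
    marker that straddles a chunk boundary is still found, and found only once.
    """
    if not marker:
        raise ValueError("marker must be non-empty")
    overlap = len(marker) - 1
    tail = b""   # bytes carried over from the previous chunk
    base = 0     # absolute image offset of buf[0]
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        pos = buf.find(marker)
        while pos != -1:
            yield base + pos
            pos = buf.find(marker, pos + 1)
        if len(buf) > overlap:
            tail = buf[-overlap:]
            base += len(buf) - overlap
        else:
            tail = buf  # buffer shorter than the overlap: keep all of it, base unchanged


def redact(window: bytes, marker: bytes = MARKER) -> bytes:
    """Mask printable runs around the marker so a report can go into a case file
    without copying the credential itself; the marker stays visible for verification."""
    pieces = window.split(marker)
    masked = [_PRINTABLE_RUN.sub(lambda m: b"*" * len(m.group(0)), p) for p in pieces]
    return marker.join(masked)


def scan_image(image: BinaryIO, marker: bytes = MARKER, chunk_size: int = CHUNK_SIZE,
               before: int = 32, after: int = 128,
               redacted: bool = True) -> List[Tuple[int, bytes]]:
    """Return (offset, context) for every hit. Offsets are collected first because
    reading each context window seeks the same file object."""
    offsets = list(iter_marker_offsets(image, marker, chunk_size))
    hits = []
    for off in offsets:
        start = max(0, off - before)
        image.seek(start)
        window = image.read((off - start) + len(marker) + after)
        hits.append((off, redact(window, marker) if redacted else window))
    return hits


def scan_bytes(data: bytes, **kwargs) -> List[Tuple[int, bytes]]:
    """Convenience wrapper for in-memory data (small captures and tests)."""
    return scan_image(io.BytesIO(data), **kwargs)


def build_sample_image(size: int = 16384, record_offsets=(4086, 9000)) -> bytes:
    """Constructed stand-in for a memory capture: deterministic filler with a fake
    record (marker, NUL, placeholder credential, NUL) planted at each offset.
    4086 is chosen so the 41-byte marker crosses a 4096-byte chunk boundary."""
    # Step-31 filler can never contain the marker ('X' to 'p' is a step of 24).
    filler = bytearray((i * 31) % 256 for i in range(size))
    record = MARKER + b"\x00hunter2_EXAMPLE\x00"
    for off in record_offsets:
        filler[off:off + len(record)] = record
    return bytes(filler)


if __name__ == "__main__":
    # Small chunk size so the boundary-straddling case is exercised on the sample.
    for off, ctx in scan_bytes(build_sample_image(), chunk_size=4096):
        print(f"hit at 0x{off:08x}: {ctx!r}")
```

Run it against a real capture by passing an opened file to scan_image; pass redacted=False only when you actually need the surrounding bytes, since the masked form is what belongs in notes that leave your workstation. The overlap logic is the part that matters on real images: a naive chunked grep silently misses any hit that happens to land on a read boundary.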