Passwords in Mac Memory

Folks who have been doing Mac forensics for a while may remember that the keyword "longname" could be used to find a user's login password in a memory image.  This changed with OS X Lion (I believe).  All is not lost, I have had luck finding the login password (usually my own) by searching for the following  keyword in a memory capture:

 "XpasswordZrecordtypeXfuncnameZrecordnameX"

I have reliably found the above on a few machines but I can't say for sure if it is the norm.

There is a bit of chicken and egg with this though, without the user's password you will most likely not be able to collect a memory image in the first place.  I've not been able to dig into this much deeper but my attempts to find this keyword in memory collected via Firewire or on boot have come up short. Given the difficultly collecting a live memory image (not a bad thing from a security perspective) its hard to think of many use cases for this keyword except:

 1) In cases where the user has allowed you to collect memory (knowingly or unknowingly) but has not overtly given you their password. 

2) Using an exploit to allow a memory image without user authorization (a questionable tactic at best).

3)  The password is found in a Firewire memory image (locked the heck down now) or RAM image collected at boot. (I've not had luck in either case).

If you have had luck with any of the above or have a more reliable keyword please let me know...



Popular posts from this blog

OS X Location Information: Where Has That MacBook Been?

Malware Fingerprinting

Apple Location Service Seed Database