macOS Memory Dump (RAM Capture)


Location

Acquired via osxpmem, MacQuisition, or RECON ITR (live capture from RAM)

Description

Complete physical memory capture of a running macOS system, including all active process address spaces, kernel structures, Mach port tables, network connection state, loaded kernel extensions (kexts), and cached filesystem data. Because System Integrity Protection (SIP) restricts loading unsigned kernel code, macOS memory acquisition requires either bypassing SIP or using specialized tools that work within its constraints.

Forensic Value

Memory analysis is essential for detecting macOS-specific fileless threats, injected dylibs, and kernel extensions that leave minimal disk footprint. Volatility macOS profiles can enumerate processes, including those hidden from ps, recover decrypted Keychain entries from memory, list active network connections with owning-process attribution, and identify suspicious loaded kexts. On Apple Silicon Macs memory acquisition is more constrained, so live triage with memory-aware tools is increasingly important. Implants that exist only in memory are detectable only through memory analysis.

Tools Required

osxpmem, Volatility 3, MacQuisition (BlackBag), RECON ITR, Rekall

Collection Commands

osxpmem (AFF4 container)

sudo osxpmem -o /forensics/memory_dump.aff4

osxpmem (raw format, for direct use with Volatility)

sudo osxpmem --format raw -o /forensics/memory_dump.raw

Volatility 3 (process listing)

vol3 -f /forensics/memory_dump.raw mac.pslist.PsList > /forensics/process_list.txt

Volatility 3 (network connections)

vol3 -f /forensics/memory_dump.raw mac.netstat.Netstat > /forensics/network_connections.txt
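The commands above capture the dump and run two Volatility plugins against it, but they do not record anything that lets an examiner later prove the file analysed is the file captured. The script below is an added example, not part of this page or of the osxpmem or Volatility projects: it wraps the same commands with a SHA-256 manifest written immediately after capture and re-checked after analysis, so a mismatch points to a transfer or storage problem rather than to the acquisition. It assumes osxpmem and vol3 are on PATH, that it runs as root, and uses the /forensics paths from the page; the manifest format is this example's own.

```shell
#!/bin/sh
# Added example (not the page's own code): integrity manifest around the
# page's osxpmem capture and Volatility 3 analysis commands.
# Assumes osxpmem and vol3 on PATH; /forensics is the page's example path.

DUMP_DIR="${DUMP_DIR:-/forensics}"

# Portable SHA-256: macOS ships shasum, most Linux analysis hosts ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append "<sha256>  <size-bytes>  <utc-timestamp>  <path>" to the manifest
# (constructed format for this example) and print the hash for the caller.
record_dump_integrity() {
    dump="$1"
    manifest="${2:-$dump.manifest}"
    [ -s "$dump" ] || { echo "dump missing or empty: $dump" >&2; return 1; }
    hash=$(sha256_of "$dump")
    size=$(wc -c < "$dump" | tr -d ' ')
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s  %s  %s  %s\n' "$hash" "$size" "$stamp" "$dump" >> "$manifest"
    echo "$hash"
}

# Re-hash the dump and compare with its most recent manifest entry.
# Returns 0 when unchanged, 1 when the hash differs or no entry exists.
verify_dump_integrity() {
    dump="$1"
    manifest="${2:-$dump.manifest}"
    expected=$(grep -F " $dump" "$manifest" 2>/dev/null | tail -n 1 | awk '{print $1}')
    [ -n "$expected" ] || { echo "no manifest entry for $dump" >&2; return 1; }
    actual=$(sha256_of "$dump")
    [ "$expected" = "$actual" ]
}

# Full procedure: capture (page's osxpmem command), hash at once, analyse
# (page's Volatility commands), then confirm the dump is still unchanged.
capture_and_hash() {
    dump="$DUMP_DIR/memory_dump.raw"
    sudo osxpmem --format raw -o "$dump" || return 1
    record_dump_integrity "$dump" >/dev/null || return 1
    vol3 -f "$dump" mac.pslist.PsList > "$DUMP_DIR/process_list.txt"
    vol3 -f "$dump" mac.netstat.Netstat > "$DUMP_DIR/network_connections.txt"
    verify_dump_integrity "$dump"
}

# Run the capture only when invoked as "./script.sh capture".
if [ "${1:-}" = "capture" ]; then
    capture_and_hash
fi
```

Run the hashing step on the capture host before the dump leaves it, and run verify_dump_integrity again on the analysis host after copying; the manifest travels with the dump and is the record to cite for chain of custody.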

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.

MITRE ATT&CK Techniques

T1055, T1003, T1014, T1620, T1055.004