macOS Memory Dump (RAM Capture)

macOS · Memory & Live State · Memory Dump

Location

No on-disk location; acquired live from the running system with osxpmem, MacQuisition, or RECON ITR (physical RAM capture, written to an output image).

Description

Complete physical memory capture of a running macOS system, including all active process address spaces, kernel structures, Mach port tables, network connection state, loaded kernel extensions (kexts), and cached filesystem data. Acquisition needs kernel-level read access to physical memory, which on macOS means loading a kernel extension (osxpmem ships MacPmem.kext) or an equivalent privileged driver. Because SIP and the kext policy block unapproved third-party kexts, the capture tool must either be approved by the user (or MDM), or SIP must be relaxed; on Apple Silicon, third-party kexts load only after the boot security policy is set to Reduced Security from Recovery. Plan the acquisition before the incident: changing security policy requires a reboot, which destroys the volatile state you want.

Forensic Value

Memory analysis is essential for detecting macOS-specific fileless threats, injected dylibs, and kernel extensions that leave minimal disk footprint. Volatility (kernel profiles in Volatility 2, symbol tables generated from the matching kernel build in Volatility 3) can enumerate processes, including ones hidden from ps, by cross-referencing several kernel views of the process population (the approach behind Volatility 2's mac_psxview); recover keychain master-key candidates from securityd's memory (mac_keychaindump, paired with chainbreaker to decrypt the login keychain); list active network connections with owning-process attribution (mac_netstat / mac.netstat); and enumerate loaded kexts for comparison against a known-good baseline (mac_lsmod / mac.lsmod). Every Volatility result depends on symbols for the exact kernel version of the capture, so record the OS build (sw_vers, uname -a) at acquisition time. On Apple Silicon Macs, memory acquisition is more constrained (a kernel driver loads only after the boot security policy is lowered, and most of the tools listed here predate Apple Silicon), so memory-aware live triage of the running system is increasingly important. In-memory-only implants used by advanced threat actors leave little or nothing on disk, so a memory capture or live memory-aware triage is usually the only way to recover them.
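The three checks named above (cross-view process hiding, connection-to-process attribution, and third-party kext review) are easy to automate once plugin output has been exported. The script below is an added example for this page, not code from Volatility, Rekall or any tool listed here. The record shapes it consumes (per-view PID tables, netstat-style rows, lsmod-style rows) are assumed simplifications of what plugins such as mac.pslist, mac.netstat and mac.lsmod report, and all sample data is constructed; check the column names of your installed Volatility version before feeding real output in.

```python
"""Triage helpers over Volatility-style macOS memory analysis output.

Added example, not code from Volatility, Rekall or the tools on this page.
Record shapes are ASSUMED simplifications of plugin output; all data below
is constructed for the demonstration.
"""
import json

# Constructed: the same process population as seen from several kernel
# structures. A cross-view listing (the idea behind Volatility 2's
# mac_psxview) compares them: a PID missing from allproc but still reachable
# via the PID hash or task list is the classic sign of DKOM-style hiding.
PROCESS_VIEWS = {
    "allproc":   {1: "launchd", 312: "WindowServer", 4410: "Safari", 5120: "Python"},
    "pid_hash":  {1: "launchd", 312: "WindowServer", 4410: "Safari", 5120: "Python", 6011: "kworker"},
    "task_list": {1: "launchd", 312: "WindowServer", 4410: "Safari", 5120: "Python", 6011: "kworker"},
}

# Constructed netstat-style rows: (proto, local_addr, local_port, remote_addr,
# remote_port, state, owning_pid). The owning PID is what the analyst needs;
# a connection is only as trustworthy as the process that holds it.
CONNECTIONS = [
    ("TCP", "192.168.1.20", 52144, "17.253.144.10", 443, "ESTABLISHED", 4410),
    ("TCP", "192.168.1.20", 52190, "203.0.113.45", 8443, "ESTABLISHED", 6011),
    ("TCP", "0.0.0.0", 22, "0.0.0.0", 0, "LISTEN", 312),
    ("UDP", "192.168.1.20", 5353, "0.0.0.0", 0, "", 1),
]

# Constructed lsmod-style rows: (bundle_id, version, load_address).
KEXTS = [
    ("com.apple.driver.AppleAPFS", "1933.141.2", 0xffffff7f80f20000),
    ("com.apple.filesystems.apfs", "1933.141.2", 0xffffff7f81000000),
    ("com.example.helper", "1.0", 0xffffff7f85a00000),
]


def hidden_pids(views, primary="allproc"):
    """PIDs present in any secondary view but absent from the primary one.

    Returns {pid: {"comm": name, "seen_in": [view, ...]}}.
    """
    primary_pids = set(views[primary])
    hidden = {}
    for name, procs in views.items():
        if name == primary:
            continue
        for pid, comm in procs.items():
            if pid not in primary_pids:
                entry = hidden.setdefault(pid, {"comm": comm, "seen_in": []})
                entry["seen_in"].append(name)
    return hidden


def process_name(views, pid):
    """Resolve a PID to a command name from whichever view still has it."""
    for procs in views.values():
        if pid in procs:
            return procs[pid]
    return None


def attribute_connections(conns, views):
    """Join each connection to its owner and record why it is suspicious."""
    hidden = hidden_pids(views)
    findings = []
    for proto, laddr, lport, raddr, rport, state, pid in conns:
        comm = process_name(views, pid)
        reasons = []
        if pid in hidden:
            reasons.append("owner hidden from allproc")
        if comm is None:
            reasons.append("owner not present in any process view")
        findings.append({
            "pid": pid, "comm": comm, "proto": proto, "state": state,
            "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}",
            "reasons": reasons,
        })
    return findings


def third_party_kexts(kexts, trusted_prefixes=("com.apple.",)):
    """Loaded kexts whose bundle ID is outside the trusted namespace."""
    return [k for k in kexts if not k[0].startswith(trusted_prefixes)]


def triage(views=PROCESS_VIEWS, conns=CONNECTIONS, kexts=KEXTS):
    """Run all three checks and return only the items worth a second look."""
    return {
        "hidden_processes": hidden_pids(views),
        "suspicious_connections": [
            f for f in attribute_connections(conns, views) if f["reasons"]
        ],
        "third_party_kexts": third_party_kexts(kexts),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2, default=str))
```

On the constructed data the report flags PID 6011 ("kworker", a Linux-style name with no place on macOS) as hidden from allproc, attributes its outbound connection on port 8443 to it, and lists com.example.helper as the only non-Apple kext. A bundle ID outside com.apple. is not proof of anything by itself (EDR agents and virtualization products ship kexts), so treat that list as a review queue, not a verdict.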

Tools Required

osxpmem (Rekall's macOS acquisition tool; Rekall is archived and no longer maintained)
Volatility 3 (and Volatility 2 for mac_psxview and mac_keychaindump)
MacQuisition (BlackBag, now Cellebrite)
RECON ITR (SUMURI)
Rekall (archived)