Converting a memory image from raw to padded

Convert a Linux memory image from a raw (where the System RAM ranges have been concatenated together) to a padded image, provided the early boot messages were present in the kernel ring buffer at the time of imaging. Includes Python code to convert an image automatically. Update 2016-06-29: The code on Github has been updated… leer más

Extracting FileVault 2 Keys with Volatility

This is a volatility plugin which can recover FileVault 2 Volume Master Keys from memory, based on a certain pattern. It has been briefly tested on OS X 10.9 – 10.11. Plugin on GitHub here [https://github.com/tribalchicken/volatility-filevault2]. This is aVolatility Framework [http://volatilityfoundation.org] plugin which is capable of recovering the… leer más