Which tools can I use to analyze memory dumps in macOS?
I am trying to analyze memory dumps from specific processes on the MacOS. I am using commands:
lldb --attach-pid 1041
process save-core "core"
And the size of the file core
is 3.3GB. With the same application process on Windows I've go 150 MB and on linux 600 MB. Makes it hard to analyze it at that size.
What are reliable tools for the analyzing mem-dumps on MacOS, regarding looking for the sensitive data?
Solution 1:
The reason for the memory dump being so big is that the application has mapped that much memory. It might not actually be "using" it, but it could mapped in the way of memory mapped files, or just "blank" (unused) space.
In terms of tools for analysing memory dumps, it depends entirely on what you're looking for and whether or not you know the internal data structures of the application you're analysing.
If this is a third party application, you do not have the source code for, and you're looking for sensitive data in the form of text - I would run the memory dump through the strings
program:
strings core
An idea could be to save this intermediate result, and use that for later searching:
strings core > text
grep searchstring text
If you want to have a tool that actually understands the contents of the memory dump (for example to differentiate between different types of memory mappings), you can use Rekall. Note that it is unfortunately no longer maintained for macOS.