dump RAM from El Capitan
How can I acquire the RAM in raw form with El Capitan installed?
Thank you
MacBook Air, Mac OS X (10.7.5)
Please detail what you are specifically trying to do.
A case study for the university: I should acquire the RAM of my Mac in raw format, and then analyze it with an editor.
Sorry, I'm not solved
Help me
Your question is not clear. RAM (without power) is empty.
colinoweb wrote:
Sorry, I'm not solved
Help me
You marked it solved, so if it wasn't, you shouldn't have done that. More to the point, your question is incredibly confusing. I have no idea what it is you want our help with.
Of course, I'm talking about a PC turned on ...
With older OS versions I used memoryze terminal, but with El Capitan it does not work.
A tool called OSXPmem worked up through Yosemite. It most likely doesn't work in El Capitan because of SIP. I suppose you could try disabling SIP and then see if it works.
I tried OSXpmem, but it returns an error on loading pmem.kext:
Cannot load kext ./pmem.kext
dump_memory(833): Failed to load kext (Undefined error: 0)
Interesting university....
Nothing works, because RAM is managed completely differently in the last OSXs, a sort of "time compression", which means you cannot distinguish between internal buffering/allocation/prioritizing.
There is a lot of information in Activity Monitor about the RAM, but not what you are looking for. Borrow a Mac with Snow Leopard or Lion for this study.
Of course the Apple hardware/OS development department perhaps can help you to make a RAM dump...
Lex
Did you try it with SIP disabled? It still may not work.
Lexiepex wrote:
Nothing works, because RAM is managed completely differently in the last OSXs
That would be incorrect. As I already pointed out, OSXpmem worked in Yosemite, which is, I believe, one of the "last OSXs".
colinoweb wrote:
I tried OSXpmem, but it returns an error on loading pmem.kext:
Cannot load kext ./pmem.kext
dump_memory(833): Failed to load kext (Undefined error: 0)
I don't know if you have the latest version. See this page if you haven't already.
http://www.rekall-forensic.com/docs/Tools/
You would still need to disable SIP to install and run I would think. If it works at all anymore.
Too bad I'm using my Mac.
I own only this one, and I do not think I should downgrade it just for testing.
Through virtualization or Boot Camp you could install a variety of other OSes, many of which are free (not the pre-Win 10 Windows ones, obviously).