You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Good morning,
I've been recently trying to use volafox to recover a keychain on my deceased relative's laptop, however I've been struggling to properly read the Physical Memory dump I've created.
I used MacPmem to dump the mem.aff4 file, moved it to a external hard drive and converted it to a Physical Memory file using rekall on an old(-ish) windows machine, however now that I have the file vol.py seems to have no use for it - every time I call it it asks me to generate an overlay.
Generating an overlay with the kernel file I extracted from the old Mac (running MacOS X 10.11 El Capitan) with the command python overlay_generator.py ./kernel ./macos10.11overlay (or realistically any variation of the file vol.py asks for) 32 (as it is a 32-bit mac from what I can tell)
When I run this I either get
an invalid overlay file (when using 64)
Invalid mach header (when using 32)
I'm doing this all on a MacBook Air 13-inch running macOS 12.1 Monterey with
python 2.7 (built-in) + pip 20.3.4
python 3.6 + pip 21.3.1 (hand installed to try and install rekall, which I failed to get running - something to do with GCC missing libraries, I gave up trying to figure it out and moved to a windows machine)
Currently obtained files:
mem.aff4 from MacPmem
Physical Memory from Rekall on Windows
information.turtle from Rekall on Windows
dev_pmem_information.yaml from Rekall on Windows
kernel from MacOS X 10.11 El Capitan Boot Drive
keychaindump from volafox
Keychain from MacOS X 10.11 El Capitan
The text was updated successfully, but these errors were encountered:
Good morning,
I've been recently trying to use volafox to recover a keychain on my deceased relative's laptop, however I've been struggling to properly read the
Physical Memorydump I've created.I used MacPmem to dump the
mem.aff4file, moved it to a external hard drive and converted it to aPhysical Memoryfile using rekall on an old(-ish) windows machine, however now that I have the filevol.pyseems to have no use for it - every time I call it it asks me to generate an overlay.Generating an overlay with the
kernelfile I extracted from the old Mac (running MacOS X 10.11 El Capitan) with the commandpython overlay_generator.py ./kernel ./macos10.11overlay(or realistically any variation of the filevol.pyasks for)32(as it is a 32-bit mac from what I can tell)When I run this I either get
64)Invalid mach header(when using32)I'm doing this all on a MacBook Air 13-inch running macOS 12.1 Monterey with
python 2.7 (built-in) + pip 20.3.4
python 3.6 + pip 21.3.1 (hand installed to try and install rekall, which I failed to get running - something to do with GCC missing libraries, I gave up trying to figure it out and moved to a windows machine)
Currently obtained files:
mem.aff4from MacPmemPhysical Memoryfrom Rekall on Windowsinformation.turtlefrom Rekall on Windowsdev_pmem_information.yamlfrom Rekall on Windowskernelfrom MacOS X 10.11 El Capitan Boot Drivekeychaindumpfrom volafoxThe text was updated successfully, but these errors were encountered: