Thursday, October 31, 2013

How to get Volatility working with OS X Mavericks?

Update: The Volatility Team has included my code changes so just grab the latest code to work on a Mavericks or 10.8.5 sample. You will still need the profiles below.

Until Volatility officially supports OS X Mavericks and Mountain Lion 10.8.5, here are the steps to get it going:

  1. Check out the latest Volatility code from the repository (v2.3):

     svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only

  2. Download the following files and place them in their respective folders:

     File                         Destination
     Mavericks_10.9_AMD.zip       volatility-read-only/volatility/plugins/overlays/mac/Mavericks_10.9_AMD.zip
     MountainLion_10.8.5_AMD.zip  volatility-read-only/volatility/plugins/overlays/mac/MountainLion_10.8.5_AMD.zip
     common.py                    volatility-read-only/volatility/plugins/mac/common.py
     lsof.py                      volatility-read-only/volatility/plugins/mac/lsof.py
     netstat.py                   volatility-read-only/volatility/plugins/mac/netstat.py

  3. And you should be done! It looks like only the check_trap_table plugin has issues, but that should be taken care of soon. Have fun!
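The placement step above as an added shell helper (not from the original post): it copies the five downloaded files into the paths listed, refuses to continue if a download is missing or the target directory does not look like a Volatility checkout, and then asks vol.py for its profile list so you can confirm the new Mac profiles were picked up. The download directory, the checkout path and the profile-name grep are assumptions.

```sh
#!/bin/sh
# install_mac_files <download-dir> <volatility-read-only checkout>
# Copies each file from the post into its destination folder.
install_mac_files() {
    src="$1"   # directory holding the five downloaded files (assumed)
    root="$2"  # the volatility-read-only checkout (assumed)
    # filename:destination pairs, exactly as listed in the post
    for pair in \
        "Mavericks_10.9_AMD.zip:volatility/plugins/overlays/mac" \
        "MountainLion_10.8.5_AMD.zip:volatility/plugins/overlays/mac" \
        "common.py:volatility/plugins/mac" \
        "lsof.py:volatility/plugins/mac" \
        "netstat.py:volatility/plugins/mac"; do
        name="${pair%%:*}"
        dest="$root/${pair#*:}"
        if [ ! -f "$src/$name" ]; then
            echo "missing download: $name" >&2
            return 1
        fi
        if [ ! -d "$dest" ]; then
            echo "not a Volatility checkout: $dest does not exist" >&2
            return 1
        fi
        cp "$src/$name" "$dest/$name" || return 1
    done
    return 0
}

# Sanity check after copying: vol.py --info lists every profile it can
# load, so the new Mac profiles should show up. The grep pattern is an
# assumption about how the profile names are rendered.
verify_profiles() {
    root="$1"
    ( cd "$root" && python vol.py --info 2>/dev/null ) \
        | grep -i -e 'mavericks' -e 'mountainlion'
}
```

Run `install_mac_files ~/Downloads ./volatility-read-only && verify_profiles ./volatility-read-only`; an empty result from the second step means the overlay zips are not being loaded from the folder you copied them to.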