Talk

OS X RAM forensic analysis – Extracting encryption keys and other secrets

conf 2019-11-07 11:30 – 12:20 TR1 FR

Memory is full of incredible artefacts. Some of them are secrets used for security purposes, such as encryption keys. Acquiring memory and analysing it in order to find such secrets could help you get around some security measures. This talk is about a Bachelor thesis written this summer at HEIG-VD. It will present the results obtained and the methodologies used to recover treasures from memory. It will then explain how to use the recovered artefacts to gain access to protected data. The research focuses on Apple's disk encryption solution, FileVault 2, and some common password managers you may be using. The work was performed in an OS X environment, but the same methodologies could be applied to other systems.