When using Volatility with a memory image, what is the Kernel version?
The Volatility memory forensics framework github website lists these Mac profiles for OS 10.11:
Profiles
--------
MacElCapitan_10_11_15A284x64 - A Profile for Mac ElCapitan_10.11_15A284 x64
MacElCapitan_10_11_1_15B42x64 - A Profile for Mac ElCapitan_10.11.1_15B42 x64
MacElCapitan_10_11_2_15C50x64 - A Profile for Mac ElCapitan_10.11.2_15C50 x64
MacElCapitan_10_11_3_15D21_15D13bx64 - A Profile for Mac ElCapitan_10.11.3_15D21_15D13b x64
MacElCapitan_10_11_4_15E27ex64 - A Profile for Mac ElCapitan_10.11.4_15E27e x64
MacElCapitan_10_11_4_15E39dx64 - A Profile for Mac ElCapitan_10.11.4_15E39d x64
MacElCapitan_10_11_4_15E49ax64 - A Profile for Mac ElCapitan_10.11.4_15E49a x64
MacElCapitan_10_11_4_15E65x64 - A Profile for Mac ElCapitan_10.11.4_15E65 x64
MacElCapitan_10_11_5_15F18b_15F24bx64 - A Profile for Mac ElCapitan_10.11.5_15F18b_15F24b x64
MacElCapitan_10_11_5_15F34x64 - A Profile for Mac ElCapitan_10.11.5_15F34 x64
MacElCapitan_10_11_6_15G1004_15G1108x64 - A Profile for Mac ElCapitan_10.11.6_15G1004_15G1108 x64
MacElCapitan_10_11_6_15G1212x64 - A Profile for Mac ElCapitan_10.11.6_15G1212 x64
MacElCapitan_10_11_6_15G1217x64 - A Profile for Mac ElCapitan_10.11.6_15G1217 x64
MacElCapitan_10_11_6_15G12ax64 - A Profile for Mac ElCapitan_10.11.6_15G12a x64
MacElCapitan_10_11_6_15G1421x64 - A Profile for Mac ElCapitan_10.11.6_15G1421 x64
MacElCapitan_10_11_6_15G1510x64 - A Profile for Mac ElCapitan_10.11.6_15G1510 x64
MacElCapitan_10_11_6_15G1611x64 - A Profile for Mac ElCapitan_10.11.6_15G1611 x64
MacElCapitan_10_11_6_15G17023x64 - A Profile for Mac ElCapitan_10.11.6_15G17023 x64
MacElCapitan_10_11_6_15G18013x64 - A Profile for Mac ElCapitan_10.11.6_15G18013 x64
MacElCapitan_10_11_6_15G19009x64 - A Profile for Mac ElCapitan_10.11.6_15G19009 x64
MacElCapitan_10_11_6_15G19ax64 - A Profile for Mac ElCapitan_10.11.6_15G19a x64
MacElCapitan_10_11_6_15G20015x64 - A Profile for Mac ElCapitan_10.11.6_15G20015 x64
MacElCapitan_10_11_6_15G24b_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G24b_15G31 x64
MacElCapitan_10_11_6_15G7ax64 - A Profile for Mac ElCapitan_10.11.6_15G7a x64
The Mac I am trying to analyze has this About box:
Here is the uname output:
users-Mac:~ user$ uname -a
Darwin users-Mac.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
users-Mac:~ user$
I have tried all of the Volatility profiles and none of them work.
What does the string in the volatility profile after the 10_11_6_ mean, and how do I find it for my machine?
security memory volatility forensics
asked 5 hours ago by vy32
Did you redact that serial number or is it made up / virtual?
– bmike♦
5 hours ago
1 Answer
That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.
You can also run sw_vers to get easy build / version / marketing information from the command line.
answered 5 hours ago by jksoegaard; edited 5 hours ago by bmike♦
Thanks! Now if I could just get a Volatility profile for 15G31.
– vy32
3 hours ago
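Added example, not part of the question, the answer or the Volatility project: a POSIX shell script that (1) looks a build number up in the El Capitan profile list from the question, comparing each "_"-separated build token so that a combined profile such as MacElCapitan_10_11_6_15G24b_15G31x64 is found for 15G31, and (2) recovers the kernel version banner from a raw memory dump with grep -a. The function names, the constructed sample image and the use of sw_vers -buildVersion as the live-host source are this example's own assumptions; the banner text is the one from the question's uname output.

```shell
#!/bin/sh
# Added example (not code from the page or from Volatility): map a macOS
# build number to one of the El Capitan profile names listed in the question,
# and pull the xnu version banner out of a memory image. POSIX sh, awk, grep.

# Profile names copied from the listing in the question.
PROFILES='MacElCapitan_10_11_15A284x64
MacElCapitan_10_11_1_15B42x64
MacElCapitan_10_11_2_15C50x64
MacElCapitan_10_11_3_15D21_15D13bx64
MacElCapitan_10_11_4_15E27ex64
MacElCapitan_10_11_4_15E39dx64
MacElCapitan_10_11_4_15E49ax64
MacElCapitan_10_11_4_15E65x64
MacElCapitan_10_11_5_15F18b_15F24bx64
MacElCapitan_10_11_5_15F34x64
MacElCapitan_10_11_6_15G1004_15G1108x64
MacElCapitan_10_11_6_15G1212x64
MacElCapitan_10_11_6_15G1217x64
MacElCapitan_10_11_6_15G12ax64
MacElCapitan_10_11_6_15G1421x64
MacElCapitan_10_11_6_15G1510x64
MacElCapitan_10_11_6_15G1611x64
MacElCapitan_10_11_6_15G17023x64
MacElCapitan_10_11_6_15G18013x64
MacElCapitan_10_11_6_15G19009x64
MacElCapitan_10_11_6_15G19ax64
MacElCapitan_10_11_6_15G20015x64
MacElCapitan_10_11_6_15G24b_15G31x64
MacElCapitan_10_11_6_15G7ax64'

# Print every profile whose name carries the given build (e.g. 15G31).
# A profile such as MacElCapitan_10_11_6_15G24b_15G31x64 covers two builds,
# so each "_"-separated token is compared, not the whole suffix.
# Returns 1 when no listed profile matches.
profile_for_build() {
    printf '%s\n' "$PROFILES" | awk -v want="$1" '
        {
            name = $1
            suffix = name
            sub(/x64$/, "", suffix)          # drop the architecture marker
            n = split(suffix, parts, "_")    # MacElCapitan 10 11 6 15G24b 15G31
            for (i = 1; i <= n; i++)
                if (parts[i] == want) { print name; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Recover the xnu version banner from a raw dump. It is the same text that
# uname -v prints on the live host: it carries the Darwin version (15.6.0)
# and xnu build (3248.60.10~1) but not the 15G-style build number, so a dump
# alone cannot be matched on the About-box string. -a treats the binary file
# as text, -o prints only the matching part; real dumps hold several copies.
kernel_banner_from_image() {
    banner=$(grep -a -o 'Darwin Kernel Version [0-9.]*: [^;]*; root:xnu-[0-9.~]*/RELEASE_[A-Z0-9_]*' "$1" | head -n 1)
    [ -n "$banner" ] || return 1
    printf '%s\n' "$banner"
}

# Pull just the xnu build (e.g. 3248.60.10~1) out of a banner.
xnu_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*root:xnu-\([0-9.~]*\)\/RELEASE.*/\1/p'
}

# Constructed stand-in for a dump: the banner from the question's uname output
# between filler bytes, including NULs. Not a real memory image.
make_sample_image() {
    {
        printf 'filler-before-'
        dd if=/dev/zero bs=32 count=1 2>/dev/null
        printf 'Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64\n'
        printf 'filler-after-\n'
    } > "$1"
}

# Usage. On the live Mac, sw_vers -buildVersion gives the build to look up
# (guarded: sw_vers exists only on macOS). For a dump, scan for the banner.
if command -v sw_vers >/dev/null 2>&1; then
    build=$(sw_vers -buildVersion)
    profile_for_build "$build" || echo "no listed profile for build $build"
fi
sample=$(mktemp)
make_sample_image "$sample"
kernel_banner_from_image "$sample"
rm -f "$sample"
```

Because the banner gives only the Darwin version, every 10.11.6 profile in the list shares 15.6.0, and a dump with no known source machine has to be tried against each candidate until one parses; when the source machine is reachable, sw_vers -buildVersion narrows that to one name. In Volatility 2 the chosen name goes to --profile= once the profile zip is installed where vol.py --info lists it, and Volatility 2.6 also ships a mac_get_profile plugin that performs this banner scan against its installed profiles.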