volafox project is most famous memory forensic toolkit for Mac OS X. This programs have been developed with the python language. volafox analyze physical memory image on Intel x86 and IA-32e. If you use this tool for digital investigation, you can find information related rootkit and malware. and dump it on your evidence(memory image). volafox project has two programs between volafox(Mac OS X) and volafunx(FreeBSD). For further information, please check a link

Lastest version : volafox-0.9 – README



volafunx, another tool in volafox project, is unique tool for analyzing FreeBSD memory image. It have been developed with the python language. volafunx support Intel x86 & IA-32e architecture. It is experimental project now.

GPT Parser

GPT is partition management method on EFI environment replaced BIOS. this tool can parse the Primary/backup GPT Header and each partition table entry. also, it can check CRC32 value for validation and provide partition type based on Partition GUID. For further information, please check a link

PE Viewer

Basic Tool for analyzing PE File Format. It is prototype tool and copy design with PeID ;p

Chain Breaker

Chain Breaker is tool that parse keychain structure called apple database and extract user’s confidential information. It show various information that application account/password, encrypted volume password(e.g. filevault), various communication protocol used authentication and so on. link


waliten, WAL for SQLite Analyzer, is write-ahead log analyzer for digital investigator. Write-Ahead Logging is journaling method for SQLite Database. Investigator can assume database action has happened recently though walitean. Please check a link

답글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다.