Recovering the filesystem
The methods of dealing with the filesystem in macOS memory are, again, nothing unique. First of all, we can examine the open file descriptors of a process using the mac_lsof plugin. Its launch, as well as the output format, does not differ from the corresponding plugin for Linux.
As you see, here we can also use the -p option to identify a specific process and see the files related to it. In addition, we can collect information about all the files stored in the file cache. The mac_list_files plugin will help us with this.
You can use the mac_recover_filesystem plugin to export files. Of course, Volatility also has the mac_dump_file plugin, for exporting specific files, but at the moment, this plugin shows poor results with the latest versions of macOS. The process for starting the mac_recover_filesystem plugin...
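The three steps above (open descriptors of one process, the full file cache listing, and the export of cached files) run as one pass in the following added example, which is not from the original text or from Volatility itself. It assumes vol.py is on PATH, that IMAGE, PROFILE and PID_OF_INTEREST are placeholders you replace with your own values, and that mac_recover_filesystem takes its output directory with -D (check vol.py mac_recover_filesystem -h for your Volatility version); the SHA-256 manifest at the end is there so the exported files can be verified later.

```shell
#!/bin/sh
# Added example: drive Volatility 2's macOS filesystem plugins and record
# hashes of everything that was exported. All paths and the profile name
# below are placeholders (assumptions), not values from the original text.
set -eu
IMAGE="${IMAGE:-/evidence/mac-memory.lime}"            # placeholder image
PROFILE="${PROFILE:-MacHighSierra_10_13_6_17G65x64}"   # placeholder profile
PID_OF_INTEREST="${PID_OF_INTEREST:-0}"                # placeholder PID
OUTDIR="${OUTDIR:-./recovered_fs}"

# Run one plugin against the image and keep its text output beside the export.
run_plugin() {
  plugin="$1"; shift
  vol.py -f "$IMAGE" --profile="$PROFILE" "$plugin" "$@" > "$OUTDIR/$plugin.txt"
}

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Write a SHA-256 manifest for every regular file below a directory and
# print the number of files hashed (the caller can check it against the
# count reported by mac_list_files / mac_recover_filesystem).
manifest() {
  dir="$1"; out="$2"
  : > "$out"
  find "$dir" -type f ! -name "$(basename "$out")" | sort | while read -r f; do
    hash_file "$f" >> "$out"
  done
  wc -l < "$out"
}

main() {
  mkdir -p "$OUTDIR/files"
  run_plugin mac_lsof -p "$PID_OF_INTEREST"              # descriptors of one process
  run_plugin mac_list_files                               # every file in the cache
  run_plugin mac_recover_filesystem -D "$OUTDIR/files"    # export cached files (-D assumed)
  manifest "$OUTDIR/files" "$OUTDIR/manifest.sha256"
}

# Only touch vol.py when explicitly asked, so the helper functions can be
# sourced and tested without a memory image.
if [ "${RUN_VOLATILITY:-0}" = 1 ]; then main; fi
```

Run it as RUN_VOLATILITY=1 IMAGE=... PROFILE=... PID_OF_INTEREST=... sh recover.sh; the manifest lists one hash per exported file.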