I'm having a hard time putting together a definitive how-to guide on best practices for collecting and analyzing Mac OS memory via CrowdStrike.

Does CrowdStrike provide any how-to's or best practices for collecting Mac OS volatile memory via RTR or similar methods?

Since we're all remote, there's really no good way for us to implement a policy where a physical device is delivered to our team, which is going to limit the collection of forensics.

Fortunately, with RTR, there are many options; however, I'm caught in the catch-22 of trying to dump memory without running it over first by downloading/installing 3rd party tools to attempt to get the job done. I really like the AutoMac python script, but this runs into the same issue: volatile memory is written over when we start to run live commands on the machine to install the tool and gather data. I'd prefer to at least take a dump of memory prior to running through AutoMac/additional tools for forensics data.

I understand this is a rather large topic, but really any help or pointers in the right direction would be appreciated.

You didn't answer the question regarding MDM, that's the crucial step in this (for lowering the administration burden). I might simply just misunderstand you u/edibleclovers223; if that's the case, sorry!
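The post's underlying worry is order of volatility: every download or install on the host overwrites state that has not been captured yet. The script below is an added illustration of the low-footprint approach that concern implies, not code from the thread, from CrowdStrike or from the AutoMac project. It runs only commands already present on the host (no third-party install), captures the most volatile items first, and hashes each output into a manifest so the collection can be verified later; the output directory layout, the command list and the manifest format are my assumptions. It is deliberately a triage collector, not a physical memory dump, which still requires a dedicated acquisition tool.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal-footprint volatile triage.
# Uses only tools already on the host, captures in order of volatility, and
# records a SHA-256 per artifact so later analysis can detect tampering.
# Output directory, command list and manifest layout are assumptions.

# Pick whichever SHA-256 tool the host has (macOS ships shasum; Linux sha256sum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$1"); echo "${h%% *}"
    elif command -v shasum >/dev/null 2>&1; then
        h=$(shasum -a 256 "$1"); echo "${h%% *}"
    elif command -v openssl >/dev/null 2>&1; then
        h=$(openssl dgst -sha256 "$1"); echo "${h##* }"
    else
        echo "nohash"
    fi
}

# collect_volatile DIR: run built-in commands, most volatile first, into DIR.
# Each artifact is logged in DIR/MANIFEST.txt as "OK name digest" or
# "SKIP name (reason)" when the host lacks that binary.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST.txt"
    : > "$manifest"
    # Clock and identity first, then processes, sockets, open files, environment.
    for spec in "date_utc:date -u" "uname:uname -a" "id:id" "ps:ps aux" \
                "netstat:netstat -an" "lsof:lsof -nP" "env:env"; do
        name=${spec%%:*}
        cmd=${spec#*:}
        bin=${cmd%% *}
        if ! command -v "$bin" >/dev/null 2>&1; then
            echo "SKIP $name ($bin not on host)" >> "$manifest"
            continue
        fi
        out="$outdir/$name.txt"
        sh -c "$cmd" > "$out" 2>&1
        echo "OK $name $(hash_file "$out")" >> "$manifest"
    done
    return 0
}

# verify_manifest DIR: recompute every OK artifact's digest; non-zero on mismatch.
verify_manifest() {
    outdir="$1"
    manifest="$outdir/MANIFEST.txt"
    [ -f "$manifest" ] || return 1
    rc=0
    while read -r status name digest; do
        [ "$status" = "OK" ] || continue
        if [ "$(hash_file "$outdir/$name.txt")" != "$digest" ]; then
            echo "MISMATCH $name" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage (assumed): . ./triage.sh; collect_volatile "/Volumes/EVIDENCE/$(hostname)-triage"
```

Because the collector touches nothing beyond what the OS already provides, it can be staged as a single script and run before any heavier tooling is pulled onto the host; the manifest then gives the analyst a check that the triage output was not altered between collection and review.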