When using Volatility with a memory image, what is the Kernel version?












3















The Volatility memory forensics framework github website lists these Mac profiles for OS 10.11:



Profiles
--------
MacElCapitan_10_11_15A284x64 - A Profile for Mac ElCapitan_10.11_15A284 x64
MacElCapitan_10_11_1_15B42x64 - A Profile for Mac ElCapitan_10.11.1_15B42 x64
MacElCapitan_10_11_2_15C50x64 - A Profile for Mac ElCapitan_10.11.2_15C50 x64
MacElCapitan_10_11_3_15D21_15D13bx64 - A Profile for Mac ElCapitan_10.11.3_15D21_15D13b x64
MacElCapitan_10_11_4_15E27ex64 - A Profile for Mac ElCapitan_10.11.4_15E27e x64
MacElCapitan_10_11_4_15E39dx64 - A Profile for Mac ElCapitan_10.11.4_15E39d x64
MacElCapitan_10_11_4_15E49ax64 - A Profile for Mac ElCapitan_10.11.4_15E49a x64
MacElCapitan_10_11_4_15E65x64 - A Profile for Mac ElCapitan_10.11.4_15E65 x64
MacElCapitan_10_11_5_15F18b_15F24bx64 - A Profile for Mac ElCapitan_10.11.5_15F18b_15F24b x64
MacElCapitan_10_11_5_15F34x64 - A Profile for Mac ElCapitan_10.11.5_15F34 x64
MacElCapitan_10_11_6_15G1004_15G1108x64 - A Profile for Mac ElCapitan_10.11.6_15G1004_15G1108 x64
MacElCapitan_10_11_6_15G1212x64 - A Profile for Mac ElCapitan_10.11.6_15G1212 x64
MacElCapitan_10_11_6_15G1217x64 - A Profile for Mac ElCapitan_10.11.6_15G1217 x64
MacElCapitan_10_11_6_15G12ax64 - A Profile for Mac ElCapitan_10.11.6_15G12a x64
MacElCapitan_10_11_6_15G1421x64 - A Profile for Mac ElCapitan_10.11.6_15G1421 x64
MacElCapitan_10_11_6_15G1510x64 - A Profile for Mac ElCapitan_10.11.6_15G1510 x64
MacElCapitan_10_11_6_15G1611x64 - A Profile for Mac ElCapitan_10.11.6_15G1611 x64
MacElCapitan_10_11_6_15G17023x64 - A Profile for Mac ElCapitan_10.11.6_15G17023 x64
MacElCapitan_10_11_6_15G18013x64 - A Profile for Mac ElCapitan_10.11.6_15G18013 x64
MacElCapitan_10_11_6_15G19009x64 - A Profile for Mac ElCapitan_10.11.6_15G19009 x64
MacElCapitan_10_11_6_15G19ax64 - A Profile for Mac ElCapitan_10.11.6_15G19a x64
MacElCapitan_10_11_6_15G20015x64 - A Profile for Mac ElCapitan_10.11.6_15G20015 x64
MacElCapitan_10_11_6_15G24b_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G24b_15G31 x64
MacElCapitan_10_11_6_15G7ax64 - A Profile for Mac ElCapitan_10.11.6_15G7a x64


The Mac I am trying to analyze has this About box:
System 10.11.6 about box



Here is the uname output:



users-Mac:~ user$ uname -a
Darwin users-Mac.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
users-Mac:~ user$


I have tried all of the Volatility profiles and none of them work.



What does the string in the volatility profile after the 10_11_6_ mean, and how do I find it for my machine?










share|improve this question























  • Did you redact that serial number or is it made up / virtual?

    – bmike
    4 hours ago
















3















The Volatility memory forensics framework github website lists these Mac profiles for OS 10.11:



Profiles
--------
MacElCapitan_10_11_15A284x64 - A Profile for Mac ElCapitan_10.11_15A284 x64
MacElCapitan_10_11_1_15B42x64 - A Profile for Mac ElCapitan_10.11.1_15B42 x64
MacElCapitan_10_11_2_15C50x64 - A Profile for Mac ElCapitan_10.11.2_15C50 x64
MacElCapitan_10_11_3_15D21_15D13bx64 - A Profile for Mac ElCapitan_10.11.3_15D21_15D13b x64
MacElCapitan_10_11_4_15E27ex64 - A Profile for Mac ElCapitan_10.11.4_15E27e x64
MacElCapitan_10_11_4_15E39dx64 - A Profile for Mac ElCapitan_10.11.4_15E39d x64
MacElCapitan_10_11_4_15E49ax64 - A Profile for Mac ElCapitan_10.11.4_15E49a x64
MacElCapitan_10_11_4_15E65x64 - A Profile for Mac ElCapitan_10.11.4_15E65 x64
MacElCapitan_10_11_5_15F18b_15F24bx64 - A Profile for Mac ElCapitan_10.11.5_15F18b_15F24b x64
MacElCapitan_10_11_5_15F34x64 - A Profile for Mac ElCapitan_10.11.5_15F34 x64
MacElCapitan_10_11_6_15G1004_15G1108x64 - A Profile for Mac ElCapitan_10.11.6_15G1004_15G1108 x64
MacElCapitan_10_11_6_15G1212x64 - A Profile for Mac ElCapitan_10.11.6_15G1212 x64
MacElCapitan_10_11_6_15G1217x64 - A Profile for Mac ElCapitan_10.11.6_15G1217 x64
MacElCapitan_10_11_6_15G12ax64 - A Profile for Mac ElCapitan_10.11.6_15G12a x64
MacElCapitan_10_11_6_15G1421x64 - A Profile for Mac ElCapitan_10.11.6_15G1421 x64
MacElCapitan_10_11_6_15G1510x64 - A Profile for Mac ElCapitan_10.11.6_15G1510 x64
MacElCapitan_10_11_6_15G1611x64 - A Profile for Mac ElCapitan_10.11.6_15G1611 x64
MacElCapitan_10_11_6_15G17023x64 - A Profile for Mac ElCapitan_10.11.6_15G17023 x64
MacElCapitan_10_11_6_15G18013x64 - A Profile for Mac ElCapitan_10.11.6_15G18013 x64
MacElCapitan_10_11_6_15G19009x64 - A Profile for Mac ElCapitan_10.11.6_15G19009 x64
MacElCapitan_10_11_6_15G19ax64 - A Profile for Mac ElCapitan_10.11.6_15G19a x64
MacElCapitan_10_11_6_15G20015x64 - A Profile for Mac ElCapitan_10.11.6_15G20015 x64
MacElCapitan_10_11_6_15G24b_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G24b_15G31 x64
MacElCapitan_10_11_6_15G7ax64 - A Profile for Mac ElCapitan_10.11.6_15G7a x64


The Mac I am trying to analyze has this About box:
System 10.11.6 about box



Here is the uname output:



users-Mac:~ user$ uname -a
Darwin users-Mac.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
users-Mac:~ user$


I have tried all of the Volatility profiles and none of them work.



What does the string in the volatility profile after the 10_11_6_ mean, and how do I find it for my machine?










share|improve this question























  • Did you redact that serial number or is it made up / virtual?

    – bmike
    4 hours ago














3












3








3








The Volatility memory forensics framework github website lists these Mac profiles for OS 10.11:



Profiles
--------
MacElCapitan_10_11_15A284x64 - A Profile for Mac ElCapitan_10.11_15A284 x64
MacElCapitan_10_11_1_15B42x64 - A Profile for Mac ElCapitan_10.11.1_15B42 x64
MacElCapitan_10_11_2_15C50x64 - A Profile for Mac ElCapitan_10.11.2_15C50 x64
MacElCapitan_10_11_3_15D21_15D13bx64 - A Profile for Mac ElCapitan_10.11.3_15D21_15D13b x64
MacElCapitan_10_11_4_15E27ex64 - A Profile for Mac ElCapitan_10.11.4_15E27e x64
MacElCapitan_10_11_4_15E39dx64 - A Profile for Mac ElCapitan_10.11.4_15E39d x64
MacElCapitan_10_11_4_15E49ax64 - A Profile for Mac ElCapitan_10.11.4_15E49a x64
MacElCapitan_10_11_4_15E65x64 - A Profile for Mac ElCapitan_10.11.4_15E65 x64
MacElCapitan_10_11_5_15F18b_15F24bx64 - A Profile for Mac ElCapitan_10.11.5_15F18b_15F24b x64
MacElCapitan_10_11_5_15F34x64 - A Profile for Mac ElCapitan_10.11.5_15F34 x64
MacElCapitan_10_11_6_15G1004_15G1108x64 - A Profile for Mac ElCapitan_10.11.6_15G1004_15G1108 x64
MacElCapitan_10_11_6_15G1212x64 - A Profile for Mac ElCapitan_10.11.6_15G1212 x64
MacElCapitan_10_11_6_15G1217x64 - A Profile for Mac ElCapitan_10.11.6_15G1217 x64
MacElCapitan_10_11_6_15G12ax64 - A Profile for Mac ElCapitan_10.11.6_15G12a x64
MacElCapitan_10_11_6_15G1421x64 - A Profile for Mac ElCapitan_10.11.6_15G1421 x64
MacElCapitan_10_11_6_15G1510x64 - A Profile for Mac ElCapitan_10.11.6_15G1510 x64
MacElCapitan_10_11_6_15G1611x64 - A Profile for Mac ElCapitan_10.11.6_15G1611 x64
MacElCapitan_10_11_6_15G17023x64 - A Profile for Mac ElCapitan_10.11.6_15G17023 x64
MacElCapitan_10_11_6_15G18013x64 - A Profile for Mac ElCapitan_10.11.6_15G18013 x64
MacElCapitan_10_11_6_15G19009x64 - A Profile for Mac ElCapitan_10.11.6_15G19009 x64
MacElCapitan_10_11_6_15G19ax64 - A Profile for Mac ElCapitan_10.11.6_15G19a x64
MacElCapitan_10_11_6_15G20015x64 - A Profile for Mac ElCapitan_10.11.6_15G20015 x64
MacElCapitan_10_11_6_15G24b_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G24b_15G31 x64
MacElCapitan_10_11_6_15G7ax64 - A Profile for Mac ElCapitan_10.11.6_15G7a x64


The Mac I am trying to analyze has this About box:
System 10.11.6 about box



Here is the uname output:



users-Mac:~ user$ uname -a
Darwin users-Mac.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
users-Mac:~ user$


I have tried all of the Volatility profiles and none of them work.



What does the string in the volatility profile after the 10_11_6_ mean, and how do I find it for my machine?










share|improve this question














The Volatility memory forensics framework github website lists these Mac profiles for OS 10.11:



Profiles
--------
MacElCapitan_10_11_15A284x64 - A Profile for Mac ElCapitan_10.11_15A284 x64
MacElCapitan_10_11_1_15B42x64 - A Profile for Mac ElCapitan_10.11.1_15B42 x64
MacElCapitan_10_11_2_15C50x64 - A Profile for Mac ElCapitan_10.11.2_15C50 x64
MacElCapitan_10_11_3_15D21_15D13bx64 - A Profile for Mac ElCapitan_10.11.3_15D21_15D13b x64
MacElCapitan_10_11_4_15E27ex64 - A Profile for Mac ElCapitan_10.11.4_15E27e x64
MacElCapitan_10_11_4_15E39dx64 - A Profile for Mac ElCapitan_10.11.4_15E39d x64
MacElCapitan_10_11_4_15E49ax64 - A Profile for Mac ElCapitan_10.11.4_15E49a x64
MacElCapitan_10_11_4_15E65x64 - A Profile for Mac ElCapitan_10.11.4_15E65 x64
MacElCapitan_10_11_5_15F18b_15F24bx64 - A Profile for Mac ElCapitan_10.11.5_15F18b_15F24b x64
MacElCapitan_10_11_5_15F34x64 - A Profile for Mac ElCapitan_10.11.5_15F34 x64
MacElCapitan_10_11_6_15G1004_15G1108x64 - A Profile for Mac ElCapitan_10.11.6_15G1004_15G1108 x64
MacElCapitan_10_11_6_15G1212x64 - A Profile for Mac ElCapitan_10.11.6_15G1212 x64
MacElCapitan_10_11_6_15G1217x64 - A Profile for Mac ElCapitan_10.11.6_15G1217 x64
MacElCapitan_10_11_6_15G12ax64 - A Profile for Mac ElCapitan_10.11.6_15G12a x64
MacElCapitan_10_11_6_15G1421x64 - A Profile for Mac ElCapitan_10.11.6_15G1421 x64
MacElCapitan_10_11_6_15G1510x64 - A Profile for Mac ElCapitan_10.11.6_15G1510 x64
MacElCapitan_10_11_6_15G1611x64 - A Profile for Mac ElCapitan_10.11.6_15G1611 x64
MacElCapitan_10_11_6_15G17023x64 - A Profile for Mac ElCapitan_10.11.6_15G17023 x64
MacElCapitan_10_11_6_15G18013x64 - A Profile for Mac ElCapitan_10.11.6_15G18013 x64
MacElCapitan_10_11_6_15G19009x64 - A Profile for Mac ElCapitan_10.11.6_15G19009 x64
MacElCapitan_10_11_6_15G19ax64 - A Profile for Mac ElCapitan_10.11.6_15G19a x64
MacElCapitan_10_11_6_15G20015x64 - A Profile for Mac ElCapitan_10.11.6_15G20015 x64
MacElCapitan_10_11_6_15G24b_15G31x64 - A Profile for Mac ElCapitan_10.11.6_15G24b_15G31 x64
MacElCapitan_10_11_6_15G7ax64 - A Profile for Mac ElCapitan_10.11.6_15G7a x64


The Mac I am trying to analyze has this About box:
System 10.11.6 about box



Here is the uname output:



users-Mac:~ user$ uname -a
Darwin users-Mac.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
users-Mac:~ user$


I have tried all of the Volatility profiles and none of them work.



What does the string in the volatility profile after the 10_11_6_ mean, and how do I find it for my machine?







security memory volatility forensics






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 5 hours ago









vy32vy32

1,25541633




1,25541633













  • Did you redact that serial number or is it made up / virtual?

    – bmike
    4 hours ago



















  • Did you redact that serial number or is it made up / virtual?

    – bmike
    4 hours ago

















Did you redact that serial number or is it made up / virtual?

– bmike
4 hours ago





Did you redact that serial number or is it made up / virtual?

– bmike
4 hours ago










1 Answer
1






active

oldest

votes


















4














That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.



You can also run sw_vers to get easy build / version / marketing information from the command line.






share|improve this answer


























  • Thanks! Now if I could just get a Volatility profile for 15G31.

    – vy32
    3 hours ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "118"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f352348%2fwhen-using-volatility-with-a-memory-image-what-is-the-kernel-version%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









4














That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.



You can also run sw_vers to get easy build / version / marketing information from the command line.






share|improve this answer


























  • Thanks! Now if I could just get a Volatility profile for 15G31.

    – vy32
    3 hours ago
















4














That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.



You can also run sw_vers to get easy build / version / marketing information from the command line.






share|improve this answer


























  • Thanks! Now if I could just get a Volatility profile for 15G31.

    – vy32
    3 hours ago














4












4








4







That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.



You can also run sw_vers to get easy build / version / marketing information from the command line.






share|improve this answer















That string is the macOS build number. If you click on "10.11.6" in the About-box in your screenshot, it will be revealed right next to the version number.



You can also run sw_vers to get easy build / version / marketing information from the command line.







share|improve this answer














share|improve this answer



share|improve this answer








edited 4 hours ago









bmike

159k46286620




159k46286620










answered 5 hours ago









jksoegaardjksoegaard

17.5k1745




17.5k1745













  • Thanks! Now if I could just get a Volatility profile for 15G31.

    – vy32
    3 hours ago



















  • Thanks! Now if I could just get a Volatility profile for 15G31.

    – vy32
    3 hours ago

















Thanks! Now if I could just get a Volatility profile for 15G31.

– vy32
3 hours ago





Thanks! Now if I could just get a Volatility profile for 15G31.

– vy32
3 hours ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Different!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fapple.stackexchange.com%2fquestions%2f352348%2fwhen-using-volatility-with-a-memory-image-what-is-the-kernel-version%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?