OSX MacPmem Kernel Extension installation issue in High Sierra


Jim Nangany

Nov 14, 2018, 10:26:30 PM
to rekall-...@googlegroups.com, scud...@gmail.com, adam.s...@gmail.com

Hi Experts,

I think from High Sierra onward, the Security & Privacy System Preferences have only the Apps from "App Store" or "App Store and identified developers" options, because of which the OSX MacPmem kernel extension installation gets rejected. The developer of OSX MacPmem is identified as "Adam Sindelar", which isn't an identified developer.

The work-around is to either csrutil disable or open up System Preferences to mark "allow" after the first kernel extension installation failure.

But isn't the project supported by Google, so isn't there a way to get the OSXMacPMem built by an Apple Identified developer, so that we have a cleaner way to get the kernel extension installed?

Please do write back with suggestions.
Thanks in advance.

--
Jim Nangany

Michael Cohen

Nov 15, 2018, 5:28:27 AM
to Jim Nangany, rekall-...@googlegroups.com, Adam Sindelar
Hi Jim,
I will leave the Google guys to comment on macpmem specifically, but we have had much success engaging the community in getting the winpmem driver signed. Maybe cross-posting to the SANS DFIR list would help find someone with a code signing cert?

Thanks
Michael.

Adam Šindelář

Nov 15, 2018, 6:15:32 AM
to mi...@velocidex.com, Jim Nangany, rekall-...@googlegroups.com
Hi, I’m the original author of MacPmem. AFAIK the signature was valid insofar as it has the right kext-loading flag enabled, but I think possibly my developer ID subscription has lapsed.

I do not believe Apple are issuing this type of certificate any longer. I’ll try to renew my subscription and see if that enables the kext to be loaded again, but if not, then I am sorry to say you may be out of options.

I’ll update this thread if I have any success.

Best,
Adam

Jim Nangany

Nov 15, 2018, 6:22:52 AM
to Adam Sindelar, mi...@velocidex.com, rekall-...@googlegroups.com
Ok, cool, thanks a lot for the update.
--
Jim Nangany

rainer...@gmail.com

Feb 1, 2019, 1:35:30 AM
to rekall-discuss
Does Rekall not work on Mac OS, or...? I’m looking at absolutely nothing changed.

Adam Šindelář

Nov 25, 2019, 6:29:19 AM
to rainer...@gmail.com, rekall-discuss
I have not been working on Rekall/PMEM for a while now, and I don't think anyone has taken over. The likely answer is that it doesn't work anymore.

On Fri, Feb 1, 2019 at 7:35 AM <rainer...@gmail.com> wrote:
Does Rekall not work on Mac OS, or...?  I’m looking at absolutely nothing changed.
