The Volatility Framework
Quoting from the Volatility home page: "The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples."
Or put more simply, you collect a memory dump from a system and Volatility helps you investigate what was running on the machine at the time of the memory dump.
You can get a list of processes or a list of open files that is computed on a clean system, so it is not subject to a /bin/ps or /usr/sbin/lsof that a rootkit may have replaced.
There are many other useful built-in commands, and the framework works on Mac, Linux and Windows.
Very basic usage
I used OSXPmem to get a memory dump:
$ sudo ./osxpmem -f raw /tmp/memory.dump
Once you have the dump (which is fairly slow to produce, as you're writing your entire physical memory to disk), you can get a list of running processes:
$ sudo python vol.py -i /tmp/memory.dump -o ps
Password:
[+] Process List
OFFSET(P)   PID  PPID  PRIORITY  NICE  PROCESS_NAME    USERNAME(UID,GID)     CRED(UID,GID)  CREATE_TIME (UTC+0)
0x150FBCC0  0    0     0         0     kernel_task     (0,0)                 (0,0)          Tue Dec 17 11:36:22 2013
0x15593A80  1    0     128       0     launchd         _securityagent(0,0)   (0,0)          Tue Dec 17 11:36:22 2013
0x155947E0  11   1     255       0     UserEventAgent  root(0,0)             (0,0)          Tue Dec 17 11:37:20 2013
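The reason a memory-derived process list matters is that it can be compared against what the live system reports: a process that the image shows but a (possibly tampered) ps does not is worth a closer look. The script below is an added example, not code from the page or from the Volatility project. It parses the process listing shown above (the three rows from the page plus one constructed row for PID 4242), parses a constructed `ps -axo pid,ppid,comm` listing taken on the live system, and reports the processes that appear only in the memory image. The 4242 row and the live listing are constructed inputs, not output from any real system.

```python
import re
from dataclasses import dataclass

# Process listing from the memory image: the three rows shown on the page plus one
# CONSTRUCTED row (PID 4242, "hidden_helper") standing in for a process that a
# rootkit-patched /bin/ps would be expected to hide.
MEMORY_PS_OUTPUT = """\
[+] Process List
OFFSET(P) PID PPID PRIORITY NICE PROCESS_NAME USERNAME(UID,GID) CRED(UID,GID) CREATE_TIME (UTC+0)
0x150FBCC0 0 0 0 0 kernel_task (0,0) (0,0) Tue Dec 17 11:36:22 2013
0x15593A80 1 0 128 0 launchd _securityagent(0,0) (0,0) Tue Dec 17 11:36:22 2013
0x155947E0 11 1 255 0 UserEventAgent root(0,0) (0,0) Tue Dec 17 11:37:20 2013
0x15600000 4242 1 31 0 hidden_helper root(0,0) (0,0) Tue Dec 17 11:40:00 2013
"""

# CONSTRUCTED output of `ps -axo pid,ppid,comm` run on the live system. PID 4242 is
# absent: that is the discrepancy the cross-view check below should surface.
LIVE_PS_OUTPUT = """\
  PID  PPID COMM
    0     0 kernel_task
    1     0 /sbin/launchd
   11     1 /usr/libexec/UserEventAgent
"""

# One row of the memory-image listing; CREATE_TIME contains spaces, so it is
# captured as "everything after the CRED column".
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9A-Fa-f]+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<prio>\d+)\s+"
    r"(?P<nice>-?\d+)\s+(?P<name>\S+)\s+(?P<user>\S+)\s+(?P<cred>\S+)\s+(?P<created>.+)$"
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


def parse_memory_ps(text):
    """Parse the memory-image listing into Proc records, skipping banner and header lines."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            procs.append(Proc(int(m["pid"]), int(m["ppid"]), m["name"]))
    return procs


def parse_live_ps(text):
    """Parse `ps -axo pid,ppid,comm` output; COMM may be a full path, so keep only its basename."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 2)
        if len(parts) == 3:
            pid, ppid, comm = parts
            procs.append(Proc(int(pid), int(ppid), comm.rsplit("/", 1)[-1]))
    return procs


def hidden_processes(memory_procs, live_procs):
    """Return processes present in the memory image but missing from the live listing."""
    live_pids = {p.pid for p in live_procs}
    return [p for p in memory_procs if p.pid not in live_pids]


def main():
    hidden = hidden_processes(parse_memory_ps(MEMORY_PS_OUTPUT), parse_live_ps(LIVE_PS_OUTPUT))
    for p in hidden:
        print(f"PID {p.pid} ({p.name}, parent {p.ppid}) is in the memory image but not in live ps")


if __name__ == "__main__":
    main()
```

The comparison is keyed on PID alone; a process whose name differs between the two views (for example a renamed binary) is a separate check that would compare `Proc.name` for matching PIDs.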
or look up the kernel syscall table:
$ sudo python vol.py -i /tmp/memory.dump -o systab
[+] Syscall List
NUM  ARG_COUNT  NAME    CALL_PTR            ARG_MUNGE32_PTR     ARG_MUNGE64_PTR  RET_TYPE  ARG_BYTES  HOOK_FINDER
0    0          _nosys  0xFFFFFF8014DEF270  0x00000000          0x00000000       1         0          True
1    1          _exit   0xFFFFFF8014DCBE50  0xFFFFFF8014BBBD30  0x00000000       0         4          True
2    0          _fork   0xFFFFFF8014DD07E0  0x00000000          0x00000000       1         0          True
3    3          _read   0xFFFFFF8014DEF2D0  0xFFFFFF8014BBBD60  0x00000000       6         12         True
4    3          _write  0xFFFFFF8014DEF980  0xFFFFFF8014BBBD60  0x00000000       6         12         True
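The syscall table is a classic rootkit target: redirecting an entry's handler pointer to attacker code outside the kernel image hooks that system call. The check a defender runs over this output is therefore simple: every non-zero pointer in the table should fall inside the kernel's own text segment. The script below is an added example, not code from the page or the Volatility project. It parses the listing above (the five rows from the page plus one constructed `_open` row whose handler points outside the kernel) and flags pointers that fall outside an assumed kernel text range. The range bounds are placeholders; a real check would derive them from the kernel image in the dump. The tool's own HOOK_FINDER column is carried along but not interpreted, since the script recomputes the check from the pointer values.

```python
import re
from dataclasses import dataclass

# ASSUMED bounds of the kernel __TEXT segment in this image. Placeholder values chosen
# to enclose the pointers shown on the page; not taken from the page or from any real kernel.
KERNEL_TEXT_START = 0xFFFFFF8014A00000
KERNEL_TEXT_END = 0xFFFFFF8015000000

# The five rows shown on the page, plus one CONSTRUCTED row (syscall 5, "_open") whose
# CALL_PTR lies outside the kernel text range, standing in for a hooked entry.
SYSTAB_OUTPUT = """\
[+] Syscall List
NUM ARG_COUNT NAME CALL_PTR ARG_MUNGE32_PTR ARG_MUNGE64_PTR RET_TYPE ARG_BYTES HOOK_FINDER
0 0 _nosys 0xFFFFFF8014DEF270 0x00000000 0x00000000 1 0 True
1 1 _exit 0xFFFFFF8014DCBE50 0xFFFFFF8014BBBD30 0x00000000 0 4 True
2 0 _fork 0xFFFFFF8014DD07E0 0x00000000 0x00000000 1 0 True
3 3 _read 0xFFFFFF8014DEF2D0 0xFFFFFF8014BBBD60 0x00000000 6 12 True
4 3 _write 0xFFFFFF8014DEF980 0xFFFFFF8014BBBD60 0x00000000 6 12 True
5 3 _open 0xFFFFFF7F90ABC000 0xFFFFFF8014BBBD60 0x00000000 6 12 False
"""

ROW_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<argc>\d+)\s+(?P<name>\S+)\s+(?P<call>0x[0-9A-Fa-f]+)\s+"
    r"(?P<m32>0x[0-9A-Fa-f]+)\s+(?P<m64>0x[0-9A-Fa-f]+)\s+(?P<ret>\d+)\s+(?P<bytes>\d+)\s+(?P<hook>\S+)$"
)


@dataclass(frozen=True)
class SyscallEntry:
    num: int
    name: str
    call_ptr: int
    munge32_ptr: int
    munge64_ptr: int


def parse_systab(text):
    """Parse the syscall listing into SyscallEntry records, skipping banner and header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(SyscallEntry(
                int(m["num"]), m["name"],
                int(m["call"], 16), int(m["m32"], 16), int(m["m64"], 16),
            ))
    return entries


def in_kernel_text(ptr, start=KERNEL_TEXT_START, end=KERNEL_TEXT_END):
    """True if ptr lies inside the (assumed) kernel text segment."""
    return start <= ptr < end


def find_suspicious(entries, start=KERNEL_TEXT_START, end=KERNEL_TEXT_END):
    """Return (num, name, field, pointer) for every set pointer that lies outside kernel text.

    A zero pointer means "no handler" for the munge fields and is not a finding.
    """
    findings = []
    for e in entries:
        for field in ("call_ptr", "munge32_ptr", "munge64_ptr"):
            ptr = getattr(e, field)
            if ptr != 0 and not in_kernel_text(ptr, start, end):
                findings.append((e.num, e.name, field, ptr))
    return findings


def main():
    for num, name, field, ptr in find_suspicious(parse_systab(SYSTAB_OUTPUT)):
        print(f"syscall {num} {name}: {field} = {ptr:#x} is outside kernel text")


if __name__ == "__main__":
    main()
```

A pointer inside the kernel text range is necessary but not sufficient: an inline patch of the handler's first bytes keeps the table pointer intact, so this table-level check is normally paired with a comparison of handler code against the on-disk kernel.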