
Instructions unclear on how to properly create overlays

Open RealSourceOfficial opened this issue 6 months ago • 0 comments

Good morning,
I've been recently trying to use volafox to recover a keychain on my deceased relative's laptop; however, I've been struggling to properly read the Physical Memory dump I've created.

I used MacPmem to dump the mem.aff4 file, moved it to an external hard drive and converted it to a Physical Memory file using rekall on an old(-ish) Windows machine. However, now that I have the file, vol.py seems to have no use for it: every time I call it, it asks me to generate an overlay.

Generating an overlay with the kernel file I extracted from the old Mac (running MacOS X 10.11 El Capitan) with the command `python overlay_generator.py ./kernel ./macos10.11overlay 32` (or realistically any variation of the file name vol.py asks for; 32 as it is a 32-bit Mac from what I can tell):

When I run this I either get

  • an invalid overlay file (when using 64)
  • Invalid mach header (when using 32)

I'm doing this all on a MacBook Air 13-inch running macOS 12.1 Monterey with Python 2.7 (built-in) + pip 20.3.4, and Python 3.6 + pip 21.3.1 (hand-installed to try and install rekall, which I failed to get running; something to do with GCC missing libraries. I gave up trying to figure it out and moved to a Windows machine).

Currently obtained files:

  • [x] mem.aff4 from MacPmem
  • [x] Physical Memory from Rekall on Windows
  • [x] information.turtle from Rekall on Windows
  • [x] dev_pmem_information.yaml from Rekall on Windows
  • [x] kernel from MacOS X 10.11 El Capitan Boot Drive
  • [ ] keychaindump from volafox
  • [ ] Keychain from MacOS X 10.11 El Capitan

RealSourceOfficial avatar Aug 19 '24 16:08 RealSourceOfficial
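The two errors in the report differ only by the 32/64 argument, and "Invalid mach header" is what a Mach-O reader typically says when the file is not the thin binary of the expected width. Before choosing an architecture, it helps to look at what the kernel file actually is. The script below is an added example, not code from volafox or from the issue author: it reads the Mach-O header of a file and reports whether it is a 32-bit, 64-bit or universal (fat) binary and which CPU type it was built for. The magic values and CPU type codes are Apple's published Mach-O constants; the sample headers are constructed inline for the test, and mapping the header width onto overlay_generator.py's 32/64 argument is my assumption based on the commands quoted above.

```python
import struct
import sys

# Mach-O magic values from Apple's <mach-o/loader.h> and <mach-o/fat.h>.
# A file written on an x86 (little-endian) Mac shows the byte-swapped
# form when the first four bytes are read as a big-endian integer.
MH_MAGIC    = 0xfeedface  # 32-bit header, big-endian when read with '>I'
MH_CIGAM    = 0xcefaedfe  # 32-bit header, little-endian file
MH_MAGIC_64 = 0xfeedfacf  # 64-bit header, big-endian file
MH_CIGAM_64 = 0xcffaedfe  # 64-bit header, little-endian file
FAT_MAGIC   = 0xcafebabe  # universal binary; fat headers are always big-endian

# CPU types from <mach/machine.h>; the ABI64 bit marks the 64-bit variants.
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: 'i386', 7 | CPU_ARCH_ABI64: 'x86_64',
    12: 'arm', 12 | CPU_ARCH_ABI64: 'arm64',
    18: 'ppc', 18 | CPU_ARCH_ABI64: 'ppc64',
}


def describe_mach_header(data):
    """Describe the Mach-O header at the start of `data`.

    Returns a dict with 'kind' == 'thin' (plus bits, cputype, filetype,
    endian) or 'kind' == 'fat' (plus the list of contained archs), or
    None if the bytes do not begin with a Mach-O magic value.
    """
    if len(data) < 8:
        return None
    magic = struct.unpack('>I', data[:4])[0]

    if magic == FAT_MAGIC:
        # fat_header: magic, nfat_arch; then nfat_arch fat_arch structs of
        # five big-endian uint32s: cputype, cpusubtype, offset, size, align.
        nfat = struct.unpack('>I', data[4:8])[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            if off + 20 > len(data):
                break
            cputype = struct.unpack('>I', data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return {'kind': 'fat', 'archs': archs}

    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = '>'
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = '<'
    else:
        return None
    if len(data) < 16:
        return None

    bits = 64 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 32
    # mach_header / mach_header_64 both start: magic, cputype, cpusubtype, filetype
    cputype, _cpusubtype, filetype = struct.unpack(endian + 'III', data[4:16])
    return {
        'kind': 'thin',
        'bits': bits,
        'cputype': CPU_NAMES.get(cputype, hex(cputype)),
        'filetype': filetype,          # 2 == MH_EXECUTE, which a kernel image is
        'endian': 'little' if endian == '<' else 'big',
    }


def overlay_arch_argument(info):
    """Assumed mapping (not from volafox docs): the 32/64 argument given to
    overlay_generator.py should match the header width of a thin kernel.
    Returns '32' or '64', or None for fat/unknown files where a single
    architecture would first have to be extracted."""
    if info and info['kind'] == 'thin':
        return str(info['bits'])
    return None


# Constructed sample headers (not real kernel files), little-endian like an x86 Mac.
SAMPLE_KERNEL_64 = struct.pack('<8I', MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)
SAMPLE_KERNEL_32 = struct.pack('<7I', MH_MAGIC, 7, 3, 2, 0, 0, 0)
SAMPLE_FAT = (struct.pack('>II', FAT_MAGIC, 2)
              + struct.pack('>5I', 7 | CPU_ARCH_ABI64, 3, 4096, 100, 12)
              + struct.pack('>5I', 7, 3, 8192, 100, 12))


if __name__ == '__main__':
    # Usage: python machoarch.py /path/to/kernel
    with open(sys.argv[1], 'rb') as fh:
        head = fh.read(4096)
    info = describe_mach_header(head)
    print(info)
    print('suggested overlay_generator.py architecture argument:', overlay_arch_argument(info))
```

Run it against the extracted kernel file; if it reports a fat binary, a single architecture has to be thinned out first (Apple's `lipo -thin` does this), and if it returns None the file is not a Mach-O image at all and the wrong file was copied from the boot drive.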