• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
A false digital alibi on mac os x

A false digital alibi on mac os x



Issues and implementation of a process for creating a false digital alibi. ...

Issues and implementation of a process for creating a false digital alibi.
The aim is to produce a state of the personal computer that confirming a false digital alibi, following the execution of an automated procedure, without leaving any traces of automation. The aim is to answer to the questions:
1) How reliable is a digital alibi?
2) May have been artificially created?
Within the project, are discussed the issues to consider while creating a false alibi on a machine running Mac OS X and is demonstrated that it is possible to produce artificially "human" traces of machine use.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NoDerivs LicenseCC Attribution-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    A false digital alibi on mac os x A false digital alibi on mac os x Presentation Transcript

    • A false digital alibi on Mac OS XDario Di NucciFabio PalombaStefano RicchiutiUniversity of SalernoChallange and solutionsdomenica 15 luglio 12
    • Focusing on Mac OS XMac OS X & Forensic:how and what?Evaluation of the workA case study- Developing the false digital alibi- A post-mortem digital forensicIs realistic a false digital alibi on a Mac OS X?domenica 15 luglio 12
    • Focusing on Mac OS XChapter 3in the thesisdomenica 15 luglio 12
    • Use of BTreeJournalingMax File Dim 263Max Folder Dim 231Hierarchical File System+domenica 15 luglio 12
    • Disk utilityManager of all file systems inyour MacComplete informationretrieving on all disksImprove stability andperformanceRunnable from livebootFix the file system errorsPrevent errorsFirst AIDDisk Utilitydomenica 15 luglio 12
    • ....What is right,what is wrong...Mac appsdomenica 15 luglio 12
    • File VaultUser Password: Crypt and DecryptDiskMaster Password: For SystemrecoveringXTS - AES 128 bit Cryptographydomenica 15 luglio 12
    • Time MachineAll action on files (deleted,modified, moved) are recorded onexternal diskThe actions are revertable!Huge impact on DigitalForensicdomenica 15 luglio 12
    • Why analyze these?Create false digital evidences is possible!How?Construct a false digital alibi usingbuilt-in softwaredomenica 15 luglio 12
    • A false digital alibi: how to...domenica 15 luglio 12
    • “AppleScript is a scripting language thatmakes possible direct control of scriptableapplications and of many parts of the MacOS. With scriptable applications, users canwrite scripts to automate operations.”[https://developer.apple.com]A false digital alibi: how to...AppleScriptdomenica 15 luglio 12
    • tell application "Finder" to quitdisplay dialog "Mostra Files nascosti..." buttons {"Si", "No", "Annulla"}default button 3copy the result as list to {buttonpressed}tryif the buttonpressed is "No" then do shell script ¬"defaults write com.apple.finder AppleShowAllFiles OFF"if the buttonpressed is "Si" then do shell script ¬"defaults write com.apple.finder AppleShowAllFiles ON"end trytell application "Finder" to launchExample...A false digital alibi: how to...domenica 15 luglio 12
    • “Automator is your personal automationassistant, making it easy for you to do more,and with less hassle.With Automator, you usea simple drag-and-drop process to create andrun “automation recipes” that perform simpleor complex tasks for you, when and where youneed them.”[http://support.apple.com]AutomatorA false digital alibi: how to...domenica 15 luglio 12
    • A false digital alibi: how to...domenica 15 luglio 12
    • VSAutomator or AppleScript?Actions via Drag & DropSimple to learn and useWhat about translation?Direct control on Mac OS XREJECTACCEPTdomenica 15 luglio 12
    • A case studyChapter 4in the thesisdomenica 15 luglio 12
    • Developing thefalse digital alibiParagraph 4.A - 4.Bin the thesisdomenica 15 luglio 12
    • Automatism setupBest practicesSoftware built-in is better!Automatism habits-basedNeeds to clean all traces!No stupid error!domenica 15 luglio 12
    • The false digital alibi makerAutomatism setup - Structural DecompositionThe automatism activatorManager of the actions ofdelection of traces andschedulingdomenica 15 luglio 12
    • Automatism setup - Structural DecompositionHow to develop these modules?Bottom-upDevelop the Simulator beforethe others modules allows us tounderstand which are the tracesto coverdomenica 15 luglio 12
    • The Simulator moduledomenica 15 luglio 12
    • AppleScript at workat9.00amat10.00amat 12.00 amat 15.00 pmdomenica 15 luglio 12
    • AppleScript at workdomenica 15 luglio 12
    • AppleScript as appthis is the simulatormodule!domenica 15 luglio 12
    • The Wiper/Scheduler moduledomenica 15 luglio 12
    • How retrieve traces of the automation?domenica 15 luglio 12
    • Double executionManual execution -> State t1Launch automatism -> State t2Find of the accessed and modified files in t1 e t2Retrieve differences between t1 and t2domenica 15 luglio 12
    • /System/Library/Components/AppleScript.component/System/Library/Components/AppleScript.component/Contents/System/Library/Components/AppleScript.component/Contents/Resources/System/Library/Components/AppleScript.component/Contents/Resources/Italian.lproj/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit/Applications/Utilities/AppleScript Editor.app/Contents/Resources/ScriptEditor.help/Contents/Resources/Applications/Utilities/AppleScript Editor.app/Contents/Resources/ScriptEditor.help/Contents/Resources/Italian.lprojAnomalies in accessed filesfind / -amin -3 > accessedFiles.txtdomenica 15 luglio 12
    • Anomalies in modified files/private/var/log/asl/AUX.2012.06.04/private/var/log/asl/AUX.2012.06.04/3793/private/var/log/asl/AUX.2012.06.04/3795/private/var/log/asl/AUX.2012.06.04/3803/private/var/log/DiagnosticMessages/2012.06.04.asl/private/var/log/DiagnosticMessages/StoreData/private/var/log/opendirectoryd.log/private/var/log/secure.log/private/var/log/system.logfind / -mmin -3 > modifiedFiles.txtdomenica 15 luglio 12
    • How remove this traces?domenica 15 luglio 12
    • Via softwareRemoving tracesThe software must delete itself!Interpreted language!domenica 15 luglio 12
    • Removing tracesPythonInterpreted language!Very simple for complex jobs!domenica 15 luglio 12
    • Removing tracesRetrieve the last access dates of aresource before running the automationos.path.getatime(%PATH)touch -c -t -%TIME -%PATHRoll-back last access time after theexecution of the scriptRun automation (Simulator module)domenica 15 luglio 12
    • Removing tracesCompiling Python files...why?Introduction of indirect traces!Cannot clean its own traces!A stand-alone app doesn’t leave traces,AT ALL!domenica 15 luglio 12
    • Removing tracesCompiling Python files...how?curl -O http://peak.telecommunity.com/dist/ez_setup.pysudo python ez_setup.py -U setuptoolssudo easy_install -U py2apppy2applet --make-setup MyApplication.pypython setup.py py2app -Athis is the WIPER/SCHEDULER module!domenica 15 luglio 12
    • And what about the direct traces?domenica 15 luglio 12
    • Names of legal apps for the modulese.g.Wiper/Scheduler = Caffeine.appSecure deletion of modules andrename legal appsObfuscating direct tracesdomenica 15 luglio 12
    • Names of the apps are not suspectThe apps used in the process are apps really installedon the laptop!All references to these apps are legal!Obfuscating direct tracesdomenica 15 luglio 12
    • The Launcher moduledomenica 15 luglio 12
    • Problem: How launch the procedure?SolutionA launcher module is neededWiper/Scheduler module needsadministrator privilegesdomenica 15 luglio 12
    • Terminal???Launcher moduleIt’s not a good idea becausesome resources would be touch!Bash HistoryShell resourcesOther resourcesdomenica 15 luglio 12
    • Launcher moduleAppleScript can leave traces!AppleScript???Who cleans these traces???domenica 15 luglio 12
    • Python, again!Launcher moduleCompiled Python app, again!os.system("echo password|sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail")this is the launchermodule!domenica 15 luglio 12
    • ProblemLauncher can’t be deleted whilerunning!LaunchercallWiperScheduler()callSimulator()Wiper/Scheduler SimulatorWhen the Simulator ends its execution,Wiper/Scheduler does not delete the Launchermodule because is the Launcher that keep alivethe Wiper/Scheduler!domenica 15 luglio 12
    • SolutionUse of threadsppid=os.getppid()pid=os.fork()if pid==0 :os.kill(pid, signal.SIGKILL)LaunchercallWiperScheduler()callSimulator()Wiper/Scheduler Simulatoros.fork()Wiper/Schedulerkill()Using a thread we create a “good brother” ofWiper/Scheduler.This allows the “bad brother”to kill the Launcher module, keeping alive thegood brother and the whole work of theWiper/Scheduler moduledomenica 15 luglio 12
    • But this operation leaveundesiderable traces in the log fileswifipers3128 sudo[1357]:password : TTY=unknown ; PWD=/Volumes/MYPEN/Caffeine.app/Contents/Resources ; USER=root ; COMMAND=/Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mailhost-001 [0x0-0x71071].org.pythonmac.unspecified.Caffeine[1406]:1410 Killed: 9 | sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail.logdomenica 15 luglio 12
    • Copy the log files before the automatismReplace the log files containingtraces, with the previous oneSolving the problem...AUTOMATIONdomenica 15 luglio 12
    • How bring the files on a laptop?domenica 15 luglio 12
    • curl -O http://remote_resourcesMore possibilitiesGet a remote resource - curl commandUse a resource of Dropboxdomenica 15 luglio 12
    • Occam’s razor“When things being equivalent,a simpler explanationis better than a more complex one”Put files on a pendrive withnon-journaled file systemdomenica 15 luglio 12
    • Summarizing...domenica 15 luglio 12
    • ...The structure of the processWiper/SchedulerSimulatorSniffomucca.appCaffeine.appanonimous_e-mail.appLauncherdomenica 15 luglio 12
    • MYPEN Contents - BeforeCaffeine_p.appSniffoMucca_p.appAnonimous_e-mail_p.appCaffeine.app + Caffeine.pySniffoMucca.appAnonimous_e-mail.app + Anonimous_e-mail.pyAutomatism apps Legal appsdomenica 15 luglio 12
    • MYPEN Contents - AfterCaffeine.appSniffoMucca.appAnonimous_e-mail.appLegal appsdomenica 15 luglio 12
    • Where can we test the procedure?Where can we test the whole process?domenica 15 luglio 12
    • Enviroment setupVirtual Machine:Why?Come back to another state of disk issimpleNeeded to build and test the falsealibi proceduredomenica 15 luglio 12
    • Virtual Machine:The choiseVIRTUALBOXPARALLELSDESKTOPVMWAREFUSIONCreationManagementLicensedomenica 15 luglio 12
    • Virtual Machine:The choiseVIRTUALBOXPARALLELSDESKTOPVMWAREFUSIONCreationManagementLicensedomenica 15 luglio 12
    • Virtual Machine:The choiseVIRTUALBOXPARALLELSDESKTOPVMWAREFUSIONCreationManagementLicensedomenica 15 luglio 12
    • Virtual Machine:The choiseVIRTUALBOXPARALLELSDESKTOPVMWAREFUSIONCreationManagementLicenseACCEPTdomenica 15 luglio 12
    • Enviroment setupgoalGenerate an exact duplicate of thesource media under investigationThe destination media MUST BEerased!Some tools could be used: dd,dcfldd, dc3dddomenica 15 luglio 12
    • Enviroment setupFirst stepHD 1 HD 2dd if=/dev/zero of=dev/disk bs=512 conv=notruncdomenica 15 luglio 12
    • Second stepEnviroment setupHD 1domenica 15 luglio 12
    • Enviroment setupThird stepHD 1HD 2dd if=/dev/sda of=dev/sdb bs=512 conv=notruncdomenica 15 luglio 12
    • A post-mortemdigital forensicParagraph 4.Cin the thesisdomenica 15 luglio 12
    • The only way for being sure aboutthe construction on the falsedigital alibi is to do a digitalforensic analysis on the hard disk,on the pendrive and in the logfiles!Digital forensic“The use of scientifically derived and proven methods toward thepreservation, collection, validation, identification, analysis,interpretation, documentation and presentation of digital evidencederived from digital sources for the purpose of facilitating offurthering the reconstruction of events found to be criminal, orhelping to anticipate unauthorized action shown to be disruptive toplanned operations.”[Digital Forensics ResearchWorkshop I - 2001]domenica 15 luglio 12
    • Digital forensic - Howsecure.logsystem.log.bash_historySafari resourcesWe have to search in the log files of Mac OS X“Mac OS X, iPod, and iPhone Forensic Analysis Toolkit”domenica 15 luglio 12
    • About log filesWe have already talk about the log filesThe copy on the pendrive before theautomatism does not allow to have surprises!Anyways, we used a grep command on thelog filedgrep iAmTheAutomatism7777 /private/var/log/secure.loggrep iAmTheAutomatism7777 /private/var/log/system.logdomenica 15 luglio 12
    • Bash History.bash_history is an hidden file located in the user homedomenica 15 luglio 12
    • About Bash HistoryThe bash history file is neverdirectly open in the processAll the comands are runnedby Python!.bash_history is empty!domenica 15 luglio 12
    • Safari Resources - Cache.dbdomenica 15 luglio 12
    • About Cache.db"#“! __CFURLStringType_CFURLString_http://www.google.it/s?hl=it&gs_nf=1&cp=20&gs_id=14&xhr=t&q=Extract%20class%20Fowler&pf=p&output=search&sclient=psy-ab&oq=&aq=&aqi=&aql=&gs_l=&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&fp=b58bcc71a4fb82fa&biw=1024&bih=674&tch=1&ech=2&psi=hCjgT6eFAs3usgb5oOTACA.1340090487838.1#Aµê`a¡◊⁄!VServerContent-Type_Transfer-EncodingTDate_X-Frame-Options_Content-Encoding_X-XSS-Protection_Content-Disposition]Cache-ControlWExpiresSgws_application/json; charset=UTF-8XIdentity_Tue, 19 Jun 2012 07:21:52 GMTZSAMEORIGINTgzip]1; mode=blockZattachment_private, max-age=0R-1n___CFURLResponseNullTokenString__≠≤ƒ◊ÍSafari stores in the cache.dball sites visited by usersWe cannot use Safari fordangerous operationsCache.db does not contains relevant infosdomenica 15 luglio 12
    • Safari Resources - HistorySafari History contains only the sites visited byAppleScriptdomenica 15 luglio 12
    • Are there traces in the hard disk oron the pendrive?domenica 15 luglio 12
    • How search traces of the automatism?In the automatism files we have insert a “signature” ofthe automatism...domenica 15 luglio 12
    • grep -ros iAmTheAutomatism7777 ./How search traces of the automatism?...and we used a grep command on the hard disk and onthe pendrivegrep command does not retrieve any file with thisstringdomenica 15 luglio 12
    • ProblemLauncher,Wiper/Scheduler andSimulator modules could create sometemporary files!SolutionWe have to analyze deleted files!domenica 15 luglio 12
    • Deleted files analysis - HowPhotorec is a data recovery software designed to recoverlost files from hard disks, pendrive and so ondomenica 15 luglio 12
    • Deleted files analysisWe launched Photorec on the hard disk and on thependrive and we used the grep commandgrep -ros iAmTheAutomatism7777 ./grep command does not retrieve any file with thisstring, again!domenica 15 luglio 12
    • conclusionsfuture worksChapter 5in the thesisdomenica 15 luglio 12
    • Is realistic a false digital alibi on Mac OS X 10.7.3?Create a false digital alibi is possible!Remove the traces is possible if you use properfeatures of Mac OS X!Conclusions...domenica 15 luglio 12
    • ...and future works...Can we create a false digital alibi usingAutomator?Test the automatism on a real enviroment!Test the automatism on a differentversions of Mac OS Xdomenica 15 luglio 12
    • Thank you!Questions and/or commentsDario Di Nucci d.dinucci@studenti.unisa.itFabio Palomba f.palomba3@studenti.unisa.itStefano Ricchiuti s.ricchiuti@studenti.unisa.itRemind the link:https:// www.dropbox.com/sh/8cfw9b0aembhzd5/mbVMwXBCBRdomenica 15 luglio 12