File000128


  1. Module XV – Mac Forensics
  2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
     News: ProteMac Announces ProteMac Meter 1.1 for Mac OS X
     Source: http://prmac.com/release-id-3023.htm
  3. Module Objective
     This module will familiarize you with:
     • Mac OS and File System
     • Partitioning Schemes
     • Mac OS X Directory Structure
     • Pre-requisites for Mac Forensics
     • POSIX Permissions
     • Mac OS X Log Files
     • Vulnerable Features of Mac
     • Imaging a Target Macintosh
     • .Mac and Related Evidence
     • Mac Forensics Tools
  4. Module Flow
     Mac OS and File System → Partitioning Schemes → Mac OS X Directory Structure → Pre-requisites for Mac Forensics → POSIX Permissions → Mac OS X Log Files → Vulnerable Features of Mac → Imaging a Target Macintosh → .Mac and Related Evidence → Mac Forensics Tools
  5. Mac OS and File Systems
  6. Mac OS X
     Mac OS X is a Unix-based operating system built on the object-oriented NeXTSTEP operating system and development environment. It is a memory-managed, multitasking Mac platform.
     The following are some of the Mac OS X versions:
     • Mac OS X 10.0 – “Cheetah”, the first major release of Mac OS X
     • Mac OS X 10.1 – “Puma”, released on September 25, 2001
     • Mac OS X 10.2 – “Jaguar”, the third major release of Mac OS X
     • Mac OS X 10.3 – “Panther”
     • Mac OS X 10.4 – “Tiger”
     • Mac OS X 10.5 – “Leopard”
  7. Partitioning Schemes
     The partitioning scheme is the basic definition of how a hard drive or other media is laid out so that a file system can be applied to it.
     There are two types of Mac partitioning schemes:
     • Apple Partition Map (PowerPC-based Macintosh)
     • GUID partition scheme (Intel-based Macintosh)
  8. Apple Partition Map (APM)
     The Apple Partition Map is used to define the low-level organization of data on Mac-formatted disks.
     Apple disks are divided into blocks of 512 bytes each.
     The first block of an APM disk contains driver information.
     The number of entries in the partition map is not restricted; however, because the partition map must begin at block 1 and must be contiguous, it cannot easily be expanded once other partitions have been created.
     APM defines itself as one of the partitions on the disk.
     The fdisk and pdisk tools can be used to manipulate an APM.
  9. Apple Partition Map Entry Record
     The partition map entry record is defined by the Partition data type.
  10. GUID Partition Table
     The GUID Partition Table (GPT) is a partitioning scheme introduced by Intel and adopted by Apple.
     The block layout used by GPT is as follows:
     Block – Description
     • 0 – Protective MBR
     • 1 – Partition Table Header (primary)
     • 2 through 2+b-1 – Partition Entry Array (primary)
     • 2+b through n-2-b – Partition Data
     • n-2-b+1 through n-2 – Partition Entry Array (backup)
     • n-1 – Partition Table Header (backup)
     where n is the number of blocks on the disk and b is the number of blocks used to describe the partition entries.
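The block layout in the table above can be checked against the header actually found at block 1: the primary GPT header records the backup header's block, the first and last usable blocks, and the size of the partition entry array, from which b follows. The Python below is an added example and not part of the EC-Council slides; it builds a constructed 512-byte header (sample values, no real disk), refuses to trust any field until the "EFI PART" signature and the header CRC32 check out, and compares the parsed fields with the table's formulas. The header field order follows the UEFI specification.

```python
import struct
import zlib

BLOCK_SIZE = 512
GPT_SIGNATURE = b"EFI PART"
# On-disk primary header (little-endian, 92 bytes): signature, revision,
# header size, header CRC32, reserved, current LBA, backup LBA, first usable
# LBA, last usable LBA, disk GUID, entry array LBA, entry count, entry size,
# entry array CRC32.
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"
GPT_HEADER_SIZE = struct.calcsize(GPT_HEADER_FMT)  # 92


def entry_array_blocks(num_entries, entry_size, block_size=BLOCK_SIZE):
    """b in the slide's table: blocks needed to hold the partition entry array."""
    return (num_entries * entry_size + block_size - 1) // block_size


def gpt_layout(n, b):
    """Inclusive block ranges from the slide's table for a disk of n blocks."""
    return {
        "protective_mbr": (0, 0),
        "primary_header": (1, 1),
        "primary_entries": (2, 2 + b - 1),
        "partition_data": (2 + b, n - 2 - b),
        "backup_entries": (n - 2 - b + 1, n - 2),
        "backup_header": (n - 1, n - 1),
    }


def build_gpt_header(n, num_entries=128, entry_size=128):
    """Constructed primary header for a disk of n blocks (sample data, not read
    from a real disk). The entry-array CRC stays zero: no array is modelled."""
    b = entry_array_blocks(num_entries, entry_size)
    lay = gpt_layout(n, b)
    fields = [GPT_SIGNATURE, 0x00010000, GPT_HEADER_SIZE, 0, 0,
              1, n - 1, lay["partition_data"][0], lay["partition_data"][1],
              b"\x11" * 16, 2, num_entries, entry_size, 0]
    # The header CRC is computed with its own field zeroed, then filled in.
    fields[3] = zlib.crc32(struct.pack(GPT_HEADER_FMT, *fields)) & 0xFFFFFFFF
    return struct.pack(GPT_HEADER_FMT, *fields).ljust(BLOCK_SIZE, b"\x00")


def parse_gpt_header(block):
    """Parse block 1. Raises ValueError when the signature or CRC is wrong, so a
    damaged or tampered header is never silently trusted."""
    if len(block) < GPT_HEADER_SIZE:
        raise ValueError("block too short for a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _res, cur, backup, first, last,
     guid, ent_lba, n_ent, ent_size, _ent_crc) = struct.unpack(
        GPT_HEADER_FMT, block[:GPT_HEADER_SIZE])
    if sig != GPT_SIGNATURE:
        raise ValueError("missing EFI PART signature")
    zeroed = block[:16] + b"\x00" * 4 + block[20:hdr_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("header CRC32 mismatch")
    return {
        "current_lba": cur, "backup_lba": backup,
        "first_usable": first, "last_usable": last,
        "disk_guid": guid.hex(), "entries_lba": ent_lba,
        "num_entries": n_ent, "entry_size": ent_size,
        "entry_array_blocks": entry_array_blocks(n_ent, ent_size),
    }


def header_is_valid(block):
    try:
        parse_gpt_header(block)
        return True
    except ValueError:
        return False


def layout_matches_header(n, hdr):
    """Check a parsed header against the table's formulas for an n-block disk."""
    lay = gpt_layout(n, hdr["entry_array_blocks"])
    return (hdr["backup_lba"] == lay["backup_header"][0]
            and hdr["entries_lba"] == lay["primary_entries"][0]
            and (hdr["first_usable"], hdr["last_usable"]) == lay["partition_data"])


if __name__ == "__main__":
    hdr = parse_gpt_header(build_gpt_header(2048))
    print(hdr, layout_matches_header(2048, hdr))
```

With 128 entries of 128 bytes, b is 32, so the first usable block is 34 and, on a 2048-block sample disk, the last usable block is 2014; a header whose values disagree with these formulas, or whose CRC fails, is a sign that the table was damaged or edited and that the backup header at block n-1 should be read and compared.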
  11. GUID Partition Table (cont’d)
     Figure: GUID Partition Table
  12. Mac OS X File System
     Mac OS X supports a variety of file systems and volume formats, such as:
     • HFS – Mac OS Standard file system. Standard Macintosh file system for older versions of Mac OS
     • HFS Plus – Mac OS Extended file system. Standard Macintosh file system for Mac OS X
     • UFS – Unix File System. A variant of the BSD “Fast File System”
     • WebDAV – Used for directly accessing files on the web
     • UDF – Universal Disk Format. The standard file system for all forms of DVD media and some writable CD formats
     • FAT – The MS-DOS file system, with 16- and 32-bit variants
     • SMB/CIFS – Used for sharing files with Microsoft Windows SMB file servers
     • AFP – AppleTalk Filing Protocol. The primary network file system for all versions of Mac OS
     • NFS – Network File System. A commonly used BSD file sharing standard. Mac OS X supports NFSv2 and NFSv3 over TCP and UDP
     • FTP – A file system wrapper for the standard Internet File Transfer Protocol
  13. HFS+ File System
     The major components of the HFS+ file system are:
     • Volume header – contains file system attributes, such as the version and the allocation block size, and information to locate the metadata files
     • Allocation file – tracks the usage status of the allocation blocks
     • Catalog file – contains the majority of file and folder metadata
     • Extents overflow file – contains additional extent records for files composed of more fragments than can be recorded in the catalog file
     • Attributes file – extensible metadata; used for features such as access control lists and Time Machine
     • Journal file – allocated as a contiguous set of blocks on the file system
  14. HFS+ File System (Cont’d)
     Figure: HFS+ File System (volume layout: Reserved (1024 bytes), Volume Header, Allocation File, Extents Overflow File, Catalog File, Attributes File, Startup File, File Data or Free Space, Alternate Volume Header, Reserved (512 bytes))
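The volume header is the first thing an examiner reads from an HFS+ image, because it carries the allocation block size, the volume size, the file and folder counts, the journaled/unmounted flags and four timestamps. The Python below is an added example, not code from the EC-Council slides: it constructs a sample image prefix (1024 reserved bytes followed by a volume header, with made-up counts and dates) and parses the leading fields of the header as laid out in Apple's HFS Plus volume format. One caveat it encodes: HFS+ timestamps count seconds from 1904, and createDate is stored in local time while the other three dates are UTC, so the parser returns createDate without a time zone.

```python
import struct
from datetime import datetime, timedelta, timezone

HFSPLUS_HEADER_OFFSET = 1024          # header follows the 1024 reserved bytes
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
# First 52 bytes of HFSPlusVolumeHeader, big-endian: signature, version,
# attributes, lastMountedVersion, journalInfoBlock, createDate, modifyDate,
# backupDate, checkedDate, fileCount, folderCount, blockSize, totalBlocks,
# freeBlocks.
VH_FMT = ">2sH" + "I" * 12
VH_SIZE = struct.calcsize(VH_FMT)     # 52
ATTR_UNMOUNTED = 1 << 8               # kHFSVolumeUnmountedBit: cleanly unmounted
ATTR_JOURNALED = 1 << 13              # kHFSVolumeJournaledBit


def datetime_to_hfs(dt):
    return int((dt - HFS_EPOCH).total_seconds())


def hfs_to_datetime(secs):
    """HFS+ dates are unsigned seconds since 1904-01-01 00:00:00."""
    return HFS_EPOCH + timedelta(seconds=secs)


def build_sample_volume(block_size=4096, total_blocks=262144, free_blocks=1000,
                        modify_iso="2008-01-02T00:00:00+00:00", journaled=True):
    """Constructed image prefix: reserved bytes plus a volume header with sample
    counts and dates. Not taken from a real disk."""
    attrs = ATTR_UNMOUNTED | (ATTR_JOURNALED if journaled else 0)
    stamp = datetime_to_hfs(datetime.fromisoformat(modify_iso))
    header = struct.pack(VH_FMT, b"H+", 4, attrs, 0x31302E30, 0,
                         stamp, stamp, 0, stamp, 1200, 300,
                         block_size, total_blocks, free_blocks)
    return b"\x00" * HFSPLUS_HEADER_OFFSET + header.ljust(512, b"\x00")


def parse_volume_header(image):
    """Read the primary volume header at byte 1024 and return the fields an
    examiner records first. Raises ValueError if the 'H+' signature is absent."""
    raw = image[HFSPLUS_HEADER_OFFSET:HFSPLUS_HEADER_OFFSET + VH_SIZE]
    if len(raw) < VH_SIZE:
        raise ValueError("image too short for a volume header")
    (sig, version, attrs, _lastmount, journal_blk, create, modify, backup,
     checked, files, folders, block_size, total, free) = struct.unpack(VH_FMT, raw)
    if sig != b"H+":
        raise ValueError("not an HFS Plus volume header (signature %r)" % sig)
    return {
        "version": version,
        "journaled": bool(attrs & ATTR_JOURNALED),
        "clean_unmount": bool(attrs & ATTR_UNMOUNTED),
        "journal_info_block": journal_blk,
        # createDate is local time on HFS+; keep it naive rather than mislabel it UTC
        "create_date_local": hfs_to_datetime(create).replace(tzinfo=None),
        "modify_date": hfs_to_datetime(modify),
        "backup_date": hfs_to_datetime(backup),
        "checked_date": hfs_to_datetime(checked),
        "file_count": files,
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total,
        "free_blocks": free,
        "volume_bytes": block_size * total,
    }


def is_hfsplus(image):
    try:
        parse_volume_header(image)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in parse_volume_header(build_sample_volume()).items():
        print("%-20s %s" % (key, value))
```

A backupDate of zero (the 1904 epoch) is common and simply means the volume was never backed up, which is why the sample leaves it at zero; the alternate volume header described on the slide sits 1024 bytes before the end of the volume and can be parsed with the same function by slicing the image at that offset.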
  15. Mac OS X Directory Structure
     The ls command is used to list the directories.
     The following are the directories in Mac OS X:
     • /Applications – This is where your Mac’s applications are kept
     • /System – System-related files, libraries, and preferences critical for the proper functioning of Mac OS X
     • /Library – Shared libraries and files necessary for the operating system to function properly, including settings, preferences, and other necessities
     • /Network – Contains information about network-related devices, servers, libraries, etc.
     • /Users – All user accounts on the machine and their accompanying unique files and settings
     • /Volumes – Mounted devices and volumes, either virtual or real, such as hard disks, CDs, DVDs, and DMG mounts
  16. Mac OS X Directory Structure (cont’d)
     • /bin – Essential common binaries; holds files and programs needed to boot the operating system
     • /etc – Machine-local system configuration; holds administrative, configuration, and other system files
     • /usr – Second major hierarchy; includes subdirectories that contain information, configuration files, and other essentials used by the operating system
     • /sbin – Essential system binaries; contains utilities for system administration
     • /tmp – Temporary files, caches, etc.
     • /var – Variable data; contains files whose contents change as the operating system runs
  17. Mac Security Architecture Overview
     Mac OS X security is built on the following two standards:
     • Berkeley Software Distribution (BSD) – provides fundamental services, such as the basis for the Mac OS X file system, including file access permissions
     • Common Data Security Architecture (CDSA) – provides a wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secured data storage
  18. Screenshot: Mac Security Architecture
     Figure: Mac Security Architecture
     BSD: Berkeley Software Distribution; CDSA: Common Data Security Architecture; API: application programming interface
  19. Mac Forensics: Collecting Evidence
  20. Pre-requisites for Mac Forensics
     The pre-requisites for Mac forensics are:
     • Macintosh OS X-based laptop for mobile forensics
     • Macintosh OS X-based desktop for laboratory forensics
     • Mac OS X with the Xcode tools installed
     • FireWire cable with the appropriate adapters
     • USB flash drive, minimum of 1 GB in size
     • Examination Notes information sheet
  21. Obtaining System Date and Time
     Steps to obtain the date and time if the system is on and has no Open Firmware Password or has single-user mode disabled:
     • Press the power button to start the computer
     • Immediately press and hold the Command (Apple) key and the "s" key to go to single-user mode
     • Type "date" at the prompt near the bottom of the screen and press Return
     Steps to obtain the date and time if the system is running:
     • Open Date & Time preferences
     • Take a screenshot of the time and date setting
     • Check the “time zone” selected and take a screenshot
  22. Date and Time Preferences
  23. Single User Mode
     Single User Mode provides “root” user privilege.
     The following commands can be used for safe information gathering in Single User Mode:
     • date: Returns the date with the current time zone applied
     • date -u: Returns the date in UTC
     • hdiutil partition /dev/disk0: Returns the partition table of the boot drive
     • hdiutil pmap2 /dev/disk0: Returns additional partition table information for the boot drive
     • ls /dev/disk?: Lists the current device files in use for installed disks
     • system_profiler SPHardwareDataType: Returns Macintosh hardware info
     • system_profiler SPSoftwareDataType: Returns operating system info
     • system_profiler SPParallelATADataType: Returns info on ATA devices
     • system_profiler SPHardwareRAIDDataType: Returns info on hardware RAID
     • system_profiler SPMemoryDataType: Returns info on installed memory
     • system_profiler ParallelSCSIDataType: Returns info on SCSI devices
     • system_profiler SPSASDataType: Returns info on SAS devices
     • system_profiler SPSerialATADataType: Returns info on SATA devices
  24. Determining and Resetting the Open Firmware Password
     First determine whether an Open Firmware Password is used:
     • Press the Power button and immediately hold down the Option key
     • A password dialog confirms the use of an Open Firmware Password
     Resetting the password:
     • The Open Firmware Password will be reset if a user changes the amount of physical memory in the machine and reboots
     Note: Resetting the password will reset the system clock.
  25. Checking Plist Files
     User settings are stored in plist (Property List format) files.
     The Property List Editor utility reveals the data contained within plist files.
     The following are miscellaneous plist files:
     • /System/Library/CoreServices/SystemVersion.plist – Contains the current version of the installed operating system
     • /private/var/log/OSInstall.custom – Contains the date and time the operating system was first installed (completion time, not start time)
     • /private/etc/hosts – Contains defined IP addresses and the associated names
  26. Gathering Network Setting Information from Plist Files
     • /Library/Preferences/com.apple.alf.plist – Firewall settings
     • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist – AirPort (wireless) settings
     • /Library/Preferences/SystemConfiguration/com.apple.nat.plist – Internet Sharing settings
     • /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist – Historical network TCP/IP assignments with timestamps
     • /Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist – Onboard interfaces
     • /Library/Preferences/SystemConfiguration/com.apple.preferences.plist – Network configuration for each interface
  27. Collect User Home Directory Information
     Each time a user is added to the computer, Mac OS X creates a new folder named after that user, called the "Home directory".
     The Users folder on the Mac OS X disk stores the Home directories of all of the computer's users.
     Major folders in users’ Home directories:
     • Desktop – Contains all of the items that are seen on the user's desktop
     • Documents – Typically contains user data files such as Pages, Keynote, MS Word, and other types of files
     • Limewire – Created by the Limewire application; by default, it stores shared files and downloaded files
     • Incomplete – Created by Limewire; contains files that have not yet been successfully downloaded to this user's account
     • Library – Contains logs, preferences, browser history, recent files, etc.
  28. Collect User Home Directory Information (cont’d)
     Major folders in users’ Home directories:
     • Magazines – Used by the Zinio Reader application for electronic magazines
     • Movies – Contains iDVD movie data, QuickTime files, and other digital video material
     • Music – Contains a user's iTunes library and other digital music material such as MP3 files
     • Pictures – Contains a user's digital photo collection, such as the iPhoto library
     • Public – A "drop box" where other users have permission to place files and read files, but not delete files
     • Sites – If a WWW server such as the built-in Apache web server is active, users can host their website from this directory
     Figure: User Home Directory
  29. Forensic Information in the User’s Library Folder
     The user Library folder contains information such as user-specific drivers, fonts, settings, and system add-ons.
     It also gives information about the browser’s history, webpage cache, email remnants, email attachments, and indexes.
     The following are some of the folders in the user Library folder:
     • Application Support
     • Automator
     • Caches
     • Cookies
     • Favorites
     • Logs
     • Mail and Mail Downloads
     • Phones
     • Recent Servers
     • Safari
  30. Forensic Information in the User’s Library Folder (cont’d)
     • Application Support – Includes information about installed applications, and may show usage information
     • Automator – User-specific actions such as file copying, server connections, and other actions a user wants to automate are stored here
     • Caches – Includes information on application usage, web sites visited, buddy lists, and downloaded files
     • Cookies – Used by Safari and other web browsers for the cookies of various websites
     • Favorites – Shows other network resources that the user considered important enough to be able to return to easily
  31. Forensic Information in the User’s Library Folder (cont’d)
     • Logs – This folder contains log files for many applications and usage information
     • Mail and Mail Downloads – These folders contain email and files that were attached to emails received under this account
     • Phones – This folder contains information on cell phones that have been connected to this computer under this account
     • Recent Servers – This folder contains information on servers that have recently been connected to, including AFP and FTP sites
     • Safari – This folder contains vital information on Safari’s usage, including bookmarks and history
  32. Collect User Accounts Information
     Check the non-admin and admin accounts to verify any additional user privileges or restrictions.
     The following table shows the access provided to user accounts:
     • Guest non-administrator – Restricted user access (disabled by default)
     • Standard non-administrator – Non-privileged user access
     • Managed non-administrator – Restricted user access
     • Administrator – Full computer configuration administration
     • System administrator (root) – Unrestricted access to the computer
  33. User IDs
     Every user account has a user ID, which is a number that uniquely identifies the user.
     The user ID is a unique string of digits between 500 and 2,147,483,648.
     Use the user ID to track a user’s folder and file ownership.
     One user ID is reserved for the root user, and user IDs below 100 are reserved for the system’s use.
  34. Gathering User Information from Plist Files
     • /Library/Preferences/com.apple.loginwindow.plist – Auto-login user and last login user
     • /Users/username/Library/Preferences/loginwindow.plist – User auto-launch items
     • /Library/Preferences/com.apple.preferences.accounts.plist – Deleted users
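The plist files listed on this slide and on slide 25 are read most reliably with a parser rather than by eye, because Mac OS X often rewrites preference files in binary plist form, which the Property List Editor shows but a text search will miss. The Python below is an added example and not part of the EC-Council slides. It embeds two constructed plists shaped like com.apple.loginwindow.plist and com.apple.preferences.accounts.plist, extracts the auto-login and last-login users and the deleted-account entries with their deletion timestamps, and shows that the same code reads the binary encoding. The key names used (autoLoginUser, lastUserName, deletedUsers with name, uid and date fields) are assumptions for the example and should be confirmed against the files on the system under examination.

```python
import plistlib

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
              b'<plist version="1.0">\n')

# Constructed sample shaped like /Library/Preferences/com.apple.loginwindow.plist
# (key names assumed for this example).
LOGINWINDOW_PLIST = PLIST_HEAD + b"""<dict>
    <key>autoLoginUser</key>
    <string>dogcow</string>
    <key>lastUserName</key>
    <string>clarus</string>
</dict>
</plist>
"""

# Constructed sample shaped like com.apple.preferences.accounts.plist
# (key names assumed for this example).
ACCOUNTS_PLIST = PLIST_HEAD + b"""<dict>
    <key>deletedUsers</key>
    <array>
        <dict>
            <key>name</key><string>tempuser</string>
            <key>uid</key><integer>503</integer>
            <key>date</key><date>2008-03-04T09:00:00Z</date>
        </dict>
        <dict>
            <key>name</key><string>contractor</string>
            <key>uid</key><integer>502</integer>
            <key>date</key><date>2008-03-01T10:15:00Z</date>
        </dict>
    </array>
</dict>
</plist>
"""


def load_plist(data):
    """plistlib.loads detects XML and binary plists, so one reader covers both."""
    return plistlib.loads(data)


def to_binary(data):
    """Re-encode an XML plist as a binary plist, as the OS itself may do."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_BINARY)


def login_window_info(data):
    p = load_plist(data)
    return {"auto_login_user": p.get("autoLoginUser"),
            "last_login_user": p.get("lastUserName")}


def deleted_users(data):
    """Return (name, uid, deletion time as ISO text) per deleted account,
    oldest first, ready to be placed on the examination timeline."""
    p = load_plist(data)
    rows = [(u.get("name"), u.get("uid"), u.get("date"))
            for u in p.get("deletedUsers", [])]
    rows.sort(key=lambda r: r[2])
    return [(name, uid, when.isoformat()) for name, uid, when in rows]


def uid_band(uid):
    """Classify a user ID by the ranges given on the User IDs slide."""
    if uid < 100:
        return "system"
    if 500 <= uid <= 2147483648:
        return "user"
    return "other"


if __name__ == "__main__":
    print(login_window_info(LOGINWINDOW_PLIST))
    for name, uid, when in deleted_users(ACCOUNTS_PLIST):
        print(name, uid, uid_band(uid), when)
```

Dates in XML plists are UTC (the trailing Z), and plistlib returns them as naive datetimes, so the timestamps above are UTC and need the time-zone setting recorded on slide 21 before they are compared with local-time artifacts.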
  35. Use Spotlight for Keyword Search
     Mac OS X features the Spotlight search technology, which allows you to find things on the Mac instantly.
     Spotlight will index and search the following locations:
     • The Documents, Movies, Music, and Pictures folders
     • The Trash of all users and each mounted volume
     • ~/Library/Metadata/
     • ~/Library/Caches/Metadata/
     • ~/Library/Mail/
     • ~/Library/Caches/com.apple.AddressBook/Metadata/
     • ~/Library/PreferencePanes/
     Spotlight also searches these non-Home folder locations by default:
     • /Library/PreferencePanes/
     • /System/Library/PreferencePanes/
     • /Applications
  36. Collecting Information Regarding Parental Controls for a Local Account
     Users are limited by using the Parental Controls preferences.
     Parental Control preferences:
     • Open System Preferences, then click Accounts, and collect the setting information
     • Click the System tab and check the “Simple Finder” setting
     • Click the Content tab and check the settings to:
       • Limit access to adult websites automatically
       • Always allow these sites
       • Never allow these sites
     • Click the Mail & iChat tab and check the settings to:
       • Only allow emailing and instant messaging
       • Send permission request
     • Click the Time Limits tab and check the setting
     • Click the Logs tab and check the setting
  37. Parental Controls: Screenshot
  38. File Vault and Mac OS X Security
     • FileVault is the security technology available in Mac OS X to secure a user's home directory
     • It encrypts the user's home directory using 128-bit AES encryption into a sparse image DMG file
     FileVault Preference Pane:
     Figure: File vault preference pane
  39. Cracking the File Vault
     Crack the protection password to access the FileVault-encrypted Home directory.
     Cracking methods that can be used:
     • Brute force
     • Dictionary attack
     • Hybrid attack (brute force with a dictionary attack)
     Tools:
     • John the Ripper
     • THC Hydra
     • crowbarDMG
     • Mac Marshal
     • MacLockPick II
  40. POSIX Permissions
     The Portable Operating System Interface (POSIX) controls access to files and folders.
     Check the types of standard POSIX permissions given to each user or group.
     POSIX provides four types of permission:
     • Read & Write
     • Read Only
     • Write Only
     • None
  41. Viewing POSIX Permissions
     POSIX access permissions can be assigned to the following categories of users:
     • Owner – the user who creates an item; has Read & Write permissions
     • Group – users who need the same access to files and folders are placed into group accounts
     • Everyone – anyone who can log in to the file server
     Steps to view the current permission settings:
     • Open Terminal
     • Run the ls command:
       $ ls -l
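The ten-character field at the start of each ls -l line encodes the file type and the owner, group and everyone permission triplets, and POSIX applies exactly one of those triplets to a given user. The Python below is an added example, not code from the EC-Council slides: it converts between st_mode bits and the ls -l text in both directions (including the setuid, setgid and sticky columns), reduces a mode to the four-way summary used on slide 40 for a given user ID and group list, and reviews a constructed ls -l listing for setuid binaries, world-writable files and entries that carry an ACL. The trailing '+' (ACL present) and '@' (extended attributes) that Mac OS X appends to the mode field are handled, since an ACL can grant more than the POSIX bits show.

```python
import stat

TYPE_CHARS = {stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFREG: "-",
              stat.S_IFCHR: "c", stat.S_IFBLK: "b", stat.S_IFIFO: "p",
              stat.S_IFSOCK: "s"}
CHAR_TYPES = {v: k for k, v in TYPE_CHARS.items()}

# Constructed ls -l output, not captured from a real system.
SAMPLE_LS_OUTPUT = """\
drwxr-xr-x+  5 dogcow  staff   170 Mar  1 10:00 Documents
-rw-------   1 dogcow  staff  2048 Mar  1 10:05 notes.txt
-rwsr-xr-x   1 root    wheel  9216 Feb 10 08:00 setuid_tool
-rw-rw-rw-@  1 clarus  staff   512 Mar  2 11:30 shared.txt
"""


def mode_to_string(mode):
    """Render st_mode as ls -l does, e.g. 0o100644 -> '-rw-r--r--'."""
    out = [TYPE_CHARS.get(stat.S_IFMT(mode), "?")]
    for i, ch in enumerate("rwxrwxrwx"):
        out.append(ch if mode & (0o400 >> i) else "-")
    if mode & stat.S_ISUID:
        out[3] = "s" if out[3] == "x" else "S"
    if mode & stat.S_ISGID:
        out[6] = "s" if out[6] == "x" else "S"
    if mode & stat.S_ISVTX:
        out[9] = "t" if out[9] == "x" else "T"
    return "".join(out)


def parse_mode_string(text):
    """Inverse of mode_to_string for the 10-character field of an ls -l line."""
    if len(text) != 10 or text[0] not in CHAR_TYPES:
        raise ValueError("bad mode field: %r" % text)
    mode = CHAR_TYPES[text[0]]
    for i, ch in enumerate(text[1:]):
        if ch in "rwxst":               # lower-case s/t mean the x bit is also set
            mode |= 0o400 >> i
        if i == 2 and ch in "sS":
            mode |= stat.S_ISUID
        elif i == 5 and ch in "sS":
            mode |= stat.S_ISGID
        elif i == 8 and ch in "tT":
            mode |= stat.S_ISVTX
    return mode


def access_class(owner_uid, owner_gid, uid, gids):
    """POSIX applies exactly one class: owner, else group, else everyone."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "everyone"


def effective_permission(mode, owner_uid, owner_gid, uid, gids):
    """The slide's four-way summary for one user, plus the execute bit."""
    cls = access_class(owner_uid, owner_gid, uid, gids)
    bits = (mode >> {"owner": 6, "group": 3, "everyone": 0}[cls]) & 0o7
    label = {(4, 2): "Read & Write", (4, 0): "Read Only",
             (0, 2): "Write Only", (0, 0): "None"}[(bits & 4, bits & 2)]
    return {"class": cls, "permission": label, "execute": bool(bits & 1)}


def parse_ls_line(line):
    """Split one ls -l entry; the mode field may carry a trailing '+' or '@'."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError("not an ls -l entry: %r" % line)
    field, _links, owner, group, _size, _mon, _day, _time, name = parts
    mode = parse_mode_string(field[:10])
    return {"name": name, "owner": owner, "group": group, "mode": mode,
            "setuid": bool(mode & stat.S_ISUID),
            "world_writable": bool(mode & stat.S_IWOTH),
            "has_acl": "+" in field[10:], "has_xattr": "@" in field[10:]}


def review_listing(text):
    return [parse_ls_line(l) for l in text.splitlines() if l.strip()]


def flagged_entries(text):
    """Entries an examiner looks at first: setuid binaries, world-writable
    files, and items whose ACL may widen what the POSIX bits show."""
    return [(e["name"], [k for k in ("setuid", "world_writable", "has_acl") if e[k]])
            for e in review_listing(text)
            if e["setuid"] or e["world_writable"] or e["has_acl"]]


if __name__ == "__main__":
    for name, reasons in flagged_entries(SAMPLE_LS_OUTPUT):
        print(name, reasons)
```

When an entry shows '+', the POSIX summary is a lower bound only; the ACL should be read as described on slide 42 (Get Info in the Finder) before concluding who could reach the file.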
  42. Viewing ACL Permissions
     An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user.
     Each ACE contains the following components:
     • User – owner, group, and other
     • Action – read, write, or execute
     • Permission – allow or deny the action
     Steps to view ACL permissions:
     • Select an object in the Finder
     • Select the menu item File > Get Info, or press Cmd+I
     • Open the Ownership & Permissions section in the information panel
  43. Mac OS X Log Files
     Log files maintain a record of user activity on the system, and a log entry itself may show the crime.
     The Console utility, found in /Applications/Utilities, is used to view the stored logs.
  44. Mac OS X Log Files (cont’d)
     Some of the log files are as follows:
     • /var/log/crashreporter.log – Application usage history; information is written here only when an application crashes
     • /var/log/cups/access_log – Printer connection information
     • /var/log/cups/error_log – Printer connection information
     • /var/log/daily.out – Network interface history
     • /var/log/samba/log.nmbd – Samba (Windows-based machine) connection information
     • ~/Library/Logs – Any logs in this area are specific to the user of this Home directory; application-specific logs will be found here
  45. Mac OS X Log Files (cont’d)
     • ~/Library/Logs/DiscRecording.log – Log of CD or DVD media burned using the Finder; this is specific to the user of this Home directory
     • ~/Library/Logs/DiskUtility.log – Log of CD or DVD media burned using the Finder, mount and unmount history of ISO or DMG image files, Permission Repair history, and hard disk partition information
     • ~/Library/Logs/iChatConnectionErrors – Log files here contain information on past iChat connection attempts: data such as username, IP address, and date & time of the attempt
     • ~/Library/Logs/Sync – Log files here contain information on .Mac syncing, mobile devices such as iPods and cell phones, and the date & time of the activities
  46. Locating the iChat Configuration File
     iChat configuration settings are stored in configuration files.
     The iChat components and their corresponding configuration file locations are as follows:
     • jabberd2 (startup script) – /etc/jabberd/jabberd.cfg
     • router (inter-module message routing) – /etc/jabberd/router.xml
     • resolver (domain resolution) – /etc/jabberd/resolver.xml
     • sm (session manager) – /etc/jabberd/sm.xml
     • C2S (client-to-server communications) – /etc/jabberd/c2s.xml
     • S2S (server-to-server communications) – /etc/jabberd/s2s.xml
  47. Checking Instant Messaging Configuration Plist Files
     Check the following plist files for the configuration settings of various instant messaging services:
     • /Library/Preferences/com.apple.iChat.AIM.plist
     • /Library/Preferences/com.apple.iChat.plist
     • /Library/Preferences/com.apple.iChat.SubNet.plist
     • /Users/username/Library/Preferences/com.aol.aim.plist
     • /Users/username/Library/Preferences/com.adiumX.adiumX.plist
     • /Users/username/Library/Preferences/com.apple.iChat.AIM.plist
     • /Users/username/Library/Preferences/com.apple.iChat.plist
     • /Users/username/Library/Preferences/com.apple.SubNet.plist
     • /Users/username/Library/Preferences/com.skype.skype.plist
     • /Users/username/Library/Preferences/com.yahoo.messenger3.plist
     • /Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist
  48. Viewing iChat Logs
     iChat logs are located in the following locations:
     • The iChat service log is located in /var/log/system.log
     • The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log
     • The iChat multiuser conference log is located in /var/jabberd/log/jcr.log
     Steps to view iChat logs:
     • Open Server Admin and connect to the server
     • Click the triangle to the left of the server
     • Click iChat
     • Click Logs and then choose a log from the View pop-up menu
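Several of the logs on slides 44 to 48, /var/log/system.log among them, are written in syslog format, whose timestamps carry month, day and time but no year, so a log that rolled over New Year cannot be ordered without the examiner supplying the year of the newest entry. The Python below is an added example, not code from the EC-Council slides: it parses constructed system.log lines (the host, process names and messages are made up for the example), assigns a year relative to the examination date, drops lines that are not syslog entries, and returns a timeline sorted by time that can be narrowed to the processes of interest, such as the jabberd components on slide 46.

```python
import re
from datetime import datetime

# syslog/system.log entry: "Mon DD HH:MM:SS host process[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed sample lines, not taken from a real system.
SAMPLE_SYSTEM_LOG = """\
Dec 30 23:58:01 macbook loginwindow[211]: USER_PROCESS: 211 console
Jan  2 09:15:42 macbook sudo[5540]:   dogcow : TTY=ttys000 ; PWD=/Users/dogcow ; USER=root ; COMMAND=/bin/sh
Jan  2 09:16:03 macbook kernel[0]: USB device attached
this line is not a syslog entry
Jan  3 18:20:11 macbook jabberd/c2s[911]: [7] connection from 192.0.2.10
"""


def parse_syslog_line(line, exam_year, exam_month):
    """Return a dict with a full datetime, or None if the line does not match.
    Months later than the examination month are taken to belong to the
    previous year (the log rolled over New Year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    month = MONTHS[m["mon"]]
    year = exam_year - 1 if month > exam_month else exam_year
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    return {"timestamp": datetime(year, month, int(m["day"]), hh, mm, ss),
            "host": m["host"],
            "process": m["proc"],
            "pid": int(m["pid"]) if m["pid"] is not None else None,
            "message": m["msg"]}


def build_timeline(text, exam_year, exam_month, processes=None):
    """Sorted events plus the count of lines that could not be parsed, which
    should be reported rather than silently dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_syslog_line(line, exam_year, exam_month)
        if ev is None:
            skipped += 1
            continue
        if processes and not any(ev["process"].startswith(p) for p in processes):
            continue
        events.append(ev)
    events.sort(key=lambda e: e["timestamp"])
    return events, skipped


if __name__ == "__main__":
    timeline, unparsed = build_timeline(SAMPLE_SYSTEM_LOG, 2008, 1)
    for ev in timeline:
        print(ev["timestamp"].isoformat(), ev["process"], ev["message"])
    print("unparsed lines:", unparsed)
```

The year heuristic assumes the log spans less than twelve months; a log that has been rotated should be processed file by file with the examination date adjusted to each file's modification time.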
  49. Gathering Safari Information
     The following files provide important forensic information on browsing activities:
     • /Users/username/Library/Safari/Bookmarks.plist – User's bookmarks
     • /Users/username/Library/Safari/Downloads.plist – Contents of the user's Downloads window in Safari
     • /Users/username/Library/Safari/History.plist – Safari browser history
     • /Users/username/Library/Safari/LastSession.plist – Defines the last browsing session (the window and tabs that were open)
  50. Checking Wi-Fi Support
     To check the Wi-Fi support setting, open the /System/Library/Extensions folder.
     This information will help determine what wireless access the system had.
     Check the following files:
     • AppleAirPort.kext
     • AppleAirPort2.kext
     • AppleAirPortFW.kext
  51. Checking Bluetooth Support
     To check whether the system has Bluetooth support enabled, open the /System/Library/Extensions folder.
     This information provides clues about a Bluetooth attack on the system.
     Check the following files:
     • IOBluetoothFamily.kext
     • IOBluetoothHIDDriver.kext
     Check the /Library/Preferences/com.apple.Bluetooth.plist file to obtain the Bluetooth history.
  52. Gathering Information from Printer Spool (CUPS)
     Browse to the web page http://localhost:631/
  53. Vulnerable Features of Mac
     Hidden Extensions
     • File extensions are kept hidden from the user
     • A Trojan can exploit this to hide its true nature
     Bundle Architecture
     • A bundle is a special folder that allows multiple resources to be contained in one single folder
     • It makes the process of creating a virus easier, since it greatly assists the process of installing multiple executables into one program
     Unprotected Application Folder
     • The programs that a user relies upon are stored unprotected inside a folder called /Applications
     • Common applications running on the system can be modified and replaced with viruses
     Centralized Open Address Book
     • Mac OS X provides an Address Book which contains instant messaging addresses, email addresses, phone numbers, and physical addresses
     • The addresses in the address book can be used for spreading a virus
     • For example, “ILOVEYOU”, the “Love Bug” worm, spread by interrogating users’ contacts and emailing copies of itself
  54. Mac Forensics: Imaging
  55. Imaging a Target Macintosh
     Mac system imaging techniques are as follows:
     • Target Disk Mode
     • LiveCD method
     • Drive Removal
  56. Target Disk Mode
     In Target Disk Mode, the target computer acts as an external FireWire hard drive.
     Steps for a Target Disk Mode acquisition:
     • Turn off Disk Arbitration on your forensic Macintosh
     • Shut down your forensic Macintosh
     • Start the target Macintosh
     • Connect the target Macintosh to your forensic Macintosh through a FireWire cable
     • Boot your forensic Macintosh either to your forensic partition or with Disk Arbitration turned off
     • Enter the Terminal and check for your attached Target Disk Mode Macintosh
  57. Target Disk Mode (cont’d)
     Determine which disk to acquire and create a digital fingerprint of the target device by running an MD5 hash.
     Use the md5 command:
     • md5 /dev/disk0 > /Evidence/targetMacintosh.md5_start
     Use dd to make the acquisition of the raw disk as follows:
     • dd if=/dev/rdisk1 conv=noerror,sync of=/Evidence/targetMacintosh.dd
     Create a second digital fingerprint of the target device to show that nothing has been altered by the dd process:
     • md5 /dev/disk0 > /Evidence/targetMacintosh.md5_end
     Power down your forensic Macintosh.
     Power down the target Macintosh.
     Disconnect the FireWire cable.
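The hash, image, hash sequence on this slide only proves something if the device that is hashed is the very device that is imaged, and if the image is hashed too and compared with both fingerprints. The Python below is an added example, not code from the EC-Council slides: it takes one source path and runs the three steps against it, copying sector by sector with the behaviour of dd conv=noerror,sync (an unreadable sector is written as zeros and counted, a short final read is zero-padded), then reports whether the source was unchanged by the copy and whether the image matches it. The demo uses a constructed 2048-byte file in a temporary directory as the "disk", since no real device is involved; on a raw device the size is a multiple of the sector size, so the image and source hashes agree directly, whereas for an odd-sized file the image is longer because of the padding, which the code handles by hashing only the first source-size bytes of the image.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def hash_file(path, algo="md5", limit=None, chunk=1 << 20):
    """Stream a file or raw device through a digest. md5 matches the slide;
    passing 'sha256' records a stronger second fingerprint beside it."""
    h = hashlib.new(algo)
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            size = chunk if remaining is None else min(chunk, remaining)
            block = f.read(size)
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()


def image_device(src, dst, max_bytes, sector=SECTOR):
    """Sector-by-sector copy of the first max_bytes of src. A sector that raises
    OSError on read is written as zeros and the copy continues; a short final
    read is zero-padded. That is what dd conv=noerror,sync does. Returns the
    number of unreadable sectors so they can be documented."""
    bad = 0
    offset = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while offset < max_bytes:
            fin.seek(offset)
            try:
                data = fin.read(sector)
            except OSError:
                data = b"\x00" * sector
                bad += 1
            if not data:
                break
            if len(data) < sector:
                data = data.ljust(sector, b"\x00")
            fout.write(data)
            offset += sector
    return bad


def acquire(src, dst, algo="md5", source_size=None):
    """The slide's sequence: fingerprint the source, image it, fingerprint the
    source again, then fingerprint the image and compare all three."""
    if source_size is None:
        source_size = os.path.getsize(src)   # for a raw device pass the size explicitly
    before = hash_file(src, algo)
    bad = image_device(src, dst, source_size)
    after = hash_file(src, algo)
    image = hash_file(dst, algo, limit=source_size)
    return {"hash_start": before, "hash_end": after, "image_hash": image,
            "bad_sectors": bad, "image_bytes": os.path.getsize(dst),
            "source_unchanged": before == after,
            "image_matches_source": image == before}


def demo(size=2048):
    """Constructed sample 'disk' of the given size in a temp dir, not a device."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "disk.bin")
        dst = os.path.join(tmp, "disk.dd")
        with open(src, "wb") as f:
            f.write((bytes(range(256)) * 8)[:size])
        return acquire(src, dst)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Both md5 outputs and the image hash belong in the examination notes together with the bad-sector count; a non-zero count explains in advance why a later hash of the original media might differ from the image.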
  58. 58. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited LiveCD Method LiveCD method involves booting the target Macintosh with a known, forensically sound CD It can include a custom tailored Linux distribution such as Helix, SMART, or a Knoppix variant A LiveCD method for acquisition of a Macintosh is sometimes the preferred method
  59. 59. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Drive Removal Physical drive removal is the complicated part of a Macintosh examination Use a physical write blocking device for the acquisition Once the disk drive is physically write-blocked, an imaging process can begin with the help of any tool Possible failures of this system: • Bad cable between the drive and the physical write blocking device • Bad cable from the physical write blocking device to the forensic computer • Imaging tool that does not recognize the file system of the target Macintosh
  60. 60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Acquiring the Encrypted User Home Directory While copying Encrypted User Home Directory file, set the "Locked" property in the window • This will prevent the file from any further changes Steps to successfully acquire Encrypted User Home Directory: • Open a shell in the terminal with root privileges • Example "sudo sh" • Copy the file from its present location to your Evidence Collection directory • Example "cp /Users/dogcow/dogcow.sparseimage /Evidence" • Take ownership of the file • Example "chown yourusername /Evidence/dogcow.sparseimage" • Set the Locked flag to prevent any changes to this file • Example "chflags uchg /Evidence/dogcow.sparseimage”
61. .Mac and Related Evidence
.Mac is an Internet resource; its features include email, web site hosting, and iDisk storage of files
A user may store files here, including Backup files, Address Book entries, Safari bookmarks, and Quicken data
Figure: Mac plist Window
62. Quick View Plus
The Quick View Plus tool supports information created in Windows, Macintosh, Internet, and DOS formats
It helps to access information from sources such as e-mail attachments, the Web, and legacy document stores
Features:
• It maintains the formatting of the original documents
• It integrates with the latest browser and e-mail applications
• All or a portion of any viewed file can be copied and then pasted into an application
• Data can be transferred between Windows, Macintosh, and DOS word processing and presentation programs
63. Cover Flow
Cover Flow is a three-dimensional graphical user interface that lets users visually browse files and a digital media library
Figure: Cover Flow
64. Customizing Cover Flow: Screenshot
Figure: Customizing Cover Flow
65. Mac Forensic Tools
66. gpart
gpart ignores the primary partition table and scans the disk (or a disk image file) for several file system and partition types
It does this by comparing sequences of sectors with the known beginning of each file system or partition type
67. gpart (cont’d)
File systems known to gpart:
File system   Description
beos          BeOS filesystem type
bsddl         FreeBSD/NetBSD/386BSD disklabel sub-partitioning scheme used on Intel platforms
ext2          Linux second extended filesystem
fat           MS-DOS FAT12/16/32 "filesystems"
hpfs          IBM OS/2 High Performance filesystem
hmlvm         Linux LVM physical volumes
lswap         Linux swap partitions
minix         The Minix operating system filesystem type
ntfs          MS Windows NT filesystem
qnx4          QNX 4.x filesystem
rfs           The Reiser filesystem (version 3.5.X, X > 11)
68. MacLockPick
MacLockPick reads the system's settings files to recover contacts, activities, and history
It extracts the data and saves it to its own flash drive
It can be used to extract:
• Internet login passwords, WiFi, and AppleShare
• File and folder details such as creation, modification, and most recent access dates
• Instant messaging details
• Email account details
• Web history and preferences
• Hardware preferences
69. File Juicer
File Juicer finds and extracts images, video, audio, or text from files
It saves the images in their original format
It finds and extracts the following file types:
• JPEG
• PNG
• GIF
• PDF
• BMP
• WMF
• EMF
• PICT
• MOV
• MP4
• MP3
70. File Juicer: Screenshot
Source: http://www.macupdate.com/images/screens/uploaded/16101_scr.png
71. MacAnalysis
MacAnalysis is a security auditing/cracker prevention application
It can perform the following functions:
• Reverse IP
• Port Scan
• Services Scan
• Name Scan
• OS Fingerprinting
• POP3/SMTP/FTP Brute Force
• Network Info
• IP Monitoring
• DUP Broadcast Scanning
• Telnet client
• Buffer Overflow
72. MacAnalysis: Screenshot
73. MacQuisition
MacQuisition is a forensic acquisition tool used to safely and easily image Mac source drives using the source system
Features:
• Easily identify the source device
• Configure the destination location
• Image directly over the network
• Use the command line
• Log case, exhibit, and evidence tracking numbers and notes
• Automatically generate MD5, SHA-1, and SHA-256 hashes
74. MacQuisition Steps
Step 1: Source Identification
Step 3: Case Information
75. MacQuisition Steps (cont’d)
Step 5: Imaging/Status Information
76. FTK Imager
FTK Imager is used for:
• Making an exact copy of a drive or folder
• Taking an MD5 or SHA-1 digital signature of a drive or file
• Determining properties of drives, folders, or files
• Viewing files
77. Mac Forensic Tools
dd_rescue images drives or files from the attacked system and continues past bad sectors or other read errors while imaging
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files
78. Mac Forensic Tools (cont’d)
Foremost recovers files based on their headers, footers, and internal data structures; it can work on image files, such as those generated by dd or EnCase, or directly on a drive
Mac Forensic Lab acquires a bit-by-bit replica of the original media while maximizing data recovery, even with corrupted media; forensic images are created with integrated segmenting and granular hashing
The LinkMASSter tool with the ‘Forensic Mac Acquisition’ option allows data to be acquired from an unopened Mac computer through 1394B or USB ports
79. Summary
Mac OS consists of unique file systems and applications
HFS+ and HFS are the two file systems found on Macintosh
Open Firmware Password helps to physically secure the computer
Disk Arbitration needs to be enabled for Disk Utility to function
The home directory is the area to find all of the evidence for any case, barring system-wide log and settings files
