A false digital alibi on Mac OS X

A false digital alibi on Mac OS X
Challange and solutions

Dario Di Nucci
Fabio Palomba
Stefano Ricchiuti

University of Salerno
domenica 15 luglio 12

Focusing on Mac OS X
Mac OS X & Forensic: how and what?

A case study
- Developing the false digital alibi
- A post-mortem digital forensic

Evaluation of the work
Is realistic a false digital alibi on a Mac OS X?


r3 s
pte esi
ha th
C e
th
Focusing on Mac OS X
in


Use of BTree
Journaling

Max File Dim 263
Max Folde r Dim 231

Hierarchical File System +

Disk utility
Manager of all ﬁle systems in
your Mac
Complete information
retrieving on all disks
Improve stability and
performance
Runnable from live
boot
First AID
Fix the ﬁle system errors

Prevent errors

Disk Utility

....What is right,
what is wrong...

Mac apps

XTS - AES 128 bit Cryptography

User Password: Cr ypt and Decrypt
Disk

Master Password: For System
recovering

File Vault

All action on ﬁles (deleted,
modiﬁed, moved) are recorded on
external disk

The actions are revertable!

Huge impact on Digital
Forensic

Time Machine

Why analyze these?

Create false digital evidences is possible!

How?
Construct a false digital alibi using
built-in software


A false digital alibi: how to...

AppleScript

“AppleScript is a scripting language that
makes possible direct control of scriptable
applications and of many parts of the Mac
OS. With scriptable applications, users can
write scripts to automate operations.”

[https://developer.apple.com]


Example...

tell application "Finder" to quit

display dialog "Mostra Files nascosti..." buttons {"Si", "No", "Annulla"}
default button 3
copy the result as list to {buttonpressed}

try
if the buttonpressed is "No" then do shell script ¬
"defaults write com.apple.finder AppleShowAllFiles OFF"
if the buttonpressed is "Si" then do shell script ¬
"defaults write com.apple.finder AppleShowAllFiles ON"
end try

tell application "Finder" to launch


Automator

“Automator is your personal automation
assistant, making it easy for you to do more,
and with less hassle.With Automator, you use
a simple drag-and-drop process to create and
run “automation recipes” that perform simple
or complex tasks for you, when and where you
need them.”

[http://support.apple.com]


Simple to learn and use
Direct control on Mac OS X

REJ
ACC V ECT
E PT S

Actions via Drag & Drop
What about translation?

Automator or AppleScript?

r4 s
pte esi
ha th
C e
in th

A case study


.B
-4
4.A sis
raph the
rag the
Pa in

th e
lo pi ng
D e ve a lib i
ig it al
ls e d
fa


Best practices

Software built-in is better!

Automatism habits-based

Needs to clean all traces!
No stupid error!

Automatism setup

The automatism activator

Manager of the actions of
delection of traces and
scheduling

The false digital alibi maker

Automatism setup - Structural Decomposition


How to develop these modules?

Develop the Simulator before
the others modules allows us to
understand which are the traces
to cover

Bottom-up

Automatism setup - Structural Decomposition


The Simulator module

am
0 0
9.
at
am
. 00
10
at

m
.0 0 a
2
a t 1

at 15.00 p
m

AppleScript at work

AppleScript at work

thi
s is t
he
mod simu
ule lato
! r

AppleScript as app

The Wiper/Scheduler module

How retrieve traces of the automation?


Manual execution -> State t1

Launch automatism -> State t2

Find of the accessed and modiﬁed ﬁles in t1 e t2

Retrieve differences between t1 and t2

Double execution

/System/Library/Components/AppleScript.component
/System/Library/Components/AppleScript.component/Contents
/System/Library/Components/AppleScript.component/Contents/Resources
/System/Library/Components/AppleScript.component/Contents/Resources/
Italian.lproj
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/Applications/Utilities/AppleScript Editor.app/Contents/Resources/
ScriptEditor.help/Contents/Resources
/Applications/Utilities/AppleScript Editor.app/Contents/Resources/
ScriptEditor.help/Contents/Resources/Italian.lproj

find / -amin -3 > accessedFiles.txt

Anomalies in accessed ﬁles

/private/var/log/asl/AUX.2012.06.04
/private/var/log/asl/AUX.2012.06.04/3793
/private/var/log/DiagnosticMessages/2012.06.04.asl
/private/var/log/DiagnosticMessages/StoreData
/private/var/log/opendirectoryd.log
/private/var/log/secure.log/private/var/log/system.log

find / -mmin -3 > modifiedFiles.txt

Anomalies in modiﬁed ﬁles

How remove this traces?


Via software

The software must delete itself!

Interpreted language!

Removing traces

Python

Interpreted language!

Very simple for complex jobs!

Removing traces

Retrieve the last access dates of a os.path.getatime(%PATH)
resource before running the automation

Run automation (Simulator module)

Roll-back last access time after the
touch -c -t -%TIME -%PATH
execution of the script

Removing traces

Compiling Python ﬁles...why?

Introduction of indirect traces!

Cannot clean its own traces!

A stand-alone app doesn’t leave traces,
AT ALL!

Removing traces

Compiling Python ﬁles...how?

curl -O http://peak.telecommunity.com/dist/ez_setup.py

sudo python ez_setup.py -U setuptools
thi
sudo easy_install -U py2app
s isMyApplication.py
S--make-setup t
py2applet C
H py2app -A he
python setup.pyE
DUL
ER WIP
mod ER/
ule
!

Removing traces

And what about the direct traces?


Names of legal apps for the modules
e.g. Wiper/Scheduler = Caffeine.app

Secure deletion of modules and
rename legal apps

Obfuscating direct traces

Names of the apps are not suspect

The apps used in the process are apps really installed
on the laptop!

All references to these apps are legal!

Obfuscating direct traces

The Launcher module

Problem: How launch the procedure?
Wiper/Scheduler module needs
administrator privileges

Solution

A launcher module is needed


Terminal???

It’s not a good idea because
some resources would be touch!

Other resources
Shell resources
Bash History

Launcher module

AppleScript???

AppleScript can leave traces!

Who cleans these traces???

Launcher module

Python, again!

thi
s is
the mpiled Python app, again!
Co
mod laun
ule che
! r
os.system("echo password|sudo -S /Volumes/MYPEN/Anonimus_e-
Mail.app/Contents/MacOS/Anonimus_e-Mail")

Launcher module

Problem
Launcher can’t be deleted while
running!

Launcher Wiper/Scheduler Simulator

callWiperScheduler()
callSimulator()

When the Simulator ends its execution, Wiper/
Scheduler does not delete the Launcher
module because is the Launcher that keep alive
the Wiper/Scheduler!


Solution

Use of threads

ppid=os.getppid()
pid=os.fork()
if pid==0 :
os.kill(pid, signal.SIGKILL)

Launcher Wiper/Scheduler Wiper/Scheduler Simulator

callWiperScheduler()
os.fork() callSimulator()
kill()

Using a thread we create a “good brother” of
Wiper/Scheduler. This allows the “bad brother”
to kill the Launcher module, keeping alive the
good brother and the whole work of the
Wiper/Scheduler module


.log But this operation leave
undesiderable traces in the log ﬁles

host-001 [0x0-0x71071].org.pythonmac.unspecified.Caffeine[1406]:
1410 Killed: 9 | sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/
Contents/MacOS/Anonimus_e-Mail

wifipers3128 sudo[1357]:password : TTY=unknown ; PWD=/Volumes/
MYPEN/Caffeine.app/Contents/Resources ; USER=root ; COMMAND=/
Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail


Copy the log ﬁles before the automatism

T ION
A
T OM
AU

Replace the log ﬁles containing
traces, with the previous one

Solving the problem...

How bring the ﬁles on a laptop?


Get a remote resource - curl command
curl -O http://remote_resources

Use a resource of Dropbox

More possibilities

“When things being equivalent,
a simpler explanation
is better than a more complex one”

Put ﬁles on a pendrive with
non-journaled ﬁle system

Occam’s razor

Summarizing...


Launcher
Caf
fei
ne.
app
Wiper/Scheduler

ano
nim
mai ous_
l.a e-
pp

Simulator
Sni
ffo
mu
cca
. app

...The structure of the process

Automatism apps Legal apps
Caffeine.app + Caffeine.py Caffeine_p.app
SniffoMucca.app SniffoMucca_p.app
Anonimous_e-mail.app + Anonimous_e-mail.py Anonimous_e-mail_p.app

MYPEN Contents - Before

Legal apps
Caffeine.app
SniffoMucca.app
Anonimous_e-mail.app

MYPEN Contents - After

Where can we test the whole process?

Where can we test the procedure?


Virtual Machine: Why?

Come back to another state of disk is
simple

Needed to build and test the false
alibi procedure

Enviroment setup

Virtual Machine: The choise

PARALLELS VMWARE
VIRTUALBOX
DESKTOP FUSION

Creation

Management

License


Virtual Machine: The choise

PARALLELS
ACC
VMWARE
VIRTUALBOX
DESKTOP
EPT
FUSION

Creation

Management

License


Generate an exact duplicate of the
source media under investigation

The destination media MUST BE

al
erased!

g o
Some tools could be used: dd,
dcﬂdd, dc3dd

Enviroment setup

First step

dd if=/dev/zero of=dev/disk bs=512 conv=notrunc

HD 1 HD 2

Enviroment setup

Second step

HD 1

Enviroment setup

Third step

dd if
=/dev
/sda
of=de
v/sdb

HD 1
bs=51
2 con
v=not
runc

HD 2
Enviroment setup

h 4.C
grap hesis
ara he t
P t
in

o rt em
s t -m
A po ns ic
fo re
igit al
d


“The use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence
derived from digital sources for the purpose of facilitating of
furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized action shown to be disruptive to
planned operations.”
[Digital Forensics Research Workshop I - 2001]

The only way for being sure about
the construction on the false
digital alibi is to do a digital
forensic analysis on the hard disk,
on the pendrive and in the log
files!

Digital forensic

We have to search in the log files of Mac OS X
“Mac OS X, iPod, and iPhone Forensic Analysis Toolkit”

secure.log
system.log
.bash_history
Safari resources

Digital forensic - How

We have already talk about the log files

The copy on the pendrive before the
automatism does not allow to have surprises!

Anyways, we used a grep command on the
log filed
grep iAmTheAutomatism7777 /private/var/log/secure.log

grep iAmTheAutomatism7777 /private/var/log/system.log

About log files

.bash_history is an hidden ﬁle located in the user home

Bash History

.bash_history is empty!

The bash histor y ﬁle is never
directly open in the process

All the comands are runned
by Python!

About Bash History

Safari Resources - Cache.db

Cache.db does not contains relevant infos

"#“

! _

_CFURLStringType_CFURLString

_
http://www.google.it/s?hl=it&gs_nf=1&cp=20&gs_id=14&xhr=t&q=Extract%20class
%20Fowler&pf=p&output=search&sclient=psy-ab&oq=&aq=&aqi=&aql=&gs_l=&pbx=1&bav=on.

Safari stores in the cache.db
2,or.r_gc.r_pw.r_qf.,cf.osb&fp=b58bcc71a4fb82fa&biw=1024&bih=674&tch=1&ech=2&psi=hCjgT6eFA
s3usgb5oOTACA.1340090487838.1#Aµê`a¡◊
⁄

all sites visited by users
!VServerContent-Type_

Transfer-EncodingTDate_

We cannot use Safari for X-Frame-Options_

dangerous operations Content-Encoding_

X-XSS-Protection_
Content-Disposition]Cache-ControlWExpiresSgws_
application/json; charset=UTF-8XIdentity_
Tue, 19 Jun 2012 07:21:52 GMTZSAMEORIGINTgzip]1; mode=blockZattachment_
private, max-age=0R-1

n_
__CFURLResponseNullTokenString__
≠≤ƒ◊Í

About Cache.db

Safari History contains only the sites visited by
AppleScript

Safari Resources - History

Are there traces in the hard disk or
on the pendrive?


In the automatism ﬁles we have insert a “signature” of
the automatism...

How search traces of the automatism?

...and we used a grep command on the hard disk and on
the pendrive

grep -ros iAmTheAutomatism7777 ./

grep command does not retrieve any ﬁle with this
string

How search traces of the automatism?

Problem
Launcher, Wiper/Scheduler and
Simulator modules could create some
temporar y ﬁles!

Solution

We have to analyze deleted ﬁles!


Photorec is a data recovery software designed to recover
lost ﬁles from hard disks, pendrive and so on

Deleted ﬁles analysis - How

We launched Photorec on the hard disk and on the
pendrive and we used the grep command

grep -ros iAmTheAutomatism7777 ./

grep command does not retrieve any ﬁle with this
string, again!

Deleted ﬁles analysis

r5 s
pte esi
ha th
C e
in th

future works
c onclusions


Is realistic a false digital alibi on Mac OS X 10.7.3?

Create a false digital alibi is possible!
Remove the traces is possible if you use proper
features of Mac OS X!

Conclusions...

Can we create a false digital alibi using
Automator?

Test the automatism on a real enviroment!

Test the automatism on a different
versions of Mac OS X

...and future works...

Thank you!
Questions and/or comments

Remind the link:
https:// www.dropbox.com/sh/8cfw9b0aembhzd5/mbVMwXBCBR

Dario Di Nucci d.dinucci@studenti.unisa.it
Fabio Palomba f.palomba3@studenti.unisa.it
Stefano Ricchiuti s.ricchiuti@studenti.unisa.it

A false digital alibi on Mac OS X

Recommended

Recommended

More Related Content

Similar to A false digital alibi on Mac OS X

Similar to A false digital alibi on Mac OS X (20)

More from Fabio Palomba

More from Fabio Palomba (7)

Recently uploaded

Recently uploaded (20)

A false digital alibi on Mac OS X