This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.

1. CNIT 152:
Incident
Response
13 Investigating Mac OS X Systems
Updated 12-2-21

2. Topics

3. New: APFS
From wikipedia

4. New: APFS

5. HFS+ and File System
Analysis
• Hierarchical File System features:

6. Nine Structures
1. Boot block
s
2. Volume heade
r
3. Allocation
fi
l
e
4. Extents over
fl
ow
fi
l
e
5. Catalog
fi
l
e
6. Attributes
fi
l
e
7. Startup
fi
l
e
8. Alternate volume heade
r
9. Reserved blocks

8. Nine Structures
1. Boot block
s
• First 1024 bytes of volum
e
• Typically empty on modern system
s
2. Volume Header and Alternate Volume Heade
r
•Located 1024 bytes from the beginning of
the volum
e
•Information about the volume, including the
location of other structures

10. iBored
Disk Editor
for
Mac

11. Mac Timestamps
•All in local tim
e
•HFS+ Volum
e
•Create date, modify date, backup date,
checked dat
e
•Fil
e
•Access, modify, inode change, inode birth
time (
fi
le creation)

12. Stat Command
• Shows all four timestamps on Mac

13. Allocation File
• A bit for
every bloc
k
• 1 = in us
e
• 0 = available

14. Extents Over
fl
ow File
• "Extents" are
contiguous
allocation
blocks

15. Catalog File
• Details hierarchy of
fi
les and folders in the syste
m
• Each
fi
le and folder has a unique catalog node ID
(CNID)

16. Attributes File
• Optiona
l
• Used for named fork
s
• Additional metadata assigned to a
fi
l
e
• Like Microsoft's Alternate Data Stream
s
• Stores origin of
fi
les from the Internet, and tags
like "Green" and "Important"

17. Startup File
• Not used by Mac OS
X
• Usually empty

18. File System Services
• Spotligh
t
• Managed Storage

19. Spotlight

20. Spotlight
• Metadata indexing and searching servic
e
• Indexers examine the content of
fi
les to
fi
nd
keyword
s
• Some index entire content, others only import
metadata

21. Spotlight
• Can be used to search a live syste
m
• Not much use for a static acquisitio
n
• Indexes are deleted when a
fi
le is delete
d
• No tools are available to parse the data stored
by the Spotlight indexer once it's extracted
from a drive image

22. Managed Storage
• New in Mac OS X Lion (10.7
)
• Allows apps to continuously save dat
a
• Uses daemon "revisiond
"
• Saves data on volumes under the "hidden"
directory
• /.DocumentRevisions-V100

23. Capturing db Files
• Copy them to another folde
r
• Originals are in use and won't ope
n
• db.sqlite shows
fi
les used with timestamps

24. • Consider the
fi
le with
fi
le_storage_id 6

25. Generations
• 394 revisions of that
fi
le save
d
• With timestamps and other info
.
• Still the same on Mojave (Dec. 2018)

26. 13a

27. Core Operating System Data

28. File System Layout
• Four domains for data classi
fi
catio
n
• Loca
l
• Syste
m
• Networ
k
• User

29. Local Domain
• Applications and con
fi
gurations that are shared
among all users of a syste
m
• Administrative privileges required to modify
data in this domai
n
• These directories are in the local domain:

30. System Domain
• Data installed by Apple, and a few specialized
low-level utilitie
s
• Most useful domain for intrusion investigations
because it contains the system log
s
• Includes all the traditional Unix structures, all of
which require administrative privileges to
modif
y
• /bin, /usr, /dev, /etc, and so on, also /System

31. Network Domain
• Applications and data stored here is shared
among a network of systems and user
s
• In practice, rarely populated with dat
a
• Located under the /Network directory

32. User Domain
• Primary source of data for most other
investigation
s
• Contains user home directories and a shared
director
y
• All user-created content and con
fi
gurations will
be found under /User
s
• High-privilege and Unix-savvy users may break
this model

33. MacPorts Package Manager
• Lets you add BSD packages to your Ma
c
• Very usefu
l
• Requires command-line developer tool
s
• Link Ch 13b

34. The Local Domain

35. /Applications
• Nearly every installed application is her
e
• Application Bundle
s
• Contain everything an application needs to
run
:
• Executable code, graphics, con
fi
guration
fi
les, libraries, helper applications and scripts

36. Application Bundles
• Finder treats the bundle as a single
fi
l
e
• Most common extensions

37. Inside the Bundle
• Right-click, Show Package Content
s
• Subdirectorie
s
• MacOS, Resources, Library, Frameworks,
PlugIns, SharedSuppor
t
• Developers can put anything in these
directorie
s
• VMware Fusion's Library folder contains
command-line utilities to manage the VMware
hypervisor

38. Console App

39. Package Contents
• Contains additional metadat
a
• Time and date stamps show when the app was
installe
d
• A good place to hide data

40. /Developer
• Used by XCode, Apple's development
environmen
t
• Until recently, all development tools, SDKs,
documentation, and debugging tools were her
e
• Later versions of XCode moved the tool
s
• This directory may still be present on some
systems

41. /Library
• /System/Librar
y
• App settings for the operating syste
m
• /Librar
y
• Settings shared between user
s
• /Users/username/Librar
y
• User-speci
fi
c settings

42. Application Support
• /Library/Application Suppor
t
• /User/username/Library/Application Suppor
t
• Settings, caches, license information, and
anything else desired by the developer

43. Caches
• /Library/Cache
s
• /User/username/Library/Cache
s
• Temporary data for applications

44. Frameworks
• /Library/Framework
s
• /System/Library/Framework
s
• Drivers or helper applications, for
application
s
• Usually nothing signi
fi
cant here

45. Keychains
• /Library/Keychain
s
• /System/Library/Keychain
s
• /User/username/Library/Keychain
s
• Passwords and certi
fi
cate
s
• Requires user's password to open

46. Logs
• /Library/Log
s
• /User/username/Library/Logs
• Application log
s
• Very important to review

47. Preferences
• /Library/Preference
s
• /User/username/Library/Preferences
• Application preferences, if the application
allows a system API to manage the
m
• Stored in .plist
fi
le
s
• Comparable to the Software hive in Windows

48. Receipts
• /Library/Receipt
s
• /User/username/Library/Receipts
• Files here are updated when an application is
added to the syste
m
• InstallHistory.plist contains information about
every application installed via the OS's
installer or update framework

49. Same on Mojave

50. Same on Mojave

51. WebServer
• /Library/WebServe
r
• Apache, installed on every copy of Mac OS X,
is started when a user turns on Web sharin
g
• Removed from Preferences in 10.8, but
Apache is still installe
d
• This folder is Apache's Document Root

52. File Types
• Used by nearly every applicatio
n
• Property lists (.plist
)
• Tools: plutil on Mac, "plist Explorer" on
Window
s
• SQLite database
s
• Tools: Firefox Plugin SQLite Manager,
sqlitebrowser

53. 13b

54. The System Domain

55. Traditional Unix Paths
• Some investigations are based entirely on data
found here, such as log
fi
le
s
• /System directory is structured similarly to the
/Library director
y
• Locations where applications maintain
persistenc
e
• Requires administrator privileges to create or
modify
fi
les

56. Artifacts
• System logs in /var/lo
g
• Databases in /var/d
b
• Records of printed data in the CUPS lo
g
• System sleep imag
e
• Software imported using MacPorts or Fink, or
compiled in place, may be in /opt

57. The User Domain

58. User-Created Content

59. Speci
fi
c Sources of
Evidence

60. User and Service
Con
fi
guration
• Apple uses LDAP for enterprise management
and Directory Services for local user
managemen
t
• Directory Services doesn't use the traditional
Unix
fi
les /etc/passwd and /etc/group
s
• Data in SQLite databases and binary-formatted
property lists

61. The Evidence
• Directory Service data is in
/private/var/db/dsloca
l
• Databases (or nodes) for the local system are in
the subdirectory nodes/Defaul
t
• My password hash is on the next slid
e
• More info at links Ch 13c and 13d

62. Password Hash

63. Decoding the Password
Hash

64. Mojave
• Now password hashes are inaccessibl
e
• Even to roo
t
• Hashes can still be captured from Recovery
Mode under some circumstance
s
• Link Ch 13g

65. Other Con
fi
guration Options

66. sqlindex
• In /private/var/db/dsloca
l
• Maintains creation and modi
fi
cation time for the
plist
fi
les in the directory structur
e
• And information on the relationships between
the dat
a
• Automatically backed up to /private/var/db/
dslocal-backup.xar (a gzip tar
fi
le)

67. Analysis of sqlindex
• Shows when a share was create
d
• Whether an account existed, and its privilege
level

68. User Accounts

69. Sharepoints
• Status of the share for
• AFP (Apple Filing Protocol
)
• SMB (Server Message Block
)
• FTP (File Transfer Protocol
)
• Sharepoint names and share pat
h
• When the share was created

70. Trash and Deleted Files
• Files deleted from USB sticks go into a Trash
folder on the stick, labeled by user ID, lik
e
• /Volumes/USBDRIVE/.Trashes/501

71. System Auditing,
Databases, and Logging
• Open Source Basic Security Module (OpenBSM
)
• Powerful auditing syste
m
• Logs
:
• File acces
s
• Network connection
s
• Execution of applications and their
command-line options

72. OpenBSM
• Default con
fi
guration doesn't save detailed
information and is of limited use for I
R
• Con
fi
guration
fi
les in /etc/securit
y
• Primary
fi
le is audit_control

73. OpenBSM
• This con
fi
guration will log everything for all
users, an
d
• Login/logout, administrative events,
processes, and network activity

74. Helper Services
• Run in backgroun
d
• Track events or common dat
a
• Maintain state with SQLite databases or
property lis
t
• Examples:

75. Airportd
• Runs in an application sandbo
x
• Con
fi
gured in /usr/share/sandbox

76. Airportd Plist

77. Networks

78. System and Application
Logging
• Many log and forensic artifacts in these folder
s
• Most are in plaintext, some are binary

80. Read with Syslog

81. Other ASL Log Files
• Filenames starting with B
B
• Authentication logs from long ag
o
• Year is 1 year after the correct date

82. Other ASL Log Files
• Filenames starting with AU
X
• Backtrace for crashed or abnormally
terminated application
s
• Plaintext

83. /private/var/audit
• Read with praudit

84. Example Log Entries
• Erase
fl
ash driv
e
• Failed login attempt

85. Interesting Items in Log
• iCloud connection, Time Machine, iTune
s
• Indicates that there are backups of data on
other devices

86. Scheduled Tasks and
Services
• Apple moved from cron to launch
d
• Commands to execute at startup

87. Properties for LaunchAgents

88. Application Installers
• When an application is installed, two
fi
les are
placed in /private/var/db/receipt
s
• Bill of Materials (BOM) and plist

89. Application Installers

90. • BOM contains a complete inventory of
fi
le
s
• Plist contains install date, package identi
fi
er,
and path access control lists
Application Installers

91. Review

98. 13c