This document provides an overview of Mac forensics. It discusses the Mac OS file system and directory structure. It also outlines the prerequisites for performing Mac forensics, including how to obtain the system date and time either from single-user mode or from preferences. Specific commands that can be run in single-user mode for safely gathering information are also provided.
The document discusses the boot processes of Windows, Linux, and Macintosh operating systems. It provides terminology related to booting and describes the basic system boot process. It then details the boot sequence of Windows XP, including the roles of the BIOS, MBR, boot sector, and NTLDR. It also summarizes the boot processes of Linux and Macintosh.
This document provides an overview of using the forensic investigation software EnCase. It describes how EnCase is used to acquire evidence files, verify file integrity, search drives and recover deleted files. Key functions covered include hashing, bookmarking, signature analysis, and generating reports of investigation findings. The document is intended to familiarize users with the main capabilities and workflow of the EnCase forensic software.
This document provides an overview of various Windows-based command line tools. It lists tools like IPSecScan, MKBT, Aircrack, Outwit, Joeware Tools, MacMatch, WhosIP, Forfiles, Sdelete and describes their functions such as scanning for IPSec enabled systems, installing boot sectors, cracking wireless networks, and deleting files securely. It also summarizes command line tools for tasks like Active Directory management, password cracking, network scanning, and file operations.
The document discusses data acquisition and duplication in digital forensics investigations. It describes data acquisition methods such as disk imaging and data acquisition tools such as dd, FTK Imager and SafeBack. It emphasizes the need for data duplication to have a backup copy of evidence and discusses data duplication tools. It also covers data recovery contingencies and mistakes to avoid during acquisition.
The document discusses a new software product called Passware Search Index Examiner that allows quick extraction of all data indexed by Windows Search from a Windows computer. It lists documents, emails and spreadsheets, and provides metadata such as author, recipients and content summary. A typical extraction takes under 10 minutes and indexes over 150,000 items from an average personal computer. The wizard interface makes the process simple to use.
The document discusses CD/DVD forensics. It provides information on different types of CDs and DVDs, including their structure and storage capacities. It also describes tools used for CD/DVD imaging, data recovery from damaged discs, and identifying pirated discs. The document outlines the steps of CD forensics, including collecting, documenting, preserving and analyzing evidence from CDs/DVDs.
The document discusses the logical and physical structure of hard disks, including disk drives, platters, tracks, sectors, clusters, and file systems. It provides an overview of different types of disk interfaces like SCSI, IDE, USB, ATA, and Fibre Channel. It also covers topics like disk partitioning, file systems like FAT, NTFS, Ext2 and HFS, and RAID levels.
This document provides information about performing Linux forensics. It discusses analyzing floppy disks and hard disks using tools like dd, mount, and strings. It describes creating forensic images and obtaining hash values for verification. The document also outlines collecting data from a compromised system using a forensic toolkit, including gathering information on running processes, open ports, loaded kernel modules, and physical memory.
A new visual voice-mail application and the Opera Mini 4.2 mobile browser were made available for T-Mobile's Android-based G1 smartphone. The free Opera Mini browser runs faster than the beta version, with performance increased by up to 30 percent. It is also available for other phones like the Samsung Instinct and newer phones from Sony Ericsson and Nokia. The Opera Mini browser and a beta version of a visual voice-mail application from PhoneFusion are now available via the Android Market and on T-Mobile's G1 smartphone.
This document provides an overview of analyzing Windows event logs, password issues, and other digital forensic artifacts for forensic investigations. It discusses parsing various Windows logs like security, system, application, IIS, FTP, and DHCP logs. It also describes evaluating account management events, examining audit policy changes, and using the Microsoft Log Parser tool to analyze log files.
The document provides information about installing and using AccessData Forensic Toolkit (FTK), a digital forensics software. It discusses installing FTK and its components like Oracle database, configuring cases within FTK, adding evidence to cases, searching cases, and using tools within FTK like data carving and decryption. The document is a guide for forensic examiners on how to set up and utilize FTK for forensic investigations of digital evidence.
This document discusses network configuration files and utilities on UNIX systems. It examines common configuration files such as /etc/hosts, /etc/hostname.if_name, /etc/nodename, /etc/services, /etc/inetd.conf, and /etc/resolv.conf that store network settings. It also describes configuration commands like ifconfig and route that can be used to modify network interfaces and routing tables. The document notes that while network configuration methods are generally similar across UNIX, there are also OS-specific differences to consider.
This document provides summaries of various Windows-based GUI tools across different categories such as process viewers, registry tools, desktop utilities, office applications, remote control tools, network tools, network scanners, network sniffers, hard disk tools, hardware info tools, file management tools, file recovery tools, file transfer tools, file analysis tools, password tools, and password cracking tools. For each tool, a brief description and link to the tool's website is given. The document is intended to familiarize the reader with these various Windows-based security tools.
This document discusses disk and file system concepts including:
- Creating file systems using newfs and how it connects to mkfs
- Mounting file systems manually, via fstab, and using volume manager
- Identifying mounted file systems using mount, df, and mnttab
- Repairing file systems using fsck and handling recoverable vs unrecoverable damage
- Benefits of journaling file systems like reduced reboot time and data retention
The document discusses log management and analysis. It notes that while security logs could help detect breaches, analyzing them is tedious. A new tool from LogRhythm aims to make log analysis easier by automatically classifying, tagging, and prioritizing log entries. This may help administrators more quickly detect breaches by making searches easier. However, the Verizon report found that only 4% of breaches were detected through log analysis due to a lack of diligence in monitoring logs. The tedious nature of manual log analysis is a key challenge.
This document discusses system devices and device configuration from both the hardware and software perspectives on various operating systems like Windows, UNIX, Linux, and Solaris. It covers device terminology, device naming schemes, how devices are represented in the operating system, and how to view the system's device configuration from both the PROM and software levels. The goal is to understand how devices are interconnected, configured, and accessed on the system.
The document discusses system security and provides seven common sense rules for security. It covers account security, file permissions, data encryption, single user security, dialup modems, security tools, and an overview of viruses, trojans, and worms. Monitoring logs, using security scanning tools, and educating yourself on security best practices are emphasized as important ways to help secure systems.
The document discusses the boot sequence of a computer system. It examines each step including the PROM monitor, boot block, secondary boot loader, and OS kernel initialization. It also covers modifying the boot process, selecting alternate boot devices, different boot loaders, and proper system shutdown procedures.
The document contains templates for conducting various types of forensics investigations. It includes checklists for investigating evidence from different devices and media like hard disks, floppy disks, CDs, flash drives, and mobile phones. There are also templates for documenting information gathered during an investigation like seizure records, evidence logs, and case feedback forms. The templates are intended to guide and standardize forensic investigations of digital evidence.
Configuring and managing printers involves understanding printing concepts, print server and client configuration, and homogeneous and heterogeneous printing. It requires setting up print services under different operating systems like Windows, BSD and System V. Troubleshooting involves checking printers, print queues, filters and data files. Heterogeneous printing across operating systems is the most challenging.
The document discusses disk drives and file systems. It covers disk components, geometry, partitioning, formatting, interfaces like SCSI, IDE, and Fibre Channel. It explains concepts such as cylinders, tracks, sectors, and how disk addressing works. It discusses disk formatting for SCSI and IDE drives, and how alternate sectors are used to map out bad blocks. Load balancing techniques like splitting file systems across multiple disks and spindles are also summarized.
The document discusses user account management tasks for system administrators, including creating login names, assigning home directories and user IDs, setting passwords and shells, and formatting the password file. It describes challenges around reusable passwords and methods to improve security such as password aging, lockouts for failed attempts, and one-time password tokens.
This document discusses serial ports and their management. Serial ports are universal I/O ports that can connect terminals, printers, modems and other devices. The most common standard is RS-232, which defines pinouts and voltage levels. Serial port configuration involves setting parameters like baud rate, parity and stop bits. Management involves starting processes like getty on ports to allow logins and monitoring modem connections. Solaris uses the Service Access Facility (SAF) to configure ports and monitors like ttymon that direct data to ports.
These are notes I made while I was studying. The Linux community is so friendly and shares so much, so I am uploading my work to give back to the community. You won't find answers to test questions here, but you will find some solid notes around each of the exam points.
This document discusses the topics of computer/digital forensics including hard drive imaging, volume and file system analysis, tools, and case studies. It describes the acquisition of digital evidence from devices, analyzing the evidence while maintaining integrity, and preparing the evidence for trial. The key aspects covered are hard disk imaging standards, volume layout and partitioning, file system analysis formats like FAT, NTFS, EXT2/3, and UFS, as well as forensic analysis techniques and layers.
The document provides information on conducting a computer forensics investigation, including preparing for an investigation by building an investigation team and workstation, obtaining authorization and assessing risks, collecting evidence while following guidelines to preserve integrity, and analyzing evidence as part of the overall investigation process.
Linux treats all devices as files that can be accessed in the same way. Devices are split into three categories: block devices, character devices, and network devices. Block devices represent storage devices and allow random access to fixed size blocks of data. Character devices like keyboards are accessed sequentially one character at a time. Network devices are accessed indirectly through opening a connection to the kernel's networking subsystem rather than direct data transfer.
This document defines operating system concepts and terminology, and explores the history of operating systems. It discusses early and modern operating systems, distinguishing features like resource sharing, storage access control, and memory protection. The document also covers UNIX and Windows architecture, hardware considerations, and the development history of UNIX, Windows, and Mac OS to provide context for system administration tasks.
Lawyers often lack knowledge about electronic data discovery compared to traditional paper discovery. To properly handle digital evidence, lawyers should understand basic computer functions and data storage. They should also identify qualified forensic experts, ensure the forensic process follows proper procedures, and understand what types of computer forensic analysis may be necessary for different legal cases.
This document provides information on investigating sexual harassment incidents. It discusses types of sexual harassment like quid pro quo and hostile work environment harassment. It outlines the investigation process including interviewing witnesses and victims. Responsibilities of supervisors and employees are defined, such as supervisors addressing complaints and employees reporting issues. The document also discusses stalking behaviors and effects. Laws prohibiting sexual harassment are referenced, such as Title VII of the Civil Rights Act.
The document discusses personal digital assistants (PDAs), including their components, operating systems like Palm OS, Pocket PC, and Linux-based systems. It describes the generic states of a PDA and architecture of PDA operating systems, which typically involve layers for applications, the operating system, drivers and hardware. Forensics of PDAs is also mentioned.
This document outlines the course materials, schedule, facilities, and expectations for a Computer Hacking Forensic Investigator (CHFI) training course. The course covers 65 modules on topics related to computer forensics over 10 days, with some modules marked for self-study. Students will receive courseware, use computer forensics tools in hands-on lab sessions to reinforce lessons, and are expected to practice additional skills independently. The pace of the course is described as fast-moving, similar to a climax scene from Mission Impossible, with many forensic tools and technologies covered and not all able to be demonstrated during class time.
This document discusses best practices for writing investigative reports based on computer forensics investigations. It provides guidelines on the format, structure, and content of reports, including maintaining objectivity, documenting evidence collection methods, and including relevant findings, conclusions, and recommendations. The document also provides a sample report template and discusses using forensic analysis tools like FTK to help generate reports.
This document provides information about USB forensics. It defines USB and USB flash drives, describes how USB devices can be misused, and outlines the process of conducting a USB forensic investigation. This includes securing the scene, documenting evidence, imaging devices, acquiring data, examining registry entries on the computer, and generating a report. Several USB forensic tools are also introduced, such as Bad Copy Pro, Data Doctor Recovery, USB Image Tool, and USBDeview.
This document provides a complete risk management toolkit for information technology processes and systems. It includes introductions and presentations on risk management, information security management (ISM), and IT service continuity management (ITSCM) based on ITIL v3 best practices. The toolkit guides the reader through each stage of the risk management process from assessment and analysis to treatment and monitoring. It defines key risk management terms and concepts, outlines management roles and responsibilities, and discusses benefits and challenges.
The document discusses various methods of virus detection. It describes how antivirus software uses virus signature definitions and heuristic algorithms to detect viruses. Signature definitions work by comparing files to a database of known virus signatures, while heuristic algorithms detect viruses based on their behavior, which can help create signatures for new viruses. Regular scanning with updated antivirus software is the best way to detect and prevent virus infections on a system.
A professor at the University of Colorado Denver has received $710,000 in grants to establish a new National Center for Audio/Video Forensics. The center will develop new techniques for analyzing audio and video evidence to help solve crimes. It will provide training to students and professionals in fields like recording arts, computer science, and law enforcement. The grants were awarded by the Department of Justice and other organizations to create a leading forensics center for audio and video analysis.
This document discusses network forensics and investigating logs. It covers where to find evidence such as logs from firewalls, routers, servers and applications. It also discusses analyzing logs, handling logs as evidence, and different types of log injection attacks, such as new line injection and separator injection, along with defenses against them. The document provides guidance on ensuring log file authenticity and integrity when investigating security incidents.
This document provides an overview of Module IV - Digital Evidence from an EC-Council course. It defines digital evidence and discusses the characteristics, types, and fragility of digital evidence. It also covers topics like anti-digital forensics, rules of evidence such as the Best Evidence Rule and Federal Rules of Evidence, and the examination process for digital evidence including acquisition, preservation, analysis, and documentation. The module aims to familiarize students with these important concepts regarding digital evidence.
The document discusses iPod and iPhone forensics. It provides an overview of iPods, iPhones, and the iPhone OS. It describes how criminals can use iPods and iPhones for illegal activities. The document outlines the forensic process, including proper collection and preservation of iPod/iPhone evidence, imaging the device, and analyzing the system and data partitions to retrieve potential evidence.
The document discusses investigating wireless networks and attacks. It covers topics like wireless networking technologies, wireless attacks like wardriving and warflying, passive attacks like eavesdropping, active attacks like denial of service attacks and man-in-the-middle attacks. It also discusses steps to investigate wireless networks like obtaining a warrant, documenting the scene, identifying wireless devices, detecting wireless connections using tools like NetStumbler, capturing wireless traffic using Wireshark and tcpdump, and analyzing the data.
The document discusses the risk assessment process, including characterizing the IT system, identifying threats and vulnerabilities, analyzing controls, determining likelihood and impact, assessing risk level, and recommending controls to mitigate risks; it also covers developing policies and procedures for conducting risk assessments, writing risk assessment reports, and coordinating resources to perform risk assessments.
This document discusses server log forensics. It begins by defining logs as files that list actions that have occurred on servers. It then discusses who creates logs, including operating systems, software, and specific locations logs are stored on Windows and Linux systems. Basic terminology is introduced, including definitions of servers, web servers, and FTP. It describes server logs as files automatically created by servers to record activities. It discusses classifying servers and analyzing web server, FTP server, and other logs to uncover forensic evidence about users' activities and attempts like SQL injection.
- Organizations need to implement effective data leakage prevention strategies like data security policies, auditing processes, access control, and encryption to protect their data from internal threats.
- Security policies help define acceptable usage of systems and data, as well as procedures for access control, backups, system administration and more. Logging policies should define which security-relevant events are logged for purposes like intrusion detection and reconstructing incidents.
- Evidence collection and documentation policies are important for responding to security incidents and preserving electronic evidence for analysis or legal proceedings. Information security policies aim to ensure the confidentiality, integrity and availability of organizational data.
This document provides information about BlackBerry forensics. It discusses the BlackBerry operating system, how BlackBerry devices work, the BlackBerry serial protocol, security vulnerabilities and attacks against BlackBerry devices like blackjacking, and best practices for securing and investigating BlackBerry devices forensically. The document also outlines the steps of BlackBerry forensics including acquiring information and logs, imaging the device, reviewing evidence, and using tools like the Program Loader and BlackBerry simulator.
The document discusses video file forensics, including the need for video forensics, common video file formats, devices and tools used in video forensics analysis, and the steps involved in performing video forensics such as demultiplexing, stabilizing, enhancing, and analyzing video and audio files to extract hidden or obscured information for criminal investigations.
This document discusses corporate espionage and methods for protecting against it. It provides an overview of common motivations for corporate spying, such as financial gain and the challenge itself, and of techniques spies use such as hacking, social engineering, and dumpster diving. It also notes that insiders and outsiders both pose threats, and that aggregating information in one place increases risk. The document advises controlling access to data, conducting background checks on employees, and basic security measures like shredding documents, securing dumpsters, and training employees.
Linux is an open-source operating system developed by the community in 1991. It provides free and open-source software. The core of Linux is the Linux kernel, which can be micro or monolithic. Users interact with Linux through a command line interface or graphical user interface using shells like Bash. Basic Linux commands allow users to manage files and directories, view processes and users, and change file permissions and owners. The Linux file system is organized into directories for functions like booting, binaries, system configuration, user home directories, and temporary files.
The document provides an overview of the Microsoft Disk Operating System (MS-DOS). It describes the four major components of MS-DOS: the operating system loader, BIOS, user interface (Command.com), and kernel. The kernel provides services like file management, memory management, device I/O, and process control. It manages memory using a pool of variable blocks and supports conventional, expanded, and extended memory. MS-DOS identifies block and character devices differently and uses functions and handles to communicate with devices like keyboards, displays, and printers. While it can run multiple programs, MS-DOS is a single-tasking operating system.
Disk and File System Management in Linux - Henry Osborne
This document discusses disk and file system management in Linux. It covers MBR and GPT partition schemes, logical volume management, common file systems like ext4 and XFS, mounting file systems, and file system maintenance tools. It also discusses disk quotas, file ownership, permissions, and the umask command for setting default permissions.
The document discusses Linux file systems and partitioning. It describes how to use the fdisk command to view and create partitions, and supported local file systems like Ext2, Ext3, Vfat, and ISO9660. It provides details on Ext3 file system structure, creation, conversion from Ext2, and tools like dumpe2fs, fsck, and tune2fs. It also covers mounting file systems using mount, automatic mounting from /etc/fstab, and unmounting file systems with umount.
The document discusses operating system concepts including:
1. The operating system controls computer resources and provides an interface between applications and hardware.
2. It hides hardware complexity and manages resources like processors, memory, and devices.
3. Key OS components include processes, files, pipes, and system calls that allow programs to request services from the OS kernel.
MS-DOS was developed to run on single-user desktop computers and exemplified early operating systems with sequential job management from a single user. It had advantages of simple operation and commands but lacked flexibility and was limited to the Intel processor family. The document outlines MS-DOS's history, design goals, and how it managed memory, processes, devices, files, and the user interface.
The document provides an overview of the UNIX operating system through a seminar presentation. It discusses the history of UNIX from the 1970s to the 2000s, defines what UNIX is, describes common UNIX commands and the file system structure, and covers topics like memory management, interrupts, reasons for using UNIX, and some applications of UNIX like storage consulting and middleware/database administration. The presentation is intended to educate about the key aspects and functionality of the UNIX operating system.
The document outlines key concepts in file system implementation, including:
- Important on-disk data structures include the boot block, volume control block containing partition details, directory structure linking file names to file control blocks (FCBs), and FCBs containing file metadata.
- Important in-memory structures include a mount table, directory cache, system-wide open file table tracking open files, and per-process open file tables.
- When a file is created, an FCB is allocated and the directory is updated; when opened, the FCB is copied to open file tables and indexed by a file descriptor/handle for I/O operations.
This document discusses operating systems and computer security. It defines operating systems as software that coordinates activities between computer hardware resources. It describes common operating system functions like booting up a computer, managing memory, running programs, and connecting to networks. The document also discusses types of operating systems like DOS, Windows, and Linux. It notes that computer security is important to protect private information exchanged over the internet from hackers.
Selecting and Installing Operating System - Amir Villas
The document provides an overview of installing and troubleshooting various Windows operating systems, including DOS, Windows 3.1, 95/98/Me, NT/2000/XP. It discusses selecting an OS based on system requirements, starting the setup program from various sources, planning for upgrades or clean installs, and addressing common installation problems like hardware incompatibilities or errors reading from the installation media.
It is the file system contained on the same partition on which the root directory is located; it is the file system on which all other file systems are mounted.
The document provides an introduction to operating systems, covering their basic functions and components. It discusses how operating systems manage hardware resources and provide abstraction for applications. The key components described include the kernel, drivers, utilities, and applications/processes. It also covers process scheduling, file systems, APIs/system calls, memory management, and popular operating systems like IBM z/OS, IBM i, and OpenVMS.
This document summarizes key concepts about file systems in Linux:
1. It describes the structure of file systems including superblocks, inodes, and data blocks. Inodes contain metadata about files and pointers to data blocks.
2. It discusses device files that correspond to devices in the system and are represented in the /dev directory. Each device has a major and minor ID.
3. Journaling file systems like ext4 are described which eliminate the need for lengthy consistency checks after crashes by journaling file system updates.
4. The concept of mounting other file systems at mount points under the single directory hierarchy rooted at / is summarized along with the mount() and umount() system calls.
This presentation provides information about the Linux root file system and its hierarchy, so any technocrat who wants to learn about the root files of Linux can easily understand it. Preferred for Embedded System Design students who are pursuing diploma courses at various CDAC centers.
The document describes the standard Linux filesystem hierarchy, including the purpose and some examples of the contents of the top-level directories like /bin, /boot, /dev, /etc, /home, /lib, /media, /mnt, /opt, /proc, /root, /sbin, /usr, and /var. Many directories contain essential system files and programs needed for booting, administration, and operation of the system, while others provide variable storage and mounting points for removable devices. The filesystem layout separates core operating system, user, and variable files for security and manageability.
The document provides an overview of installing Windows 2000/XP, including:
1) Planning installation by verifying hardware compatibility, partitioning drives, and deciding on clean install, upgrade or dual boot.
2) The installation process which involves booting from disc, partitioning drives, selecting components and creating user accounts.
3) Post-installation steps like configuring networks, installing updates and activating the software license.
The document provides an overview of modern operating systems. It discusses that an operating system manages hardware resources like the CPU, memory, disks, and I/O devices and provides a simpler interface for application programmers. The key functions of an operating system are to abstract the underlying hardware and manage resources. It then covers the history of operating systems from vacuum tubes to personal computers and generations like batch processing systems, time-sharing systems, and modern graphical user interface systems. It also discusses operating system concepts like processes, memory, files, I/O, and protection and different system architectures like monolithic, layered, microkernel, and virtual machines.
The document provides information about operating systems including:
1. An operating system manages computer hardware and software resources, allocating storage and memory and providing basic user interfaces and process management.
2. Key components of operating systems include process management, input/output management, memory management, storage management, and security.
3. Popular operating systems discussed include MS-DOS, OS/2, UNIX, Mac OS, and Linux operating systems.
The document discusses the history and concepts of modern operating systems. It covers four generations of operating systems:
1) Vacuum tubes (1945-1955): Large, slow computers that were programmed and operated directly by engineers.
2) Transistors and batch systems (1955-1965): Systems managed by professional operators using punch cards. Programs were run in batches.
3) Integrated circuits and multiprogramming (1965-1980): OS/360 introduced techniques like multiprogramming and spooling to improve efficiency. Timesharing systems like Multics provided interactive use.
4) Personal computers (1980-present): Lower-cost systems led to popular OS like CP/M, DOS, and
This document provides an overview and introduction to the hardware, software, and file structure of the EduBook device. It discusses the hardware components, how to open the case and access internal parts. It then summarizes the available operating systems, describes the Linux file structure and key directories. The document outlines software options like browsers and office applications that are preinstalled. It concludes with some tips on software issues, advanced options for running Windows programs in Wine, and contact information.
Service integration and management (SIAM) is a management methodology that can be applied in an environment that includes services sourced from a number of service providers.
This document provides an introduction to Service Integration and Management (SIAM). It defines SIAM as an operating model that integrates and manages services across multiple internal and external service providers. The document outlines the history and purpose of SIAM, as well as the SIAM ecosystem, practices, roles, structures, and roadmap. It also discusses how SIAM relates to other frameworks and the value it provides organizations through improved service quality, costs, governance and flexibility.
The document discusses several digital forensics frameworks that outline procedures for conducting digital investigations. It describes the FORZA framework in detail, which includes different layers representing contextual information, legal considerations, technical preparations, data acquisition, analysis, and legal presentation. Other frameworks covered include an enhanced digital investigation process model, an event-based digital forensic investigation framework, and a computer forensics field triage process model. Key phases of each framework, such as readiness, deployment, physical crime scene investigation, and digital crime scene investigation are also outlined.
This document provides information on various computer forensic tools, including both software and hardware tools. It discusses specific tools such as Visual TimeAnalyzer, X-Ways Forensics, Evidor, Ontrack EasyRecovery, Forensic Sorter, Directory Snoop, PDWIPE, Darik's Boot and Nuke (DBAN), FileMon, File Date Time Extractor, Snapback Datarrest, Partimage, Ltools, Mtools, @stake, Decryption Collection, AIM Password Decoder, and MS Access Database Password Decoder. It also includes screenshots of some of the tools.
This document discusses ethics in computer forensics. It covers ethics in areas like preparing forensic equipment, obtaining and documenting evidence, and bringing evidence to court. Ethics are important in computer forensics to distinguish acceptable and unacceptable behavior. Computer ethics help professionals avoid abuse and corruption. Equipment must be properly maintained and monitored. Evidence must be obtained and documented efficiently and carefully by skilled investigators to be acceptable in court.
A computer forensics specialist was able to disprove a claim involving improper data use through a detailed investigation and report of the computer's internal activities. The specialist examined the computer over a period of time and prepared a step-by-step report that showed what had occurred inside the computer with a particular data set. This helped the attorney address the claim and demonstrated how computer forensics can not only help prove but also disprove allegations of improper data use.
This module discusses computer forensics laws and legal issues. It covers privacy issues involved in investigations, legal issues in seizing computer equipment, and laws in different countries. It also examines organizations that investigate computer crimes like the FBI, as well as US laws related to intellectual property, copyright, trademarks, trade secrets, and computer fraud and abuse. The goal is to familiarize students with the legal aspects of computer forensics investigations.
Digital detectives specialize in computer forensics and network security. Their main roles include handling, investigating, and reacting to computer and network security incidents. They examine computers and other devices to recover evidence, using forensic tools and techniques. Digital detectives should have strong technical skills in computer forensics and operating systems. They may be required to testify in court about evidence and methods used. Continuous training, certification, and staying up to date on new techniques are important for digital detectives.
An expert witness testified in a court case involving a teacher accused of sexual relations with a student. The expert, a computer forensics officer, explained that activity seen on the teacher's computer was likely caused by automatic programs and weather programs, not tampering as the defense suggested. If the computer had been turned back on after seizure, there would have been evidence of that, but there was none. The document then discusses the role of expert witnesses and preparing for testimony in court cases.
The document discusses a new digital forensic data capture device called the Forensic Dossier launched by Logicube. The Dossier allows investigators to capture data from suspect drives at speeds of up to 6GB per minute. It supports capturing from RAID drives and various flash media. The Dossier features built-in support for many drive types and connections. It includes advanced authentication and other forensic features. The Dossier will be showcased at the 2009 International CES conference in Las Vegas.
The document discusses investigating social networking websites for evidence. It provides an overview of social networking sites like MySpace, Facebook, and Orkut and how they are used. It outlines the investigation process, including searching for accounts, mirroring web pages, and documenting evidence. Specific areas of investigation on each site are examined, such as friend lists, photos, and comments. The summary report generation is also reviewed.
Model Liskula Cohen is suing Google over a defamatory blog post that called her the "#1 skanky superstar". She filed the lawsuit to determine the identity of the anonymous blogger. Another woman, Nyree Howlett, sued multiple people for uploading her private photos to Facebook and dating websites without permission. The documents discuss investigating defamation over websites and blog posts, including searching blog content, checking the blog URL and owner information, reviewing comments, and using tools like Archive.org to trace the source.
Five people were indicted for their involvement in an identity theft ring in Aurora, Colorado. The ring's leader, Shadwick Weaver, was facing 56 criminal counts related to identity theft, forgery, conspiracy, and organized crime. The group allegedly stole identities by burglarizing homes and vehicles, and used the stolen information to manufacture fake IDs and commit credit card fraud. They used the proceeds to buy methamphetamines. In a separate case, a woman from California named Jocelyn Kirsch was sentenced to 5 years in prison for her role in an identity theft scheme where she and a co-defendant stole identities from over 16 victims to fraudulently obtain over $119,000.
This module discusses investigating trademark and copyright infringement. It begins with an overview of trademarks, copyrights, and the differences between them. It then covers investigating trademark infringement, including monitoring for infringements, key considerations, and steps to take. It discusses copyright infringement and how copyrights are enforced through lawsuits. The module also covers plagiarism as a form of copyright infringement, types of plagiarism, and tools to detect plagiarism including Turnitin, CopyCatch, and other academic tools.
A hacker accessed a University of Florida dental school server containing personal information for over 344,000 current and former patients. An investigation found unauthorized software installed on the server from an outside location. Meanwhile, Express Scripts, one of the largest US pharmacy benefit firms, received an extortion letter threatening to disclose personal and medical data of millions of Americans if a payment demand was not met. This module discusses how computer data breaches occur through various methods, and how to investigate local machines, networks, and implement countermeasures to prevent future breaches.
Monitoring and Managing Anomaly Detection on OpenShift.pdf - Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licensing under the CCB and CCX models have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. when a Person document is used instead of a Mail-In for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics are covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to put into action immediately
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Best 20 SEO Techniques To Improve Website Visibility In SERP - Pixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Digital Marketing Trends in 2024 | Guide for Staying Ahead - Wask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
What do a Lego brick and the XZ backdoor have in common? - Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
Introduction of Cybersecurity with OSS at Code Europe 2024 - Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence - IndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Main news related to the CCS TSI 2023 (2023/1695) - Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
5th LF Energy Power Grid Model Meet-up Slides - DanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Microsoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power gridâs behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
Â
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: ProteMac Announces ProteMac Meter 1.1 for Mac OS X
Source: http://prmac.com/release-id-3023.htm
Module Objective
This module will familiarize you with:
• Mac OS and File System
• Partitioning Schemes
• Mac OS X Directory Structure
• Pre-requisites for Mac Forensics
• POSIX Permissions
• Mac OS X Log Files
• Vulnerable Features of Mac
• Imaging a Target Macintosh
• .Mac and Related Evidence
• Mac Forensics Tools
Module Flow
• Mac OS and File System
• Partitioning Schemes
• Mac OS X Directory Structure
• Pre-requisites for Mac Forensics
• POSIX Permissions
• Mac OS X Log Files
• Vulnerable Features of Mac
• Imaging a Target Macintosh
• .Mac and Related Evidence
• Mac Forensics Tools
Mac OS and File Systems
Mac OS X
Mac OS X is a Unix-based operating system built on the object-oriented NeXTSTEP operating system and development environment
It provides memory management and multitasking on the Mac platform
The following are some of the Mac OS X versions:
• Mac OS X 10.0 "Cheetah" was the first major release of Mac OS X
• Mac OS X 10.1 "Puma" was released on September 25, 2001
• Mac OS X 10.2 "Jaguar" was the third major release of Mac OS X
• Mac OS X 10.3 "Panther"
• Mac OS X 10.4 "Tiger"
• Mac OS X 10.5 "Leopard"
Partitioning Schemes
The partitioning scheme is the basic definition of how a hard drive or other media is laid out for a file system to be applied
There are two types of Mac partitioning schemes:
• Apple Partition Map (PowerPC-based Macintosh)
• GUID partition scheme (Intel-based Macintosh)
Apple Partition Map (APM)
The Apple Partition Map is used to define the low-level organization of data on Mac-formatted disks
Apple disks are divided into blocks of 512 bytes each
The first block of the APM contains driver information
The number of entries in the partition map is not restricted; however, because the partition map must begin at block 1 and must be contiguous, it cannot easily be expanded once other partitions are created
The APM defines itself as one of the partitions on the disk
The fdisk and pdisk tools can be used to manipulate an APM
Apple Partition Map Entry Record
The partition map entry record is defined by the Partition data type
GUID Partition Table
GUID Partition Table (GPT) is a partitioning scheme introduced by Intel and adopted by Apple
The block layout used by GPT is as follows:
Block 0: Protective MBR
Block 1: Partition Table Header (primary)
Blocks 2 through 2+b-1: Partition Entry Array (primary)
Blocks 2+b through n-2-b: Partition Data
Blocks n-2-b+1 through n-2: Partition Entry Array (backup)
Block n-1: Partition Table Header (backup)
Where n is the number of blocks on the disk and b is the number of blocks used to hold the partition entry array
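The layout table above, as an added example that is not part of the EC-Council module: a Python script that builds a small constructed disk image with exactly that block layout (512-byte blocks and the usual 128-entry array, so b = 32) and then parses both GPT copies back, checking the "EFI PART" signature, the protective MBR and the header and entry-array CRC32s. The HFS+ partition type GUID constant and the 2048-block disk size are assumptions made for the demo.

```python
"""Build and parse a minimal GPT layout in memory (added example, not EC-Council code)."""
import struct
import uuid
import zlib

BLOCK = 512                      # block size assumed, as in the slides
HDR_FMT = "<8s4sIIIQQQQ16sQIII"  # 92-byte GPT header (UEFI layout)
ENTRY_FMT = "<16s16sQQQ72s"      # 128-byte partition entry
HDR_SIZE = struct.calcsize(HDR_FMT)
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
N_ENTRIES = 128                  # usual array size: 128 entries * 128 bytes = 32 blocks
HFS_PLUS_TYPE = "48465300-0000-11AA-AA11-00306543ECAC"   # Apple HFS/HFS+ partition type GUID

def entry_array_blocks(n_entries=N_ENTRIES, entry_size=ENTRY_SIZE):
    """b in the slide's table: blocks needed to hold one partition entry array."""
    return -(-(n_entries * entry_size) // BLOCK)        # ceiling division

def layout(n, b):
    """Inclusive block ranges from the slide's layout table for an n-block disk."""
    return {"protective_mbr": (0, 0), "primary_header": (1, 1),
            "primary_entries": (2, 2 + b - 1), "partition_data": (2 + b, n - 2 - b),
            "backup_entries": (n - 2 - b + 1, n - 2), "backup_header": (n - 1, n - 1)}

def _header(my_lba, alt_lba, first, last, disk_guid, entries_lba, entries):
    """Pack one GPT header; its CRC32 is computed with the CRC field itself zeroed."""
    fields = [b"EFI PART", b"\x00\x00\x01\x00", HDR_SIZE, 0, 0, my_lba, alt_lba, first,
              last, disk_guid, entries_lba, N_ENTRIES, ENTRY_SIZE, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields).ljust(BLOCK, b"\x00")

def build_gpt_image(n, parts):
    """Constructed n-block disk: protective MBR, primary GPT, data area, backup GPT.
    parts: list of (name, first_lba, last_lba, type_guid_string)."""
    b = entry_array_blocks()
    lay = layout(n, b)
    entries = bytearray(N_ENTRIES * ENTRY_SIZE)
    for i, (name, first, last, type_guid) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, entries, i * ENTRY_SIZE, uuid.UUID(type_guid).bytes_le,
                         uuid.uuid4().bytes_le, first, last, 0, name.encode("utf-16-le"))
    entries = bytes(entries).ljust(b * BLOCK, b"\x00")
    disk_guid = uuid.uuid4().bytes_le
    first_usable, last_usable = lay["partition_data"]
    img = bytearray(n * BLOCK)
    # Protective MBR: one type-0xEE partition spanning the disk, 0x55AA boot signature.
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF,
                     1, min(n - 1, 0xFFFFFFFF))
    img[510:512] = b"\x55\xAA"
    pe, be = lay["primary_entries"][0], lay["backup_entries"][0]
    img[BLOCK:2 * BLOCK] = _header(1, n - 1, first_usable, last_usable, disk_guid, pe, entries)
    img[pe * BLOCK:(pe + b) * BLOCK] = entries
    img[be * BLOCK:(be + b) * BLOCK] = entries
    img[(n - 1) * BLOCK:] = _header(n - 1, 1, first_usable, last_usable, disk_guid, be, entries)
    return bytes(img)

def parse_gpt(img, which="primary"):
    """Read the primary or backup header, check signature and both CRCs, list used entries."""
    n = len(img) // BLOCK
    lba = 1 if which == "primary" else n - 1
    hdr = img[lba * BLOCK:lba * BLOCK + BLOCK]
    (sig, _rev, hsize, hcrc, _rsv, my_lba, alt_lba, first, last, _dguid,
     ent_lba, n_ent, ent_size, ecrc) = struct.unpack_from(HDR_FMT, hdr)
    hdr_zeroed = hdr[:16] + b"\x00" * 4 + hdr[20:hsize]
    entries = img[ent_lba * BLOCK:ent_lba * BLOCK + n_ent * ent_size]
    parts = []
    for i in range(n_ent):
        tguid, _uguid, pfirst, plast, _attrs, name = struct.unpack_from(ENTRY_FMT, entries, i * ent_size)
        if tguid != b"\x00" * 16:                        # all-zero type GUID = unused slot
            parts.append({"name": name.decode("utf-16-le").rstrip("\x00"),
                          "type": str(uuid.UUID(bytes_le=tguid)).upper(),
                          "first": pfirst, "last": plast})
    return {"signature_ok": sig == b"EFI PART",
            "header_crc_ok": zlib.crc32(hdr_zeroed) == hcrc,
            "entries_crc_ok": zlib.crc32(entries) == ecrc,
            "protective_mbr_ok": img[450] == 0xEE and img[510:512] == b"\x55\xAA",
            "my_lba": my_lba, "alt_lba": alt_lba, "entries_lba": ent_lba,
            "first_usable": first, "last_usable": last, "partitions": parts}

def demo(n=2048):
    """Constructed 1 MiB disk with one HFS+ volume; returns (primary, backup) parse results."""
    img = build_gpt_image(n, [("Macintosh HD", 40, 1000, HFS_PLUS_TYPE)])
    return parse_gpt(img, "primary"), parse_gpt(img, "backup")

if __name__ == "__main__":
    primary, backup = demo()
    print("layout:", layout(2048, entry_array_blocks()))
    print("primary header:", primary)
    print("backup entry array starts at block", backup["entries_lba"])
```

When a primary header fails its CRC check on real evidence, the backup copy at block n-1 is the next thing to parse, which is why both are read here.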
GUID Partition Table (cont'd)
Figure: GUID Partition Table
Mac OS X File System
Mac OS X supports a variety of file systems and volume formats, such as:
HFS: Mac OS Standard file system. Standard Macintosh file system for older versions of Mac OS
HFS Plus: Mac OS Extended file system. Standard Macintosh file system for Mac OS X
UFS: Unix File System. A variant of the BSD "Fast File System"
WebDAV: Used for directly accessing files on the web
UDF: Universal Disk Format. The standard file system for all forms of DVD media and some writable CD formats
FAT: The MS-DOS file system, with 16- and 32-bit variants
SMB/CIFS: Used for sharing files with Microsoft Windows SMB file servers
AFP: AppleTalk Filing Protocol. The primary network file system for all versions of Mac OS
NFS: Network File System. A commonly used BSD file sharing standard. Mac OS X supports NFSv2 and NFSv3 over TCP and UDP
FTP: A file system wrapper for the standard Internet File Transfer Protocol
HFS+ File System
The major components of the HFS+ file system are:
• Volume header: contains file system attributes, such as the version and the allocation block size, and information to locate the metadata files
• Allocation file: tracks the usage status of the allocation blocks
• Catalog file: contains the majority of file and folder metadata
• Extents overflow file: contains additional extent records for files composed of more fragments than can be recorded in the catalog file
• Attributes file: extensible metadata; it is used for features such as access control lists and Time Machine
• Journal file: allocated as a contiguous set of blocks on the file system
HFS+ File System (cont'd)
Figure: HFS+ File System (layout labels, in disk order: Reserved (1024 bytes), Volume Header, Allocation File, Extents Overflow File, Catalog File, Attributes File, Startup File, File Data or Free Space, Alternate Volume Header, Reserved (512 bytes))
Mac OS X Directory Structure
The ls command is used to list the directories
The following are the directories in Mac OS X:
/Applications: This is where your Mac's applications are kept
/System: System-related files, libraries, and preferences, critical for the proper function of Mac OS X
/Library: Shared libraries and files necessary for the operating system to function properly, including settings, preferences, and other necessities
/Network: Contains information about network-related devices, servers, libraries, etc.
/Users: All user accounts on the machine and their accompanying unique files and settings
/Volumes: Mounted devices and volumes, either virtual or real, such as hard disks, CDs, DVDs, and DMG mounts
Mac OS X Directory Structure (cont'd)
/bin: Essential common binaries; holds files and programs needed to boot the operating system
/etc: Machine-local system configuration; holds administrative, configuration, and other system files
/usr: Second major hierarchy; includes subdirectories that contain information, configuration files, and other essentials used by the operating system
/sbin: Essential system binaries; contains utilities for system administration
/tmp: Temporary files, caches, etc.
/var: Variable data; contains files whose contents change as the operating system runs
Mac Security Architecture Overview
Mac OS X security is built on the following two standards:
• Berkeley Software Distribution (BSD): provides fundamental services, such as the basis for the Mac OS X file system, including file access permissions
• Common Data Security Architecture (CDSA): provides a wider array of security services, including finer-grained access permissions, authentication of users' identities, encryption, and secured data storage
Screenshot: Mac Security Architecture
Figure: Mac Security Architecture (BSD: Berkeley Software Distribution; CDSA: Common Data Security Architecture; API: application programming interface)
Mac Forensics: Collecting Evidence
Pre-requisites for Mac Forensics
Pre-requisites for Mac forensics are:
• Macintosh OS X-based laptop for mobile forensics
• Macintosh OS X-based desktop for laboratory forensics
• Mac OS X with the Xcode tools installed
• FireWire cable with the appropriate adapters
• USB flash drive, minimum of 1 GB in size
• Examination Notes information sheet
Obtaining System Date and Time
Steps to obtain the date and time if the system is off and has no Open Firmware Password or disabled single-user mode:
• Press the power button to start the computer
• Immediately press and hold the Command (Apple) key and the "s" key to go to single-user mode
• Type "date" at the prompt near the bottom of the screen and press Return
Steps to obtain the date and time if the system is running:
• Open Date & Time preferences
• Take a screenshot of the time and date setting
• Check the "time zone" selected and take a screenshot
Date and Time Preferences
Single User Mode
Single User Mode provides "root" user privilege
The following commands can be used for safe information gathering in Single User Mode:
• date: Returns the date with the current time zone applied
• date -u: Returns the date in UTC
• hdiutil partition /dev/disk0: Returns the partition table of the boot drive
• hdiutil pmap2 /dev/disk0: Returns additional partition table information for the boot drive
• ls /dev/disk?: Lists the current device files in use for installed disks
• system_profiler SPHardwareDataType: Returns Macintosh hardware info
• system_profiler SPSoftwareDataType: Returns operating system info
• system_profiler SPParallelATADataType: Returns info on ATA devices
• system_profiler SPHardwareRAIDDataType: Returns info on hardware RAID
• system_profiler SPMemoryDataType: Returns info on installed memory
• system_profiler SPParallelSCSIDataType: Returns info on SCSI devices
• system_profiler SPSASDataType: Returns info on SAS devices
• system_profiler SPSerialATADataType: Returns info on SATA devices
Determining and Resetting the Open Firmware Password
First determine if an Open Firmware Password is used:
• Press the Power button and immediately hold down the Option key
• A password dialog confirms the use of an Open Firmware Password
Resetting the password:
• The Open Firmware Password will be reset if a user changes the amount of physical memory in the machine and reboots
Note: Resetting the password will reset the system clock
Checking Plist Files
User settings are stored in plist (Property List format) files
The Property List Editor utility reveals the data contained within plist files
The following are miscellaneous plist files and their uses:
/System/Library/CoreServices/SystemVersion.plist: Contains the current version of the installed operating system
/private/var/log/OSInstall.custom: Contains the date and time the operating system was first installed (completion time, not start time)
/private/etc/hosts: Contains defined IP addresses and the associated names
Gathering Network Setting Information from Plist Files
Plist files and the network information they hold:
/Library/Preferences/com.apple.alf.plist: Firewall settings
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist: AirPort (wireless) settings
/Library/Preferences/SystemConfiguration/com.apple.nat.plist: Internet Sharing settings
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist: Historical network TCP/IP assignments with timestamps
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist: Onboard interfaces
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist: Network configuration for each interface
Collect User Home Directory Information
Each time a user is added to the computer, Mac OS X creates a new folder named after that user, called the Home directory
The Users folder on the Mac OS X disk stores the Home directories for all of the computer's users
Major folders in users' Home directories:
• Desktop: Contains all of the items that are seen on the user's desktop
• Documents: Typically contains user data files such as Pages, Keynote, MS Word, and other types of files
• Limewire: Created by the Limewire application; by default, it stores shared files and downloaded files
• Incomplete: Created by Limewire; contains files that have not yet been successfully downloaded to this user's account
• Library: Contains logs, preferences, browser history, recent files, etc.
Collect User Home Directory Information (cont'd)
Major folders in users' Home directories:
• Magazines: Used by the Zinio Reader application for electronic magazines
• Movies: Contains iDVD movie data, QuickTime files, and other digital video material
• Music: Contains a user's iTunes library and other digital music material such as MP3 files
• Pictures: Contains a user's digital photo collection such as the iPhoto library
• Public: This is a "drop box" where other users have permissions to place files and read files, but not to delete files
• Sites: If a WWW server is active, such as the built-in Apache web server, users can host their website from this directory
Figure: User Home Directory
Forensic Information in the User's Library Folder
The User Library folder contains information such as user-specific drivers, fonts, settings, and system add-ons
It also gives information about the browser's history, webpage cache, email remnants, email attachments, and indexes
The following are some of the folders in the User Library folder:
• Application Support
• Automator
• Caches
• Cookies
• Favorites
• Logs
• Mail and Mail Downloads
• Phones
• Recent Servers
• Safari
Forensic Information in the User's Library Folder (cont'd)
• Application Support: Includes information about the applications installed, and may show usage information
• Automator: User-specific actions such as file copying, server connections, and other actions a user wants to automate are stored here
• Caches: Include information on application usage, web sites visited, buddy lists, and downloaded files
• Cookies: Used by Safari and other web browsers for the cookies of various websites
• Favorites: Shows other network resources that the user considered important enough to be able to easily return to
Forensic Information in the User's Library Folder (cont'd)
• Logs: This folder contains log files for many applications and usage information
• Mail and Mail Downloads: These folders contain email and files that were attached to emails received under this account
• Phones: This folder contains information on cell phones that have been connected to this computer under this account
• Recent Servers: This folder contains information on servers that have been recently connected to, including AFP and FTP sites
• Safari: This folder contains the vital information on Safari's usage, including bookmarks and history
Collect User Accounts Information
Check the non-admin and admin accounts to verify the additional user privileges or restrictions
The following table shows the access provided to user accounts:
Guest (non-administrator): Restricted user access (disabled by default)
Standard (non-administrator): Non-privileged user access
Managed (non-administrator): Restricted user access
Administrator: Full computer configuration administration
System administrator (root): Unrestricted access to the computer
User IDs
Every user account has a User ID, which is a number that uniquely identifies a user
The user ID is a unique string of digits between 500 and 2,147,483,648
Use the user ID to track a user's folder and file ownership
User ID 0 is reserved for the root user, and user IDs below 100 are reserved for the system's use
Gathering User Information from Plist Files
• /Library/Preferences/com.apple.loginwindow.plist: Auto-login user and last login user
• /Users/username/Library/Preferences/loginwindow.plist: User auto-launch items
• /Library/Preferences/com.apple.preferences.accounts.plist: Deleted users
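For the plist files listed on this slide and on the Checking Plist Files slide, an added example (not EC-Council's code) that reads XML and binary plists with Python's standard plistlib and pulls out the fields an examiner records, plus a small parser for /private/etc/hosts. The key names ProductName, ProductVersion, ProductBuildVersion, lastUserName and autoLoginUser are assumed from those files' real format; every sample value below is constructed.

```python
"""Triage of the plist files named on the slides (added example, not EC-Council code)."""
import plistlib

# Keys assumed from the real files' format; a missing key is reported, never guessed.
TRIAGE = {
    "/System/Library/CoreServices/SystemVersion.plist":
        ["ProductName", "ProductVersion", "ProductBuildVersion"],
    "/Library/Preferences/com.apple.loginwindow.plist":
        ["lastUserName", "autoLoginUser"],     # autoLoginUser only present when auto-login is on
}

def load_plist(raw):
    """Parse plist bytes; plistlib sniffs XML vs binary ('bplist00' header) itself."""
    return plistlib.loads(raw)

def triage_plists(files):
    """files maps path -> raw bytes copied from the evidence image.
    Returns, per path of interest, the keys found, the keys absent, or 'missing'."""
    report = {}
    for path, keys in TRIAGE.items():
        if path not in files:
            report[path] = {"status": "missing"}
            continue
        data = load_plist(files[path])
        report[path] = {"status": "ok",
                        "found": {k: data[k] for k in keys if k in data},
                        "absent": [k for k in keys if k not in data]}
    return report

def parse_hosts(text):
    """/private/etc/hosts: map each hostname to every address defined for it,
    skipping comments and blank lines (a name can appear under both IPv4 and IPv6)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name, []).append(addr)
    return mapping

# Constructed sample evidence: an XML plist as SystemVersion.plist is shipped, and a
# binary plist as Leopard writes preference files.
SAMPLE_FILES = {
    "/System/Library/CoreServices/SystemVersion.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>ProductBuildVersion</key><string>9A581</string>
<key>ProductName</key><string>Mac OS X</string>
<key>ProductVersion</key><string>10.5</string>
</dict></plist>""",
    "/Library/Preferences/com.apple.loginwindow.plist": plistlib.dumps(
        {"lastUserName": "dogcow", "autoLoginUser": "dogcow"}, fmt=plistlib.FMT_BINARY),
}
SAMPLE_HOSTS = (
    "##\n# Host Database (constructed sample)\n"
    "127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1 localhost\n"
    "10.0.0.5 fileserver.local   # added by the user\n"
)

if __name__ == "__main__":
    for path, result in triage_plists(SAMPLE_FILES).items():
        print(path, result)
    print(parse_hosts(SAMPLE_HOSTS))
```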
Use Spotlight for Keyword Search
Mac OS X features the Spotlight search technology, which lets you instantly find things on the Mac
Spotlight will index and search in the following locations:
• The Documents, Movies, Music, and Pictures folders
• The Trash of all users and each mounted volume
• ~/Library/Metadata/
• ~/Library/Caches/Metadata/
• ~/Library/Mail/
• ~/Library/Caches/com.apple.AddressBook/Metadata/
• ~/Library/PreferencePanes/
Spotlight also searches these non-Home folder locations by default:
• /Library/PreferencePanes/
• /System/Library/PreferencePanes/
• /Applications
Collecting Information Regarding Parental Controls for a Local Account
Users are limited by using Parental Control preferences
Parental Control preferences:
• Open System Preferences, then click Accounts, and collect the setting information
• Click the System tab and check the "Simple Finder" setting
• Click the Content tab and check the settings to:
  • Limit access to adult websites automatically
  • Always allow these sites
  • Never allow these sites
• Click the Mail & iChat tab and check the settings to:
  • Only allow emailing and instant messaging
  • Send permission request
• Click the Time Limits tab and check the setting
• Click the Logs tab and check the setting
Parental Controls: Screenshot
File Vault and Mac OS X Security
FileVault Preference Pane:
• FileVault is the security technology available in Mac OS X to secure a user's home directory
• It encrypts the user's home directory using 128-bit AES encryption to a sparse image DMG file
Figure: FileVault preference pane
Cracking the File Vault
Crack the protection password to access the FileVault-encrypted Home directory
Tools:
• John the Ripper
• THC Hydra
• crowbarDMG
• Mac Marshal
• MacLockPick II
Cracking methods that can be used:
• Brute force
• Dictionary attack
• Hybrid attack (brute force with a dictionary attack)
POSIX Permissions
The Portable Operating System Interface (POSIX) controls access to files and folders
Check the types of standard POSIX permissions given to each user or group
POSIX provides four types of permission:
• Read & Write
• Read Only
• Write Only
• None
Viewing POSIX Permissions
POSIX access permissions can be assigned to the following categories of users:
• Owner: the user who creates an item, and who has Read & Write permissions
• Group: users who need the same access to files and folders, collected into group accounts
• Everyone: anyone who can log in to the file server
Steps to view the current permission settings:
• Open Terminal
• Run the ls command:
  $ ls -l
Viewing ACL Permissions
An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user
Each ACE contains the following components:
• User: owner, group, and other
• Action: read, write, or execute
• Permission: allow or deny the action
Steps to view ACL permissions:
• Select an object in the Finder
• Select the menu item File > Get Info, or press Cmd+I
• Open the Ownership & Permissions section in the information panel
Mac OS X Log Files
Log files maintain a record of user activity on the system, and a log entry itself can show evidence of the crime
The Console utility, found in /Applications/Utilities, is used to view the stored logs
Mac OS X Log Files (cont'd)
Some of the log files are as follows:
/var/log/crashreporter.log: Application usage history; information is written here only when an application crashes
/var/log/cups/access_log: Printer connection information
/var/log/cups/error_log: Printer connection information
/var/log/daily.out: Network interface history
/var/log/samba/log.nmbd: Samba (Windows-based machine) connection information
~/Library/Logs: Any logs in this area will be specific to the user of this Home directory; application-specific logs will be found here
Mac OS X Log Files (cont'd)
~/Library/Logs/DiscRecording.log: Log of CD or DVD media burned using the Finder; this is specific to the user of this Home directory
~/Library/Logs/DiskUtility.log: Log of CD or DVD media burned using the Finder, mount and unmount history of ISO or DMG image files, Permission Repair history, and hard disk partition information
~/Library/Logs/iChatConnectionErrors: Log files here contain information on past iChat connection attempts, such as username, IP address, and date & time of the attempt
~/Library/Logs/Sync: Log files here contain information on .Mac syncing, mobile devices such as iPods and cell phones, and the date & time of the activities
Locating the iChat Configuration File
iChat configuration settings are stored in the configuration files
iChat components and their corresponding configuration file locations are as follows:
jabberd2 (startup script): /etc/jabberd/jabberd.cfg
router (inter-module message routing): /etc/jabberd/router.xml
resolver (domain resolution): /etc/jabberd/resolver.xml
sm (session manager): /etc/jabberd/sm.xml
C2S (client-to-server communications): /etc/jabberd/c2s.xml
S2S (server-to-server communications): /etc/jabberd/s2s.xml
Checking Instant Messaging Configuration Plist Files
Check the following plist files for the configuration settings of various instant messaging services:
• /Library/Preferences/com.apple.iChat.AIM.plist
• /Library/Preferences/com.apple.iChat.plist
• /Library/Preferences/com.apple.iChat.SubNet.plist
• /Users/username/Library/Preferences/com.aol.aim.plist
• /Users/username/Library/Preferences/com.adiumX.adiumX.plist
• /Users/username/Library/Preferences/com.apple.iChat.AIM.plist
• /Users/username/Library/Preferences/com.apple.iChat.plist
• /Users/username/Library/Preferences/com.apple.SubNet.plist
• /Users/username/Library/Preferences/com.skype.skype.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist
Viewing iChat Logs
iChat logs are located in the following locations:
• The iChat service log is located in /var/log/system.log
• The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log
• The iChat multiuser conference log is located in /var/jabberd/log/jcr.log
Steps to view iChat logs:
• Open Server Admin and connect to the server
• Click the triangle to the left of the server
• Click iChat
• Click Logs and then choose a log from the View pop-up menu
Gathering Safari Information
The following files provide important forensic information on browsing activities:
/Users/username/Library/Safari/Bookmarks.plist: User's bookmarks
/Users/username/Library/Safari/Downloads.plist: Contents of the user's Downloads window in Safari
/Users/username/Library/Safari/History.plist: Safari browser history
/Users/username/Library/Safari/LastSession.plist: Defines the last browsing session (windows and tabs that were open)
Checking Wi-Fi Support
To check the Wi-Fi support setting, open the /System/Library/Extensions folder
This information will help determine the wireless access available to the system
Check for the following files:
• AppleAirPort.kext
• AppleAirPort2.kext
• AppleAirPortFW.kext
Checking Bluetooth Support
To check whether the system has Bluetooth support enabled, open the /System/Library/Extensions folder
This information provides clues about a Bluetooth attack on the system
Check for the following files:
• IOBluetoothFamily.kext
• IOBluetoothHIDDriver.kext
Check the /Library/Preferences/com.apple.Bluetooth.plist file to obtain the Bluetooth history
Gathering Information from the Printer Spool (CUPS)
Browse to the web page http://localhost:631/
Vulnerable Features of Mac
Hidden Extensions
• File extensions are kept hidden from the user
• A Trojan can exploit this to hide its true nature
Bundle Architecture
• A bundle is a special folder that allows multiple resources to be contained in one single folder
• It makes the process of creating a virus easier, since it greatly assists the process of installing multiple executables into one program
Unprotected Application Folder
• The programs that a user relies upon are stored unprotected inside a folder called /Applications
• A common application running on the system can be modified and replaced with viruses
Centralized Open Address Book
• Mac OS X provides an Address Book which contains instant messaging addresses, email addresses, phone numbers, and physical addresses
• The addresses in the Address Book can be used for spreading a virus
• For example, "ILOVEYOU", the "Love Bug worm", spread by interrogating users' contacts and emailing copies of itself
Mac Forensics: Imaging
Imaging a Target Macintosh
Mac system imaging techniques are as follows:
• Target Disk Mode
• LiveCD method
• Drive Removal
Target Disk Mode
In Target Disk Mode, the target computer acts as an external FireWire hard drive
Steps for a Target Disk Mode acquisition:
• Turn off Disk Arbitration on your forensic Macintosh
• Shut down your forensic Macintosh
• Start the target Macintosh
• Connect the target Macintosh to your forensic Macintosh through a FireWire cable
• Boot your forensic Macintosh either to your forensic partition or with Disk Arbitration turned off
• Enter the Terminal and check for your attached Target Disk Mode Macintosh
Target Disk Mode (cont'd)
Determine which disk to acquire and create a digital fingerprint of the target device by running an MD5 hash
Use the md5 command: md5 /dev/disk0 > /Evidence/targetMacintosh.md5_start
Use dd to make the acquisition of the raw disk as follows:
• dd if=/dev/rdisk1 conv=noerror,sync of=/Evidence/targetMacintosh.dd
Create a second digital fingerprint of the target device to show that nothing has been altered by the dd process:
• md5 /dev/disk0 > /Evidence/targetMacintosh.md5_end
Power down your forensic Macintosh
Power down the target Macintosh
Disconnect the FireWire cable
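The hash, copy, hash sequence above, as an added example (not from EC-Council) in Python over a simulated block device: it reproduces what dd's conv=noerror,sync does with an unreadable sector and checks the start and end fingerprints the slide asks for against the image hash. The SimulatedDevice class, its bad-block list and the sample data are constructed for the demo; on a real system the md5 and dd commands on the slide do this work.

```python
"""Target Disk Mode acquisition check over a simulated device (added example, not EC-Council code)."""
import hashlib
import io

BLOCK = 512

class SimulatedDevice:
    """Constructed stand-in for /dev/rdiskN: read() raises OSError (EIO) on any block
    listed in bad_blocks, the way an unreadable sector surfaces to dd."""
    def __init__(self, data, bad_blocks=()):
        self.data, self.bad, self.pos = data, set(bad_blocks), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, size):
        if self.pos // BLOCK in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + size]
        self.pos += len(chunk)
        return chunk

def _read_block(dev, offset):
    """One block read with conv=noerror,sync semantics: (data padded to BLOCK, ok)."""
    dev.seek(offset)
    try:
        return dev.read(BLOCK).ljust(BLOCK, b"\x00"), True
    except OSError:
        return b"\x00" * BLOCK, False

def fingerprint(dev, size):
    """Stand-in for `md5 /dev/diskN`. The real md5 utility aborts on an unreadable sector;
    this pads bad blocks with zeros exactly as dd does, so the start/end fingerprints stay
    comparable, and returns the bad block numbers for the examination notes."""
    h, bad = hashlib.md5(), []
    for off in range(0, size, BLOCK):
        chunk, ok = _read_block(dev, off)
        h.update(chunk)
        if not ok:
            bad.append(off // BLOCK)
    return h.hexdigest(), bad

def dd_noerror_sync(dev, size, out):
    """dd if=<dev> conv=noerror,sync of=<image>: keep going after a read error and write a
    zero-filled block in its place so offsets in the image still match the device."""
    h, bad = hashlib.md5(), []
    for off in range(0, size, BLOCK):
        chunk, ok = _read_block(dev, off)
        if not ok:
            bad.append(off // BLOCK)
        out.write(chunk)
        h.update(chunk)
    return h.hexdigest(), bad

def acquire(dev, size):
    """The slide's sequence, md5_start -> dd -> md5_end, run against the SAME device node.
    Returns the verification record and the image bytes."""
    md5_start, bad_start = fingerprint(dev, size)
    out = io.BytesIO()
    image_md5, bad_dd = dd_noerror_sync(dev, size, out)
    md5_end, _ = fingerprint(dev, size)
    record = {"md5_start": md5_start, "md5_end": md5_end, "image_md5": image_md5,
              "device_unchanged": md5_start == md5_end,        # dd did not alter the source
              "image_matches_device": image_md5 == md5_start,  # image is a faithful copy
              "bad_blocks": sorted(set(bad_start) | set(bad_dd))}
    return record, out.getvalue()

# Constructed sample "disk": 4 blocks of recognisable bytes.
SAMPLE_DATA = bytes(range(256)) * 8

if __name__ == "__main__":
    clean, _ = acquire(SimulatedDevice(SAMPLE_DATA), len(SAMPLE_DATA))
    damaged, _ = acquire(SimulatedDevice(SAMPLE_DATA, bad_blocks=[2]), len(SAMPLE_DATA))
    print("clean device:", clean)
    print("device with unreadable block 2:", damaged)
```

A bad-block list that is non-empty means the image hash cannot be compared with a plain md5 of the device taken on another machine, so the list itself is part of the evidence record.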
LiveCD Method
The LiveCD method involves booting the target Macintosh with a known, forensically sound CD
It can include a custom-tailored Linux distribution such as Helix, SMART, or a Knoppix variant
A LiveCD method for acquisition of a Macintosh is sometimes the preferred method
Drive Removal
Physical drive removal is the complicated part of a Macintosh examination
Use a physical write-blocking device for the acquisition
Once the disk drive is physically write-blocked, an imaging process can begin with the help of any tool
Possible failures of this method:
• Bad cable between the drive and the physical write-blocking device
• Bad cable from the physical write-blocking device to the forensic computer
• Imaging tool that does not recognize the file system of the target Macintosh
Acquiring the Encrypted User Home Directory
While copying the Encrypted User Home Directory file, set the "Locked" property in the window
• This will prevent the file from any further changes
Steps to successfully acquire the Encrypted User Home Directory:
• Open a shell in the Terminal with root privileges
  Example: "sudo sh"
• Copy the file from its present location to your Evidence Collection directory
  Example: "cp /Users/dogcow/dogcow.sparseimage /Evidence"
• Take ownership of the file
  Example: "chown yourusername /Evidence/dogcow.sparseimage"
• Set the Locked flag to prevent any changes to this file
  Example: "chflags uchg /Evidence/dogcow.sparseimage"
.Mac and Related Evidence
.Mac is an Internet resource; its features include email, web site hosting, and iDisk storage of files
A user may store files here, including Backup files, Address Book entries, Safari bookmarks, and Quicken data
Figure: Mac plist Window
Quick View Plus
The Quick View Plus tool supports information created in Windows, Macintosh, Internet, and DOS formats
It helps to access information from sources such as e-mail attachments, the Web, and legacy document stores
Features:
• It maintains the formatting of the original documents
• It integrates with the latest browser and e-mail applications
• All or a portion of any viewed file can be copied and then pasted into an application
• It is possible to transfer data between Windows, Macintosh and DOS word processing and presentation programs
Cover Flow
Cover Flow is a three-dimensional graphical user interface which allows users to visually rummage through files and a digital media library
Figure: Cover Flow
Customizing Cover Flow:
Figure: Customizing Cover Flow
Mac Forensic Tools
gpart
gpart ignores the primary partition table and scans the disk (or disk image file) for several file system/partition types
This is done by comparing sequences of sectors with the beginning of each known file system or partition type
gpart (cont'd)
File systems known to gpart:
File system   Description
beos          BeOS filesystem type
bsddl         FreeBSD/NetBSD/386BSD disklabel sub-partitioning scheme used on Intel platforms
ext2          Linux second extended filesystem
fat           MS-DOS FAT12/16/32 "filesystems"
hpfs          IBM OS/2 High Performance filesystem
hmlvm         Linux LVM physical volumes
lswap         Linux swap partitions
minix         The Minix operating system filesystem type
ntfs          MS Windows NT filesystem
qnx4          QNX 4.x filesystem
rfs           The Reiser filesystem (version 3.5.X, X > 11)
MacLockPick
MacLockPick uses the settings files to keep track of contacts, activities and history
It extracts and saves the data to its own flash drive
It can be used to extract:
• Internet login passwords, WiFi, AppleShare
• File and folder details such as creation, modification, and most recently accessed dates
• Instant Messaging details
• Email account details
• Web History and Preferences
• Hardware Preferences
File Juicer
File Juicer finds and extracts images, video, audio or text from files
It saves the images in their original format
It finds and extracts the following file types:
• JPEG
• PNG
• GIF
• PDF
• BMP
• WMF
• EMF
• PICT
• MOV
• MP4
• MP3
File Juicer: Screenshot
Source: http://www.macupdate.com/images/screens/uploaded/16101_scr.png
MacAnalysis
MacAnalysis is a security auditing/cracker prevention application
It can perform the following functions:
• Reverse IP
• Port Scan
• Services Scan
• Name Scan
• OS Fingerprinting
• POP3/SMTP/FTP Brute Force
• Network Info
• IP Monitoring
• DUP Broadcast Scanning
• Telnet client
• Buffer Overflow
MacAnalysis: Screenshot
MacQuisition
MacQuisition is a forensic acquisition tool used to safely and easily image Mac source drives using the source system
Features:
• Easily identify the source device
• Configure the destination location
• Image directly over the network
• Use the command line
• Log case, exhibit and evidence tracking numbers and notes
• Automatically generate MD5, SHA1 and SHA-256 hashes
MacQuisition Steps
Step 1: Source Identification
Step 3: Case Information
MacQuisition Steps (cont'd)
Step 5: Imaging/Status Information
FTK Imager
FTK Imager is used for:
• Making an exact copy of a drive or folder
• Taking an MD5 or SHA-1 digital signature of a drive or file
• Determining properties of drives, folders or files
• Viewing files
Mac Forensic Tools
dd_rescue images drives or files from the attacked system and also copes with bad sectors or other read errors while imaging the drives
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files
Mac Forensic Tools (cont'd)
Foremost is used to recover files based on their headers, footers, and internal data structures; it can work on image files, such as those generated by dd or EnCase, or directly on a drive
Mac Forensic Lab acquires a bit-by-bit replica of the original media while maximizing data recovery, even with corrupted media; forensic images are created with integrated segmenting and granular hashing
The LinkMASSter tool with the "Forensic Mac Acquisition" option allows data to be acquired from an unopened Mac computer through 1394B or USB ports
Summary
Mac OS consists of unique file systems and applications
HFS+ and HFS are the two file systems found on Macintosh
Open Firmware Password helps to physically secure the computer
Disk Arbitration needs to be enabled for Disk Utility to function
The home directory is the area to find all of the evidence for any case, barring system-wide log and settings files