File000128

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: ProteMac Announces
ProteMac Meter 1.1 for Mac OS X
Source: http://prmac.com/release-id-3023.htm

EC-Council
Module Objective
• Mac OS and File System
• Partitioning Schemes
• Mac OS X Directory Structure
• Pre-requisites for Mac Forensics
• POSIX Permissions
• Mac OS X Log Files
• Vulnerable Features of Mac
• Imaging a Target Macintosh
• .Mac and Related Evidence
• Mac Forensics Tools
This module will familiarize you with:

EC-Council
Module Flow
Mac OS and File System Partitioning Schemes
Mac OS X Directory StructurePre-requisites for Mac Forensics
POSIX Permissions Mac OS X Log Files
Vulnerable Features of MacImaging a Target Macintosh
.Mac and Related Evidence Mac Forensics Tools

EC-Council
Mac OS and File Systems

EC-Council
Mac OS X
Mac OS X is a Unix-based operating system built on object-oriented
NeXTSTEP operating system and development environment
It is a memory management and multitasking Mac platform
The following are some of the Mac OS X versions:
• Mac OS X 10.0- “Cheetah”, was the first major release of Mac OS X
• Mac OS X 10.1- “Puma”, was released on September 25, 2001
• Mac OS X 10.2- “Jaguar” was the third major release of Mac OS X
• Mac OS X 10.3- “Panther”
• Mac OS X 10.4- “Tiger”
• Mac OS X 10.5- “Leopard”

EC-Council
Partitioning Schemes
The partitioning scheme is the basic definition of how a hard drive or
other media is laid out for a file system to be applied
There are two types of Mac partitioning schemes:
• Apple partition map (PowerPC based Macintosh)
• GUID partition scheme (Intel based Macintosh)

EC-Council
Apple Partition Map (APM)
Apple Partition Map is used to define the low-level organization of data on Mac formatted disks
Apple disks are divided into blocks, with 512 bytes belonging to each block
First block of APM contains driver information
The number of entries in the partition map is not restricted, however, because the partition map must
begin at block 1 and must be contiguous, it cannot easily be expanded once other partitions are created
APM defines itself as one of the partitions on the disk
fdisk and pdisk tool can be used to manipulate an APM

EC-Council
Apple Partition Map Entry
Record
The partition map entry record is defined by the Partition data type

EC-Council
GUID Partition Table
GUID Partition Table (GPT) is a partitioning scheme introduced by Intel and adopted by Apple
Block layout used by GPT is as follows:
Block Description
0 Protective MBR
1 Partition Table Header (primary)
2 through 2+b-1 Partition Entry Array (primary)
2+b through n-2-b Partition Data
n-2-b+1 through n-2 Partition Entry Array (backup)
n-1 Partition Table Header (backup)
Where,
n is the number of blocks on the disk
b is the number of blocks used to describe the partition entry

EC-Council
GUID Partition Table (cont’d)
Figure: GUID Partition Table

EC-Council
Mac OS X File System
Mac OS X supports a variety of file systems and volume formats such as:
File System Description
HFS
Mac OS Standard file system. Standard Macintosh file system for older versions
of Mac OS
HFS Plus Mac OS Extended file system. Standard Macintosh file system for Mac OS X
UFS Unix File System. A variant of the BSD “Fast File System”
WebDAV Used for directly accessing files on the web
UDF
Universal Disk Format. The standard file system for all forms of DVD media and
some writable CD formats
FAT The MS-DOS file system, with 16- and 32-bit variants
SMB/CIFS Used for sharing files with Microsoft Windows SMB file servers
AFP
AppleTalk Filing Protocol. The primary network file system for all versions of
Mac OS
NFS
Network File System. A commonly-used BSD file sharing standard. Mac OS X
supports NFSv2 and NFSv3 over TCP and UDP
FTP A file system wrapper for the standard Internet File Transfer Protocol

EC-Council
HFS+ File System
• Volume header – contains file system attributes, such as the version and the
allocation block size, and information to locate the metadata files
• Allocation file – tracks the usage status of the allocation blocks
• Catalog file – contains the majority of file and folder metadata
• Extents overflow file – contains additional extents records for files composed of
more fragments than can be recorded in the catalog file
• Attributes file – extensible metadata; it is used for features such as access control
lists and Time Machine
• Journal file- is allocated as a contiguous set of blocks on the file system
The major components of the HFS+ file system are:

EC-Council
HFS+ File System (Cont’d)
Figure: HFS+ File System
Reserved (1024 bytes)
Volume Header
Allocation File
Extents Overflow File
Catalog File
Attribute s File
Startup File
Alternate Volume Header
Reserved (512 bytes)
File Data
or
Free Space

EC-Council
Mac OS X Directory Structure
The command /ls is used to see the directories
Following are the directories in the Mac OS X:
Directory Description
/Applications This is where your Mac’s applications are kept
/System
System related files, libraries, preferences, critical for the proper function of
Mac OS X
/Library
Shared libraries, files necessary for the operating system to function
properly, including settings, preferences, and other necessities
/Network Contains information about network related devices, servers, libraries, etc
/Users
All user accounts on the machine and their accompanying unique files,
settings
/Volumes
Mounted devices and volumes, either virtual or real, such as hard disks, CDs,
DVDs, DMG mounts

EC-Council
Mac OS X Directory Structure
(cont’d)
Directory Description
/bin
Essential common binaries, holds files, and programs needed to boot the
operating system
/etc
Machine local system configuration, holds administrative, configuration,
and other system files
/usr
Second major hierarchy, includes subdirectories that contain
information, configuration files, and other essentials used by the
operating system
/sbin Essential system binaries, contains utilities for system administration
/tmp Temporary files, caches, etc.
/var
Variable data, contains files whose contents change as the operating
system runs

EC-Council
Mac Security Architecture
Overview
• Berkeley Software Distribution (BSD)
• It provides fundamental services, such as the basis for the Mac OS X file
system, including file access permissions
• Common Data Security Architecture (CDSA)
• It provides a wider array of security services, including finer-grained access
permissions, authentication of users’ identities, encryption, and secured data
storage
Mac OS X security is built on the following
two standards:

EC-Council
Screenshot: Mac Security
Architecture
Figure: Mac Security Architecture
BSD: Berkeley Software
Distribution
CDSA: Common Data
Security Architecture
API: application
programming interface

EC-Council
Mac Forensics: Collecting Evidence

EC-Council
Pre-requisites for Mac Forensics
• Macintosh OS X based laptop for mobile forensics
• Macintosh OS X based desktop for laboratory forensics
• MacOS X with the XCode tools installed
• Firewire cable with the appropriate adapters
• USB Flash Drive, minimum of 1GB in size
• Examination Notes information sheet
Pre-requisites for Mac forensics are:

EC-Council
Obtaining System Date and Time
Steps to obtain date and time if system is on and has no Open Firmware Password or has
disabled single-user mode:
• Press the power button to start the computer
• Immediately press and hold the Command (Apple) key and the "s" key to go to single-user mode
• Type "date" at the prompt near bottom of the screen and press Return
Steps to obtain date and time if system is running:
• Open Date & Time preferences
• Take a screenshot of time and date setting
• Check the “time zone” selected and take a screenshot

EC-Council
Date and Time Preferences

EC-Council
Single User Mode
Single User Mode provides “root” user priviledge
The following commands can be used for safe information gathering in Single User Mode:
•date: Returns the date with the current time zone applied
•date -u: Returns the date in UTC
•hdiutil partition /dev/disk0: Returns the partition table of the boot drive
•hdiutil pmap2 /dev/disk0: Returns additional partition table information for the boot drive
•ls /dev/disk?: Lists the current device files in use for installed disks
•system_profiler SPHardwareDataType: Returns Macintosh hardware info
•system_profiler SPSoftwareDataType: Returns operating system info
•system_profiler SPParallelATADataType: Returns info on ATA devices
•system_profiler SPHardwareRAIDDataType: Returns info on hardware RAID
•system_profiler SPMemoryDataType: Returns info on installed memory
•system_profiler ParallelSCSIDataType: Returns info on SCSI devices
•system_profiler SPSASDataType: Returns info on SAS devices
•system_profiler SPSerialATADataType: Returns info on SATA devices

EC-Council
Determining and Resetting the
Open Firmware Password
• Press the Power button and immediately hold down the Option key
• A password dialog confirms the use of Open Firmware Password
First determine if Open Firmware Password is used
• The Open Firmware Password will be reset if a user changes the amount of the physical
memory in the machine and reboots
Resetting the password:
Note - Resetting the password will reset the system clock

EC-Council
Checking Plist Files
File Uses
/System/Library/CoreServices/Syste
mVersion.plist
Contains the current version of the installed
operating system
/private/var/log/OSInstall.custom
Contains the date and time the operating
system was first installed (completion time,
not start time)
/private/etc/hosts
Contains defined IP addresses and the
associated name
User settings are stored in plist (Property List Format) files
Property List Editor utility reveals the data contained within plist files
The following are the miscellaneous plist files:

EC-Council
Gathering Network Setting
Information from Plist files
Plist Files Network Information
/Library/Preferences/com.apple.alf.plist Firewall Settings
/Library/Preferences/SystemConfiguration/com.apple
.airport.preferences.plist
Airport (Wireless) Settings
.nat.plist
Internet Sharing Settings
.network.identification.plist
Historical Network TCP/IP Assignments
with Timestamps
.NetworkInterfaces.plist
Onboard Interfaces
.preferences.plist
Network Configuration for each interface

EC-Council
Collect User Home Directory
Information
Each time a user is added to the computer, Mac OS X creates a new folder named after that
user called as "Home directory"
The Users folder in the Mac OS X disk stores the Home directories for all of the computer's
users
• Desktop - Contains all of the items that are seen on the user's desktop
• Documents - Typically contains user data files such as Pages, Keynote, MS Word, and
other types of files
• Limewire - This is created by the Limewire application; by default, it stores shared files
and downloaded files
• Incomplete - Created by Limewire and contains files that have not yet been successfully
downloaded to this user's account
• Library - It contain logs, preferences, browser history, recent files, etc.
Major folders in users’ Home directories:

EC-Council
Collect User Home Directory
Information (cont’d)
• Magazines - Used by the Zinio Reader application
for electronic magazines
• Movies - Contain iDVD movie data, Quicktime files,
and other digital video material
• Music - Contain a user's iTunes library and other
digital music material such as MP3files
• Pictures - Contains a user's digital photo collection
such as the iPhoto library
• Public - This is a "drop box" where other users have
permissions to place files, read files, but not delete
files
• Sites - If a WWW server is active such as the built in
Apache web server, users can host their website
from this directory
Major folders in users’ Home directories:
Figure: User Home Directory

EC-Council
Forensic Information in the
User’s Library Folder
User Library folder contains information such as user specific drivers, fonts, settings, and
system add-ons
It also gives information about Browser’s history, webpage cache, email remnants, email
attachments, and indexes
The following are some of the folders in User Library folder:
• Application Support
• Automator
• Caches
• Cookies
• Favorites
• Logs
• Mail and Mail Downloads
• Phones
• Recent Servers
• Safari

EC-Council
User’s Library Folder (cont’d)
• Includes information about applications installed, and may show usage information
Application Support
• User specific actions such as file copying, server connections, and other actions a
user wants to automate will be stored here
Automator
• Include information of application usage, web sites visited, buddy lists, and
downloaded files
Caches
• Used by Safari and other web browsers for the Cookies of various websites
Cookies
• Show other network resources that the User considered important enough to be able
to easily return to
Favorites

EC-Council
User’s Library Folder (cont’d)
• This folder contains log files for many applications and usage information
Logs
• These folders contain email and files that were attached to emails received under this
account
Mail and Mail Downloads
• This folder contains cell phones that have been connected to this computer under this
account
Phones
• This folder contains information on servers that have been recently connected to
including AFP and FTP sites
Recent Servers
• This folder contains the vital information on Safari’s usage including bookmarks,
history
Safari

EC-Council
Collect User Accounts
Information
Check the non-admin and admin account to verify the additional user privileges or
restrictions
The following table shows the access provided to user accounts:
User Account User Access
Guest non-administrator Restricted user access (disabled by default)
Standard non-administrator Non privileged user access
Managed non-administrator Restricted user access
Administrator Full computer configuration administration
System administrator (root) Unrestricted access to the computer

EC-Council
User IDs
Every user account has User ID, which is a number that uniquely
identifies a user
The user ID is a unique string of digits between 500 and
2,147,483,648
Use the user ID to track a user’s folder and file ownership
The user ID is reserved for the root user and user IDs below 100
are reserved for system’s use

EC-Council
Gathering User Information
from Plist Files
• /Library/Preferences/com.apple.loginwindow.plist
Auto-Login User and Last Login User
• /Users/username/Library/Preferences/loginwindow.plist
User Auto-Launch Items
• /Library/Preferences/com.apple.preferences.accounts.plist
Deleted Users

EC-Council
Use Spotlight for Keyword
Search
• The Documents, Movies, Music, and Pictures folders
• The Trash of all users and each mounted volume
•~/Library/Metadata/
•~/Library/Caches/Metadata/
•~/Library/Mail/
•~/Library/Caches/com.apple.AddressBook/Metadata/
•~/Library/PreferencePanes/
Spotlight will index and search in the following
locations:
•/Library/PreferencePanes/
•/System/Library/PreferencePanes/
•/Applications
Spotlight also searches these non-Home folder locations
by default:
Mac OS X features Spotlight search technology that instantly allows you to find things on
Mac

EC-Council
Collecting Information Regarding
Parental Controls for a Local Account
Users are limited by using Parental Control preferences
• Open System Preferences, then click Accounts, and collect the setting information
• Click System tab and check “Simple Finder” setting
• Click Content tab and check the settings to:
• Limit access to adult websites automatically
• Always allow these sites
• Never allow these sites
• Click Mail & iChat tab and check the setting to:
• Only allow emailing and instant messaging
• Send permission request
• Click Time Limits tab and check the setting
• Click Logs tab and check the setting
Parental Control Preferences:

EC-Council
Parental Controls: Screenshot

EC-Council
File Vault and MacOS X Security
• FileVault is the security
technology available in MacOS
to secure a user's home
directory
• It encrypts user's home
directory using 128 bit AES
encryption to a Sparse image
DMG file
FileVault Preference
Pane:
Figure: File vault preference pane

EC-Council
Cracking the File Vault
Crack protection password to access FileVault encrypted Home directory
• John the Ripper
• THC Hydra
• crowbarDMG
• Mac Marshal
• MacLockPick II
Tools
• Brute force
• Dictionary attack
• Hybrid Attack (brute force with a dictionary attack)
Cracking methods that can be used:

EC-Council
POSIX Permissions
Portable Operating System Interface (POSIX) controls access to files and folders
Check the types of standard POSIX permissions given to each user or group
• Read & Write
• Read Only
• Write Only
• None
POSIX provides four types of permission:

EC-Council
Viewing POSIX Permissions
POSIX access permissions can be assigned to the following category of users:
• Owner- who creates an item has Read & Write permissions
• Group- who needs the same access to files and folders into group accounts
• Everyone- who can log in to the file server
Steps to view the current permission settings:
• Open Terminal
• Run the ls command:
•$ ls -l

EC-Council
Viewing ACL Permissions
ACL is a list of access control entries (ACEs), each specifying the permissions to be granted
or denied to a group or user
Each ACE contains the following components:
• User—owner, group, and other
• Action—read, write, or execute
• Permission—allow or deny the action
Steps to view ACL permission:
• Select an object in the Finder
• Select the menu item File > Get Info, or press Cmd+I
• Open the section Ownership & Permissions in the information panel

EC-Council
Mac OS X Log Files
Log files maintains a log of the user activity on the system and the log entry itself would
show the crime
The Console utility, found in the /Applications/Utilities store logs

EC-Council
Mac OS X Log Files (cont’d)
Some of the log files are as follows:
Log File Uses
/var/log/crashreporter.log
Application Usage History, information is written here when an
application crashes only
/var/log/cups/access_log Printer Connection Information
/var/log/cups/error_log Printer Connection Information
/var/log/daily.out Network Interface History
/var/log/samba/log.nmbd Samba (Windows based machine) connection information
~/Library/Logs
Any logs in this area will be specific to the user of this Home
directory; application-specific logs will be found here

EC-Council
Mac OS X Log Files (cont’d)
Log File Uses
~/Library/Logs/DiscRecording.log
Log of CD or DVD media burned using the Finder;
this is specific to the user of this Home directory
~/Library/Logs/DiskUtility.log
Log of CD or DVD media burned using the Finder,
mount and unmount history of ISO or DMG image
files, Permission Repair history, and hard disk
partition information
~/Library/Logs/iChatConnectionErrors
Log files here contain information of past iChat
connection attempts; data such as username, IP
address, and date & time of the attempt
~/Library/Logs/Sync
Log files here will contain information on .Mac
syncing, mobile devices such as iPods, and cell
phones, and date & time of the activities

EC-Council
Locating the iChat Configuration
File
iChat configuration settings are stored in the configuration files
iChat components and their corresponding configuration file location is as follows:
Component Location
jabberd2 (startup script) /etc/jabberd/jabberd.cfg
router (inter-module message routing) /etc/jabberd/router.xml
resolver (domain resolution) /etc/jabberd/resolver.xml
sm (session manager) /etc/jabberd/sm.xml
C2S (client-to-server communications) /etc/jabberd/c2s.xml
S2S (server-to-server communications) /etc/jabberd/s2s.xml

EC-Council
Checking Instant Messaging
Configuration Plist Files
Check following Plist files for various instant messaging services’ configuration
settings:
• /Library/Preferences/com.apple.iChat.AIM.plist
• /Library/Preferences/com.apple.iChat.plist
• /Library/Preferences/com.apple.iChat.SubNet.plist
• /Users/username/Library/Preferences/com.aol.aim.plist
• /Users/username/Library/Preferences/com.adiumX.adiumX.plist
• /Users/username/Library/Preferences/com.apple.iChat.AIM.plist
• /Users/username/Library/Preferences/com.apple.iChat.plist
• /Users/username/Library/Preferences/com.apple.SubNet.plist
• /Users/username/Library/Preferences/com.skype.skype.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist

EC-Council
Viewing iChat Logs
• The iChat service log is located in /var/log/system.log
• The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log
• The iChat multiuser conference log is located in /var/jabberd/log/jcr.log
iChat logs are located in the following locations:
• Open Server Admin and connect to the server
• Click the triangle to the left of the server
• Click iChat
• Click Logs and then choose a log from the View pop-up menu
Steps to view iChat logs:

EC-Council
Gathering Safari Information
Files Information
/Users/username/Library/Safari/Bookmarks.plist User's bookmarks
/Users/username/Library/Safari/Downloads.plist
Contents of the user's Downloads window in
Safari
/Users/username/Library/Safari/History.plist Safari browser history
/Users/username/Library/Safari/LastSession.plist
Defines the last browsing session (window and
tabs that were open)
The following files provide important forensics information on browsing activities:

EC-Council
Checking Wi-Fi Support
To check the Wi-Fi support setting, open the /System/Library/Extensions folder
The information will help to know about the wireless access to the system
Check the following files:
• AppleAirPort.kext
• AppleAirPort2.kext
• AppleAirPortFW.kext

EC-Council
Checking Bluetooth Support
To check the system has enabled Bluetooth support or not, open the
/System/Library/Extensions folder
This information provides clues about the Bluetooth attack on the system
Check the following files:
• IOBluetoothFamily.kext
• IOBluetoothHIDDriver.kext
Check /Library/Preferences/com.apple.Bluetooth.plist file for obtaining
bluetooth history

EC-Council
Gathering Information from
Printer Spool (CUPS)
Browse to the web page http://localhost:631/

EC-Council
Vulnerable Features of Mac
Hidden Extensions
• File extensions are kept hidden from the user
• Trojan can exploit this to hide its own true nature
Bundle Architecture
• Bundle is a special folder that allows multiple resources to be contained in one single folder
• It makes the process of creating a virus easier since it greatly assists the process of installing multiple
executables into one program
Unprotected Application Folder
• The programs that a user relies upon are stored unprotected inside a folder called /Applications
• The common application running on the system can be modified and replaced with the viruses
Centralized Open Address Book
• A Mac OS X provides Address Book which contains instant messaging addresses, email addresses,
phone numbers, and physical addresses
• The addresses in the address book will be used for spreading the virus
• For example: “ILOVEYOU”, the “Love Bug worm” spreads by interrogating users’ contacts and
emailing its copies

EC-Council
Mac Forensics: Imaging

EC-Council
Imaging a Target Macintosh
• Target Disk Mode
• LiveCD method
• Drive Removal
Mac system imaging techniques are as follows:

EC-Council
Target Disk Mode
In target disk mode, the target computer acts as an external firewire hard drive
Steps for a Target Disk Mode acquisition:
• Turn off Disk Arbitration on your forensic Macintosh
• Shut down your forensic Macintosh
• Start the target Macintosh
• Connect the target Macintosh to your forensic Macintosh through a
firewire cable
• Boot your forensic Macintosh either to your forensic partition or with
Disk Arbitration turned off
• Enter the Terminal and check for your attached Target Disk Mode
Macintosh

EC-Council
Target Disk Mode (cont’d)
Determine which disk to acquire and create a digital fingerprint of the target device by running MD5
hash
Use the MD5 command md5 /dev/disk0 > /Evidence/targetMacintosh.md5_start
Use dd to make the acquisition of the raw disk as follows:
•dd if=/dev/rdisk1 conv=noerror,sync of=/Evidence/targetMacintosh.dd
Create a second digital fingerprint of the target device to show nothing has been altered by the dd
process
•md5 /dev/disk0 > /Evidence/targetMacintosh.md5_end
Power down your forensic Macintosh
Power down the target Macintosh
Disconnect the firewire cable

EC-Council
LiveCD Method
LiveCD method involves booting the target Macintosh with a known, forensically
sound CD
It can include a custom tailored Linux distribution such as Helix, SMART, or a
Knoppix variant
A LiveCD method for acquisition of a Macintosh is sometimes the preferred
method

EC-Council
Drive Removal
Physical drive removal is the complicated part of a Macintosh examination
Use a physical write blocking device for the acquisition
Once the disk drive is physically write-blocked, an imaging process can begin with the help
of any tool
Possible failures of this system:
• Bad cable between the drive and the physical write blocking device
• Bad cable from the physical write blocking device to the forensic computer
• Imaging tool that does not recognize the file system of the target Macintosh

EC-Council
Acquiring the Encrypted User
Home Directory
While copying Encrypted User Home Directory file, set the "Locked" property in the
window
• This will prevent the file from any further changes
Steps to successfully acquire Encrypted User Home Directory:
• Open a shell in the terminal with root privileges
• Example "sudo sh"
• Copy the file from its present location to your Evidence Collection directory
• Example "cp /Users/dogcow/dogcow.sparseimage /Evidence"
• Take ownership of the file
• Example "chown yourusername /Evidence/dogcow.sparseimage"
• Set the Locked flag to prevent any changes to this file
• Example "chflags uchg /Evidence/dogcow.sparseimage”

EC-Council
.Mac and Related Evidence
.Mac is an Internet resource; its features include email, web site hosting, and iDisk storage of
files
A user may store files here, Backup files, Address Book entries, Safari bookmarks, and
Quicken data
Figure: Mac plist Window

EC-Council
Quick View Plus
Quick view plus tool supports information created in Windows, Macintosh, Internet, and
DOS formats
It helps to access the information from sources such as e-mail attachments, the Web, legacy
document stores
• It maintains the formatting of the original documents
• It integrates with the latest browser and e-mail applications
• All or a portion of any viewed file can be copied and then pasted into an application
• It is possible to transfer data between Windows, Macintosh and DOS word processing
and presentation programs
Features:

EC-Council
Cover Flow
Cover Flow is a three-dimensional graphical user interface which allows users to visually
rummage through files and digital media library
Figure: Cover Flow

EC-Council
Customizing Cover Flow:
Screenshot
Figure: Customizing Cover Flow

EC-Council
Mac Forensic Tools

EC-Council
gpart
gpart ignores the primary partition table and scans the disk (or disk image,
file) for several file system/ partition types
This is done by resembling the sequence of sectors with the beginning of a file
system or partition type

EC-Council
gpart (cont’d)
File system known to gpart:
File system Description
beos BeOS filesystem type
bsddl
FreeBSD/NetBSD/386BSD disklabel sub-partitioning scheme used on Intel
platforms
ext2 Linux second extended filesystem
fat MS-DOS FAT12/16/32 "filesystems"
hpfs IBM OS/2 High Performance filesystem
hmlvm Linux LVM physical volumes
lswap Linux swap partitions
minix The Minix operating system filesystem type
ntfs MS Windows NT filesystem
qnx4 QNX 4.x filesystem
rfs The Reiser filesystem (version 3.5.X, X > 11)

EC-Council
MacLockPick
MacLockPick uses the setting files to keep track of contacts, activities and
history
It extracts and saves the data to its own flash drive
It can be used to extract:
• Internet login password, WiFi, AppleShare
• File and Folder details such as creation, modification, and the most recently
accessed dates
• Instant Messaging details
• Email account details
• Web History and Preferences
• Hardware Preferences

EC-Council
File Juicer
File Juicer finds and extracts images, video, audio or text from files
It saves the images in its original format
• JPEG
• PNG
• GIF
• PDF
• BMP
• WMF
• EMF
• PICT
• MOV
• MP4
• MP3
It finds and extracts the following file types :

EC-Council
File Juicer: Screenshot
Source: http://www.macupdate.com/images/screens/uploaded/16101_scr.png

EC-Council
MacAnalysis
MacAnalysis is a security auditing/cracker prevention application
• Reverse IP
• Port Scan
• Services Scan
• Name Scan
• OS Fingerprinting
• POP3/SMTP/FTP Brute Force
• Network Info
• IP Monitoring
• DUP Broadcast Scanning
• Telnet client
• Buffers Overflow
It can perform the following functions:

EC-Council
MacAnalysis: Screenshot

EC-Council
MacQuisition
MacQuisition is a forensic acquisition tool used to safely and easily
image Mac source drives using the source system
• Easily identify the source device
• Configure destination location
• Image directly over the network
• Use the command line
• Log case, exhibit and evidence tracking numbers and notes
• Automatically generate MD5, SHA1 and SHA 256 hashes
Features:

EC-Council
MacQuisition Steps
Step 1: Source
Identification
Step 3: Case
Information

EC-Council
MacQuisition Steps (cont’d)
Step 5: Imaging /Status Information

EC-Council
FTK Imager
• Making an exact copy of a
drive or folder
• Taking an MD5 or SHA-1
digital signature of a drive
or file
• Determining properties of
drives, folders or files
• Viewing files
FTK Imager is
used for:

EC-Council
Mac Forensic Tools
dd_rescue images the drives or files from
the attacked system and also overcomes the
bad sectors or other errors while imaging the
drives
md5deep is a cross-platform set of
programs to compute MD5, SHA-1, SHA-
256, Tiger, or Whirlpool message digests
on an arbitrary number of files

EC-Council
Mac Forensic Tools (cont’d)
Foremost is used to recover files based on their headers, footers, and internal data structures
that can work on image files, such as those generated by dd, Encase or directly on a drive
Mac forensic lab acquires bit-by-bit replica of the original media, while maximizing data
recovery, even with corrupted media and Forensic images are created with integrated
segmenting and granular hashing
LinkMASSter tool with ‘Forensic Mac Acquisition’ option allows to acquire data from
unopened Mac computer through 1394B or USB ports

EC-Council
Summary
Mac OS consists of unique file systems and applications
HFS+ and HFS are the two file systems found on Macintosh
Open Firmware Password helps to physically secure the computer
Disk Arbitration needs to be enabled for Disk Utility to function
The home directory is the area to find all of the evidence for any case, barring system-
wide log and settings files

EC-Council

File000128

More Related Content

What's hot

Viewers also liked

Similar to File000128

More from Desmond Devendran

Recently uploaded

File000128