Mac OS X Crash Reporter Analysis

I stumbled upon a folder named “CrashReporter” while doing some testing on my Mac. As the name suggests, CrashReporter is a debugging facility in Mac OS X that logs all programs that crash. You might say it is more suited to developers and advanced users, but I still think it is worth a look. On my system, I discovered 3 files inside the “CrashReporter” folder. As I remember, the timestamps were most likely the times that my Mac crashed on those occasions.

What got my interest is one of the plist files, “interval_XXXXXXXXX.plist”. Under the field “appDuration”, it logged the applications running on the system and their duration (I have not figured out the units for the duration).

When a program crashes, CrashReporter will log the details. On my Mac, I found that they are stored in ~/Library/Application Support/CrashReporter. From searching on the Internet, crash logs are typically stored in ~/Library/Logs/CrashReporter/. Instead of finding crash logs for my Mac there, I found a subfolder named “MobileDevice” and, inside it, a folder named after my iPhone. This folder contained crash logs from my iPhone and its applications.

In the ~/Library/Logs/CrashReporter/ folder, each crash is saved as 2 separate files: one *.crash file and one *.plist file. If you want to look at the details of the crash, the crash file is the one to look at.

According to the Mac OS X Reference Library, crash logs may instead be stored in /Library/Logs/CrashReporter/; this happens when the crashed process was owned by root, when its ownership cannot be determined, or when the user’s home directory is not available.

~~~~~ ~~~~~

Mandiant Web Historian

Web Historian is free software from Mandiant Corporation. It parses history files from Internet Explorer, Firefox, Google Chrome and Safari.

Web Historian can scan the local system, exported profiles or individual history files as input. The parsed output is categorised into:

  • Web history
  • Cookie history
  • Download history
  • Form history
  • Thumbnails

Also check out the pre-defined filters on each category tab. They are very useful when you need to examine the entries. For example, the “redirect” filter displays entries for redirect URLs.

In terms of reporting, Web Historian can output reports in HTML, CSV or XML format.

Web Historian also has built-in analytic tools for creating diagrams and analysis graphics. One analytical tool that I particularly like is “Daily Timeline”, which plots daily web activity on a timeline chart.

~~~~~ ~~~~~

Firefox Forensics (Part 3) – Cache

While learning about the Firefox cache, I stumbled upon several articles and came across two or three good tools that automate parsing of the Firefox cache files. However, what I really want is to get down to the hex level of the Cache Map and Cache Block. I know a few articles on the Internet that explain pretty clearly how to analyze the Firefox cache. I guess I must have an IQ of below average because I just can’t find the location and interpret these hex values into valuable details. If any kind souls are reading this, please enlighten me and point me to any fantastic article that explains the Firefox cache for someone real dumb like me. Thank you! and Merry Christmas!!!

~~~~~ ~~~~~

When the user browses websites, the Firefox cache temporarily stores images, scripts and other files from those websites. The Firefox cache can be viewed by typing “about:cache” in the address bar. There are 3 types of cache:

  • Memory cache: cache data held in RAM
  • Disk cache: cache data stored on the disk
  • Offline cache:

~~~~~ ~~~~~

Firefox Cache Locations

Win XP:

  • C:\Documents and Settings\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\

Win Vista and Win 7:

  • C:\Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\

Mac OS X:

  • ~/Library/Firefox/Caches/Firefox/Profiles/XXXXXXXX.default/

Linux:

  • ~/.mozilla/firefox/XXXXXXXX.default/Cache/

~~~~~ ~~~~~

Inside the Firefox cache folder there will be one Cache Map file, three Cache Block files and the cache data files. The Cache Map (“_CACHE_MAP_”) and the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003”) are the essential files for analysing Firefox’s cache.

Firefox Cache Map

The Cache Map is the main file needed to reconstruct Firefox cache files. If you have read Web Browser Forensics, Part 2, you will know that the Cache Map contains buckets which map to the Cache Map records. Within the Cache Map, each Cache Record contains four 32-bit values:

  • Hash Number
  • Eviction Rank
  • Data Location
  • Metadata Location

The 32-bit Metadata Location is bitwise-ANDed with 0x30000000 (which isolates bits 28 and 29 of the field) to determine whether the metadata is stored in the Cache Map or in one of the 3 Cache Block files. If the resulting value is 0, the metadata is stored in the Cache Map; a value of 1 to 3 means it is stored in the corresponding Cache Block file.

In my hands-on, the single cache file is named “1F796D27d01”. I searched for “1F796D27” in the Cache Map and found it at offset 0x0804. The values of the Cache Record are as follows:

  • Hash Number = 1F796D27 (the first eight characters of the cache file name)
  • Eviction Rank = B3148457
  • Data Location = 80007401
  • Metadata Location = 91000000
  • Cache Block location = 91000000 AND 30000000 = 10000000, i.e. 1 (the metadata is stored in Cache Block 1)

Firefox Cache Block

In the Firefox cache directory, the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003”) contain metadata and data. Each cache entry contains the following fields:

Offset   Size     Field
0-3      4 bytes  Magic number
4-7      4 bytes  Location (Big Endian)
12-15    4 bytes  Fetch time (Big Endian)
16-19    4 bytes  Modify time (Big Endian)
20-23    4 bytes  Expire time (Big Endian)
24-27    4 bytes  Data size (Big Endian)
28-31    4 bytes  Request size (Big Endian)
32-35    4 bytes  Info size (Big Endian)
36-(R)            Request string
(R+1)-            Info string
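The Cache Map record walked through above and the Cache Block entry layout in the table can both be parsed with a few struct unpacks. The following is an added example, not code from the post: it decodes the record values quoted in the post and a constructed sample entry built in the post's layout; the magic value, request string and timestamps in that sample are made up, and bytes 8-11 (not described in the post) are skipped.

```python
import struct

# Mask quoted in the post: bits 28 and 29 of the Metadata Location select where
# the metadata is stored (0 = Cache Map, 1..3 = _CACHE_001 .. _CACHE_003).
BLOCK_FILE_MASK = 0x30000000
SAMPLE_MAGIC = 0xCAFE0001  # constructed magic for the sample entry, not a real Firefox constant

def parse_cache_map_record(rec: bytes) -> dict:
    """Parse one 16-byte Cache Map record: four big-endian 32-bit values."""
    hash_num, evict_rank, data_loc, meta_loc = struct.unpack(">IIII", rec[:16])
    return {
        "hash": f"{hash_num:08X}",  # first eight hex characters of the cache file name
        "eviction_rank": evict_rank,
        "data_location": data_loc,
        "metadata_location": meta_loc,
        "metadata_block_file": (meta_loc & BLOCK_FILE_MASK) >> 28,
    }

def parse_cache_block_entry(entry: bytes) -> dict:
    """Parse an entry header using the offset table from the post (big-endian fields)."""
    if len(entry) < 36:
        raise ValueError("entry header truncated")
    magic, location = struct.unpack(">II", entry[0:8])
    # bytes 8-11 are not described in the post, so they are skipped here
    fetch_t, modify_t, expire_t, data_sz, req_sz, info_sz = struct.unpack(">6I", entry[12:36])
    req_end, info_end = 36 + req_sz, 36 + req_sz + info_sz
    if len(entry) < info_end:
        raise ValueError("declared request/info sizes exceed the entry length")
    return {
        "magic": magic, "location": location,
        "fetch_time": fetch_t, "modify_time": modify_t, "expire_time": expire_t,
        "data_size": data_sz, "request_size": req_sz, "info_size": info_sz,
        "request": entry[36:req_end].rstrip(b"\x00").decode("ascii", "replace"),
        "info": entry[req_end:info_end],
    }

def build_sample_entry() -> bytes:
    """Constructed sample entry in the post's layout (not captured from a real cache)."""
    request = b"HTTP:http://example.test/index.html\x00"  # made-up cache key
    info = b"\x00" * 8                                    # constructed info block
    return (struct.pack(">II", SAMPLE_MAGIC, 0x91000000)
            + b"\x00" * 4                                 # undescribed bytes 8-11
            + struct.pack(">6I", 1291963762, 1291960000, 1292568562,
                          1234, len(request), len(info))
            + request + info)

# The record values quoted in the post (hash 1F796D27, found at offset 0x0804)
POST_RECORD = bytes.fromhex("1F796D27" "B3148457" "80007401" "91000000")
```

Running `parse_cache_map_record(POST_RECORD)` reproduces the post's result, with `metadata_block_file` equal to 1.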

Firefox Cache Files

One quick and easy way to view the cache files is to browse them with FTK Imager Lite. One advantage of FTK Imager is that it lets you view the contents of the cache files and the file’s metadata in the “Properties” pane.

Cache files in the Cache folder are created when the content is too large to be stored in a Cache Block. In the Firefox Cache folder, cache files are named as follows:

In my hands-on, the filename is “1F796D27d01”; this indicates that “1F796D27” is the 32-bit hash number and the “d” indicates that it is a data file.

~~~~~ ~~~~~

Firefox Disk Cache Setting

The disk cache configuration can be viewed by typing “about:config” in the address bar; the 2 main settings for the disk cache are:

  • browser.cache.disk.enable
  • browser.cache.disk.capacity

The “browser.cache.disk.enable” setting defines whether the disk cache is enabled; it is set to ‘true’ by default. “browser.cache.disk.capacity” defines the maximum amount of hard disk space allocated to the disk cache; the default is 512,000KB (or 50MB). An alternative cache location can also be identified if “browser.cache.disk.parent_directory” is present.

~~~~~ ~~~~~

Tools: CacheViewer

CacheViewer is a Firefox add-on that provides a GUI front-end for “about:cache”. This tool is able to parse the following information from the Firefox cache:

  • Source URL
  • Destination file cached on disk (if any)
  • Fetch count
  • Date last fetched
  • Date last modified

~~~~~ ~~~~~

Apple Mail Forensics

Apple Mail is the email program included with the Mac OS X operating system. Like other mail clients, Apple Mail supports POP3, IMAP and Exchange 2007 accounts. Some additional mailboxes are also provided, such as ‘To Do’, ‘Notes’ and ‘RSS’ mailboxes.

~~~~~ ~~~~~

Default Locations

Apple Mail’s artifacts are stored in the following default locations:

  • Default Location: ~/Library/Mail/
  • Mail Box: ~/Library/Mail/[Mail Box]/
  • RSS Feeds: ~/Library/Mail/RSS/
  • Configurations: ~/Library/Preferences/com.apple.mail.plist

~~~~~ ~~~~~

com.apple.mail.plist

Information about mail delivery configurations can be found under ‘DeliveryAccounts’. My analysis of my Gmail account revealed that it contains the following information:

  • SMTP mail server hostname
  • Mail server port number
  • Authentication
  • Username of mail account

More detailed information about the configured mailboxes can be found under ‘MailAccounts’. Each ‘item’ listed is an email account configured by the user. The graphic below shows the configured mailbox for my Gmail account. From it, we can derive:

  • AccountName: The name of the mailbox displayed in Apple Mail
  • AccountPath: path where the messages are stored
  • AccountType: IMAP or SMTP
  • DateOfLastSync: timestamp of the last synchronisation
  • Mail server hostname
  • FullUserName: Name used
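Pulling the ‘DeliveryAccounts’ and ‘MailAccounts’ details out of com.apple.mail.plist is straightforward with plistlib. The block below is an added example, not code from the post: the plist sample is constructed, the AccountName, AccountPath, AccountType, DateOfLastSync and FullUserName keys come from the post, while the Hostname, PortNumber and Username key names and the reading of DateOfLastSync as seconds since 2001-01-01 are assumptions.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed sample of the relevant parts of com.apple.mail.plist. DeliveryAccounts,
# MailAccounts, AccountName, AccountPath, AccountType, DateOfLastSync and FullUserName
# are the keys quoted in the post; Hostname, PortNumber and Username are assumed names.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DeliveryAccounts</key><array><dict>
    <key>Hostname</key><string>smtp.example.test</string>
    <key>PortNumber</key><integer>587</integer>
    <key>Username</key><string>alice@example.test</string>
  </dict></array>
  <key>MailAccounts</key><array><dict>
    <key>AccountName</key><string>Example IMAP</string>
    <key>AccountPath</key><string>~/Library/Mail/IMAP-alice@imap.example.test</string>
    <key>AccountType</key><string>IMAP</string>
    <key>Hostname</key><string>imap.example.test</string>
    <key>FullUserName</key><string>Alice Example</string>
    <key>DateOfLastSync</key><real>313000000</real>
  </dict></array>
</dict></plist>"""

# Apple's CFAbsoluteTime counts seconds from 2001-01-01 UTC; treating DateOfLastSync
# as such a value is an assumption (the post only calls it a timestamp).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def decode_sync_time(value):
    """Return an ISO 8601 UTC string for a real/int (CFAbsoluteTime) or a plist <date>."""
    if isinstance(value, datetime):
        return value.replace(tzinfo=timezone.utc).isoformat()
    if isinstance(value, (int, float)):
        return (COCOA_EPOCH + timedelta(seconds=value)).isoformat()
    return None

def summarize_mail_plist(raw: bytes) -> dict:
    """Extract the delivery (SMTP) and mailbox settings an examiner wants from the plist."""
    data = plistlib.loads(raw)
    delivery = [{"host": d.get("Hostname"), "port": d.get("PortNumber"),
                 "username": d.get("Username")} for d in data.get("DeliveryAccounts", [])]
    accounts = [{"name": a.get("AccountName"), "path": a.get("AccountPath"),
                 "type": a.get("AccountType"), "host": a.get("Hostname"),
                 "full_name": a.get("FullUserName"),
                 "last_sync_utc": decode_sync_time(a.get("DateOfLastSync"))}
                for a in data.get("MailAccounts", [])]
    return {"delivery": delivery, "accounts": accounts}
```

`summarize_mail_plist(open(path, "rb").read())` works on a copied plist whether it is stored as XML or binary, since plistlib detects both.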

~~~~~ ~~~~~

Messages Analysis

Email messages are stored in ~/Library/Mail/[Mail Box]/Messages. Each email message is stored as an individual file; each message file is numbered and has the file extension “emlx”. The corresponding email attachments may be stored separately in the “~/Library/Mail/[Mail Box]/Messages/Attachments” folder. For example, the attachments of “1649.emlx” are located in the “Attachments/1649/” folder.

~~~~~ ~~~~~

Recovery and Examination

  1. To perform a recovery and examination, I have to export the mailboxes from “~/Library/Mail/” and the configuration file from “~/Library/Preferences/com.apple.mail.plist”.
  2. Set up a new user account on the examiner’s Mac system.
  3. Copy the Mail folder and com.apple.mail.plist into their respective locations.
  4. All you need to do now is open Apple Mail, and you can read the email messages just as the suspect would see them.

~~~~~ ~~~~~

Event Log Explorer

Event Log Explorer is software from FSPro Labs for analysing the event logs of Microsoft Windows operating systems. The software is free for personal (non-commercial) use; a licence can be purchased for commercial use. Please refer to Eventlogxp.com for a full description and features. And also refer to my disclaimer.

Event logs can be imported into Event Log Explorer, or the event logs on the local computer or a remote computer can be opened directly.

Event Log Explorer displays logs in table format. Details of each event are displayed in the Description pane. Event Log Explorer is useful for most basic analysis tasks such as sorting, filtering and colour-coding event logs in its viewer.

Filtering is relatively easy to use. You can just right-click on the item you want to filter on, and the context menu displays the selection based on that column.

More advanced filtering is also available by selecting “Filter…” in the context menu.

The software also provides an option to look up event log descriptions, which is very useful since most people cannot remember what every event ID represents.

In terms of presentation, Event Log Explorer displays each log file in a separate tab, or you can choose to merge all logs into a single table.

In terms of exporting log files for an examination report, you can export or print the entire log or a selection. Log files can be exported to text, HTML, Excel or Excel 2007 format. For more features, you can navigate to Eventlogxp.com.

~~~~~ ~~~~~

How to recover passwords on Mac OS X

This method requires you to have the system’s root password. To do it, launch “Keychain Access.app” from Utilities. Within this application, you can find the account information stored via the Keychain Access application.

Click on the item whose password you want to view and check “Show password”; you will be asked to enter the root password. Enter it and the password will appear in the field beside “Show password”.

~~~~~ ~~~~~

Firefox Forensics (Part 2) – Session Restore

Firefox will automatically restore your session after a software update, a restart or an unexpected browser crash. Session restore information is stored in a file named “sessionstore.js” in the user’s Firefox profile, with a backup of the session restore file named “sessionstore.bak”. This file contains details of the websites visited, and other information such as open tabs, text typed into forms and window sizes, needed to restore the session when Firefox restarts. Web Browser Session Restore Forensics is a writeup detailing session restore forensics on Firefox and other browsers.

Firefox’s session restore information can be extracted from the user’s Firefox profile or carved out of the seized evidence. The information is stored as a JSON data structure and can be read using a JSON file editor. The tool of my choice is Allan S Hay’s JSON Viewer. Below is an example of session restore information:

The time value 1291963762473 is the date/time stamp of the saved session in Firefox. The time can be decoded in DCode using “Unix: Millisecond Value”.

Other information that can be determined at the time of the crash includes the number of Firefox windows and tabs saved in the session. In my example, there is one window open with 3 tabs in it.
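The same two facts (the millisecond timestamp and the window/tab count), plus each tab's URL history and the saved cookies, can be pulled out of the JSON programmatically. This is an added example, not code from the post: the session JSON is constructed to follow the "windows"/"tabs"/"entries"/"session" layout of Firefox's session store, and the URLs and cookie values in it are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed session store JSON (one window, three tabs, the post's timestamp);
# the URLs, titles and cookie values are made up.
SAMPLE_SESSION = json.dumps({
    "windows": [{
        "tabs": [
            {"entries": [{"url": "http://example.test/", "title": "Example"}], "index": 1},
            {"entries": [{"url": "http://example.test/login", "title": "Login"},
                         {"url": "http://example.test/inbox", "title": "Inbox"}], "index": 2},
            {"entries": [{"url": "http://news.example.test/", "title": "News"}], "index": 1},
        ],
        "cookies": [{"host": "example.test", "name": "sid", "value": "CONSTRUCTED", "path": "/"}],
        "width": 1024, "height": 768,
    }],
    "session": {"state": "stopped", "lastUpdate": 1291963762473},
})

def decode_ms_timestamp(ms: int) -> str:
    """Decode a Unix millisecond value (DCode's “Unix: Millisecond Value”) to ISO 8601 UTC."""
    t = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return t.isoformat(timespec="milliseconds")

def summarize_session(raw: str) -> dict:
    """Count windows and tabs, list each tab's URLs and cookies, and decode the save time."""
    state = json.loads(raw)
    windows = state.get("windows", [])
    tabs, cookies = [], []
    for w in windows:
        for tab in w.get("tabs", []):
            entries = tab.get("entries", [])
            # "index" is 1-based and points at the entry currently shown in the tab
            current = entries[tab.get("index", len(entries)) - 1] if entries else {}
            tabs.append({"current_url": current.get("url"),
                         "history": [e.get("url") for e in entries]})
        cookies.extend({"host": c.get("host"), "name": c.get("name")} for c in w.get("cookies", []))
    last = state.get("session", {}).get("lastUpdate")
    return {
        "windows": len(windows), "tabs": len(tabs), "tab_details": tabs,
        "cookies": cookies, "saved_at_utc": decode_ms_timestamp(last) if last else None,
    }
```

On the sample, `summarize_session` reports one window, three tabs and a save time of 2010-12-10T06:49:22.473+00:00, matching the post's decoded timestamp.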

Cookie information:

Another tool that can be used to parse Firefox session restore data is a command line tool by Mark Woan called firefoxsessionstoreextractor: