Category Mac Forensics

Plist View using Plist Viewer Plugin EnScript

Just completed my EnCase training and was playing around in my free time on EnCase 7.07. I must say the training received did help me out in navigating the complicated features in EnCase must better. This post is not about EnCase but I find the “Plist Viewer Plugin” EnScript useful for doing MacForensic using EnCase. You can download the EnScript file on https://store.encase.com/appcentral/Pages/default.aspx. I tried out this EnScript on a handful of Plist files and here is one of the output.

001

In case you want to know. I am not in anyway associate with Guidance Software or their products. I just want think it is a pretty good EnScript if you are working on MacForensic on a Windows. Do let me know if you find any tools to do it better. And don’t send me any “hate” comments how much you feel about it. Good Day! : ) I am still exploring the 30+ EnScript I had downloaded.

Advertisement

Mac Forensic Part 6 (Mountain Lion 10.8 – Logs)

Application Firewall

  • /private/var/log/appfirewall.log
  • /private/var/log/appfirewall.log.[x].bz2

System Logs

  • /private/var/log/asl/YYYY.MM.DD.U[XX].asl
  • /private/var/log/DiagnosticMessages/YYYY.MM.DD.asl
  • /private/var/log/install.log
  • /private/var/log/install.log.[x].bz2
  • /private/var/log/opendirectoryd.log
  • /private/var/log/opendirectoryd.log.[x].bz2
  • /private/var/log/system.log
  • /private/var/log/system.log.[x].bz2
  • /private/var/log/vnetlib
  • /private/var/log/weekly.out
  • /private/var/log/zzz.log

Last shutdown logs

  • /private/var/log/com.apple.launchd/launchd-shutdown.system.log
  • /private/var/log/com.apple.launchd/launchd-shutdown.system.log

System setup information (if available)

a. wirelessconnection
b. registered country and city
c. firmware version at logged time
d. created username
e. Install apps

  • /private/var/log/install.log

Disk status (at logged time)

  • /private/var/log/daily.out MAC address/

Untitled1

Network Status (at logged time)

  • /private/var/log/daily.out

Untitled2

Connecting USB Device
(Look for “USBMSC”)

  • /private/var/log/System.log

Untitled3

Bootup time
(Look for “BOOT_TIME”)

  • /private/var/log/System.log

Untitled4

Proper Shutdown time
(Look for “SHUTDOWN_TIME”)

  • /private/var/log/System.log

Untitled5

User’s Logs

  • ~/Library/Logs/AMRestore.txt
  • ~/Library/Logs/appstore.log
  • ~/Library/Logs/DiagnosticReports/
  • ~Library/Logs/SMSMigrator/SMSMigrator.log
  • ~/Library/Logs/sync/syncservices.log
  • ~/Library/Logs/Ubiquity/[User]/ubiquity-digest.log
  • ~/Library/Logs/Ubiquity/[User]/ubiquity.log

Disc burning log

  • ~/Library/Logs/DiskRecording.log

Untitled6

Disk Utility log

  • ~/Library/Logs/DiskUtility.log

Untitled7

File system log

  • ~/Library/Logs/fsck_hfs.log

VMWare

  • ~/Library/Logs/VMWare
  • ~/Library/Logs/VMWare Fusion/

.

Mac Forensics Part 5 (Mountain Lion 10.8 – User Profile)

User Default Folder

  • Deleted files (Trash bin): ~/.Trash/
  • Desktop files: ~/Desktop/
  • Document folder (default): ~/Documents/
  • Download folder (default): ~/Downloads/
  • Library – configurations and settings: ~/Library/
  • Movies folder (default): ~/Movies/
  • Music folder (default): ~/Music/
  • Public – file sharing, if it is enabled: ~/Public

User Profile Artifacts

Bash command history

  • ~/bash_history

SSH connection detail:

  • ~/.ssh/known_hosts

Settings for Apps to access contacts

  • ~/Library/Application Support/com.apple.TCC/TCC.db

CrashReporter – Apps crashed timestamp

  • ~/Library/Application Support/CrashReporter/[App]_[GUID].plist

Untitled1

CrashReporter – Crash count

  • ~/Library/Application Support/User_Crash_History_[GUID].plist

Untitled2

Dock – Apps appear/Keep in Dock

  • ~/Library/Application Support/Dock/[GUID].db

Notification Center

  • ~/Library/Application Support/NotificationCenter/[GUID].db

Sandbox container

  • ~/Library/Containers/

Keychains (User)

  • ~/Library/Keychains/
  • ~/Library/Keychains/login.keychain
  • ~/Library/Keychains/metadata.keychain
  • ~/Library/Keychains/[XXXX].keychain

LaunchAgents (User)

  • ~/Library/LaunchAgents/[App].plist

Untitled3

Quicktime – URL to online multimedia

  • ~/Library/Caches/Quicktime/downloads/TOC.plist

Untitled4

Recent folders

  • ~/Library/Preferences/com.apple.finder.plist

Untitled5

Language

  • ~/Library/Preferences/.GlobalPreferences.plist

Untitled6

AppStore – available update

  • ~/Library/Preferences/com.apple.appstore.plist

Untitled7

Recent disk image (ISO/DMG)

  • ~/Library/Preferences/com.apple.DiskUtility.plist

Untitled8

Dock – Persistent apps

  • ~/Library/Preferences/com.apple.dock.plist

Untitled9

Dock – Other persistent items

  • ~/Library/Preferences/com.apple.dock.plist

Untitled10

Dashboard – gadget/widget

  • ~/Library/Preferences/com.apple.dashboard.plist

Untitled11

Recent Applications * Default is 10

  • ~/Library/Preferences/com.apple.recentitems.plist

Untitled12

Recent Documents * Default is 10

  • ~/Library/Preferences/com.apple.recentitems.plist

Untitled13

Scheduler

  • ~/Library/Preferences/com.apple.scheduler.plist

Untitled14

Screensaver – Password enabled

  • ~/Library/Preferences/com.apple.screensaver.plist

Untitled15

Finder Sidebar

  • ~/Library/Preferences/com.apple.sidebarlists.plist

Spaces

  • ~/Library/Preferences/com.apple.spaces.plist

Printers

  • ~/Library/Printers/

Connected iDevices

a) Type of device
b) Last connected timestamp
c) Firmware version
d) Serial number and IMEI

  • ~/Library/Preferences/com.apple.iPod.plist Connected storage ~/Library/Preferences/com.apple.sidebarlists.plist

Untitled16

Connected storage

  • ~/Library/Preferences/com.apple.sidebarlists.plist

Untitled17

Flash Cookies

  • ~/Library/Preferences/Macromedia/Flash Player/

Last Used Printers

  • ~/Library/Preferences/org.cups.PrintingPrefs.plist

Untitled18

Preview – Recent Documents

  • ~/Library/Preferences/com.apple.Preview.plist

Untitled19

Quicktime – Recent documents

  • ~/Library/Preferences/com.apple.QuickTimePlayerX.LSSharedFileList.plist

Untitled20

Console – Recent documents

  • ~/Library/Preferences/com.apple.Console.LSSharedFileList

Untitled21

Textedit – Recent documents

  • ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList.plist

Untitled22

Saved Application Stated

– folders of application’s saved state

  • ~/Library/Saved Application State/

RSS

  • ~/Library/PubSub/Database/Database.sqlite3
  • ~/Library/PubSub/Clients.plist
  • ~/Library/PubSub/Feeds/

Spotlight folder

  • ~/.Spotlight-V100/

Download Quarantine Events

  • ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

.

Mac Forensics Part 4 (Mountain Lion 10.8 – System File Artifacts)

OS Version:

  • /System/Library/CoreServices/SystemVersion.plist

001

Timezone:

  • /Library/Preferences/.GlobalPreferences.plist

002

Language:

  • /Library/Preferences/.GlobalPreferences.plist

003

MAC Address:

  • /private/var/log/daily.out

004

Startup Folders:

  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/
  • /System/Library/LaunchAgents/
  • /System/Library/LaunchDaemons/

System Preferences Apps:

  • /Library/PreferencePanes/

Firewall

  • /Library/Preferences/com.apple.alf.plist

005

Bluetooth:

  • /Library/Preferences/com.apple.Bluetooth.plist

006

Keyboard:

  • /Library/Preferences/com.apple.HIToolbox.plist

007

Last User Logged In:

  • /Library/Preferences/com.apple.loginwindow.plist

008

Last Update

  • /Library/Preferences/com.apple.SoftwareUpdate.plist

009

Time Machine:

Last Backup , Oldest Backup, No of snapshot

  • /Library/Preferences/com.apple.TimeMachine.plist

010

Time Machine – Snapshots:

  • /private/var/db/com.apple.TimeMAchine.SnapshotDates.plist

011

Printer:

  • /Library/Preferences/org.cups.printers.plist

Airport – Remembered Network:

  • /Library/Preferences/SystemConfigurations/com.apple.airport.preferences.plist

012

Last Sleep Time:

  • /Library/Preferences/SystemConfigurations/com.apple.PowerManagement.plist

013

Network Interface Name:

  • /Library/Preferences/SystemConfigurations/NetworkInterfaces.plist

014

Network Information:

  • /Library/Preferences/SystemConfigurations/preferences.plist

015

Hostname:

  • /Library/Preferences/SystemConfigurations/preferences.plist

016

VMWare Fusion Network:

  • /Library/Preferences/VMWare Fusion/networking

017

Keychains:

  • /Library/Keychains/ /System/Keychains/

Host file:

  • /private/etc/hosts Path /private/etc/paths

DNS:

  • /private/etc/resolv.conf

User’s account:

  • /private/var/db/dslocal/nodes/[user].plist

User’s account – picture:

  • /private/var/db/dslocal/nodes/[user].plist

018

User’s account – password hint:

  • /private/var/db/dslocal/nodes/[user].plist

019

User’s account:

Realname (full name) – name – UID – GID

  • /private/var/db/dslocal/nodes/[user].plist

020

Group:

Members and GID

  • /private/var/db/dslocal/nodes/[group].plist

022

* admin.plist for admin user * staff.plist for root user

Hibernation file:

  • /private/var/vm/sleepimage

Swap file:

  • /private/var/vm/swapfile[x]

Installed Printers:

  • /Library/Printers/
  • /Library/Printers/InstalledPrinters.plist

021

.

Mac Forensic Part 3 (Filesystem)

Supported Filesystem in Mac OS X

HFS Plus or HFS+ is a file system developed by Apple Inc and is the primary file system used in Macintosh computers. Another version of HFS Plus called HFSX is introduced in OS X 10.3.

MAC OS X support the following filesystem:

  • Read/Write:
    • Mac OS X Extended (Journaled)
    • Mac OS X Extended (Journaled, Encrypted)
    • Mac OS X Extended (Case-sensitive, Journaled)
    • Mac OS X Extended (Case-sensitive, Journaled, Encrypted)
    • MS-DOS (FAT)
    • ExFat
  • Read Only:
    • NTFS

Partition in OS X

There are 3 choices of partitioning in OS X:

  • GUID Partition Table (GPT), primarily used in Intel-based Mac. GPT uses Extensible Firmware Interface (EFI) in place of a BIOS
  • Apple Partition Map, mainly used in PowerPC based MAC
  • Master Boot Record (MBR) for Windows compatibility system

000

Files in HFS are made up of 2 parts; data fork and resource fork. Data fork contains the actual data of the file. Resource fork contain information of the file. Resource fork may contain icon, metadata, preferences and application code. Volumes in HFS are divided into 512-byte logical blocks. A group of 8 blocks is known as an allocation block.

Like NTFS, HFS also use metadata files to keep track of the volume:

  • Volume header: information of the volume; total files, size of allocation table, number of allocation block and write-protected status.
  • Catalog File: keep track of folders and files on the volume
  • Extents overflow: hold the location of the extents that are greater than 8.
  • Allocation File: keep track of the allocation block on a volume
  • Attributes File: Used to store extended metadata attributes and additional files’ forks.

Folders in OS X

The key folders are as follows:

  • Applications/: Default folder for applications
  • Library/: Contained OS X files and supported operating system items for system global functionality and apply to all users. Network/: Network domain, open directory or active directory
  • System/: Reserved for OS X System files and contained items such as system setup and functionality of the system
  • Users/: Home folders for local users. There will also be a “Public” folder for sharing of files between users.
  • .DocumentRevisions/: Contain files of previous versions of documents. (Root access only)
  • .fseventsd/: Logging of filesystem events. (Root access only)
  • .Trashes (Empty)
  • mach_kernel:  OS X Mach kernel
  • etc or private/etc/: Configurations and other system files
  • private/sbin/: Linux-styled binaries for admin
  • var/ or private/var
  • Volumes/: Mounted devices such as harddisk, CD, DMG and USB drives.

Mac Forensics Part 2 (Acquisition)

Method 1: Remove harddisk and image harddisk using forensic equipments/software.

  • Advantage: This is generally accepted method for all systems. Imaging using this method can be applied using all common forensic equipments/software.
  • Drawback: Require to disassemble the system. Apple are using custom screws on some of their models. To add on, Apple is using a different SSD connector for it’s MacBook Air model [Link].

Method 2: Forensic Linux Boot CD.

  • Advantage: Many options are available (eg Sumuri’s Paladin). Typically, Read-only are enable on boot for all storage media.
  • Drawback: Remember to test (and retest) before using it. Some Linux CDs are not updated frequently or lack drivers supports. One limitation is that some Linux CD do not provide imaging to a NTFS or HFS partition.

Method 3: Target Disk Mode

  • Advantage:Allow a Mac to turn into an external harddisk. Quick and easy way to image the harddisk without opening the system. Allow ‘field mode’ or instantly view artifacts on a Mac before imaging.
  • Drawback: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives [Link]. Remember to put device into write-block mode!!

Method 4: Commercial Mac Imaging Tool

  • Advantage: Most tools are generally work well for most models. Supports and bug-fix are usually promptly.
  • Drawback: Remember to test these tools on the latest Mac you can lay your hands on. Usually take awhile before upgrades are available.

As a rule of thumb, a good forensic examiner must be armed with more than one method to image a system, especially when you are on the field. This is also important to monitor upgrades, test (retest) and keep on open mind to try out new methods/tools. Do let me know if you have new methods. Thanks!!

Mac OS X Start up command

  • Available Startup Option: (Hold) Option
  • Boot from CD: (Hold) C
  • Target Disk Mode: (Hold) T
  • Start in Hardware Test Mode: (Hold) D
  • Force Mac to startup: (Hold) X
  • Safe Boot Mode: (Hold) Shift
  • Network Boot: (Hold) N
  • Bypass primary startup volume: Option + Command + Shift + Delete
  • Reset PRAM and NVRAM: Option + Command + P + R
  • Verbose Boot: (Hold) Command + V
  • Single User Mode: (Hold) Command + S
  • Start in Recovery: (Hold) Command + R
  • Eject CD: Hold mouse button, or Fn + F12, Eject button

Common Shortcut in Mac OS X system

  • Right Click: Control + Mouse Click
  • Switch applications: Command + Tab
  • Screen Capture (Full): Command + Shift + 3
  • Screen Capture (Selective): Command + Shift + 4
  • Screen Capture (Windows): Command + Shift + 4 + spacebar
  • Close Window: Command + W
  • Hide Finder: Command + H
  • Save: Command + S
  • Print: Command + P
  • Show Info: Command + I
  • Connect to Server: Command + K
  • Copy: Command + C
  • Paste: Command + V
  • Quit Application: Command + Q

Mac Forensics Part 1

Just completed my work on Mac Forensic. I decided to remove the previous “mini-series” and re-post my work.

OS X is a series of Unix-based graphical interface operating systems developed, marketed, and sold by Apple Inc. It is designed to run exclusively on Mac computers. Version of OS X releases:

  • Rhapsody Developer Release – 31 Aug 1997
  • Mac OS X Server 1.0 (Hera) – 16 Mar 1999
  • Mac OS X Developer Preview – 16 Mar 1999
  • Public Beta (Kodiak) – 13 Sep 2000
  • Mac OS X 10.0 (Cheetah) – 24 Mar 2001
  • Mac OS X 10.1 (Puma) – 18 Jul 2001
  • Mac OS X 10.2 (Jaguar) – 6 May 2002
  • Mac OS X 10.3 (Panther) – 23 Jun 2003
  • Mac OS X 10.4 (Tiger) – 4 May 2004
  • Mac OS X 10.5 (Leopard) – 26 Jun 2006
  • Mac OS X 10.6 (Snow Leopard) – 9 Jun 2008
  • Mac OS X 10.7 (Lion) – 20 Oct 2010
  • Mac OS X 10.8 (Mountain Lion) – 16 Feb 2012

* source from http://en.wikipedia.org/wiki/OS_X

OS X originally was developed and ran on PowerPC-based Macs. In 2006, Macs developed a version of OS X 10.4 for ‘Intel’ system. In 2007, 10.5 “Leopard” was first to run on both PowerPC and Intel Macs. OS X 10.6 (Snow Leopard) was the first version of OS X to replace PowerPC Macs with Intel Macs. Mac OS X 10.7 “Lion” was the first version of OS X to drop support for 32-bit Intel processors and run on 64-bit Intel CPUs.

Mac Products (as of Mar 2013)

  • MacBook Air 11 inch (default with 64 GB /128GB SSD)
  • MacBook Air 13 inch (default with 128GB/ 256GB SSD)
  • MacBook Pro 13 inch (default with 500GB/ 750GB HDD)
  • MacBook Pro 15 inch (default with 500GB HDD)
  • MacBook Pro 13 inch Retina Display (default with 128GB/ 256GB SSD)
  • MacBook Pro 15 inch Retina Display (default with 256GB/ 512GB SSD)
  • Mac Mini (default with 500GB/1TB HDD, or 2X1TB HDD)
  • iMac 21.5 inch (default with 1TB HDD)
  • iMac 27 inch (default with 1TB HDD)

** for more details, please refer to apple.com.

Apple products also includes “Mac Pro” computers and a variant of “Mac Mini” running OS X server operating system. There is also a hacking project to run OS X on non-apple computer computers and these computers are known as “Hackintosh”. However this is not licensed by Apple and may be illegal in some countries.

Mac OSX Forensic (Mini-Series 4) – 10.8 User Folder

User folder in OS X 10.8 (Mountain Lion) is the same like other version of OS X 10. This folder contain most of the login user’s activities on a Mac system. Among the wealth of information in this folder are the user’s preferences. In a default user folder, you are likely to find the following folders/files:

  • Desktop
  • Documents
  • Downloads
  • Library: hidden folder containing preferences
  • Movies
  • Music
  • Pictures
  • Public
  • Trash: User trash folder before they are remove from the system
  • .bash_history: Terminal command history

Some of important files include:

  • General preferences for user: ~/Library/Preferences/.GlobalPreferences.plist
  • AddressBook preferences: ~/Library/Preferences/com.apple.AddressBook.plist
  • Desktop Service: ~/Library/Preferences/com.apple.desktopservices.plist
  • Dock – Apps keep in Docks (presistent-apps): ~/Library/Preferences/com.apple.com.apple.dock.plist
  • Finder preferences: ~/Library/Preferences/com.apple.finder.plist
  • Finder – Recent folders: ~/Library/Preferences/com.apple.finder.plist
  • iCal preferences: ~/Library/Preferences/com.apple.iCal.plist
  • Facetime – Account: ~/Library/Preferences/com.apple.imservice.FaceTime.plist
  • iMessage – Account: ~/Library/Preferences/com.apple.imservice.iMessage.plist
  • iPhoto preferences: ~/Library/Preferences/com.apple.iPhoto.plist
  • Connected iDevices: ~/Library/Preferences/com.apple.iPod.plist
  • iTunes Preferences: ~/Library/Preferences/com.apple.iTunes.plist
  • Preview – Recent Documents: ~/Library/Preferences/com.apple.Preview.LSSharedFileList
  • Recent Apps: ~/Library/Preferences/com.apple.recentitems.plist
  • Recent Documents: ~/Library/Preferences/com.apple.recentitems.plist
  • Safari preferences: ~/Library/Preferences/com.apple.Safari.plist
  • Scheduler plist: ~/Library/Preferences/com.apple.scheduler.plist
  • Screensaver plist: ~/Library/Preferences/com.apple.screensaver.plist
  • Spotlight – User’s search: ~/Library/Preferences/com.apple.spotlight.plist
  • Appstore – AppleID: ~/Library/Preferences/com.apple.storeagent.plist
  • Appstore – Last Auth Time: ~/Library/Preferences/com.apple.storeagent.plist
  • Appstore Preferences: ~/Library/Preferences/com.apple.storeagent.plist
  • Terminal preferences: ~/Library/Preferences/com.apple.Terminal.plist
  • Textedit – Recent documents: ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList
  • User Keychains: ~/Library/Keychains/
  • User Autorun: ~/Library/LaunchAgents/
  • User Logs: ~/Library/Logs/

Apple Mail Forensics

Apple Mail is an email program included in Mac OS X operating system. Like other mail client, Apple Mail support POP3, IMAP and Exchange 2007 accounts.Some mailboxes are added such as ‘To Do’, ‘Notes’ and ‘RSS mailboxes’.

~~~~~ ~~~~~

Default Locations

Apple Mail’s artifacts are stored in the following default location:

  • Default Location: ~/Library/Mail/
  • Mail Box: ~/Library/Mail/[Mail Box]/
  • RSS Feeds: ~/Library/Mail/RSS/
  • Configurations: ~/Library/Preferences/com.apple.mail.plist

~~~~~ ~~~~~

com.apple.mail.plist

Information about mail delivery configurations can be found in ‘DeliveryAccounts’. My analysis revealed on my Gmail account revealed that it contained information to:

  • SMTP mail server hostname
  • Mail server port number
  • Authentication
  • Username of mail account

A more detailed information of the configured mailbox can be found under ‘MailAccounts’. Each ‘item’ listed are the configured respectively email accounts by the users. The graphic below is the configured mailbox for my Gmail account. From here, we can derive:

  • AccountName: The name of the mailbox displayed in Apple Mail
  • AccountPath: path where the messages are stored
  • AccountType: IMAP or SMTP
  • DateOfLastSync: timestamp of the last synchronisation
  • Mail server hostname
  • FullUserNAme: Name used

~~~~~ ~~~~~

Messages Analysis

Email messages are stored in ~/Library/Mail/[Mail Box]/Messages. Each email message is individually stored as a file. Each message file is numbered and has a file extension “emlx”. The corresponding email attachments may be stored separately in the ~/Library/Mail/[Mail Box]/Messages/Attachments” folder. For example, the attachments of “1649.emlx” is located at “Attachment/1649/” folder.

~~~~~ ~~~~~

Recovery and Examination

  1. To perform a recovery and examination, I have to export the mailboxes from “~/Library/Mail/” and the configuration file from “~/Library/Preferences/com.apple.mail.plist”.
  2. Set up a new user account on the examiner’s MAC system.
  3. You can then copy the Mail folder and com.apple.mail.plist in the respective locations.
  4. All you need to do now is to open Apple Mail and you can read the email messages as what your suspect’s see

~~~~~ ~~~~~

Howto recover passwords on Mac OS X

This method require you to have the system’s root password. To do it, you need to launch “Key Chain Access.app” from Utilities. Within this application, you can find accounts information stored via Key Chain Access application.

Click on the item that you wanted to view the password, check the “Show password” and you will be asked to enter the root password. Enter the password and the password will appear in the field beside the “Show password”.