Just completed my EnCase training and was playing around in my free time with EnCase 7.07. I must say the training I received did help me navigate the complicated features in EnCase much better. This post is not about EnCase, but I find the “Plist Viewer Plugin” EnScript useful for doing Mac forensics using EnCase. You can download the EnScript file at https://store.encase.com/appcentral/Pages/default.aspx. I tried out this EnScript on a handful of plist files and here is one of the outputs.
In case you want to know, I am not in any way associated with Guidance Software or their products. I just think it is a pretty good EnScript if you are working on Mac forensics on Windows. Do let me know if you find any tools that do it better. And don’t send me any “hate” comments about how you feel about it. Good Day! : ) I am still exploring the 30+ EnScripts I have downloaded.
Last shutdown logs
System setup information (if available)
b. registered country and city
c. firmware version at logged time
d. created username
e. Installed apps
Disk status (at logged time)
- /private/var/log/daily.out
MAC address
Network Status (at logged time)
Connected USB devices
(Look for “USBMSC”)
(Look for “BOOT_TIME”)
Proper Shutdown time
(Look for “SHUTDOWN_TIME”)
Disc burning log
Disk Utility log
File system log
- ~/Library/Logs/VMWare Fusion/
User Default Folder
- Deleted files (Trash bin): ~/.Trash/
- Desktop files: ~/Desktop/
- Document folder (default): ~/Documents/
- Download folder (default): ~/Downloads/
- Library – configurations and settings: ~/Library/
- Movies folder (default): ~/Movies/
- Music folder (default): ~/Music/
- Public – file sharing, if it is enabled: ~/Public
User Profile Artifacts
Bash command history
SSH connection detail:
Settings for Apps to access contacts
- ~/Library/Application Support/com.apple.TCC/TCC.db
CrashReporter – Apps crashed timestamp
- ~/Library/Application Support/CrashReporter/[App]_[GUID].plist
CrashReporter – Crash count
- ~/Library/Application Support/User_Crash_History_[GUID].plist
Dock – Apps appear/Keep in Dock
- ~/Library/Application Support/Dock/[GUID].db
- ~/Library/Application Support/NotificationCenter/[GUID].db
Quicktime – URL to online multimedia
AppStore – available update
Recent disk image (ISO/DMG)
Dock – Persistent apps
Dock – Other persistent items
Dashboard – gadget/widget
Recent Applications * Default is 10
Recent Documents * Default is 10
Screensaver – Password enabled
a) Type of device
b) Last connected timestamp
c) Firmware version
d) Serial number and IMEI
- ~/Library/Preferences/com.apple.iPod.plist
Connected storage
- ~/Library/Preferences/com.apple.sidebarlists.plist
- ~/Library/Preferences/Macromedia/Flash Player/
Last Used Printers
Preview – Recent Documents
Quicktime – Recent documents
Console – Recent documents
Textedit – Recent documents
Saved Application State – folders of each application’s saved state
- ~/Library/Saved Application State/
Download Quarantine Events
System Preferences Apps:
Last User Logged In:
Last Backup , Oldest Backup, No of snapshot
Time Machine – Snapshots:
Airport – Remembered Network:
Last Sleep Time:
Network Interface Name:
VMWare Fusion Network:
- /Library/Preferences/VMWare Fusion/networking
- /Library/Keychains/
- /System/Keychains/
- /private/etc/hosts
Path
- /private/etc/paths
User’s account – picture:
User’s account – password hint:
Realname (full name) – name – UID – GID
Members and GID
* admin.plist for admin user
* staff.plist for root user
Supported Filesystem in Mac OS X
HFS Plus, or HFS+, is a file system developed by Apple Inc. and is the primary file system used in Macintosh computers. Another version of HFS Plus, called HFSX, was introduced in OS X 10.3.
Mac OS X supports the following filesystems:
- Mac OS X Extended (Journaled)
- Mac OS X Extended (Journaled, Encrypted)
- Mac OS X Extended (Case-sensitive, Journaled)
- Mac OS X Extended (Case-sensitive, Journaled, Encrypted)
- MS-DOS (FAT)
- Read Only:
Partition in OS X
There are 3 choices of partitioning scheme in OS X:
- GUID Partition Table (GPT), primarily used in Intel-based Macs. GPT uses the Extensible Firmware Interface (EFI) in place of a BIOS
- Apple Partition Map, mainly used in PowerPC-based Macs
- Master Boot Record (MBR), for Windows-compatible systems
Files in HFS are made up of 2 parts: a data fork and a resource fork. The data fork contains the actual data of the file. The resource fork contains information about the file; it may hold icons, metadata, preferences and application code. Volumes in HFS are divided into 512-byte logical blocks. A group of 8 logical blocks is known as an allocation block.
Like NTFS, HFS also uses metadata files to keep track of the volume:
- Volume header: information about the volume, such as total files, size of the allocation table, number of allocation blocks and write-protected status.
- Catalog File: keeps track of folders and files on the volume
- Extents Overflow File: holds the locations of a file’s extents beyond the first 8, which do not fit in its catalog record.
- Allocation File: keeps track of which allocation blocks on the volume are in use
- Attributes File: used to store extended metadata attributes and additional forks of files.
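As an added example that is not part of the original post, the Python below parses the 512-byte HFS+ volume header (located at byte offset 1024 of the volume) and reads the signature, the unmounted/journaled attribute bits, the file and folder counts, the allocation block size, and the fork records of the special files listed above. The header bytes it runs on are constructed inline for the demonstration, not taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ dates: seconds since 1904-01-01
SIGNATURES = {0x482B: "HFS+ (H+)", 0x4858: "HFSX (HX)"}
# Fixed part of HFSPlusVolumeHeader (big-endian): 20 fields = 80 bytes, then finderInfo[8]
HEADER_FMT = ">HH" + "I" * 17 + "Q"
# HFSPlusForkData: logicalSize, clumpSize, totalBlocks, then 8 (startBlock, blockCount) extents
FORK_FMT = ">QII" + "II" * 8
SPECIAL_FILES = ("allocation", "extents_overflow", "catalog", "attributes", "startup")

def hfs_date(secs):
    """HFS+ date field -> aware UTC datetime; 0 means 'never set'."""
    return None if secs == 0 else HFS_EPOCH + timedelta(seconds=secs)

def parse_volume_header(buf):
    """Parse the 512-byte volume header found at byte offset 1024 of an HFS+/HFSX volume."""
    if len(buf) < 512:
        raise ValueError("need 512 bytes of volume header")
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[0] not in SIGNATURES:
        raise ValueError("not an HFS+/HFSX volume header: 0x%04X" % f[0])
    attrs = f[2]
    forks = {}
    for i, name in enumerate(SPECIAL_FILES):  # fork records start at offset 112, 80 bytes each
        fd = struct.unpack_from(FORK_FMT, buf, 112 + 80 * i)
        forks[name] = {"size": fd[0], "blocks": fd[2], "first_extent": (fd[3], fd[4])}
    return {
        "type": SIGNATURES[f[0]],
        "unmounted_cleanly": bool(attrs & (1 << 8)),   # kHFSVolumeUnmountedBit
        "journaled": bool(attrs & (1 << 13)),          # kHFSVolumeJournaledBit
        "journal_info_block": f[4],
        "create_date": hfs_date(f[5]),  # quirk: createDate is stored in local time
        "modify_date": hfs_date(f[6]), "checked_date": hfs_date(f[8]),
        "file_count": f[9], "folder_count": f[10],
        "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13],
        "forks": forks,
    }

def sample_header():
    """Constructed sample (not from a real disk): journaled HFS+, 4 KiB allocation blocks."""
    created = int((datetime(2013, 3, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(HEADER_FMT, 0x482B, 4, (1 << 8) | (1 << 13), 0x4846534A, 0x1234,
                        created, created + 86400, 0, created, 1000, 200, 4096,
                        2_000_000, 500_000, 0, 0, 0, 16, 0, 0)
    fork = lambda size, start, n: struct.pack(FORK_FMT, size, 0, n, start, n, *([0] * 14))
    return (fixed + bytes(32) + fork(249856, 1, 61) + fork(4194304, 62, 1024)
            + fork(8388608, 1086, 2048) + fork(0, 0, 0) + fork(0, 0, 0))
```

On a real image, read 512 bytes at offset 1024 of the HFS+ partition and pass them to `parse_volume_header`; a block size of 4096 is the 8 logical blocks described above.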
Folders in OS X
The key folders are as follows:
- Applications/: Default folder for applications
- Library/: Contains OS X files and supporting operating system items for system-wide functionality that apply to all users
- Network/: Network domain (Open Directory or Active Directory)
- System/: Reserved for OS X system files and contains items such as system setup and core system functionality
- Users/: Home folders for local users. There will also be a “Public” folder for sharing of files between users.
- .DocumentRevisions/: Contain files of previous versions of documents. (Root access only)
- .fseventsd/: Logging of filesystem events. (Root access only)
- .Trashes (Empty)
- mach_kernel: OS X Mach kernel
- etc or private/etc/: Configurations and other system files
- private/sbin/: Linux-styled binaries for admin
- var/ or private/var
- Volumes/: Mounted devices such as harddisk, CD, DMG and USB drives.
Method 1: Remove the hard disk and image it using forensic equipment/software.
- Advantage: This is the generally accepted method for all systems. Imaging this way can be done with all common forensic equipment/software.
- Drawback: Requires disassembling the system. Apple uses custom screws on some of its models. In addition, Apple uses a different SSD connector for its MacBook Air model [Link].
Method 2: Forensic Linux Boot CD.
- Advantage: Many options are available (e.g. Sumuri’s Paladin). Typically, read-only mode is enabled on boot for all storage media.
- Drawback: Remember to test (and retest) before using it. Some Linux CDs are not updated frequently or lack driver support. One limitation is that some Linux CDs do not support imaging to an NTFS or HFS partition.
Method 3: Target Disk Mode
- Advantage: Allows a Mac to be turned into an external hard disk. A quick and easy way to image the hard disk without opening the system. Allows a ‘field mode’, i.e. instantly viewing artifacts on a Mac before imaging.
- Drawback: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to slave ATA, ATAPI, or SCSI drives [Link]. Remember to put the device into write-block mode!!
Method 4: Commercial Mac Imaging Tool
- Advantage: Most tools generally work well for most models. Support and bug fixes are usually prompt.
- Drawback: Remember to test these tools on the latest Mac you can lay your hands on. It usually takes a while before upgrades are available.
As a rule of thumb, a good forensic examiner must be armed with more than one method to image a system, especially when in the field. It is also important to monitor upgrades, test (and retest), and keep an open mind to try out new methods/tools. Do let me know if you have new methods. Thanks!!
Mac OS X startup key commands
- Available Startup Option: (Hold) Option
- Boot from CD: (Hold) C
- Target Disk Mode: (Hold) T
- Start in Hardware Test Mode: (Hold) D
- Force Mac to startup: (Hold) X
- Safe Boot Mode: (Hold) Shift
- Network Boot: (Hold) N
- Bypass primary startup volume: Option + Command + Shift + Delete
- Reset PRAM and NVRAM: Option + Command + P + R
- Verbose Boot: (Hold) Command + V
- Single User Mode: (Hold) Command + S
- Start in Recovery: (Hold) Command + R
- Eject CD: Hold mouse button, or Fn + F12, Eject button
Common shortcuts in the Mac OS X system
- Right Click: Control + Mouse Click
- Switch applications: Command + Tab
- Screen Capture (Full): Command + Shift + 3
- Screen Capture (Selective): Command + Shift + 4
- Screen Capture (Window): Command + Shift + 4 + spacebar
- Close Window: Command + W
- Hide Finder: Command + H
- Save: Command + S
- Print: Command + P
- Show Info: Command + I
- Connect to Server: Command + K
- Copy: Command + C
- Paste: Command + V
- Quit Application: Command + Q
Just completed my work on Mac forensics. I decided to remove the previous “mini-series” and re-post my work.
OS X is a series of Unix-based graphical interface operating systems developed, marketed, and sold by Apple Inc. It is designed to run exclusively on Mac computers. Versions of OS X released:
- Rhapsody Developer Release – 31 Aug 1997
- Mac OS X Server 1.0 (Hera) – 16 Mar 1999
- Mac OS X Developer Preview – 16 Mar 1999
- Public Beta (Kodiak) – 13 Sep 2000
- Mac OS X 10.0 (Cheetah) – 24 Mar 2001
- Mac OS X 10.1 (Puma) – 18 Jul 2001
- Mac OS X 10.2 (Jaguar) – 6 May 2002
- Mac OS X 10.3 (Panther) – 23 Jun 2003
- Mac OS X 10.4 (Tiger) – 4 May 2004
- Mac OS X 10.5 (Leopard) – 26 Jun 2006
- Mac OS X 10.6 (Snow Leopard) – 9 Jun 2008
- Mac OS X 10.7 (Lion) – 20 Oct 2010
- Mac OS X 10.8 (Mountain Lion) – 16 Feb 2012
* source from http://en.wikipedia.org/wiki/OS_X
OS X was originally developed for and ran on PowerPC-based Macs. In 2006, Apple released a version of OS X 10.4 for Intel systems. In 2007, 10.5 “Leopard” was the first to run on both PowerPC and Intel Macs. OS X 10.6 (Snow Leopard) was the first version of OS X to run only on Intel Macs, leaving PowerPC Macs behind. Mac OS X 10.7 “Lion” was the first version of OS X to drop support for 32-bit Intel processors and run only on 64-bit Intel CPUs.
Mac Products (as of Mar 2013)
- MacBook Air 11 inch (default with 64 GB /128GB SSD)
- MacBook Air 13 inch (default with 128GB/ 256GB SSD)
- MacBook Pro 13 inch (default with 500GB/ 750GB HDD)
- MacBook Pro 15 inch (default with 500GB HDD)
- MacBook Pro 13 inch Retina Display (default with 128GB/ 256GB SSD)
- MacBook Pro 15 inch Retina Display (default with 256GB/ 512GB SSD)
- Mac Mini (default with 500GB/1TB HDD, or 2X1TB HDD)
- iMac 21.5 inch (default with 1TB HDD)
- iMac 27 inch (default with 1TB HDD)
** for more details, please refer to apple.com.
Apple’s products also include the “Mac Pro” computers and a variant of the “Mac Mini” running the OS X Server operating system. There is also a hacking project to run OS X on non-Apple computers; these computers are known as “Hackintosh”. However, this is not licensed by Apple and may be illegal in some countries.
The user folder in OS X 10.8 (Mountain Lion) is the same as in other versions of OS X 10. This folder contains most of the logged-in user’s activities on a Mac system. Among the wealth of information in this folder are the user’s preferences. In a default user folder, you are likely to find the following folders/files:
- Library: hidden folder containing preferences
- Trash: the user’s trash folder, holding files before they are removed from the system
- .bash_history: Terminal command history
Some of important files include:
- General preferences for user: ~/Library/Preferences/.GlobalPreferences.plist
- AddressBook preferences: ~/Library/Preferences/com.apple.AddressBook.plist
- Desktop Service: ~/Library/Preferences/com.apple.desktopservices.plist
- Dock – Apps kept in the Dock (persistent-apps): ~/Library/Preferences/com.apple.dock.plist
- Finder preferences: ~/Library/Preferences/com.apple.finder.plist
- Finder – Recent folders: ~/Library/Preferences/com.apple.finder.plist
- iCal preferences: ~/Library/Preferences/com.apple.iCal.plist
- Facetime – Account: ~/Library/Preferences/com.apple.imservice.FaceTime.plist
- iMessage – Account: ~/Library/Preferences/com.apple.imservice.iMessage.plist
- iPhoto preferences: ~/Library/Preferences/com.apple.iPhoto.plist
- Connected iDevices: ~/Library/Preferences/com.apple.iPod.plist
- iTunes Preferences: ~/Library/Preferences/com.apple.iTunes.plist
- Preview – Recent Documents: ~/Library/Preferences/com.apple.Preview.LSSharedFileList
- Recent Apps: ~/Library/Preferences/com.apple.recentitems.plist
- Recent Documents: ~/Library/Preferences/com.apple.recentitems.plist
- Safari preferences: ~/Library/Preferences/com.apple.Safari.plist
- Scheduler plist: ~/Library/Preferences/com.apple.scheduler.plist
- Screensaver plist: ~/Library/Preferences/com.apple.screensaver.plist
- Spotlight – User’s search: ~/Library/Preferences/com.apple.spotlight.plist
- Appstore – AppleID: ~/Library/Preferences/com.apple.storeagent.plist
- Appstore – Last Auth Time: ~/Library/Preferences/com.apple.storeagent.plist
- Appstore Preferences: ~/Library/Preferences/com.apple.storeagent.plist
- Terminal preferences: ~/Library/Preferences/com.apple.Terminal.plist
- Textedit – Recent documents: ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList
- User Keychains: ~/Library/Keychains/
- User Autorun: ~/Library/LaunchAgents/
- User Logs: ~/Library/Logs/
Apple Mail is the email program included in the Mac OS X operating system. Like other mail clients, Apple Mail supports POP3, IMAP and Exchange 2007 accounts. Some additional mailboxes are provided, such as the ‘To Do’, ‘Notes’ and ‘RSS’ mailboxes.
Apple Mail’s artifacts are stored in the following default locations:
- Default Location: ~/Library/Mail/
- Mail Box: ~/Library/Mail/[Mail Box]/
- RSS Feeds: ~/Library/Mail/RSS/
- Configurations: ~/Library/Preferences/com.apple.mail.plist
Information about mail delivery configurations can be found under ‘DeliveryAccounts’. My analysis of my Gmail account revealed that it contained:
- SMTP mail server hostname
- Mail server port number
- Username of mail account
More detailed information about the configured mailboxes can be found under ‘MailAccounts’. Each ‘item’ listed is one of the email accounts configured by the user. The graphic below is the configured mailbox for my Gmail account. From here, we can derive:
- AccountName: The name of the mailbox displayed in Apple Mail
- AccountPath: path where the messages are stored
- AccountType: IMAP or SMTP
- DateOfLastSync: timestamp of the last synchronisation
- Mail server hostname
- FullUserName: name used
Email messages are stored in ~/Library/Mail/[Mail Box]/Messages. Each email message is stored individually as a file. Each message file is numbered and has the file extension “emlx”. The corresponding email attachments may be stored separately in the “~/Library/Mail/[Mail Box]/Messages/Attachments” folder. For example, the attachments of “1649.emlx” are located in the “Attachments/1649/” folder.
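As an added example that is not from the original post, the Python below splits an .emlx file into its three parts (a first line holding the byte count of the message, exactly that many bytes of RFC 822 message, and a trailing XML plist that Mail uses for its own metadata), pulls out the header fields and attachment names, and derives the Attachments folder described above. The sample message is constructed inline, and the read/answered/flagged bit positions in the plist ‘flags’ integer are an assumption based on commonly published emlx notes, not something stated on this page.

```python
import email
import plistlib
from email import policy
from pathlib import PurePosixPath

# Assumed bit layout of the emlx plist 'flags' integer (not documented on this page)
FLAG_READ, FLAG_ANSWERED, FLAG_FLAGGED = 1 << 0, 1 << 2, 1 << 4

def parse_emlx(raw):
    """First line = byte length of the message; then the message; then Mail's XML plist."""
    nl = raw.index(b"\n")
    length = int(raw[:nl].strip())
    msg_bytes = raw[nl + 1:nl + 1 + length]
    if len(msg_bytes) != length:
        raise ValueError("truncated emlx: expected %d message bytes" % length)
    meta = plistlib.loads(raw[nl + 1 + length:].strip())
    msg = email.message_from_bytes(msg_bytes, policy=policy.default)
    flags = int(meta.get("flags", 0))
    return {
        "from": str(msg["From"]), "to": str(msg["To"]), "subject": str(msg["Subject"]),
        "date_header": str(msg["Date"]),
        "date_received": meta.get("date-received"),  # Unix epoch seconds written by Mail
        "read": bool(flags & FLAG_READ),
        "answered": bool(flags & FLAG_ANSWERED),
        "flagged": bool(flags & FLAG_FLAGGED),
        "attachment_names": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }

def attachment_dir(emlx_path):
    """Per the post: attachments of .../Messages/1649.emlx live in .../Messages/Attachments/1649/."""
    p = PurePosixPath(emlx_path)
    return str(p.parent / "Attachments" / p.stem)

def build_sample_emlx():
    """Constructed sample, not exported from a real mailbox."""
    message = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
               b"Subject: Q1 report\r\nDate: Fri, 01 Mar 2013 09:15:00 +0800\r\n"
               b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
               b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
               b"--b1\r\nContent-Type: application/pdf; name=\"report.pdf\"\r\n"
               b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n\r\n"
               b"%PDF-1.4\r\n--b1--\r\n")
    meta = plistlib.dumps({"flags": FLAG_READ | FLAG_FLAGGED, "date-received": 1362100500})
    return b"%d\n" % len(message) + message + meta
```

The length check matters in practice: a message file whose byte count does not match its first line has been truncated or edited, which is worth noting in the examination record.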
Recovery and Examination
- To perform a recovery and examination, I have to export the mailboxes from “~/Library/Mail/” and the configuration file from “~/Library/Preferences/com.apple.mail.plist”.
- Set up a new user account on the examiner’s Mac system.
- You can then copy the Mail folder and com.apple.mail.plist into their respective locations.
- All you need to do now is open Apple Mail and you can read the email messages as the suspect sees them.
This method requires you to have the system’s root password. To do it, you need to launch “Keychain Access.app” from Utilities. Within this application, you can find account information stored via the Keychain Access application.
Click on the item whose password you want to view, check “Show password”, and you will be asked to enter the root password. Enter the password and the item’s password will appear in the field beside “Show password”.