Forensics Homework 10
System Forensics, Investigation, and Response
Lesson 10
Macintosh Forensics
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Summarize various types of digital forensics.
Key Concepts
Macintosh basics
Where to find the logs in Macintosh
Forensically interesting Macintosh directories
Forensic techniques for Macintosh
How to undelete files in Macintosh
History of Apple/Macintosh
Apple I
In 1975, Steve Wozniak and Steve Jobs finished the prototype of the first Apple computer. Wozniak worked for Hewlett-Packard (HP) and his employment contract required him to give his employer first right of refusal on any of his inventions. However, HP was not interested and released the technology to Wozniak. Apple Computer was formed in April 1976 by Steve Jobs, Steve Wozniak, and Ronald Wayne. The Apple I, created by Wozniak, had an 8-bit microprocessor running at just below 1 MHz. The Apple I had a built-in video terminal, sockets for 8 kilobytes of onboard RAM, a keyboard, and a cassette board meant to work with regular cassette recorders.
Apple II
This computer was based on the same microprocessor but came in a plastic case with the keyboard built in. It was also the first personal computer with color graphics. Apple II was followed by a series of enhancements, including the Apple IIGS in 1986, which was 16-bit rather than 8-bit. There were multiple operating systems for the Apple II.
Beyond the Apple II
The company changed the name of the product to Macintosh and took a new direction with its computers, including:
The Macintosh—Had an 8-MHz Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating system was System 1, which eventually led to the Macintosh II running System 7.
System 7—Allowed text dragging between applications, viewing and switching applications from a menu, a control panel, and cooperative multitasking.
Mac OS for PowerPC—Introduced the System 7.1.2 operating system.
AIX for PowerPC—Used a variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical user interface that is popular in the UNIX world. This product did not do well in the market and was discontinued in 1997.
Timeline: 1975, first Apple computer; 1985, first Macintosh computer released; 1998, iMac released; 2007, Apple iPhone released.
History of Mac OS X
Mac OS X—This represented a major change and is still used in Macintosh computers today. The operating system was based on FreeBSD, a UNIX clone. When using Mac OS X, you can navigate to a shell and run UNIX/Linux shell commands. The initial release of OS X was followed by periodic improvements, each with an animal name. More recent releases include:
Tiger (Mac OS X v10.4)—Had built-in support for FireWire, a new dashboard, and updated mail program.
Leopard (Mac OS X v10.5)—Had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.
Snow Leopard (Mac OS X v10.6)—Included mostly performance enhancements, such as support for multicore processors, rather than new features.
Lion (Mac OS X v10.7)—Included a major interface change that made it more like the iOS interfaces used on iPhone and iPad.
Mountain Lion (Mac OS X v10.8)—Had built-in support for iCloud, to support cloud computing.
Yosemite (Mac OS X v10.10)—Released in October 2014. The most important part of this release, from a forensics standpoint, is that it allowed users who have iPhones with iOS 8.1 or later to pass certain tasks to their Macintosh computer.
Sierra (Mac OS X v10.12)—The most recent version (as of March 2017). It is meant to be more in sync with the style of other Apple systems, such as iOS and watchOS.
Timeline: 2001, Mac OS X v10.0 (Cheetah); 2011, Mac OS X v10.7 (Lion); 2017, Mac OS X v10.12 (Sierra).
Mac OS X Desktop (screenshot reprinted with permission from Apple Inc.)
Macintosh File Systems
Macintosh File System (MFS)
Macintosh File System (MFS) shipped with the first Macintosh in 1984. It has not been used in more than 15 years and you are unlikely to encounter it.
Hierarchical File System (HFS)
The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File System.
Hierarchical File System Plus (HFS+)
This is an enhancement of the HFS file system. HFS+ is the preferred file system on Mac OS X.
Macintosh File System (MFS): older technology no longer in use
Hierarchical File System (HFS): used on Macintosh Plus; beginning with Mac OS 8.1, replaced by HFS+
Hierarchical File System Plus (HFS+): enhancement of HFS; preferred file system on Mac OS X
Hierarchical File System Plus (HFS+)
Supports journaling
Supports disk quotas
Has hard and soft links
Uses 32 bits for allocation blocks
Supports long filenames, up to 255 characters
Uses Unicode
It supports journaling. Journaling file systems are fault tolerant because the file system logs all changes to files, directories, or file structures.
It also supports disk quotas. That allows the administrator to limit the amount of disk space a given user can use, keeping that user from taking up all the space. HFS+ also has hard links and soft links.
HFS+ is architecturally similar to HFS; however, there are some key differences. HFS+:
Uses 32 bits for allocation blocks, rather than 16 bits.
Supports long filenames, up to 255 characters.
Uses Unicode rather than ASCII.
Hierarchical File System Plus (HFS+) and Forensics
Supports aliases
Performs defragmentation on a per-file basis
Aliases are like symbolic links; they allow you to have multiple references to a single file or directory.
Regarding defragmentation, the following conditions are checked, and if met, the file is defragmented when it is opened:
• The file is less than 20 megabytes in size.
• The file is not already in use.
• The file is not read-only.
• The file is fragmented.
• The system uptime is at least three minutes.
Supported File Systems
ISO9660 is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but Apple does have its own set of ISO9660 extensions.
Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12, FAT16, and FAT32.
Mac OS X includes read-only support for the New Technology File System (NTFS). This means that if you have a portable drive formatted as NTFS, Mac OS X can read that partition.
Universal Disk Format (UDF) is the file system used by DVD-ROM discs (both video and audio). Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not guarantee that Mac OS X can read the files.
UNIX File System (UFS) is the file system used by FreeBSD and many other UNIX variants. Being based on FreeBSD, Mac OS X can read UFS volumes.
ISO9660 (extensions)
Microsoft Disk Operating System (MS-DOS)
New Technology File System (NTFS)
Universal Disk Format (UDF)
UNIX File System (UFS)
Partition Schemes
GUID Partition Table
The GUID Partition Table (GUID stands for “globally unique identifier”) is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh machines can boot only from drives that use the GUID Partition Table.
Apple Partition Map
The Apple Partition Map is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with the Apple Partition Map, but cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with the Apple Partition Map, and can also use it as a start-up device.
Master Boot Record
The master boot record (MBR), contained in the boot sector, is used when DOS- or Windows-based computers start up. The MBR contains important information such as a partition table, bootstrap code, and other information.
Macintosh Logs
/var/log directory
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and potentially get data from them. This folder includes data on removable media, including serial numbers.
/var/spool/cups folder
In this folder, you will find information about printed documents, including the name of the document printed and the user who printed it.
/Library/Receipts folder
This folder contains information about system and software updates. Though less useful for a forensic investigation than some of the other folders, it does include information about if and when a given patch was applied, which might be of some interest in investigating malware crimes.
/var/log/: general log repository; data on removable media and serial numbers
/var/spool/cups: information about printed documents (name of document, user who printed)
/Library/Receipts: information about system and software updates
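The notes above say /var/log/daily.out records which volumes were mounted and when. The parser below is an added example (not from the textbook) that walks the nightly runs in that file, pulls the device and mount point from each "Disk status:" block, and reports the first run in which each volume appeared; the daily.out sample is constructed, with made-up sizes and device names.

```python
import re

# Constructed sample of /var/log/daily.out (two nightly runs). The layout follows
# the real file (timestamp line, section headings, "Disk status:" followed by df
# output), but every value below is made up for this example.
SAMPLE_DAILY_OUT = """\
Mon Jul  3 03:15:01 PDT 2017

Removing old log files:

Disk status:
Filesystem     Size   Used  Avail Capacity  iused   ifree %iused  Mounted on
/dev/disk1    465Gi  123Gi  341Gi    27%  1234567 8765432   12%   /

Network interface status:

Tue Jul  4 03:15:02 PDT 2017

Removing old log files:

Disk status:
Filesystem     Size   Used  Avail Capacity  iused   ifree %iused  Mounted on
/dev/disk1    465Gi  124Gi  340Gi    27%  1234999 8765000   12%   /
/dev/disk2s1   29Gi   12Gi   17Gi    42%        0       0  100%   /Volumes/USB STICK

Network interface status:
"""

# A run begins with a date(1)-style stamp, e.g. "Mon Jul  3 03:15:01 PDT 2017".
RUN_HEADER = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}$")
# A df row: device, the size/usage columns, then the mount point. The columns are
# matched lazily so mount names containing spaces ("/Volumes/USB STICK") survive.
DF_ROW = re.compile(r"^(/dev/\S+)\s+(?:\S+\s+)+?(/.*)$")


def parse_daily_out(text):
    """Return [(run_stamp, [(device, mount_point), ...]), ...] for each nightly run."""
    runs, in_disk = [], False
    for line in text.splitlines():
        if RUN_HEADER.match(line):
            runs.append((line, []))
            in_disk = False
        elif not runs:
            continue                      # text before the first stamp
        elif line.startswith("Disk status:"):
            in_disk = True
        elif in_disk:
            if not line.strip():
                in_disk = False           # blank line closes the df block
            else:
                row = DF_ROW.match(line)  # the "Filesystem ..." header row does not match
                if row:
                    runs[-1][1].append((row.group(1), row.group(2).rstrip()))
    return runs


def first_seen(runs):
    """Map (device, mount_point) to the stamp of the run in which it first appeared."""
    seen = {}
    for stamp, mounts in runs:
        for key in mounts:
            seen.setdefault(key, stamp)
    return seen


if __name__ == "__main__":
    for key, stamp in first_seen(parse_daily_out(SAMPLE_DAILY_OUT)).items():
        print(f"{key[1]} ({key[0]}) first seen {stamp}")
```

On a real image, read the file from the mounted evidence volume instead of the sample; daily.out only records volumes present at the nightly run, so a device attached and removed within a day will not appear.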
Macintosh Logs (Cont.)
/Users/<user>/.bash_history log
This log will show you a variety of commands, such as rm (removing or deleting something) and dd (indicating the user might have tried to make an image of the drive).
/var/vm folder
In this folder, you will find a subfolder named app profile, which will contain lists of recently opened applications as well as temporary data used by applications.
/Users/ directory
This is where various users’ files are stored. It is a good idea to check in this directory to find out if users have saved data here that could be used as evidence.
/Users/<user>/Library/Preferences/ folder
This folder contains user preferences, including the preferences of programs that have been deleted. This could be a valuable place to get clues about programs that have been deleted from the system.
/Users/<user>/.bash_history: information on Bash shell activity
/var/vm: contains subfolder named app profile; lists of recently opened applications, temporary data used by applications
/Users/: user files and preferences
Directories
Macintosh has a number of important directories
Some are relevant to a forensic examination of a Macintosh machine
/Volumes
Contains information about mounted devices
Includes data regarding:
Hard disks
External disks
CDs
Digital video discs (DVDs)
Virtual machines (VMs)
/Users, /Applications, /Network, and /etc
/Users directory
This directory contains all the user accounts and associated files.
/Applications directory
This directory is where all applications are stored. It can hold important information about any malware.
/Network directory
This directory contains information about servers, network libraries, and network properties.
/etc directory
Just as in Linux, this is where configuration files are located. Cybercriminals often adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later.
/Users: user accounts and associated files
/Applications: all applications
/Network: information about servers, network libraries, and network properties
/etc: configuration files
/Library/Preferences/System Configuration/dom.apple.preferences.plist
Contains the network configuration data for each network card
This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
Macintosh Forensic Techniques
Target Disk mode
Searching virtual memory
Shell commands
Target Disk Mode
Create a forensically sound copy of disk contents
dd and netcat
Imaging tools within EnCase or Forensic Toolkit
Begin in Target Disk Mode
Cannot write to disk
No chance of altering source disk
Connect to the suspect computer via USB or FireWire and image the disk
Target Disk Mode allows you to preview the computer on-site, so you can do a quick inspection before disconnecting and transporting the computer to a forensic lab. This is important because you will want to check running systems’ processes before shutting the machine down. You simply have to reboot the machine in Target Disk Mode.
Target Disk Mode (Cont.) (screenshot reprinted with permission from Apple Inc.)
Searching Virtual Memory
Swap file/virtual memory is in /var/vm/
Check it with Linux commands
ls returns list of files
ls -al returns list of all files in virtual memory, who launched program and when
grep lets you search in virtual memory folder
With Macintosh OS X, the swap file/virtual memory is located in the folder /var/vm/. You can check it with Linux commands like ls (for listing files). The option ls -al gives you a listing of all the files in virtual memory as well as who launched the program and when. You can use the grep search tool to search in the virtual memory folder.
Using Shell Commands
The date command returns the current date and time zone. It is good for documenting when exactly you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then use date -u.
The ls /dev/disk? command lists the current device files that are in use. You should document this information before shutting the system down for transport to the forensic lab.
The /hdiutil partition /dev/disk0 command lists the partition table for the boot drive. It is important to know the partitions the machine recognizes upon boot-up.
date
Returns current date and time zone
ls /dev/disk?
Lists current device files in use
/hdiutil partition /dev/disk0
Lists the partition table for the boot drive
Using Shell Commands (Cont.)
The system_profiler SPHardwareDataType command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination. There are related commands, such as system_profiler SPSerialATADataType. This command gives information on all the attached Serial Advanced Technology Attachment (SATA) devices.
The system_profiler SPSoftwareDataType command is related to system_profiler SPHardwareDataType. The system_profiler SPSoftwareDataType command returns information about the operating system. This is also important for documenting the system prior to starting the forensic examination.
system_profiler SPHardwareDataType
Returns hardware information for host system
system_profiler SPSoftwareDataType
Returns information about the operating system
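The shell commands in this section are a pre-shutdown documentation checklist. The script below is an added example (not from the textbook or Apple) that runs that checklist in order, captures each command's output with a UTC collection time and a SHA-256 of the captured text, and writes a JSON manifest for the case notes; a command missing from the host is recorded as unavailable rather than guessed. It assumes diskutil list /dev/disk0 as the partition-table step in place of the lesson's "/hdiutil partition" wording, and the labels and file name are mine.

```python
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# The documentation commands from the lesson, in the order it gives them. The
# partition listing uses diskutil list rather than the lesson's "/hdiutil partition"
# wording (my substitution). The ls glob needs a shell, hence the sh -c wrapper.
BASELINE_COMMANDS = [
    ("date_utc", ["date", "-u"]),
    ("device_files", ["sh", "-c", "ls /dev/disk?"]),
    ("boot_partitions", ["diskutil", "list", "/dev/disk0"]),
    ("hardware", ["system_profiler", "SPHardwareDataType"]),
    ("sata_devices", ["system_profiler", "SPSerialATADataType"]),
    ("software", ["system_profiler", "SPSoftwareDataType"]),
]


def run_capture(argv, timeout=60):
    """Run one command and return (status, captured_text).
    A binary that is not on this host is recorded as 'unavailable', not raised."""
    if shutil.which(argv[0]) is None:
        return "unavailable", ""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    return f"exit={proc.returncode}", proc.stdout + proc.stderr


def collect_baseline(commands=BASELINE_COMMANDS):
    """Run every baseline command once; return a manifest with each output and its hash."""
    manifest = {"collected_at_utc": datetime.now(timezone.utc).isoformat()}
    for label, argv in commands:
        status, text = run_capture(argv)
        manifest[label] = {
            "command": " ".join(argv),
            "status": status,
            "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "output": text,
        }
    return manifest


def write_manifest(manifest, path):
    """Write the manifest as JSON; return the SHA-256 of the file for the case notes."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode("utf-8")
    with open(path, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    baseline = collect_baseline()
    print("manifest sha256:", write_manifest(baseline, "baseline_manifest.json"))
```

Run it from an external volume or the examiner's machine so the manifest is not written to the suspect disk.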
How to Examine a Mac
Many forensics tools are less effective in extracting data on a Macintosh than in Windows.
One technique is to create a copy of the forensic image and then mount it as a read-only virtual machine (VM).
Deleting Files on Macintosh
Similar to Windows, when file is deleted, references to file are gone and clusters might be used and overwritten
Even if data is overwritten, data might exist in unallocated space and in index nodes
Deleted files moved to the trash folder, similar to Recycle Bin in Windows
Macintosh trash folder is .Trash, a hidden folder on the root directory of file system
Undeleting Files on Macintosh (Cont.)
Recover deleted files from .Trash by copying or moving to other location
or
Use tools to recover files, even after trash bin has been emptied
Mac Undelete
Free Undelete
MacKeeper
Listing Contents of .Trash
Summary
Macintosh basics
Where to find the logs in Macintosh
Forensically interesting Macintosh directories
Forensic techniques for Macintosh
How to undelete files in Macintosh