20090712

Mac Forensics


The Macintosh platform has clear advantages over the Windows platform for performing computer forensics. A Mac can mount and read almost any file system while at the same time defeating any Windows-based security or permission settings. Because Mac OS X is a Unix system, it uses the Unix file and directory permission structure, which makes it easier to ensure that evidence is not overwritten. The Mac is almost ready to go right out of the box: with a few configuration tweaks and some free software, one can have a Mac forensic station up and running in a short amount of time.
The first configuration change required is to disable auto-mounting of drives. When the Macintosh uses the automount feature to mount a drive, it mounts it in read-write mode. Mounting in this mode will change the access times of certain files, rendering the evidence tainted (Hawkins 2002). Disabling automount allows the investigator to later mount the device in read-only mode, or to make an image of the device without mounting it at all, a technique that is also useful for recovering data from a corrupt file system. To disable the automount feature, the investigator must edit the hostconfig file in the /etc directory (/etc/hostconfig), changing the automount flag to -NO-. Once this setting is changed, the system must be rebooted. The investigator is then ready to connect the suspect device to the system.
There are a number of adapters for connecting IDE, SCSI, and SATA drives to a MacBook through the FireWire port. Once the device is connected to the computer, the investigator can issue the ‘mount’ command without any options to see what the address of the device is. Unix-based operating systems assign every drive a filename in the /dev directory. From here, the investigator has the option of mounting the device in read-only mode by executing the mount command with the -r flag: $ mount -t ext2 -r /dev/disk1s1 /Volumes/evidence (where disk1s1 is the suspect device and /Volumes/evidence is an empty directory chosen as the mount point). It is preferable, however, to create a forensic copy of the device.
To create this copy, the investigator can use the Mac’s built-in ‘dd’ (‘datadump’) utility. This utility creates a bit-by-bit copy of the device without mounting it or changing any files on it. To use dd to make a forensic copy, pass the location of the device you wish to copy along with a destination for the new image. (# dd if="/dev/disk3s1" of="/Users/donny/badguysstuff.dmg") The .dmg extension is the Macintosh disk image format. These images can be mounted as disks and even booted from if the image is a copy of a complete Mac file system. Once the original device is removed and stored in an evidence container, the investigator can begin the investigation.
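As an added example (not part of the original post), the imaging step above as a small POSIX shell script: dd copies the source sector by sector without mounting it, the source and image hashes are compared, and the image file is locked read-only so it cannot be altered afterwards. The script runs against a constructed 8 KiB sample "device" file rather than real hardware; the function and file names are assumptions of this example, and it assumes dd, chmod and either sha256sum or shasum are present.

```shell
#!/bin/sh
# Added example (not from the original post): image a device with dd,
# verify the image by SHA-256, and lock the image file read-only.
# Assumes dd, chmod and either sha256sum or shasum are on the system.

# Print the SHA-256 of a file with whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SOURCE DEST
# Sector-by-sector copy of SOURCE to DEST with dd (nothing is mounted),
# then compare hashes and make DEST read-only. Prints the hash and
# returns 0 when the image verifies, 1 otherwise.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256_of "$1")
    dst_hash=$(sha256_of "$2")
    chmod 444 "$2"
    [ "$src_hash" = "$dst_hash" ] || return 1
    printf '%s\n' "$dst_hash"
}

# verify_image IMAGE HASH: later tamper check against the recorded hash.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# make_sample_device PATH: constructed 16-sector (8 KiB) stand-in for a
# real /dev/diskNsM, so the script runs without touching any hardware.
make_sample_device() {
    dd if=/dev/zero of="$1" bs=512 count=16 2>/dev/null
    printf 'EVIDENCE: constructed sample data' | dd of="$1" conv=notrunc 2>/dev/null
}

# Demo in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_device "$demo_dir/suspect.img"
if img_hash=$(image_device "$demo_dir/suspect.img" "$demo_dir/suspect.dmg"); then
    echo "image verified, sha256=$img_hash"
else
    echo "image FAILED verification" >&2
fi
rm -rf "$demo_dir"
```

Against a real device, replace the sample path with the /dev node found earlier and keep the printed hash with the case notes; verify_image against that hash confirms the image has not changed since acquisition.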
At this point, there are a number of tools the investigator can install to aid in discovery. Most of these are commercial products that require nominal to hefty fees to use. One of the more useful commercial utilities is Norton DiskEdit, which can recover deleted files. There is also an entire suite of forensic tools for Macintosh from a company called “BlackBag.” This suite is priced at roughly $500, but gives the user everything he or she needs to get started. While more expensive tools will perform better in most instances, there are freely available forensic tools that can be used on the Mac.
To start, there are a number of command line utilities built into the operating system that can give the investigator useful information regarding the device’s partition structure and access times. Data can be retrieved using the hexdump command. The hexdump command can print to the screen or to a file the bit-by-bit information contained on the drive, allowing for analysis at the lowest level (Donnelly 2004). There is an additional utility, ‘od’, that can also dump data in ASCII, octal, and decimal format.
In addition to these utilities, there is also an open source tool available called ‘Sleuthkit.’ Sleuthkit, along with its graphical front-end, ‘Autopsy’, can be downloaded for free at http://www.sleuthkit.org. The install is reasonably easy by Unix standards. It is important to remember to install Sleuthkit before installing Autopsy. Once installed, run the Autopsy server and log in with a browser at http://127.0.0.1:9999. The interface is easy to use and allows for data inspection at the bit level as well as case tracking and note taking.
With a few easy configuration changes, the Macintosh platform can be a very powerful computer forensic tool at a reasonably affordable cost.

Sources
Donnelly, Derrick (2004). O’Reilly Mac OS X Conference notes. Retrieved November 25, 2006, from http://conferences.oreillynet.com/cs/macosx2004/derrick_donnelly.pdf

Hawkins, Peter (2002). Macintosh forensic analysis using OS X. Retrieved November 25, 2006, from http://www.sans.org/reading_room/whitepapers/apple/269.php

3 comments:

  1. Dave, Jul 14, 2009 07:19 AM
    Hi,

    Thanks for doing a posting on Mac OS X as a forensic platform. It is one of the most versatile OS's for forensics. With very little tweaking, you can be up and running as an analysis system quickly.

    Your references are a bit out of date, 2002 (OS X Jaguar) and 2004 (OS X Panther). Things have changed considerably since then. Among other things, both Tiger and Leopard have changed how we stop the auto-mounting (diskarbitrationd) of media. You don't make changes to the hostconfig file to stop the automatic mounting of drives in the current OSs. This is no longer supported and you may very well mount the evidence if the diskarbitration is not turned off correctly. There are two completely different ways to do this for Leopard and Tiger.

    Also, instead of the native DD command to image, I would install DCFLDD or DC3DD. These can be installed either thru Macports or installation packages. These imaging commands are much more versatile and will allow you to hash the evidence as you image. Don't forget that when you are finished imaging, you need to lock that file down thru Get Info. If you have used the split command, you only need to lock the first segment.

    I could be wrong, but I don't think Symantec has produced a Mac version of Norton Utilities since around 2004. A good low cost program to recover deleted files is SubRosaSoft's File Salvage. It is an excellent tool to have in your forensic toolkit.

    Sleuthkit (command line) and Autopsy (GUI of Sleuthkit) are outstanding programs for forensics. While they will run on OS X for examining NTFS, EXT, etc., you can't examine HFS+ filesystems with them as it is not supported.

    If you would like some info on Mac specific forensics, check out our website at Mac OS X Forensics. There is a lot of info there that will provide a starting point for learning about Mac forensics. We also have a Mac forensics podcast, Inside the Core.

    Thanks and keep up the great work.
    Dave
  2. Donovan, Jul 14, 2009 05:56 PM
    Dave,

    Thank you for taking the time to leave such an insightful comment. I will definitely visit these links and take them into consideration the next time I want to continue on this project.

    In defense of my "outdatedness," this is a republishing of a paper I did for school about 3 years ago. It was probably outdated at that time as well. :-)

    I appreciate you taking the time to read this and correct my deficiencies. I certainly wouldn't want to "mount the evidence." (This will still work on my outdated MacBook though.)
  3. Dave, Jul 14, 2009 06:17 PM
    Hi Donovan,

    Your post was very well done. I wasn't trying to sharp shoot you, I just wanted to point out some differences in today's OSs.

    Derrick Donnelly is probably the most knowledgeable Mac examiner out there and is an all around great guy. His work is always top notch. I have read both of the papers you used in the past and they are a good basis to start with.

    Every time Apple does an update, they throw a wrench in the works for us. They change key items, such as the location of Safari's cache file, with no documentation. They did that 3 times within a year. So it is very important to keep on top of it. I teach Mac Forensics and am also a full time computer forensics examiner and I am constantly researching and updating my materials. It's part of the business.

    If you want to play around with a great imaging tool, go to www.raptorforensics.com and download their forensic boot CD. This is my buddy's company and I teach the Mac class for him. The PPC version is a little finicky but the Intel version rocks and is used by thousands of law enforcement and civilian examiners. Best part about it is that it is totally free.

    Keep up the good work and I am making your blog one of my weekly stops.

    Dave