Mac

The document provides an overview of Mac forensic investigation, detailing the importance of understanding MacOS, its file system, and various data sources for effective evidence gathering. It outlines key components such as user accounts, application bundles, log files, and security modules that investigators can analyze to identify malicious activities. Additionally, it highlights the significance of timestamps, network extensions, and the structure of property list files in the context of forensic analysis.

Uploaded by

ra_vie

MAC FORENSIC

Part-I

By- Ashmita Gupta


INTRODUCTION

MacOS is a Unix-based OS used by Apple in their Macintosh computer system.


The OS depends on the Mach and Berkeley Software Distribution (BSD) kernel layers.
The ever-increasing adoption of Mac systems has made them a primary target for
malicious attacks.
The advancement of malware tools and the lower availability of security tools for
MacOS-based systems have further expedited these threats.
In order to identify an attack or prove guilt, investigators require evidence such
as the presence of malware, unauthorized login attempts, and connectivity to
malicious servers and websites.
Mac systems store all such evidence in log files, directories, application
history, etc., and investigators need to extract this data and use it to create a
timeline to figure out what happened.
Therefore, to carry out an effective investigation, investigators should possess
in-depth knowledge of MacOS, its file system, libraries and directories.
MAC FORENSIC DATA

Detection of the system version:
Identify the system version by viewing the SystemVersion.plist file located at
/System/Library/CoreServices/SystemVersion.plist

Application bundles:
These are special directories that store application data, and are hidden from
the user.
Analyze these bundles to identify malware or other suspicious data.
Evaluate the executable code to check if something is wrong with the application.

Finder:
It is the default Mac application that helps find specific files and folders.
It also helps in sorting in the required order.

Timestamp:
It enables you to calculate the uptime of the system, correlate log events and
build a timeline.
It provides important information such as the MAC times of any file.
Gather timestamps of applications, services, events and logs of the system.
Use the command line tool stat to find the timestamp of any file.
Usage: stat [-FlLnqrax] [-f format] [-t timefmt] [file ...]
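An added example (not from the slides) that collects the MAC times described above with Python's os.stat, the same metadata the stat command prints, and orders them into a timeline; the two sample files and their epoch timestamps are constructed in a temporary directory, and st_birthtime is only read where the platform (macOS/BSD) provides it.

```python
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple

Event = Tuple[datetime, str, str]  # (when, event kind, path)


def mac_times(path: str) -> List[Event]:
    """Return the Modified, Accessed and inode-Changed timestamps of one file,
    plus the birth (creation) time where the platform exposes st_birthtime."""
    st = os.stat(path, follow_symlinks=False)
    events = [
        (datetime.fromtimestamp(st.st_mtime, tz=timezone.utc), "modified", path),
        (datetime.fromtimestamp(st.st_atime, tz=timezone.utc), "accessed", path),
        (datetime.fromtimestamp(st.st_ctime, tz=timezone.utc), "inode changed", path),
    ]
    birth = getattr(st, "st_birthtime", None)  # present on macOS/BSD, absent on Linux
    if birth is not None:
        events.append((datetime.fromtimestamp(birth, tz=timezone.utc), "created", path))
    return events


def build_timeline(root: str) -> List[Event]:
    """Walk a directory tree and return every file's timestamps, oldest first."""
    events: List[Event] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            events.extend(mac_times(os.path.join(dirpath, name)))
    return sorted(events, key=lambda e: e[0])


def demo_timeline() -> List[Event]:
    """Constructed sample: two files whose atime/mtime are set to known epochs."""
    root = tempfile.mkdtemp(prefix="mac_timeline_")
    for name, epoch in (("old.txt", 1_600_000_000), ("new.txt", 1_700_000_000)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(name)
        os.utime(path, (epoch, epoch))  # (atime, mtime); ctime stays "now"
    return build_timeline(root)


if __name__ == "__main__":
    for when, kind, path in demo_timeline():
        print(f"{when.isoformat()}  {kind:14s}  {path}")
```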
Mac Forensic Data (Cont’d)

USER ACCOUNT
It stores data related to all user accounts such as user IDs and password
policy options.
It also helps in identifying the guest and administrator users.
The user account data is stored in the user library folder:
/Users/<username>/Library
Collect information such as modification, access, and creation times for each
account.

FILE SYSTEM
MacOS uses Apple File System (APFS), which comprises two layers, the container
layer and the file system layer.
The container layer contains data such as volume metadata, encryption state,
and snapshots of the volume.
The file system layer stores information such as file metadata, the file
content, and the directory structures.

BASIC SECURITY MODULE (BSM)
It saves file information and related events using a token, which has a binary
structure.
The token represents specific data, such as program arguments, return value,
text data, socket, execution, and action in a file.
Data stored in BSM helps determine the file type, creator, and usage data.
SPOTLIGHT
An integrated search technology that helps users search for specific keywords
within files.
Finds any known suspicious files and applications.
Use Spotlight to search for specific keywords that represent malicious activity.

TIME MACHINE
A backup tool that stores the contents of the hard disk.
Includes a BackupAlias file containing the binary information related to the
hard disk used to store the backups.

HOME DIRECTORY
Stores the authentication data, such as logon attempts (both success and
failure) of all users.
Helps the investigator in determining all the attempts made to bypass the
security measures along with the relevant timestamps.
Also stores application and installation folders.
Other files include desktop, document, library, and magazines.

KEXTS
MacOS can incorporate additional capabilities by loading kernel extensions.
Analyze the system for kernel extensions.
Apple Mail
Default email application in MacOS, which provides multiple POP3 and IMAP
account support and advanced filtering.
Stores user email in the /Users/<username>/Library/Mail directory.
Saves email in emlx format, where each email is stored as a file in ASCII
format.
Use email extractors such as Email Extractor 7 and Data Extractor to analyze
email data.

iChat
MacOS comes with a default instant messaging application named iChat. It does
not automatically store previous conversations, but the user can choose to save
them manually.
Check for any saved chats in the default location:
/Users/<username>/Documents/iChats
Individual chat transcripts are stored as <username> on <date> at <time>.ichat

Safari
The default web browser on MacOS.
Data such as browsing history, download history, and bookmarks can be used as
evidence and are stored as History.plist, Downloads.plist, and Bookmarks.plist
respectively in the /Users/<username>/Library/Safari location.

Command line input
MacOS records commands run in the bash shell and stores them in the file
.bash_history.
Use the command $ tail .bash_history to view the most recent commands that have
been run on the suspect machine.
PROPERTY LIST OR PLIST

MacOS stores user settings in Property List format (plist files).
A plist stores setting-related data as Core Foundation types, including
CFString, CFNumber, CFBoolean, CFData, CFArray and CFDictionary.
It uses either the XML or the binary data format to store the data.
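An added example (not from the slides) that reads a plist in either encoding with Python's plistlib, detects which encoding it is from the bplist00 magic, and pulls the ProductName/ProductVersion/ProductBuildVersion keys that identify the system version in SystemVersion.plist (see "Detection of the system version" above); the sample plist and its values are constructed.

```python
import plistlib

# Constructed sample modelled on the keys found in SystemVersion.plist; the
# values are made up for this example.
SAMPLE_XML_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ProductName</key><string>macOS</string>
  <key>ProductVersion</key><string>13.4.1</string>
  <key>ProductBuildVersion</key><string>22F82</string>
  <key>ProductCopyright</key><string>1983-2023 Apple Inc.</string>
</dict>
</plist>
"""


def plist_format(raw: bytes) -> str:
    """Binary plists begin with the magic 'bplist00'; otherwise treat as XML."""
    return "binary" if raw.startswith(b"bplist00") else "xml"


def system_version(raw: bytes) -> dict:
    """Identify the OS build from a SystemVersion-style plist in either format.
    plistlib.loads detects XML vs binary itself, so one loader serves both;
    CFString values arrive as str, CFBoolean as bool, CFData as bytes, etc."""
    data = plistlib.loads(raw)
    return {"format": plist_format(raw),
            "product": str(data.get("ProductName", "")),
            "version": str(data.get("ProductVersion", "")),
            "build": str(data.get("ProductBuildVersion", ""))}


def to_binary(raw_xml: bytes) -> bytes:
    """Re-encode an XML plist in the binary form many macOS files are stored in."""
    return plistlib.dumps(plistlib.loads(raw_xml), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    print(system_version(SAMPLE_XML_PLIST))             # format: xml
    print(system_version(to_binary(SAMPLE_XML_PLIST)))  # format: binary
```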

KEYCHAIN

It is the built-in password manager that saves credentials for websites, wireless
networks, SSH servers, private keys, etc.
It stores the credentials in an encrypted (3DES) container that can only be
unlocked with the master password.
It can store sensitive information required for investigation.
NETWORK KERNEL EXTENSIONS

These extensions modify the networking infrastructure of Mac OS X to connect with
the external network or servers.
These also help in creating modules that can be dynamically placed across the
network to monitor and modify network traffic as well as receive notifications of
asynchronous events.
The modules can stop the transfer of network packets, manipulate incoming or
outgoing packet data, or sniff traffic on specific interfaces.
Gather the data from these extensions and look for suspicious connections.
MAC LOG FILES

Log File                              Uses
/var/log/crashreporter.log            Application crash history
/var/log/cups/access_log              Printer connection information
/var/log/cups/error_log               Printer connection information
/var/log/daily.out                    Network interface history
/var/log/samba/log.nmbd               Samba connection information
~/Library/Logs                        Application logs specific to the home directory
~/Library/Logs/iChatConnectionErrors  iChat connection information
~/Library/Logs/Sync                   Information on devices using .Mac syncing
/var/log/*                            Main folder for system log files
/var/audit/*                          Audit logs
/var/log/install.log                  System and software update installation dates
MAC DIRECTORIES

File Name                                   Location
Launch agent files                          /Library/LaunchAgents/*, /System/Library/LaunchAgents/*
Launch daemon files                         /Library/LaunchDaemons/*, /System/Library/LaunchDaemons/*
Startup item files                          /Library/StartupItems/*, /System/Library/StartupItems/*
Mac OS X jobs                               /usr/lib/cron/jobs/*
Cron tabs or scheduled jobs                 /etc/crontab, /usr/lib/cron/tabs/*
Wireless networks                           /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
User preference settings for applications   %%users.homedir%%/Library/Preferences/*
and utilities
Attached iDevices                           %%users.homedir%%/Library/Preferences/com.apple.iPod.plist
Social accounts                             %%users.homedir%%/Library/Accounts/Accounts3.sqlite
Trash directory                             %%users.homedir%%/.Trash/
Safari main folder                          %%users.homedir%%/Library/Safari/*
Mozilla Firefox web browser                 %%users.homedir%%/Library/Application Support/Firefox/*
Google Chrome web browser                   %%users.homedir%%/Library/Application Support/Google/Chrome/*
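An added example (not from the slides) that walks the launch agent and launch daemon directories listed in the table, reads each job plist, and flags jobs whose program runs from a user-writable location such as /tmp; the two job plists, their labels and program paths are constructed in a temporary tree rather than read from a real disk.

```python
import os
import plistlib
import tempfile

# Directories from the table, relative to the root under examination (a live
# disk or a mounted image); per-user jobs sit in Users/<name>/Library/LaunchAgents.
LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons",
                "System/Library/LaunchAgents", "System/Library/LaunchDaemons")
# Program locations a legitimate system or vendor job rarely executes from.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def summarise_job(path: str) -> dict:
    """Read one launchd job plist (XML or binary) and extract the triage fields."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = str(args[0])
    return {"plist": path,
            "label": str(job.get("Label", "<no Label>")),
            "program": program,
            "run_at_load": bool(job.get("RunAtLoad", False)),
            "keep_alive": bool(job.get("KeepAlive", False)),
            "suspicious_location": program.startswith(WRITABLE_PREFIXES)}

def triage(root: str) -> list:
    """Walk every launchd directory that exists under root, in table order."""
    found = []
    for rel in LAUNCHD_DIRS:
        directory = os.path.join(root, rel)
        if os.path.isdir(directory):
            for name in sorted(os.listdir(directory)):
                if name.endswith(".plist"):
                    found.append(summarise_job(os.path.join(directory, name)))
    return found

def demo_root() -> str:
    """Constructed image: a normal-looking agent plus a daemon running from /tmp."""
    root = tempfile.mkdtemp(prefix="launchd_triage_")
    jobs = {"Library/LaunchAgents/com.example.updater.plist":
                {"Label": "com.example.updater", "RunAtLoad": True,
                 "ProgramArguments": ["/Library/Application Support/Example/updater"]},
            "Library/LaunchDaemons/com.example.helper.plist":
                {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
                 "ProgramArguments": ["/tmp/.helper", "-d"]}}
    for rel, job in jobs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            plistlib.dump(job, fh)  # written as XML; the loader accepts either form
    return root
```

Run `triage(demo_root())` (or `triage("/")` on a mounted image root) and review any row with suspicious_location set alongside its RunAtLoad/KeepAlive flags.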
THANK YOU
To Be Continued
