Mac OS Forensics


Mac Basics

Mac File Systems

Macintosh File System

  • shipped with the first Macintosh in 1984

Hierarchical File System

  • HFS was used in Macintosh Plus
  • replaced by HFS+ with Mac OS 8.1
  • known as HFS Standard
  • introduced in 1985
  • uses 16 bits for allocation blocks

Hierarchical File System Plus

  • HFS+ is known as HFS Extended
  • supports journaling
    • process whereby the file system keeps a record of what file transactions take place so that in event of a crash, files can be recovered
    • fault tolerant
  • supports disk quotas
    • allows admin to limit amount of disk space for a given user
  • has hard and soft links
    • hard link is an inode that links directly to a specific file
    • soft link, aka symbolic link, is a shortcut
  • uses 32 bits for allocation blocks
  • supports long filenames (255 characters)
  • uses Unicode for file naming
    • rather than ASCII
  • has aliases
    • are like symbolic links
    • allow you to have multiple references to a single file or directory
  • does defragmentation on a per-file basis
    • significant advantage over other file systems such as NTFS and FAT
  • first two sectors are boot blocks
  • third sector has the volume header
    • contains good forensic info
      • size of allocation blocks
      • time stamp for volume creation
      • allocation file keeps track of which allocation blocks are free
      • catalog file contains records for all files/directories on the volume
        • uses a B-tree structure to hold its data
        • each record is 8 KB
  • Command prompt is Bash shell
    • can execute Linux commands
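As an added example (not from the original notes), a Python parser for the fixed part of the HFS+ volume header described above: it reads the header at byte offset 1024 (the third 512-byte sector), checks the H+/HX signature, decodes the allocation block size, creation time stamp and journaled flag, and pulls the catalog file's size and first extent. The sample image is constructed inline; the field layout follows Apple's HFSPlusVolumeHeader structure.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_OFFSET = 1024   # volume header starts at the third 512-byte sector
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
JOURNALED_BIT = 13     # kHFSVolumeJournaledBit in the attributes word
FIXED_FMT = ">2sH" + "I" * 17 + "Q"   # the 80-byte fixed part of the header

def hfs_date(seconds):
    """HFS+ timestamps are seconds since 1904-01-01 (createDate is local time per the spec)."""
    return HFS_EPOCH + timedelta(seconds=seconds)

def parse_volume_header(image):
    """Decode the forensically useful fields of an HFS+/HFSX volume header."""
    hdr = image[HEADER_OFFSET:HEADER_OFFSET + 512]
    if len(hdr) < 512:
        raise ValueError("image too short to hold a volume header")
    f = struct.unpack(FIXED_FMT, hdr[:80])
    if f[0] not in (b"H+", b"HX"):
        raise ValueError("bad volume header signature: %r" % f[0])
    # fork data: allocation, extents, catalog, attributes, startup (80 bytes each) after finderInfo
    cat = 80 + 32 + 80 * 2
    cat_size, cat_clump, cat_blocks = struct.unpack(">QII", hdr[cat:cat + 16])
    start, count = struct.unpack(">II", hdr[cat + 16:cat + 24])   # first catalog extent
    return {
        "signature": f[0].decode("ascii"),
        "journaled": bool(f[2] & (1 << JOURNALED_BIT)),
        "created": hfs_date(f[5]),
        "modified": hfs_date(f[6]),
        "file_count": f[9],
        "folder_count": f[10],
        "block_size": f[11],
        "total_blocks": f[12],
        "free_blocks": f[13],
        "catalog_size": cat_size,
        "catalog_first_extent": (start, count),
    }

def build_sample_image():
    """Constructed sample: two zeroed boot sectors followed by a minimal journaled H+ header."""
    created = int((datetime(2020, 1, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(FIXED_FMT, b"H+", 4, (1 << JOURNALED_BIT) | (1 << 8), 0, 5,
                        created, created + 3600, 0, 0, 10, 3, 4096, 1000, 250,
                        0, 0, 0, 16, 1, 0)
    catalog = struct.pack(">QII", 8192 * 4, 0, 8) + struct.pack(">II", 40, 8) + b"\x00" * 56
    empty = b"\x00" * 80
    return b"\x00" * 1024 + fixed + b"\x00" * 32 + empty + empty + catalog + empty + empty
```

Run `parse_volume_header(open("volume.img", "rb").read())` against a raw HFS+ volume image to get the same dictionary; on a real image the offsets only hold if the image starts at the volume, not at the disk.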

Apple File System

  • aka APFS
  • created for MacOS 10.13 (High Sierra) and later
  • also used by iOS 10.3 and later
  • designed to fix issues with HFS+
    • optimized to work with flash drives and solid-state drives
  • uses inodes
    • but they are 64-bit
    • allows for more addresses and larger storage
  • supports creating snapshots of the system at specific points in time
  • supports full disk encryption (FDE)

ISO9660

  • file system used by compact discs (CDs)
  • Apple has its own set of extensions
    • files on the CD might only be readable on Apple systems

Microsoft Disk Operating System (MS-DOS)

  • Mac OS supports MS-DOS file systems
    • FAT12, FAT16, FAT32
  • allows Mac to read floppy disks

New Technology File System

  • Mac OS supports read-only for NTFS

Universal Disk Format

  • UDF is the file system used by DVD-ROM discs
  • Mac can read the drive, but not necessarily read the files

Unix File System

  • file system used by FreeBSD and other Unix variants
  • Mac OS can read UFS volumes

Partition Types

Partition type determines how the partition is organized on the drive.

  • referred to as “partition schemes” in Apple documentation
  • Apple supports 3 schemes:
    • GUID Partition Table
    • Apple Partition Map
    • master boot record
  • if using APFS, do not partition the drive
    • instead create multiple APFS volumes within a single partition
  • if you want to dual boot,
    • do not create a separate partition manually
    • use Boot Camp Assistant instead

GUID Partition Table

  • used primarily with Intel-based processors
  • Intel-based Mac OS computers can boot only from drives that use the GUID Partition Table

Apple Partition Map

  • used with any PowerPC-based Mac
  • Intel-based Macs can mount and use a drive formatted with Apple Partition Map
    • but cannot boot from it

Master Boot Record

  • used when DOS or Windows-based computers start up
  • MBR contains a partition table, bootstrap code, etc.
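An added example, not from the original notes, that tells from the first two sectors of a raw disk image which of the three Apple-supported schemes it uses (GPT's "EFI PART" header at LBA 1, an Apple Partition Map's 'PM' entry in block 1, or a plain MBR's 0x55AA signature) and walks the MBR partition table, which for a GPT disk shows only the protective 0xEE entry. The sample images are constructed inline.

```python
import struct

SECTOR = 512

def identify_partition_scheme(image):
    """Return 'GPT', 'APM', 'MBR' or 'unknown' from the first two sectors of a raw disk image."""
    if len(image) < 2 * SECTOR:
        raise ValueError("need at least two sectors")
    lba0, lba1 = image[:SECTOR], image[SECTOR:2 * SECTOR]
    # GPT: protective MBR in LBA 0 and an "EFI PART" header at LBA 1 (checked first, since
    # the protective MBR also carries the 0x55AA signature)
    if lba1[:8] == b"EFI PART":
        return "GPT"
    # Apple Partition Map: block 0 is the 'ER' driver descriptor, block 1 the first 'PM' entry
    if lba1[:2] == b"PM":
        return "APM"
    # Classic MBR: 0x55AA boot signature at the end of sector 0
    if lba0[510:512] == b"\x55\xaa":
        return "MBR"
    return "unknown"

def mbr_partitions(image):
    """List (type_byte, start_lba, sector_count) for the four primary MBR entries in use."""
    entries = []
    for i in range(4):
        e = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = e[4]
        start, count = struct.unpack("<II", e[8:16])   # little-endian LBA fields
        if ptype != 0:
            entries.append((ptype, start, count))
    return entries

def build_sample_mbr():
    """Constructed MBR image: one bootable FAT32 (0x0C) partition starting at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa" + b"\x00" * SECTOR

def build_sample_gpt():
    """Constructed GPT image: protective MBR (type 0xEE) plus an EFI PART header at LBA 1."""
    entry = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, 0xFFFFFFFF)
    lba0 = b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"
    lba1 = b"EFI PART" + struct.pack("<I", 0x00010000) + b"\x00" * (SECTOR - 12)
    return lba0 + lba1

def build_sample_apm():
    """Constructed APM image: 'ER' driver descriptor in block 0, 'PM' map entry in block 1."""
    lba0 = b"ER" + struct.pack(">H", SECTOR) + b"\x00" * (SECTOR - 4)
    lba1 = b"PM" + b"\x00" * 2 + struct.pack(">I", 2) + b"\x00" * (SECTOR - 8)
    return lba0 + lba1
```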

Boot Camp Assistant

  • utility used to allow installation of other operating systems alongside Mac OS

Mac OS Logs

  • /var/log
    • contains logs
    • /var/log/daily.out contains data on all mounted volumes
  • /var/spool/cups
    • contains information about printed documents
  • /private/var/audit
    • logs of system audits
    • often not in human-readable format
  • /private/var/vm
    • contains swap and sleep image files
  • /Library/Receipts
    • contains information about system and software updates
  • /Library/Mobile
    • this folder is what syncs with iCloud
  • /Users/<user>/.bash_history
    • shows history of bash shell commands
    • note that the latest macOS versions use zsh (the Z shell) by default
  • /var/vm/app_profile
    • contains lists of recently opened applications and temporary application data
  • /Users/
    • contains user files
  • /Users/<user>/Library/Preferences
    • contains user preferences
    • maintains preferences of programs that have been deleted

Directories

  • /Volumes
    • contains information about mounted devices
  • /Users
    • contains all user accounts and associated files
  • /Applications
    • stores all applications
  • /Network
    • contains information about servers, network libraries, and network properties
  • /etc
    • contains configuration files
  • /Library/Preferences/SystemConfiguration/com.apple.preferences.plist
    • contains the network configuration data for each network card

Mac OS Forensic Techniques

Target Disk Mode

  • first step in forensics is to create a bit-level copy of a drive
  • 3 ways to do this:
    • can use the dd command along with netcat
    • can use imaging tools
    • can use Target Disk Mode
      • place suspect computer into Target Disk Mode
        • is read-only
      • connect to the computer with USB and image the disk
      • allows you to preview the computer on-site

Searching Virtual Memory

  • swap file/virtual memory is located in /var/vm/
  • can use grep

Shell Commands

  • Mac OS specific commands:
    • date
      • returns the current date and time zone
    • ls /dev/disk?
      • lists the current device files that are in use
    • hdiutil partition /dev/disk0
      • lists the partition table for the boot drive
    • system_profiler SPHardwareDataType
      • returns the hardware information for the host system
    • system_profiler SPSoftwareDataType
      • returns information about the operating system

How to Examine an Apple Device

  • create a copy of the forensic image and mount it as a read-only VM
  • Forensic Explorer can do this

MacQuisition

  • is a tool for imaging Mac OS systems

Can You Undelete in Mac OS?

  • when a file is deleted, it is moved to the Trash folder
    • is a hidden folder .Trash in the root directory
  • can use recovery tools
    • Disk Drill
    • Mac Undelete from Remo Software
    • Free Undelete Mac

Mac OS Password Recovery

  1. Enter Recovery Mode
    • fully power off
    • press power and Command + R
    • when Apple logo appears, let go
  2. Choose Disk Utility
    • if a password is requested, then there is a firmware password set
      • thus this technique won’t work
  3. go to Utilities > Terminal
  4. depending on device:
    1. type resetpassword
      • then close terminal to see a list of accounts
      • set a password for one or more
    2. for later versions of Mac OS:
      • need a USB drive formatted as FAT32 or APFS
      • from the terminal, find out whether SIP is enabled
        • ls -R /Volumes/<hard drive name>/var/db/dslocal/nodes/Default/
        • lists all files in the directory and its subdirectories
        • if the error “operation not permitted” appears, then SIP is enabled
        • to turn it off, run csrutil disable
          • then restart the computer
      • boot into Recovery Mode again and start the terminal
      • insert the USB drive and copy out the plist file:
        • cp /Volumes/<hard drive name>/var/db/dslocal/nodes/Default/users/<username>.plist /Volumes/<usb name>/
      • then take the plist file to another computer and convert it to input for the Hashcat tool
      • the resulting hash output is saved to a text file and fed into Hashcat