CNIT 152 13 Investigating Mac OS X Systems
0 likes149 views
This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.
CNIT 152 13 Investigating Mac OS X Systems
- 1. CNIT 152: Incident Response 13 Investigating Mac OS X Systems Updated 12-2-21
- 2. Topics
- 4. New: APFS
- 5. HFS+ and File System Analysis • Hierarchical File System features:
- 6. Nine Structures 1. Boot block s 2. Volume heade r 3. Allocation fi l e 4. Extents over fl ow fi l e 5. Catalog fi l e 6. Attributes fi l e 7. Startup fi l e 8. Alternate volume heade r 9. Reserved blocks
- 8. Nine Structures 1. Boot block s • First 1024 bytes of volum e • Typically empty on modern system s 2. Volume Header and Alternate Volume Heade r •Located 1024 bytes from the beginning of the volum e •Information about the volume, including the location of other structures
- 11. Mac Timestamps •All in local tim e •HFS+ Volum e •Create date, modify date, backup date, checked dat e •Fil e •Access, modify, inode change, inode birth time ( fi le creation)
- 12. Stat Command • Shows all four timestamps on Mac
- 13. Allocation File • A bit for every bloc k • 1 = in us e • 0 = available
- 14. Extents Over fl ow File • "Extents" are contiguous allocation blocks
- 15. Catalog File • Details hierarchy of fi les and folders in the syste m • Each fi le and folder has a unique catalog node ID (CNID)
- 16. Attributes File • Optiona l • Used for named fork s • Additional metadata assigned to a fi l e • Like Microsoft's Alternate Data Stream s • Stores origin of fi les from the Internet, and tags like "Green" and "Important"
- 17. Startup File • Not used by Mac OS X • Usually empty
- 18. File System Services • Spotligh t • Managed Storage
- 19. Spotlight
- 20. Spotlight • Metadata indexing and searching servic e • Indexers examine the content of fi les to fi nd keyword s • Some index entire content, others only import metadata
- 21. Spotlight • Can be used to search a live syste m • Not much use for a static acquisitio n • Indexes are deleted when a fi le is delete d • No tools are available to parse the data stored by the Spotlight indexer once it's extracted from a drive image
- 22. Managed Storage • New in Mac OS X Lion (10.7 ) • Allows apps to continuously save dat a • Uses daemon "revisiond " • Saves data on volumes under the "hidden" directory • /.DocumentRevisions-V100
- 23. Capturing db Files • Copy them to another folde r • Originals are in use and won't ope n • db.sqlite shows fi les used with timestamps
- 24. • Consider the fi le with fi le_storage_id 6
- 25. Generations • 394 revisions of that fi le save d • With timestamps and other info . • Still the same on Mojave (Dec. 2018)
- 26. 13a
- 27. Core Operating System Data
- 28. File System Layout • Four domains for data classi fi catio n • Loca l • Syste m • Networ k • User
- 29. Local Domain • Applications and con fi gurations that are shared among all users of a syste m • Administrative privileges required to modify data in this domai n • These directories are in the local domain:
- 30. System Domain • Data installed by Apple, and a few specialized low-level utilitie s • Most useful domain for intrusion investigations because it contains the system log s • Includes all the traditional Unix structures, all of which require administrative privileges to modif y • /bin, /usr, /dev, /etc, and so on, also /System
- 31. Network Domain • Applications and data stored here is shared among a network of systems and user s • In practice, rarely populated with dat a • Located under the /Network directory
- 32. User Domain • Primary source of data for most other investigation s • Contains user home directories and a shared director y • All user-created content and con fi gurations will be found under /User s • High-privilege and Unix-savvy users may break this model
- 33. MacPorts Package Manager • Lets you add BSD packages to your Ma c • Very usefu l • Requires command-line developer tool s • Link Ch 13b
- 34. The Local Domain
- 35. /Applications • Nearly every installed application is her e • Application Bundle s • Contain everything an application needs to run : • Executable code, graphics, con fi guration fi les, libraries, helper applications and scripts
- 36. Application Bundles • Finder treats the bundle as a single fi l e • Most common extensions
- 37. Inside the Bundle • Right-click, Show Package Content s • Subdirectorie s • MacOS, Resources, Library, Frameworks, PlugIns, SharedSuppor t • Developers can put anything in these directorie s • VMware Fusion's Library folder contains command-line utilities to manage the VMware hypervisor
- 38. Console App
- 39. Package Contents • Contains additional metadat a • Time and date stamps show when the app was installe d • A good place to hide data
- 40. /Developer • Used by XCode, Apple's development environmen t • Until recently, all development tools, SDKs, documentation, and debugging tools were her e • Later versions of XCode moved the tool s • This directory may still be present on some systems
- 41. /Library • /System/Librar y • App settings for the operating syste m • /Librar y • Settings shared between user s • /Users/username/Librar y • User-speci fi c settings
- 42. Application Support • /Library/Application Suppor t • /User/username/Library/Application Suppor t • Settings, caches, license information, and anything else desired by the developer
- 43. Caches • /Library/Cache s • /User/username/Library/Cache s • Temporary data for applications
- 44. Frameworks • /Library/Framework s • /System/Library/Framework s • Drivers or helper applications, for application s • Usually nothing signi fi cant here
- 45. Keychains • /Library/Keychain s • /System/Library/Keychain s • /User/username/Library/Keychain s • Passwords and certi fi cate s • Requires user's password to open
- 46. Logs • /Library/Log s • /User/username/Library/Logs • Application log s • Very important to review
- 47. Preferences • /Library/Preference s • /User/username/Library/Preferences • Application preferences, if the application allows a system API to manage the m • Stored in .plist fi le s • Comparable to the Software hive in Windows
- 48. Receipts • /Library/Receipt s • /User/username/Library/Receipts • Files here are updated when an application is added to the syste m • InstallHistory.plist contains information about every application installed via the OS's installer or update framework
- 49. Same on Mojave
- 50. Same on Mojave
- 51. WebServer • /Library/WebServe r • Apache, installed on every copy of Mac OS X, is started when a user turns on Web sharin g • Removed from Preferences in 10.8, but Apache is still installe d • This folder is Apache's Document Root
- 52. File Types • Used by nearly every applicatio n • Property lists (.plist ) • Tools: plutil on Mac, "plist Explorer" on Window s • SQLite database s • Tools: Firefox Plugin SQLite Manager, sqlitebrowser
- 53. 13b
- 55. Traditional Unix Paths • Some investigations are based entirely on data found here, such as log fi le s • /System directory is structured similarly to the /Library director y • Locations where applications maintain persistenc e • Requires administrator privileges to create or modify fi les
- 56. Artifacts • System logs in /var/lo g • Databases in /var/d b • Records of printed data in the CUPS lo g • System sleep imag e • Software imported using MacPorts or Fink, or compiled in place, may be in /opt
- 57. The User Domain
- 60. User and Service Con fi guration • Apple uses LDAP for enterprise management and Directory Services for local user managemen t • Directory Services doesn't use the traditional Unix fi les /etc/passwd and /etc/group s • Data in SQLite databases and binary-formatted property lists
- 61. The Evidence • Directory Service data is in /private/var/db/dsloca l • Databases (or nodes) for the local system are in the subdirectory nodes/Defaul t • My password hash is on the next slid e • More info at links Ch 13c and 13d
- 62. Password Hash
- 64. Mojave • Now password hashes are inaccessibl e • Even to roo t • Hashes can still be captured from Recovery Mode under some circumstance s • Link Ch 13g
- 66. sqlindex • In /private/var/db/dsloca l • Maintains creation and modi fi cation time for the plist fi les in the directory structur e • And information on the relationships between the dat a • Automatically backed up to /private/var/db/ dslocal-backup.xar (a gzip tar fi le)
- 67. Analysis of sqlindex • Shows when a share was create d • Whether an account existed, and its privilege level
- 68. User Accounts
- 69. Sharepoints • Status of the share for • AFP (Apple Filing Protocol ) • SMB (Server Message Block ) • FTP (File Transfer Protocol ) • Sharepoint names and share pat h • When the share was created
- 70. Trash and Deleted Files • Files deleted from USB sticks go into a Trash folder on the stick, labeled by user ID, lik e • /Volumes/USBDRIVE/.Trashes/501
- 71. System Auditing, Databases, and Logging • Open Source Basic Security Module (OpenBSM ) • Powerful auditing syste m • Logs : • File acces s • Network connection s • Execution of applications and their command-line options
- 72. OpenBSM • Default con fi guration doesn't save detailed information and is of limited use for I R • Con fi guration fi les in /etc/securit y • Primary fi le is audit_control
- 73. OpenBSM • This con fi guration will log everything for all users, an d • Login/logout, administrative events, processes, and network activity
- 74. Helper Services • Run in backgroun d • Track events or common dat a • Maintain state with SQLite databases or property lis t • Examples:
- 75. Airportd • Runs in an application sandbo x • Con fi gured in /usr/share/sandbox
- 76. Airportd Plist
- 77. Networks
- 78. System and Application Logging • Many log and forensic artifacts in these folder s • Most are in plaintext, some are binary
- 80. Read with Syslog
- 81. Other ASL Log Files • Filenames starting with B B • Authentication logs from long ag o • Year is 1 year after the correct date
- 82. Other ASL Log Files • Filenames starting with AU X • Backtrace for crashed or abnormally terminated application s • Plaintext
- 83. /private/var/audit • Read with praudit
- 84. Example Log Entries • Erase fl ash driv e • Failed login attempt
- 85. Interesting Items in Log • iCloud connection, Time Machine, iTune s • Indicates that there are backups of data on other devices
- 86. Scheduled Tasks and Services • Apple moved from cron to launch d • Commands to execute at startup
- 88. Application Installers • When an application is installed, two fi les are placed in /private/var/db/receipt s • Bill of Materials (BOM) and plist
- 90. • BOM contains a complete inventory of fi le s • Plist contains install date, package identi fi er, and path access control lists Application Installers
- 91. Review
- 98. 13c