Difference between pages "CAINE Live CD" and "Mac OS X"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Launch Agents)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = CAINE Live CD |
+
  maintainer = [[CAINE Project]] |
+
  os = {{Linux}} |
+
  genre = {{Live CD}} |
+
  license = {{GPL}}, others |
+
  website = http://www.caine-live.net/ |
+
}}
+
  
'''CAINE Live CD''' (Computer Aided Investigative Environment) is a forensic [[Linux]] [[Live CD]] based on [[Ubuntu]].
+
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
== CAINE 2.0 ==
+
  
September 2010
+
== Disk image types ==
  
 +
Mac OS X has support for various disk image types build-in, some of which are:
 +
* read-write disk image (.dmg) some of which use the [[Raw Image Format]]
 +
* [[Sparse Image format|Sparse disk image (.spareimage)]]
 +
* [[Sparse Bundle Image format|Sparse bundle disk image (.sparsebundle)]]
 +
 +
== Burn Folder ==
 +
 +
Mac OS X Burn Folder:
 
<pre>
 
<pre>
CHANGELOG CAINE 2.0 "NewLight"
+
$NAME.fpbf
 +
</pre>
  
Kernel 2.6.32-24
+
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
 +
<pre>
 +
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
 +
</pre>
  
ADDED:
+
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
Air 2.0.0
+
 
MountManager
+
Also check the following files for references to deleted .fpbf paths:
Disk Utility
+
<pre>
Storage Device Manager
+
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
SSdeep
+
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist
ByteInvestigator
+
DMIdecode
+
HDSentinel
+
WVSummary
+
Read_open_Xml
+
Fiwalk
+
Bulk Extractor
+
Log2Timeline
+
Midnight Commander
+
SQLJuicer
+
CDFS 2.6.27
+
Nautilus Scripts
+
Fake Casper patch
+
Manual updated
+
 
</pre>
 
</pre>
  
 +
Actual burning of optical media is logged in:
 +
<pre>
 +
/var/log/system.log
 +
/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
</pre>
  
'''Live Preview Nautilus Scripts'''
+
== HFS/HFS+ date and time values ==
CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.
+
The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
+
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
+
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques.
+
The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can used the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
+
by John Lehr
+
------------------------------------------
+
'''CASPER PATCH (not for NBCaine 2.0)'''
+
The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). ---
+
by Suhanov Maxim
+
  
 +
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: [http://web.archive.org/web/20090214212148/http://developer.apple.com/technotes/tn/tn1150.html Technical Note TN1150 - HFS Plus Volume Format]
  
 +
Converting HFS/HFS+ date and time values with Python:
 +
<pre>
 +
import datetime
  
== CAINE 1.5 ==
+
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
As of December 2009, the current version of [http://www.caine-live.net/ Caine] is 1.5. According to documentation, it is based on [http://releases.ubuntu.com/8.04/ Ubuntu 8.04]. Unlike the [[Helix]] project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.
+
</pre>
  
== Forensic Issues ==
+
== Launch Agents ==
 +
System-wide:
 +
<pre>
 +
/Library/LaunchAgents
 +
/System/Library/LaunchAgents
 +
</pre>
 +
 
 +
Per user:
 +
<pre>
 +
/Users/$USERNAME/Library/LaunchAgents
 +
</pre>
 +
 
 +
These directories contain  [[Property list (plist)]] files.
 +
 
 +
== Launch Daemons ==
 +
System-wide:
 +
<pre>
 +
/Library/LaunchDaemons
 +
/System/Library/LaunchDaemons
 +
</pre>
 +
 
 +
These directories contain [[Property list (plist)]] files.
 +
 
 +
== Startup Items ==
 +
<pre>
 +
/Library/StartupItems/
 +
/System/Library/StartupItems/
 +
</pre>
 +
 
 +
== Crash Reporter ==
 +
<pre>
 +
/Library/Application Support/CrashReporter
 +
</pre>
 +
 
 +
== Diagnostic Reports ==
 +
<pre>
 +
/Library/Logs/DiagnosticReports
 +
</pre>
 +
 
 +
== Quarantine event database ==
 +
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
 +
 
 +
Snow Leopard and earlier
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
 +
</pre>
 +
 
 +
<pre>
 +
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
 +
</pre>
 +
 
 +
Lion and later
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
 +
</pre>
 +
 
 +
== sleepimage ==
 +
This file is similar to the hibernation file on Windows.
 +
<pre>
 +
/private/var/vm/sleepimage
 +
</pre>
  
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
+
Also see: [http://osxdaily.com/2010/10/11/sleepimage-mac/]
* '''CAINE Live CD version 1.0 introduced new mounting policies''':
+
  
- The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read-only mode on a read-only loopback device.
+
== Package Files (.PKG) ==
 +
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
  
- If a user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.
+
== Also see ==
 +
* [[MacOS Process Monitoring]]
 +
* [[Acquiring a MacOS System with Target Disk Mode]]
 +
* [[Converting Binary Plists]]
 +
* [[FileVault Disk Encryption]]
 +
* [[File Vault]]
  
- The ext3 driver will be ignored when ext3 file systems are mounted and the ext2 driver used instead. This protects any ext3 file systems from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 file system is mounted, there is no danger of modifying the journal metadata.
+
=== Formats ===
 +
* [[Basic Security Module (BSM) file format]]
 +
* [[Property list (plist)]]
  
- By applying a special patch CAINE team fixed the bug that changed the journal of the ext3 file systems when the computer was switched off by pulling the plug.  
+
== External Links ==
 +
* [http://www.apple.com/macosx/ Official website]
 +
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
 +
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
 +
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
 +
* [http://web.me.com/driley/iWeb/Previous_files/Directory_Services_Overview.pdf Mac OS X Directory Services Integration including Active Directory]
 +
* [http://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ NSKeyedArchiver files – what are they, and how can I use them?]
 +
* [http://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/ Command Line ALF on Mac OS X]
 +
* [http://newosxbook.com/DMG.html Demystifying the DMG File Format]
 +
* [https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS mac-security-tips]
  
- Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "exotic names" like /dev/sdad1.
+
=== Apple Examiner ===
 +
* [http://www.appleexaminer.com/ The Apple Examiner]
 +
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
 +
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
  
- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).
+
=== iCloud ===
 +
* [http://support.apple.com/kb/HT4865?viewlocale=en_US&locale=en_US iCloud: iCloud security and privacy overview]
  
    # ntfs-3g /device-path /your-mount-point
+
[[Category:Mac OS X]]
 +
[[Category:Operating systems]]

Revision as of 13:08, 12 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

Disk image types

Mac OS X has support for various disk image types build-in, some of which are:

Burn Folder

Mac OS X Burn Folder:

$NAME.fpbf

This folder normally contains alias files (similar to LNK files under Windows). Which should have the following signature.

00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|

These alias files contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:

/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist

Actual burning of optical media is logged in:

/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log

HFS/HFS+ date and time values

In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: Technical Note TN1150 - HFS Plus Volume Format

Converting HFS/HFS+ date and time values with Python:

import datetime

print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )

Launch Agents

System-wide:

/Library/LaunchAgents
/System/Library/LaunchAgents

Per user:

/Users/$USERNAME/Library/LaunchAgents

These directories contain Property list (plist) files.

Launch Daemons

System-wide:

/Library/LaunchDaemons
/System/Library/LaunchDaemons

These directories contain Property list (plist) files.

Startup Items

/Library/StartupItems/
/System/Library/StartupItems/

Crash Reporter

/Library/Application Support/CrashReporter

Diagnostic Reports

/Library/Logs/DiagnosticReports

Quarantine event database

See [1]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

sleepimage

This file is similar to the hibernation file on Windows.

/private/var/vm/sleepimage

Also see: [2]

Package Files (.PKG)

Package Files (.PKG) are XAR archives [3] that contain a cpio archive and metadata [4].

Also see

Formats

External Links

Apple Examiner

iCloud