Difference between pages "Forensic Live CD issues" and "Mac OS X"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Orphan inodes deletion)
 
(Startup Items)
 
Line 1: Line 1:
== The problem ==
+
{{Expand}}
  
[[Live CD|Forensic Live CDs]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Unfortunately, community-developed distributions are no exception here. Finally, it turns out that many Linux-based forensic Live CDs are not tested properly and there are no suitable test cases published.
+
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
  
== Another side of the problem ==
+
== Disk image types ==
  
Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and cannot adequately test them.
+
Mac OS X has support for various disk image types build-in, some of which are:
 +
* read-write disk image (.dmg) some of which use the [[Raw Image Format]]
 +
* [[Sparse Image format|Sparse disk image (.spareimage)]]
 +
* [[Sparse Bundle Image format|Sparse bundle disk image (.sparsebundle)]]
  
=== Example ===
+
== Burn Folder ==
  
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
+
Mac OS X Burn Folder:
 +
<pre>
 +
$NAME.fpbf
 +
</pre>
  
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
+
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
 +
<pre>
 +
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
 +
</pre>
  
== Problems ==
+
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
  
Each problem is followed by a list of distributions affected (currently this list is not up-to-date).
+
Also check the following files for references to deleted .fpbf paths:
 +
<pre>
 +
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
 +
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist
 +
</pre>
  
=== Journaling file system updates ===
+
Actual burning of optical media is logged in:
 +
<pre>
 +
/var/log/system.log
 +
/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
</pre>
  
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
+
== HFS/HFS+ date and time values ==
  
{| class="wikitable" border="1"
+
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: [http://web.archive.org/web/20090214212148/http://developer.apple.com/technotes/tn/tn1150.html Technical Note TN1150 - HFS Plus Volume Format]
|-
+
!  File system
+
!  When data writes happen
+
!  Notes
+
|-
+
|  Ext3
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  Ext4
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  ReiserFS
+
|  File system has unfinished transactions
+
|  "nolog" flag does not work (see ''man mount''). To disable journal updates: use "ro,loop" flags
+
|-
+
|  XFS
+
|  Always (when unmounting)
+
|  "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags.
+
|}
+
  
Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
+
Converting HFS/HFS+ date and time values with Python:
 +
<pre>
 +
import datetime
  
[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]
+
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
 +
</pre>
  
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
+
== Launch Agents ==
 +
<pre>
 +
/System/Library/LaunchAgents/
 +
</pre>
  
{| class="wikitable" border="1"
+
== Launch Daemons ==
|-
+
<pre>
!  Distribution
+
/Library/LaunchDaemons/
!  Version
+
/System/Library/LaunchDaemons/
|-
+
</pre>
|  Helix3
+
|  2009R1
+
|-
+
|  SMART Linux (Ubuntu)
+
|  2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|-
+
|  SPADA
+
|  4
+
|-
+
|  DEFT Linux
+
|  7
+
|}
+
  
=== Orphan inodes deletion ===
+
== Startup Items ==
 +
<pre>
 +
/Library/StartupItems/
 +
/System/Library/StartupItems/
 +
</pre>
  
When mounting Ext3/4 file systems all orphan inodes are removed, even if "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inodes deletion. The only solution here is to use "-o ro,loop" flags.
+
== Crash Reporter ==
 +
<pre>
 +
/Library/Application Support/CrashReporter
 +
</pre>
  
=== Root file system spoofing ===
+
== Diagnostic Reports ==
 +
<pre>
 +
/Library/Logs/DiagnosticReports
 +
</pre>
  
''See also: [[Early userspace | early userspace]]''
+
== Quarantine event database ==
 +
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
  
Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing ''/sbin/init'' program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.
+
Snow Leopard and earlier
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
 +
</pre>
  
[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]
+
<pre>
 +
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
 +
</pre>
  
Currently, Casper may select fake root file system image on evidentiary media (e.g. [[Hard Drive|HDD]]), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
+
Lion and later
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
 +
</pre>
  
List of Ubuntu-based distributions that allow root file system spoofing:
+
== sleepimage ==
 +
This file is similar to the hibernation file on Windows.
 +
<pre>
 +
/private/var/vm/sleepimage
 +
</pre>
  
{| class="wikitable" border="1"
+
Also see: [http://osxdaily.com/2010/10/11/sleepimage-mac/]
|-
+
!  Distribution
+
!  Version
+
|-
+
|  Helix3
+
|  2009R1
+
|-
+
|  Helix3 Pro
+
|  2009R3
+
|-
+
|  CAINE
+
|  1.5
+
|-
+
|  DEFT Linux
+
|  5
+
|-
+
|  Raptor
+
|  2.0
+
|-
+
|  BackTrack
+
|  4
+
|-
+
|  SMART Linux (Ubuntu)
+
2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|}
+
  
Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.
+
== Package Files (.PKG) ==
 +
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
  
[http://anti-forensics.ru/ Anti-Forensics.Ru project] [http://digitalcorpora.org/corp/images/aor/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (description for all images is [http://anti-forensics.ru/casper/ here]).
+
== Also see ==
 +
* [[MacOS Process Monitoring]]
 +
* [[Acquiring a MacOS System with Target Disk Mode]]
 +
* [[Converting Binary Plists]]
 +
* [[FileVault Disk Encryption]]
 +
* [[File Vault]]
  
=== Swap space activation ===
+
=== Formats ===
 +
* [[Basic Security Module (BSM) file format]]
 +
* [[Property list (plist)]]
  
''Feel free to add information about swap space activation during the boot in some distributions''
+
== External Links ==
 +
* [http://www.apple.com/macosx/ Official website]
 +
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
 +
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
 +
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
 +
* [http://web.me.com/driley/iWeb/Previous_files/Directory_Services_Overview.pdf Mac OS X Directory Services Integration including Active Directory]
 +
* [http://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ NSKeyedArchiver files – what are they, and how can I use them?]
 +
* [http://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/ Command Line ALF on Mac OS X]
 +
* [http://newosxbook.com/DMG.html Demystifying the DMG File Format]
 +
* [https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS mac-security-tips]
  
=== Incorrect mount policy ===
+
=== Apple Examiner ===
 +
* [http://www.appleexaminer.com/ The Apple Examiner]
 +
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
 +
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
  
==== rebuildfstab and scanpartitions scripts ====
+
=== iCloud ===
 +
* [http://support.apple.com/kb/HT4865?viewlocale=en_US&locale=en_US iCloud: iCloud security and privacy overview]
  
Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use rebuildfstab and scanpartition scripts to create entries for attached devices in ''/etc/fstab''. Some versions of these scripts use wrong wildcards while searching for available block devices (''/dev/?d?'' instead of ''/dev/?d*''), this results in missing several "exotic" devices (like /dev/sdad, /dev/sdad1, etc) and in data writes when mounting them (because fstab lacks of read-only mount options for these devices).
+
[[Category:Mac OS X]]
 
+
[[Category:Operating systems]]
=== Incorrect write-blocking approach ===
+
 
+
Some forensic Linux Live CD distributions rely on [[hdparm]] and [[blockdev]] programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting the block device to read-only mode does not guarantee that [http://archives.free.net.ph/message/20090721.105120.99250e3f.en.html no write commands will be passed to the drive].
+
 
+
== External links ==
+
 
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]
+
 
+
[[Category:Live CD]]
+

Revision as of 13:07, 12 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

Disk image types

Mac OS X has support for various disk image types build-in, some of which are:

Burn Folder

Mac OS X Burn Folder:

$NAME.fpbf

This folder normally contains alias files (similar to LNK files under Windows). Which should have the following signature.

00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|

These alias files contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:

/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist

Actual burning of optical media is logged in:

/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log

HFS/HFS+ date and time values

In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: Technical Note TN1150 - HFS Plus Volume Format

Converting HFS/HFS+ date and time values with Python:

import datetime

print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )

Launch Agents

/System/Library/LaunchAgents/

Launch Daemons

/Library/LaunchDaemons/
/System/Library/LaunchDaemons/

Startup Items

/Library/StartupItems/
/System/Library/StartupItems/

Crash Reporter

/Library/Application Support/CrashReporter

Diagnostic Reports

/Library/Logs/DiagnosticReports

Quarantine event database

See [1]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

sleepimage

This file is similar to the hibernation file on Windows.

/private/var/vm/sleepimage

Also see: [2]

Package Files (.PKG)

Package Files (.PKG) are XAR archives [3] that contain a cpio archive and metadata [4].

Also see

Formats

External Links

Apple Examiner

iCloud