Difference between pages "Incident Response" and "Mac OS X"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.  
+
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
  
== Tools ==
+
== EFI boot ==
 +
The firmware is responsible for initializing the hardware and performing a POST (Power-On Self Test).
  
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.
+
The default boot volume is stored in NVRAM and can be configured through the "Startup Disk" preference pane or the nvram command line utility [https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/nvram.8.html]. E.g. to print all of the firmware variables.
 +
<pre>
 +
nvram -p
 +
</pre>
  
Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.
+
Additional boot arguments can be provided via the "boot-args" value [http://www.cnet.com/news/boot-argument-options-in-os-x/].
  
The final category of tools are '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
+
Mac OS X extends EFI with a read-only HFS+ driver. According to [http://refit.sourceforge.net/info/boot_process.html] HFS+ volume header fields are used to point to a "blessed file" to be loaded as an EFI application. Though it is not clear which header field the source is referring to but likely related to the "bless" utility [https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/bless.8.html].
  
== See Also ==
+
The firmware start the Mac OS X boot loader (boot.efi). The bootloader displays a dark grey Apple logo on the screen and loads the Darwin kernel from disk, as well as the essential driver extensions.
* Obsolete: [[List of Script Based Incident Response Tools]]
+
  
== External Links ==
+
The bootloader can be eithe a MZ-PE/COFF or EFI fat binary type [[Executable|executables]] and is commonly stored in:
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
+
<pre>
* [https://labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf Journey to the Centre of the Breach], by Ben Downton, June 2, 2010
+
/com.apple.recovery.boot/boot.efi
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
+
/System/Library/CoreServices/boot.efi
 +
/usr/standalone/i386/boot.efi
 +
</pre>
  
=== Emergency Response ===
+
The behavior of the bootloader can be configured in the com.apple.Boot.plist [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/com.apple.Boot.plist.5.html] which can be found in:
* [http://www.mdchhs.com/sites/default/files/JEM-9-5-02-CHHS.pdf Addressing emergency response provider fatigue in emergency response preparedness, management, policy making, and research], Clark J. Lee, JD, September 2011
+
<pre>
 +
/Library/Preferences/SystemConfiguration/
 +
</pre>
  
=== Kill Chain ===
+
== Disk image types ==
* [http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains], by Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, March 2011
+
* [http://www.emc.com/collateral/hardware/solution-overview/h11154-stalking-the-kill-chain-so.pdf Stalking the kill chain], by RSA
+
  
=== Incident Lifecycle ===
+
Mac OS X has support for various disk image types build-in, some of which are:
* [http://www.itsmsolutions.com/newsletters/DITYvol5iss7.htm Expanding the Expanded Incident Lifecycle], by Janet Kuhn, February 18, 2009
+
* read-write disk image (.dmg) some of which use the [[Raw Image Format]]
* [https://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/workflows/incident-lifecycle Incident lifecycle], by [[ENISA]]
+
* [[Sparse Image format|Sparse disk image (.spareimage)]]
 +
* [[Sparse Bundle Image format|Sparse bundle disk image (.sparsebundle)]]
  
== Tools ==
+
== Burn Folder ==
=== Individual Tools ===
+
 
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
+
Mac OS X Burn Folder:
 +
<pre>
 +
$NAME.fpbf
 +
</pre>
 +
 
 +
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
 +
<pre>
 +
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
 +
</pre>
 +
 
 +
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
 +
 
 +
Also check the following files for references to deleted .fpbf paths:
 +
<pre>
 +
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
 +
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist
 +
</pre>
 +
 
 +
Actual burning of optical media is logged in:
 +
<pre>
 +
/var/log/system.log
 +
/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
</pre>
 +
 
 +
== HFS/HFS+ date and time values ==
 +
 
 +
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: [http://web.archive.org/web/20090214212148/http://developer.apple.com/technotes/tn/tn1150.html Technical Note TN1150 - HFS Plus Volume Format]
 +
 
 +
Converting HFS/HFS+ date and time values with Python:
 +
<pre>
 +
import datetime
 +
 
 +
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
 +
</pre>
 +
 
 +
== Launch Agents ==
 +
System-wide:
 +
<pre>
 +
/Library/LaunchAgents
 +
/System/Library/LaunchAgents
 +
</pre>
 +
 
 +
Per user:
 +
<pre>
 +
/Users/$USERNAME/Library/LaunchAgents
 +
</pre>
 +
 
 +
These directories contain  [[Property list (plist)]] files.
 +
 
 +
== Launch Daemons ==
 +
System-wide:
 +
<pre>
 +
/Library/LaunchDaemons
 +
/System/Library/LaunchDaemons
 +
</pre>
 +
 
 +
These directories contain [[Property list (plist)]] files.
 +
 
 +
== Startup Items ==
 +
<pre>
 +
/Library/StartupItems/
 +
/System/Library/StartupItems/
 +
</pre>
 +
 
 +
== Crash Reporter ==
 +
<pre>
 +
/Library/Application Support/CrashReporter
 +
</pre>
 +
 
 +
Contains text files named .crash, .diag, .spin
 +
 
 +
== Diagnostic Reports ==
 +
<pre>
 +
/Library/Logs/DiagnosticReports
 +
</pre>
 +
 
 +
== Internet Plug-Ins ==
 +
System-wide:
 +
<pre>
 +
/Library/Internet Plug-Ins
 +
</pre>
 +
 
 +
Per user:
 +
<pre>
 +
/Users/$USERNAME/Library/Internet Plug-Ins
 +
</pre>
 +
 
 +
== Quarantine event database ==
 +
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
 +
 
 +
Snow Leopard and earlier
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
 +
</pre>
 +
 
 +
<pre>
 +
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
 +
</pre>
 +
 
 +
Lion and later
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
 +
</pre>
 +
 
 +
== sleepimage ==
 +
This file is similar to the hibernation file on Windows.
 +
<pre>
 +
/private/var/vm/sleepimage
 +
</pre>
 +
 
 +
Also see: [http://osxdaily.com/2010/10/11/sleepimage-mac/]
 +
 
 +
== Last shutdown logs ==
 +
<pre>
 +
/private/var/log/com.apple.launchd/launchd-shutdown.system.log
 +
/private/var/log/com.apple.launchd/launchd-shutdown.system.log.1
 +
</pre>
 +
 
 +
== Package Files (.PKG) ==
 +
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
 +
 
 +
== Also see ==
 +
* [[MacOS Process Monitoring]]
 +
* [[Acquiring a MacOS System with Target Disk Mode]]
 +
* [[Converting Binary Plists]]
 +
* [[FileVault Disk Encryption]]
 +
* [[File Vault]]
 +
 
 +
=== Formats ===
 +
* [[Basic Security Module (BSM) file format]]
 +
* [[Property list (plist)]]
 +
 
 +
== External Links ==
 +
* [http://www.apple.com/macosx/ Official website]
 +
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
 +
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
 +
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
 +
* [http://web.me.com/driley/iWeb/Previous_files/Directory_Services_Overview.pdf Mac OS X Directory Services Integration including Active Directory]
 +
* [http://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ NSKeyedArchiver files – what are they, and how can I use them?]
 +
* [http://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/ Command Line ALF on Mac OS X]
 +
* [http://newosxbook.com/DMG.html Demystifying the DMG File Format]
 +
* [https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS mac-security-tips]
  
=== Script Based Tools ===
+
=== Apple Examiner ===
* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
+
* [http://www.appleexaminer.com/ The Apple Examiner]
* [[COFEE|Microsoft COFEE]]
+
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]
+
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
* [[Regimented Potential Incident Examination Report|RAPIER]]
+
  
=== Agent Based Tools ===
+
=== EFI ===
* [[GRR]]
+
* [http://refit.sourceforge.net/info/boot_process.html The Intel Mac boot process], by the [[rEFIt|rEFIt project]]
* [[First Response|Mandiant First Response]]
+
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012
  
== Books ==
+
=== iCloud ===
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
+
* [http://support.apple.com/kb/HT4865?viewlocale=en_US&locale=en_US iCloud: iCloud security and privacy overview]
  
[[Category:Incident Response]]
+
[[Category:Mac OS X]]
 +
[[Category:Operating systems]]

Revision as of 09:07, 25 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

EFI boot

The firmware is responsible for initializing the hardware and performing a POST (Power-On Self Test).

The default boot volume is stored in NVRAM and can be configured through the "Startup Disk" preference pane or the nvram command line utility [1]. E.g. to print all of the firmware variables.

nvram -p

Additional boot arguments can be provided via the "boot-args" value [2].

Mac OS X extends EFI with a read-only HFS+ driver. According to [3] HFS+ volume header fields are used to point to a "blessed file" to be loaded as an EFI application. Though it is not clear which header field the source is referring to but likely related to the "bless" utility [4].

The firmware start the Mac OS X boot loader (boot.efi). The bootloader displays a dark grey Apple logo on the screen and loads the Darwin kernel from disk, as well as the essential driver extensions.

The bootloader can be eithe a MZ-PE/COFF or EFI fat binary type executables and is commonly stored in:

/com.apple.recovery.boot/boot.efi
/System/Library/CoreServices/boot.efi
/usr/standalone/i386/boot.efi

The behavior of the bootloader can be configured in the com.apple.Boot.plist [5] which can be found in:

/Library/Preferences/SystemConfiguration/

Disk image types

Mac OS X has support for various disk image types build-in, some of which are:

Burn Folder

Mac OS X Burn Folder:

$NAME.fpbf

This folder normally contains alias files (similar to LNK files under Windows). Which should have the following signature.

00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|

These alias files contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:

/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist

Actual burning of optical media is logged in:

/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log

HFS/HFS+ date and time values

In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: Technical Note TN1150 - HFS Plus Volume Format

Converting HFS/HFS+ date and time values with Python:

import datetime

print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )

Launch Agents

System-wide:

/Library/LaunchAgents
/System/Library/LaunchAgents

Per user:

/Users/$USERNAME/Library/LaunchAgents

These directories contain Property list (plist) files.

Launch Daemons

System-wide:

/Library/LaunchDaemons
/System/Library/LaunchDaemons

These directories contain Property list (plist) files.

Startup Items

/Library/StartupItems/
/System/Library/StartupItems/

Crash Reporter

/Library/Application Support/CrashReporter

Contains text files named .crash, .diag, .spin

Diagnostic Reports

/Library/Logs/DiagnosticReports

Internet Plug-Ins

System-wide:

/Library/Internet Plug-Ins

Per user:

/Users/$USERNAME/Library/Internet Plug-Ins

Quarantine event database

See [6]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

sleepimage

This file is similar to the hibernation file on Windows.

/private/var/vm/sleepimage

Also see: [7]

Last shutdown logs

/private/var/log/com.apple.launchd/launchd-shutdown.system.log
/private/var/log/com.apple.launchd/launchd-shutdown.system.log.1

Package Files (.PKG)

Package Files (.PKG) are XAR archives [8] that contain a cpio archive and metadata [9].

Also see

Formats

External Links

Apple Examiner

EFI

iCloud