Mac OS X Live Forensics 101

Hello Internet denizens! Given the popularity and ubiquity of the Macintosh operating system, I thought it would be fun to share some ways to get interesting information about the start-up, configuration and run-time state of your Mac OS X environment. This won't be a super deep forensics dive (yet), as most of these artifacts can be subverted by advanced malware, but nonetheless, let's dive into OS X!! Again, this article will be mostly focused on how the operating system caches and uses the information.

First things first: if you're using the console (and you should be), you will be able to see all of the typically hidden files. Mac OS X hidden files follow the Linux convention: they all start with a period, followed by the hidden file name. To reveal these in your Finder, simply enter the following command into the terminal: defaults write com.apple.finder AppleShowAllFiles 1 (then relaunch Finder for the change to take effect). In regards to hidden files, at the top of every user home directory and mounted media resides a hidden file named ".Trash", which keeps track of every file you've deleted in that directory. These files persist even if you've emptied the trash bin, and the files inside are still completely intact.

File attributes are extremely important when inspecting events, such as when a file was created or when it was last accessed. In OS X, these are accessed using the GetFileInfo tool. You can view the attributes of a file by simply issuing the command GetFileInfo [target file]. The file's attribute bits are also highly important, and you can get a good idea of how to decipher them using this Apple Examiner cheat sheet.

A key component of OS X is Property List files, or plists as you will become familiar with them. The plists on Mac OS X come in two flavors, XML and binary stream. You won't be able to directly read the binary ones, but the XML ones can provide a wealth of information about how a program or service is configured. Knowing that, it's really important to be able to convert a binary plist file into its XML counterpart. Fortunately, Mac OS X provides a convenient utility to do just that, plutil. You can quickly tell if a plist is binary or XML by running the file command on it. Here is a good example of converting a binary plist into an XML one: plutil -convert xml1 -o [file path for xml output plist] [file path to binary plist to convert]. Once we have it converted, we can simply cat it to find some excellent info about our system. What kind of information, you ask? Well, here are some interesting plists you could read:

Version Information: /System/Library/CoreServices/SystemVersion.plist
Installed Applications and Updates: /Library/Receipts/InstallHistory.plist
Basic Firewall Information: /Library/Preferences/com.apple.alf.plist
Remote Sharing Configs: /var/db/launchd.db/com.apple.launchd/overrides.plist
Startup Programs: /Library/Preferences/com.apple.loginitems.plist
Autolaunch Agents: /Library/LaunchAgents/*.plist
Autolaunch Daemons: /Library/LaunchDaemons/*.plist
FileVault Configuration: /System/Library/Preferences/com.apple.security.plist
Deleted Users: /Library/Preferences/com.apple.preferences.accounts.plist
Last User Login: /Library/Preferences/com.apple.loginwindow.plist
User Autolaunch Programs: /Users/[your user]/Library/Preferences/loginwindow.plist
User Program LastUse: /Users/[your user]/Library/Preferences/com.apple.spotlight.plist
Recent User Information: /Users/[your user]/Library/Preferences/com.apple.recentitems.plist
Remembered Wifi Networks: /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

For a more complete list of these interesting files and their locations see this Apple Examiner list.
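The binary-versus-XML distinction and the plutil conversion above can be reproduced offline with Python's plistlib, which is handy when you have pulled plists off a Mac onto an analysis box that has no plutil. This is an added example, not code from the original post; the sample plist is constructed here with SystemVersion.plist-style keys and made-up values.

```python
import plistlib

# Constructed sample resembling the keys of SystemVersion.plist (values made up).
SAMPLE_DICT = {
    "ProductName": "Mac OS X",
    "ProductVersion": "10.9.2",
    "ProductBuildVersion": "13C64",
}
# Serialise it as a binary plist so the block has a "bplist" input to work on.
SAMPLE_BINARY = plistlib.dumps(SAMPLE_DICT, fmt=plistlib.FMT_BINARY)


def detect_plist_format(data: bytes) -> str:
    """Classify a plist by its leading bytes, the same way `file` does:
    binary plists start with the magic 'bplist', XML ones with an XML
    declaration or the <plist> root element."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_any(data: bytes) -> dict:
    """Parse either flavour; plistlib sniffs the format itself."""
    return plistlib.loads(data)


def to_xml(data: bytes) -> bytes:
    """Equivalent of `plutil -convert xml1`: re-emit a plist as XML text."""
    return plistlib.dumps(load_any(data), fmt=plistlib.FMT_XML)


def convert_file(src: str, dst: str) -> str:
    """Convert a plist on disk to XML and report the format the source had."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(to_xml(data))
    return detect_plist_format(data)


if __name__ == "__main__":
    print(detect_plist_format(SAMPLE_BINARY))   # binary
    print(to_xml(SAMPLE_BINARY).decode())       # the readable XML version
```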

Another interesting place to look for data is "/var/folders/" which contains per-user temporary files and caches. For a great post on this, check out James Renolds' blog post.

On OS X, programs are stored as bundles, which have a well-documented structure that allows plugins and changes to be made easily to runtime code. Most everything in a bundle lives under a "Contents" directory, which contains the "Info.plist"; that file can be thought of as a header describing how the bundle is put together. The bundle is divided into sections that make up the application, such as "Frameworks", "PlugIns", "Resources", and of course the binary, which usually sits in the "MacOS" section.

Lastly, I want to talk about kernel extensions, which are called KEXTs in Mac OS X. You can list the KEXTs loaded on your system by issuing the command kextstat -l. Most KEXTs are stored in "/Library/Preferences/Extensions/". Applications can even load their own specific KEXTs by using the kextload command. For more information on kernel extensions, I would refer to the official Apple documentation.
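When triaging a box, the first question about the kextstat -l listing is usually "which of these are not Apple's?". The following added example (not from the original post) parses saved kextstat output and pulls out the non-Apple bundle identifiers; the sample lines are constructed, and the column layout (Index, Refs, Address, Size, Wired, Name (Version), optional <Linked Against>) is an assumption about the kextstat format, so adjust the regex if your version prints differently.

```python
import re

# Constructed sample in the layout kextstat -l prints (assumed, see lead-in).
SAMPLE_KEXTSTAT = """\
    1   85 0xffffff7f80742000 0x8000     0x8000     com.apple.kpi.bsd (13.1.0)
   23    2 0xffffff7f8125b000 0x1c000    0x1c000    com.apple.driver.AppleUSBComposite (650.4.0) <22 4 3>
  112    0 0xffffff7f82a10000 0x5000     0x5000     com.example.vendor.driver (1.0.0) <5 4 3 1>
"""

LINE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+\((?P<version>[^)]*)\)(?:\s+<(?P<deps>[^>]*)>)?\s*$"
)


def parse_kextstat(text: str) -> list:
    """Turn kextstat lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "index": int(m["index"]),
            "refs": int(m["refs"]),
            "addr": int(m["addr"], 16),
            "size": int(m["size"], 16),
            "wired": int(m["wired"], 16),
            "name": m["name"],
            "version": m["version"],
            "deps": [int(d) for d in m["deps"].split()] if m["deps"] else [],
        })
    return entries


def third_party_kexts(entries: list, trusted_prefixes=("com.apple.",)) -> list:
    """Loaded extensions whose bundle id is outside the trusted namespaces."""
    return [e for e in entries if not e["name"].startswith(trusted_prefixes)]


if __name__ == "__main__":
    for e in third_party_kexts(parse_kextstat(SAMPLE_KEXTSTAT)):
        print(e["index"], e["name"], e["version"], hex(e["addr"]))
```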

That's it for now, ladies and gentlemen. I will be following this post up with more in-depth and robust Mac OS X forensics techniques, as many of these techniques can be circumvented by rootkits and more nefarious malware. Soon we will dive into static disk analysis and even memory analysis, so stop back soon :)