Mac OS X Live Forensics 105
Hey All! A friend recently showed me fseventer, as a visual alternative to fs_usage, discussed last time. This approach can provide way better filtering capabilities, allowing you fine grained control similar to the popular filemon tool for windows. It's a little more intense on the system, but the visuals are well worth the tradeoff, as you can quickly gain insights and make decisions much faster.
Speaking of watching key files, I've recently come across some epic files for incident response / forensic investigation. Aside from the typical history and ~/.bash_history commands, there are some really great logs OS X keeps to help with an investigation:
To get timestamps for when software is installed or updated: /var/log/install.log
To get timestamps for when the app store agent is triggered: /var/log/appstore.log
To get timestamps for connections to a specific wireless network: /var/log/wifi.log
To get timestamps for what and when things were printed: /var/log/cups/page_log
OS X’s Quarantine feature keeps a list of everything that has a quarantine bit that the user has downloaded, whether or not these files have since been removed from the system, view it with:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
But Quarantine shouldn't be relied on as all inclusive, according to a comment on a helpful macworld post: “some applications opt-in to quarantining via a key in their Info.plist, but Apple also includes in the OS a plist containing bundle identifiers of some applications (just common web browsers, last I checked) whose downloads the quarantine system automatically quarantines regardless of whether the application has opted-in itself. So if you download files with command-line tools like curl or wget or a with third-party application that isn't on Apple's list and hasn't opted-in to quarantining, then those files won't be quarantined (and won't be included in this database).”
To get epoch timestamps for download times, and also shows other things like the application that downloaded the item:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select * from LSQuarantineEvent'
Things that come from the Apple AppStore aren't Quarantined or stopped by GateKeeper due to the innate trust Apple puts into their AppStore. However, if the Application comes from the App Store, it will also come with a receipt that includes a timestamp of when it was downloaded. You can view this with the following command, specific to the application of course:
strings /Applications/[Application].app/Contents/_MASReceipt/receipt
Previously in OS X Live Forensics, I had mentioned how awesome plists were on OS X for configuration details, similar to the registry hive on Windows. However, on OS X the plists are scattered across the system, unlike the registry hive. Fortunately, we can use the Mac Intrusion Detection Analysis System aka MIDAS, to quickly assemble all of the plist locations for us. Simply download MIDAS, and run the main process as such: python ./midas/launcher.py; Next we can view all of the plists by reading the ./log/example_analyzeplist.log. This will also give us a hash for each plist, and will log if this hash changes in the future. This file integrity feature for plists and kexts will serve as invaluable for catching malicious system changes. There are also some good existing modules out there for this framework, such as this one which will give you detailed information on the users of the system. First, you will need to add a users table to the db: sqlite3 ./midas_hids.sqlite 'CREATE TABLE users(id, name, date)'; Then rerun the launcher.py script, and follow it up by reading out the ./log/analyzeusers.log. This log file shows us all users who have accessed the system at one point or another. Overall, this can be a really handy tool for seeing what has changed in a system over time, and I plan on writing some of my own modules for different IR capabilities. There is also a good article on hooking this up with OSSIM (Open Source SIEM) to run this remotely on clients and aggregate all of the logs.
Another powerful set of files for any forensics investigation are the local TimeMachine backups. TimeMachine will make local backups per day on a machine, even if the backup disk isn’t present. These are available in /.Mobilebackups/Computer/[date]/Volume/ and can provide a wealth of information about a system’s state, captured on a specific date. Often these aren't kept for more than 5 days, however there are usually many snapshots the day of, enabling more fine grained history if you can respond quick enough.
Further, while OSX let’s you secure delete out of the trash, by default TimeMachine does not secure delete when removing files, you have to “Erase Free Space” using the disk utility, after having specified to delete file backups in finder. This means you can get all kinds of things out of local backups the user may have tried to remove.
Moving forward, if you plan to run any OS X malware (which we will be getting into soon), or even really handle any at all, you should download a copy of Mavericks and run it in a virtual machine, although there are some reported difficulties in obtaining a copy if you aren't already running it. This way you won't accidentally pop or brick yourself, (which is honestly way easier to do on a Mac than on Windows), and can still dig into all of the nasty tricks and malware.
Until next time!
Speaking of watching key files, I've recently come across some epic files for incident response / forensic investigation. Aside from the typical history and ~/.bash_history commands, there are some really great logs OS X keeps to help with an investigation:
To get timestamps for when software is installed or updated: /var/log/install.log
To get timestamps for when the app store agent is triggered: /var/log/appstore.log
To get timestamps for connections to a specific wireless network: /var/log/wifi.log
To get timestamps for what and when things were printed: /var/log/cups/page_log
OS X’s Quarantine feature keeps a list of everything that has a quarantine bit that the user has downloaded, whether or not these files have since been removed from the system, view it with:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
But Quarantine shouldn't be relied on as all inclusive, according to a comment on a helpful macworld post: “some applications opt-in to quarantining via a key in their Info.plist, but Apple also includes in the OS a plist containing bundle identifiers of some applications (just common web browsers, last I checked) whose downloads the quarantine system automatically quarantines regardless of whether the application has opted-in itself. So if you download files with command-line tools like curl or wget or a with third-party application that isn't on Apple's list and hasn't opted-in to quarantining, then those files won't be quarantined (and won't be included in this database).”
To get epoch timestamps for download times, and also shows other things like the application that downloaded the item:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select * from LSQuarantineEvent'
Things that come from the Apple AppStore aren't Quarantined or stopped by GateKeeper due to the innate trust Apple puts into their AppStore. However, if the Application comes from the App Store, it will also come with a receipt that includes a timestamp of when it was downloaded. You can view this with the following command, specific to the application of course:
strings /Applications/[Application].app/Contents/_MASReceipt/receipt
Previously in OS X Live Forensics, I had mentioned how awesome plists were on OS X for configuration details, similar to the registry hive on Windows. However, on OS X the plists are scattered across the system, unlike the registry hive. Fortunately, we can use the Mac Intrusion Detection Analysis System aka MIDAS, to quickly assemble all of the plist locations for us. Simply download MIDAS, and run the main process as such: python ./midas/launcher.py; Next we can view all of the plists by reading the ./log/example_analyzeplist.log. This will also give us a hash for each plist, and will log if this hash changes in the future. This file integrity feature for plists and kexts will serve as invaluable for catching malicious system changes. There are also some good existing modules out there for this framework, such as this one which will give you detailed information on the users of the system. First, you will need to add a users table to the db: sqlite3 ./midas_hids.sqlite 'CREATE TABLE users(id, name, date)'; Then rerun the launcher.py script, and follow it up by reading out the ./log/analyzeusers.log. This log file shows us all users who have accessed the system at one point or another. Overall, this can be a really handy tool for seeing what has changed in a system over time, and I plan on writing some of my own modules for different IR capabilities. There is also a good article on hooking this up with OSSIM (Open Source SIEM) to run this remotely on clients and aggregate all of the logs.
Another powerful set of files for any forensics investigation are the local TimeMachine backups. TimeMachine will make local backups per day on a machine, even if the backup disk isn’t present. These are available in /.Mobilebackups/Computer/[date]/Volume/ and can provide a wealth of information about a system’s state, captured on a specific date. Often these aren't kept for more than 5 days, however there are usually many snapshots the day of, enabling more fine grained history if you can respond quick enough.
Further, while OSX let’s you secure delete out of the trash, by default TimeMachine does not secure delete when removing files, you have to “Erase Free Space” using the disk utility, after having specified to delete file backups in finder. This means you can get all kinds of things out of local backups the user may have tried to remove.
Moving forward, if you plan to run any OS X malware (which we will be getting into soon), or even really handle any at all, you should download a copy of Mavericks and run it in a virtual machine, although there are some reported difficulties in obtaining a copy if you aren't already running it. This way you won't accidentally pop or brick yourself, (which is honestly way easier to do on a Mac than on Windows), and can still dig into all of the nasty tricks and malware.
Until next time!