
Mac Forensic Artifacts

Below is a list of forensic artifacts for Mac devices, categorized by file location.

*This is a running list of notes gathered based on experience investigating devices. This is very much an incomplete collection of artifacts*

Epoch Time = seconds since 1/1/1970

Mac Epoch Time = seconds since 1/1/2001

Difference = 978307200 seconds

mac time + 978307200 = epoch time

  • ~/System/Library/CoreServices/
    • SystemVersion.plist
      • ProductVersion: Operating System version.
        • 10.10.x  = Yosemite
        • 10.9.x = Mavericks
        • 10.8.x = Mountain Lion
        • 10.7.x = Lion
        • 10.6.x = Snow Leopard
  • ~/Users/user/Library/Preferences
    • com.apple.finder.plist
      • FXDesktopVolumePositions – list of volume names
      • FXRecentFolders – string name for 10 most recent folders
    • com.apple.recentitems.plist
      • RecentApplications: CustomListItems contains 10 most recent applications
        • Application names
      • RecentDocuments: CustomListItems contains 10 most recent Documents
        • File names
      • RecentServers: CustomListItems contains 10 most recent connected servers
        • Server names
    • com.apple.sidebarlists.plist
      • FavoriteItems: Shares/Folders/Drives listed in “Favorites” in Finder
        • Names of items
      • FinderProjects: Tag colors
        • Red, Orange, Yellow, Green, Blue, Purple, Gray, Work, Home, Important
      • SystemItems > VolumesList: Mounted volumes
        • Volume names
    • com.apple.Safari.plist
      • DownloadsPath: Default location of downloaded files
      • HomePage: Default homepage settings
      • LastOSVersionSafariWasLaunchedOn: Version number
      • RecentSearchedStrings: recent strings searched in Address Bar
      • SuccessfulLaunchTimestamp: Last time Safari was launched successfully in Epoch time
  • ~/Users/user/Library/Safari
    • Browsing History
      • History.plist (10.9 and below)
      • History.db (10.10 and later)
        • Opened in a SQLite browser
        • History_items: Each URL visited, domain, and its associated ID #
      • History_Visits: Mac Epoch time associated with the history_item ID #
          • Need to associate history_item ID number in this table with the entry in History_items table to determine timestamps of visits
  • ~/.fseventsd
    • File system events daemon
    • System process that is responsible for handling changes to the file system
    • Writes file system event log files and monitors file system changes
    • /.fseventsd is a staging or buffer area
    • http://techblog.willshouse.com/2011/05/05/what-is-fseventsd/
  • ~/private/var/log
    • system.log
      • Logs all kernel related messages
      • Archives to compressed folders – .bz2 extensions
      • Old system log archived 12:30am local time if machine is left on at that time
      • Not comprehensive log
    • fsck_hfs.log
      • Shows disks/partitions mounted (no volume names)
      • Timestamps available (not Epoch in Plist Editor Pro)
      • e.g. /dev/rdisk3s2
    • hdieject.log
      • Limited eject notices for drives
      • can tie disks/partitions to volume names, but not for all instances
      • Timestamps available
  • ~/Library/Logs
    • DiskUtility.log
      • Individual user records for Disk Utility
      • Does not show every mount
      • Times of drives erased/renamed etc. in Disk Utility
      • Occasionally shows Volume names if logging the drive being renamed
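The two points above that trip people up most often are the Mac epoch offset and the History.db join between history_visits and history_items. The following is an added example (not code from the original notes) that does both: it converts Mac absolute time to Unix time, builds a constructed in-memory stand-in for History.db with only the columns the join needs (the real tables carry more, so treat the schema as a simplified assumption), and lists visits newest-first with human-readable UTC timestamps.

```python
import datetime as dt
import sqlite3

# Seconds between the Unix epoch (1970-01-01) and the Mac absolute-time epoch (2001-01-01), both UTC.
MAC_EPOCH_OFFSET = 978307200


def mac_to_unix(mac_time):
    """Convert a Mac absolute timestamp (seconds since 2001-01-01 UTC) to Unix epoch seconds."""
    return mac_time + MAC_EPOCH_OFFSET


def mac_to_iso(mac_time):
    """Render a Mac absolute timestamp as an ISO-8601 string in UTC."""
    when = dt.datetime.fromtimestamp(mac_to_unix(mac_time), tz=dt.timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_history_db():
    """Build an in-memory stand-in for Safari's History.db.

    Constructed sample data, not taken from a real system. Only the columns this
    example needs are modelled; the real tables carry more.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE history_items (
            id INTEGER PRIMARY KEY,
            url TEXT NOT NULL,
            domain_expansion TEXT,
            visit_count INTEGER
        );
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY,
            history_item INTEGER NOT NULL REFERENCES history_items(id),
            visit_time REAL NOT NULL,   -- Mac absolute time
            title TEXT
        );
        """
    )
    conn.executemany(
        "INSERT INTO history_items VALUES (?, ?, ?, ?)",
        [
            (1, "https://www.example.com/", "example", 2),
            (2, "https://docs.example.org/guide", "docs.example", 1),
        ],
    )
    conn.executemany(
        "INSERT INTO history_visits VALUES (?, ?, ?, ?)",
        [
            (10, 1, 441763200.0, "Example"),   # 2015-01-01 00:00:00 UTC
            (11, 2, 441763260.5, "Guide"),     # one minute later
            (12, 1, 441849600.0, "Example"),   # 2015-01-02 00:00:00 UTC
        ],
    )
    return conn


def visits_with_timestamps(conn):
    """Join each visit to its URL via history_item -> history_items.id and convert the timestamp.

    Returns (iso_utc, url, title) tuples, newest first.
    """
    rows = conn.execute(
        """
        SELECT v.visit_time, i.url, v.title
        FROM history_visits AS v
        JOIN history_items AS i ON i.id = v.history_item
        ORDER BY v.visit_time DESC
        """
    ).fetchall()
    return [(mac_to_iso(t), url, title) for t, url, title in rows]


if __name__ == "__main__":
    # Against a real copy, use sqlite3.connect("path/to/History.db") instead of the sample.
    for row in visits_with_timestamps(build_sample_history_db()):
        print(*row, sep="\t")
```

Work on a copy of the database, never the live file: Safari keeps write-ahead log files (History.db-wal, History.db-shm) beside it, and opening the original can change them.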

Bit Rap

As a stress relief, a coworker of mine and I created our own parody to “99 Problems” by Jay-Z. Enjoy.

If you’re having parity problems I feel bad for you son
I got 99 problems but a bit aint one
PING ME
 
I’ve got the right controls, on the host patrol
Those that wanna make sure my ports are closed
Bad critics find those “honeypot holes”
I’m from the web, stupid, what type of ACKs are those
I’ll throw stuff at you like my zapatos
You’ll celebrate the minute you’re DDOS’n those
I’m like “f*** APT you can kiss my whole a**hole”
If you don’t like my proxy you can just fast forward
Got beef with UDP If I don’t hear, they slow
They don’t send my data, well I don’t give a sh*t SO
You cracks can kiss my missing ACKs
Maybe I’ll acknowledge your packets for cash…hackers
I don’t know what you install me  as
Or understand the intelligence that Kazy has
I went from rags to riches like a 0 to 1
I’ve got 99 problems but a bit aint one
PING ME
 
The year is 1974 the unix epoch plus four
in my voip system the encoding… ULAW
I’ve got binary 10 choices ya’ll rate limit some or
Push all the packets with the pedal to the floor
Now I aint trying to see no bandwidth chase with AT&T
plus I gotta few routers I can fight the case
So I, talk to the provider after putting them on hold 
and I heard “son do you know what we’re blocking you for?”
“Cuz I’m young and I’m torrenting an album by All Time Low?
“Do I look like I sniff your packets sir, I don’t know”
“Am I getting a cease and desist or should I get some mo’”
“Well you was pulling down 5MB when you were only provisioned for 4
Username and password, now tell me what they are
Are you TORing your IP I know alotta you are”
“I aint stopping sh*t all my downloads legit”
“Well do you mind if I look around your drive a little bit?”
“Well my true crypt is intact and my executables are packed
and I know my rights, you’d be violating the computer abuse act”
“Well we don’t want that, you some kind of blogger or something?
Or somebody always writing about important somethings?”
“I ain’t got a wordpress but I know a little bit
enough that I’d go public with this shit”
“We’ll see how much you say when the FBI comes”
I’ve got 99 problems and now the feds are one
FIN

Gone Phishin’

No, not the band. And yes, I did spell it right. I’m talking about phishing emails. I’m sure everyone has come across at least one. Phishing emails use social engineering to try to get users to reveal personal information, such as usernames, passwords, credit card numbers, social security numbers, and other details. Releasing this information allows the bad guy to use it against you, by logging into your accounts, using your credit card information to make transactions, or maybe even stealing your identity.

Identifying Phishing Emails

There are numerous factors that can help identify phishing emails: a sense of urgency, a suspicious link, poor branding, unknown senders, and generalized references to the intended recipient(s). Let’s look at the sample below.

[Image: sample phishing email]

1. Unknown Sender: Let’s first look at the “From” message header. It looks like this email is from Fidelity, but the address it was sent from has no association with the company it is supposedly from. Regardless, the sender’s address is one the recipient does not recognize, which by itself is cause for suspicion.

*Occasionally, phishing emails will be “spoofed”. This means the email looks like it was sent from a sender you know, although it was actually sent by the bad guy, to trick you into trusting an email that appears to come from someone you know.

2. Sense of Urgency: Did you see the subject? “Alert! Urgent Action Required” Phishing emails want you to feel like you have to respond right now, and that it is a higher priority. Many times, phishing sites will only be up for a day, maybe even a few hours. By making the user feel like it’s important, the user is more likely to comply sooner rather than later.

3. Generalization: Normally, legitimate emails sent to a user will include the recipients name, whether it’s in the form of “Hey Corrie!” from a friend, or even “Dear Corrie” (or something along those lines).  Phishing emails are usually sent to numerous people all at once, making it difficult to personalize the email. Be suspicious of emails that are not addressed to you personally, but addressed to a general customer, user, or group of people.

4. The Link: At first glance, the link looks legitimate, right? Look closer. Fidelity is spelt with an e instead of an i after the F. Fidelity.com would be the legitimate site, but the link to fedelity.com is definitely suspicious. In this case, the link is presented in full within the email, making it easier for the user to see where they are heading when they click it. However, many phishing emails use hyperlinks reading “CLICK HERE” in blue, underlined text, for example, and when the user clicks it they are led to a site. Hovering your mouse over the hyperlink will display a pop-up revealing where it actually goes, as opposed to where it looks like it might lead.

5. Poor Branding: Phishing emails pretending to be sent from a company or other entity often have poor branding. Legitimate emails may have logos, contact information, or other unique identifiers that validate them. Phishing emails often won’t contain that type of branding.

Another thing to note — phishing emails may also contain attachments asking you to reply to the email with your contact information because you suddenly inherited $1,000,000 from a far-distant relative in Nigeria. If a suspicious email has any attachments, don’t open them.

Stay tuned for how to deal with phishing emails

Mac OS X Internet History

As most forensicators would agree, index.dat files are an extremely valuable Windows artifact to an investigation. These files store all sorts of internet browsing history from Internet Explorer, as well as where a user browsed within directories on the device using Windows Explorer. Even after clearing the internet history, emptying the cache, and removing cookies in Internet Explorer, the logs of where a user surfed on the internet remain stored within the file.

Even though Windows operating systems are still the most prevalent, what is the equivalent for Mac operating systems, which are quickly becoming just as popular? The sad revelation (in my mind) is that there is no exact equivalent of an index.dat file on a Mac. For Safari, internet browsing history is stored in a plist (a property list file which stores application information) within the user’s library. This plist is located at:

/username/Library/Safari/History.plist

*One commonality between index.dat files and history.plist is that they are both stored locally under the user’s profile

To view plist files, I use a program called PlistEditor Pro, which is a standalone version of the tool integrated with the Xcode 4 developer application.

Once Xcode 4 is installed, navigating to the History.plist file and double-clicking it will automatically open the file in PlistEditor. Under “WebHistoryDates” will be each entry in the browser history.

[Screenshot: History.plist opened in PlistEditor Pro]

The history.plist files are read in chronological order from the bottom to the top, meaning that the top entry (Item 0) is the most recently visited website.

Expanding each item in the history will show its contents

[Screenshot: expanded history item in PlistEditor Pro]

As you can see, the browsing history is displayed. However, by default the LastVisitedDate is displayed as a string. This can be changed by clicking “String” next to the value and selecting “Date”.

[Screenshot: changing the value type from String to Date]

By doing this for each entry, the timestamps will be converted into date/time format.

[Screenshot: timestamps shown in date/time format]
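Clicking “String” and choosing “Date” works for a handful of entries, but for a whole history file it is quicker to script the conversion. Below is an added example (not from the original post) that builds a constructed History.plist in memory, parses WebHistoryDates with the standard library, converts each lastVisitedDate from Mac absolute time, and verifies the claim that Item 0 is the most recent visit. The key layout (URL stored under the empty-string key, lastVisitedDate as a numeric string) follows the pre-10.10 Safari format as I understand it and should be treated as an assumption; the URLs and timestamps are made up.

```python
import datetime as dt
import plistlib

# Seconds between 1970-01-01 and 2001-01-01 (UTC); Safari stores Mac absolute time.
MAC_EPOCH_OFFSET = 978307200

# Constructed sample in the layout of a pre-10.10 Safari History.plist: WebHistoryDates
# holds one dictionary per entry, with the URL under the empty-string key and
# lastVisitedDate stored as a Mac absolute timestamp serialized as a string.
# The key names are an assumption about the format; the values are made up.
SAMPLE_PLIST = plistlib.dumps(
    {
        "WebHistoryFileVersion": 1,
        "WebHistoryDates": [
            {"": "https://www.example.com/account", "lastVisitedDate": "386812800", "title": "Account", "visitCount": 3},
            {"": "https://news.example.org/", "lastVisitedDate": "386726400.5", "title": "News", "visitCount": 1},
        ],
    },
    fmt=plistlib.FMT_BINARY,
)


def mac_time_to_iso(value):
    """Convert a lastVisitedDate string (seconds since 2001-01-01) to an ISO-8601 UTC string."""
    when = dt.datetime.fromtimestamp(float(value) + MAC_EPOCH_OFFSET, tz=dt.timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_history_plist(data):
    """Return (iso_utc, url, title, visit_count) tuples in the file's own order (Item 0 first)."""
    doc = plistlib.loads(data)
    entries = []
    for item in doc.get("WebHistoryDates", []):
        entries.append(
            (mac_time_to_iso(item["lastVisitedDate"]), item[""], item.get("title", ""), item.get("visitCount", 0))
        )
    return entries


def is_newest_first(entries):
    """Check the claim that Item 0 is the most recent visit: timestamps must be non-increasing."""
    stamps = [e[0] for e in entries]
    return stamps == sorted(stamps, reverse=True)


if __name__ == "__main__":
    # For a real file: parse_history_plist(open("History.plist", "rb").read())
    rows = parse_history_plist(SAMPLE_PLIST)
    print("newest first:", is_newest_first(rows))
    for row in rows:
        print(*row, sep="\t")
```

plistlib reads both binary and XML plists, so the same function works whether the file came straight off the disk image or was saved back out of the editor.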

However, one flaw (forensically speaking) of this plist file is that, unlike the index.dat files, the history.plist file gets cleared when the browsing history is cleared from Safari. Because of this, a lot of valuable data can be lost. When a user is in Safari and goes to History > Clear History (the easy way to clear browsing history), there are still some artifacts left behind that investigators can use to determine other sites that were browsed before the history was cleared. One of these artifacts is the Cache.

One method is to carve deleted browsing history from unallocated space. More details on this methodology can be found on Richard Drinkwater’s blog.

Cached entries are located at /username/Library/Caches/com.apple.Safari, where there is a Cache.db (SQL database file) and a folder called “Webpage Previews”. The Webpage Previews folder will contain snapshots of webpages that were previewed, even from before the browser history was cleared.

[Screenshots: com.apple.Safari cache folder and Webpage Previews contents]

Opening the Cache.db file is a bit different. The program I like best for opening these on a Mac is called File Juicer, which will parse this database file and display its contents, including a range of image files, HTML files, JavaScript, and text files.

[Screenshot: Cache.db contents parsed by File Juicer]

In my opinion, analyzing the web browsing history on a Mac operating system can be much more work intensive than analyzing an index.dat file, seeing as an investigator has to look in multiple places on a Mac device to find the same information that can be found in the index.dat. Learning forensics on a Windows device, I was surprised when I found out that deleted browsing history is not kept on the device normally. On the other hand, when I mentioned this topic to a coworker, he was surprised that Windows actually kept that information.

If anyone has any further guidance or comments, please feel free to post. Mac analysis is extremely new to me, but what I’ve found so far is extremely interesting.

Mandiant’s APT1 Report – Real or Fake?

Anyone in the malware/forensic/security industry has probably heard about the report released by Mandiant titled  APT1: Exposing One of China’s Cyber Espionage Units. This paper (which is incredible by the way) outlines several years of research on APT1, including their attack methods, targets, and general goals. It was only a matter of time before Mandiant’s report was a target for a new attack.

Now, we are seeing spear phishing emails taking advantage of the widespread, highly intriguing news. What better way to attack those who are interested in the topic, right? The emails identified appear to come from someone (particularly in the media) recommending the report to the user, and even attaching the document for their convenience (file names such as Mandiant.pdf and Mandiant_APT1_Report.pdf). Unfortunately, the attachment is not the actual report (gotcha!) but a malicious PDF. When a user opens it, the embedded malicious code exploits the recent Adobe vulnerability (CVE-2013-0641) to let the attackers execute code remotely on the system. In the end, the PDF drops malware. The type of malware installed depends on the version of the malicious PDF, and is classified differently by each security vendor, but either way it’s not good.

Moral of the Story

1. Do not open email attachments titled Mandiant.pdf or Mandiant_APT1_Report.pdf, or any other variation

2. Do not trust email attachments, period. Always verify the attachment is legitimate, even from a trusted sender (emails can easily be spoofed, and the amount of phishing emails these days can lead to many compromised IDs)

3. Update your Adobe software ASAP. CVE-2013-0641 is now patched with their most recent update.

4. Always keep your Anti-Virus updated (even you Mac users!). I’ve been working with SUPERAntiSpyware lately, and it’s done a wonderful job at detecting most of these recent infections.

5. Always hover. If there’s a link within the email, hover your mouse over the link before clicking it. The email may show that the link goes to www.goodsite.com, but hovering your mouse may reveal that it actually leads to www.badsite.com.

6. If you want to read the real report from Mandiant, I have linked the report within my paragraph above. If you do download any reports, check the MD5 hashes that Mandiant provided for it:

Mandiant_APT1_Report.pdf

MD5: 936FEB234F60CFBF6916BA61FBAB2781

SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip

MD5: FD103F16BBBB28162C23BE3A47371AA9

SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154
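Point 6 is worth turning into a habit rather than a one-off. The following is an added example, not from the original post, showing how to check a downloaded file against published MD5 and SHA-1 values: it hashes the file in chunks so large PDFs do not have to fit in memory, compares with a constant-time comparison, and reports each algorithm separately so a single stale hash is visible. The two published hash sets are copied from the list above; since the real reports are not available here, the runnable demonstration verifies a small constructed file against the well-known digests of the bytes "abc".

```python
import hashlib
import hmac
import os
import tempfile

# Published digests exactly as listed above for the two Mandiant downloads.
PUBLISHED = {
    "Mandiant_APT1_Report.pdf": {
        "md5": "936FEB234F60CFBF6916BA61FBAB2781",
        "sha1": "3974687624EB85CDCF1FC9CCFB68EEA052971E84",
    },
    "Mandiant_APT1_Report_Appendix.zip": {
        "md5": "FD103F16BBBB28162C23BE3A47371AA9",
        "sha1": "ABF9D09A991E56393D18433644FF0DBA907A9154",
    },
}

# Standard test-vector digests of the three bytes b"abc"; used as the "published"
# values for the constructed file so the check can be exercised offline.
ABC_DIGESTS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def digest_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Compute the requested digests of a file in a single pass, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, expected):
    """Compare a file's digests with published ones; returns {algorithm: matched}.

    Published values are often upper-case, so both sides are lower-cased before
    the constant-time comparison.
    """
    actual = digest_file(path, tuple(expected))
    return {
        name: hmac.compare_digest(actual[name].lower(), expected[name].lower())
        for name in expected
    }


def all_match(path, expected):
    """True only if every published digest matches the file."""
    return all(verify_download(path, expected).values())


def write_constructed_file(content=b"abc"):
    """Write a small constructed file so the check can run offline; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_constructed_file()
    print("constructed file vs its known digests:", verify_download(sample, ABC_DIGESTS))
    print("constructed file vs the report's digests:", verify_download(sample, PUBLISHED["Mandiant_APT1_Report.pdf"]))
    # For a real download: all_match("Mandiant_APT1_Report.pdf", PUBLISHED["Mandiant_APT1_Report.pdf"])
```

A mismatch on either algorithm means the file is not the one Mandiant published, whatever its name says; and a hash taken from the same email that delivered the attachment proves nothing, so always get the published values from the vendor’s own site.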

References: Symantec’s Blog Post

Calling all expertise

Being a good student, I have learned that while a tool is designed to automate a portion of an analysis, it’s always good to have a general understanding of how the tool is able to accomplish this. One feature of FTK that has me wondering is that, given a PST, the tool is able to determine which emails were read and which were unread. One thing I cannot find solid research on is how FTK is able to parse this information. A friend has conducted experiments around this by forensically viewing an unread message, a read message, and a message marked as unread. There are slight differences in the hex, but what do they mean?

Is there a bit somewhere in the message headers that determines this? (True/False?)

Is it a hidden setting in message headers?

Is it determined based on timestamps? (Modified/Accessed dates)

Is there a way to forensically distinguish between a message that was truly unread, or that was “mark as unread”?

If anyone has any resources or ideas, please let me know. I’d love to learn about it.

HTCIA Conference Recap

I know it’s been almost a month since the HTCIA Conference that was hosted in Hershey, PA, but life’s been busy lately. Anyways, to cut to the chase…

The HTCIA Conference was absolutely incredible. Great people, great food, great knowledge, and LOTS of chocolate!

I flew into Harrisburg Airport Sunday night, and stayed at a hotel across the street from the Hershey Lodge (where the conference was held).

Sunday night I decided to wander over to the lodge to find where I had to go to avoid confusion the following morning. Wandering the halls of the hotel, I ran into the second VP of the association, who gave me a tour of the location. He showed me where to register, where to get lab tickets, and where the lectures were generally going to be held. Either way, I say thank you to him, because he saved me a lot of stress.

So I know that I posted the lectures and labs that I signed up for (that I planned on attending), but some of those changed. They opened up additional labs on a first-come, first-served basis, so I was able to attend a couple more labs in place of lectures.

Lectures & Labs & Notes — if you can decipher my notes, bonus points for you.

Monday’s Schedule:

  • Lecture: Solid State Drives – A true game changer in computer forensics!
  • Lab: iOS Forensics in a BYOD World
  • Lab: Network Forensics – The Final Frontier (Until the Next One)

Tuesday’s Schedule:

  • Lecture: Finding Evidence in a Brave New World
  • Lab: Cerberus – Malware Triage and Analysis without the Sandbox
  • Lecture: Forensic Analysis of Malware and Intrusion Artifacts
  • Lecture: Best Practices to Smartphone Forensics

Wednesday’s Schedule:

  • Lecture: Challenges in Analyzing Full Communication Information from Mobile Devices
  • Lab: HB Gary Memory Analysis

Overall it was a great experience. Learned a lot of cool stuff that I was able to bring back to the table at home base, and got some pretty neat swag!

Cya at the HTCIA Conference

Getting ready and packing up! Headed off to Hershey, PA for the International HTCIA Conference! Here’s my schedule:

LEC – Sept 17 – Cocoa 1 – 2: LECTURE – Solid State Drives — a true Game Changer in computer forensics! (1.5 hours) – Monday 10:30 AM

LAB – Sept 17 – Crystal A – 3: LAB – iOS Forensics in a BYOD World (1.5 hours) – Monday 1:30 PM
LEC – Sept 17 – Cocoa 3 – 4: LECTURE – Emerging Threats; is Technology the Problem or the Solution? (1.5 hours) – Monday 3:30 PM

LEC – Sept 18 – Cocoa 1 – 1: LECTURE – Finding the Evidence in a Brave New World (1.5 hours) – Tuesday 08:30 AM
LAB – Sept 18 – Cocoa 4 – 2: LAB – Cerberus: Malware Triage and Analysis without the Sandbox (1.5 hours) – Tuesday 10:30 AM
LEC – Sept 18 – Cocoa 3 – 3: LECTURE – Forensic Analysis of Malware and Intrusion Artifacts (1.5 hours) – Tuesday 1:30 PM
LEC – Sept 18 – Cocoa 1 – 4: LECTURE – Best Practices to SmartPhone Forensics (1.5 hours) – Tuesday 3:30 PM

LEC – Sept 19 – Cocoa Suite Terrace -1: LECTURE – Challenges in Analyzing Full Communication Information from Mobile Devices (1.5 hours) – Wednesday 08:30 AM
LEC – Sept 19 – Cocoa 2 – 2: LECTURE – Wireless Security: Attack, Penetration & Defense (1.5 hours) – Wednesday 10:30 AM
LEC – Sept 19 – Cocoa Suite Terrace – 3: LECTURE – Investigating Internet-related digital artifacts (1.5 hours) – Wednesday 1:30 PM
LAB – Sept 19 – Cocoa 6 – 4: LAB – HB Gary Memory Analysis Lab – (BYOL) (1.5 hours) – Wednesday 3:30 PM

I’ll be updating with cool stuff I learned =)

MoVP

Volatility (in chemistry) — the property of changing readily from a solid to a vapor
Volatility (in finance) — a measure of price variation over time
Volatility (in technology field) — when memory loses its contents when the device is turned off
Volatility (in computer forensics) — an open source set of forensic tools used to extract artifacts from memory used for incident response and malware analysis
Volatility (in Corrie’s world) — being easily excited and excitable…about the next 4 weeks

This month, Volatility (the forensic kind) is starting the Month of Volatility Plugins (MoVP), releasing a new plugin every day in anticipation of the release of Volatility 2.2. According to the blog, “Each plugin will describe a brand new capability exclusive to Volatility that deals with analyzing Windows or Linux RAM dumps for malware infections or compromises.”

Sounds pretty neat. They’ve only released three new plugins so far, and already they look impressive. Take a look!

http://volatility-labs.blogspot.com/2012/09/month-of-volatility-plugins-movp.html