Wylie, Texas
lee@forensic4cast.com

Mac Forensics

Last Thursday I had the pleasure of attending the Mac Forensics F3 training day.  For those of you that do not know what F3 is, it is the ‘First Forensic Forum’.  Most digital forensic investigators in the UK are linked to this organisation in some way and they offer training days every few months.

I thought that I would quickly note some items that were shared with us before I either forget about it or lose my notes.

Imaging

This can be accomplished on either a Mac or a PC. If you’re looking to image with a Mac there are a few options to choose from but one of the best is offered by the guys over at http://macosxforensics.com.  Their Mac OS X Forensics Imager is based on libewf and offers a graphical interface to the console-driven acquisition tool.

Obviously there are the common everyday items such as DD and DCFLDD that are easily run on the Mac.

Although a write blocker is always recommended it is possible to image a drive without.  In order to do this you need to turn off ‘Disk Arbitration’. This is the process that automounts drives when they are connected to the computer.  After turning this off any newly connected drives will not be mounted. Just don’t forget to turn it back on once you’re finished otherwise you may run into some difficulty.  In order to turn this off just open Terminal and type:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitration.plist

To turn it back on type:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitration.plist

Artefacts

Spotlight Files – These maintain an index of the volume from which the file is taken.

Swap File – /private/var/vm/swapfile0

Sleepimage – This file is like the hiberfile on Windows.

Log Files – /var/log – can be opened with the Mac ‘Console’

Property Lists – Two main types: XML and Binary – plists are like the Windows registry. A plist editor is available on the Mac Developer Tools provided with a new Mac. There is also ‘Pref Setter’ (which has a nice search feature) and iPod Robot offers a plist reader for Windows.

Printing – The Mac has an inbuilt PDF printer. This doubles up as a printer spool. This means that, regardless of the printer used, a PDF is created of anything that is printed from a Mac. Once the printing is finished the PDF is released into unallocated clusters. A file carve for PDFs in unallocated space will return items printed with the Mac. These PDFs will also contain metadata providing the application used to print.  I thought that this was the most interesting part of the day. This may be worth some more investigation and a full article written.

Useful Software

PeekIt, iBored, Hex Fiend, File Juicer, Mactracker, and Firefox Add-ons – CacheViewer and SQLiteManager.

4 Responses

  1. Cybex says:

    Can you please provide a bit more detail on the PDF creation during printing? I am intrigued by the prospect, but it seems a bit outlandish to think that Mac would waste the CPU cycles on such a pointless process. Unless Mac only send PDF’s to the printer spool. If this were the case then I could see it, but it doesn’t seem like an efficient way to process print jobs. By “released into unallocated clusters”, do you mean it simply deletes the PDF? Any additional information you can provide would be greatly appreciated.

  2. lee says:

    Its just something they glossed over unfortunately. I’m trying to find the time to experiment with this a little and confirm these findings.

  3. Mike Harrison says:

    The day was meant to be a workshop instead of an in depth training day and the points I was trying to cover were about recovering deleted material not printing processes.

    I have had success with recovering printed documents and from the testing I did the OS does create a PDF of documents printed before deleting it, I am not sure at which part of the process it does this but I wanted to let people know to look for it.
    I will be doing more work on this and will try to publish my findings.
    This may seem outlandish but some simple testing will show it does happen.

    I would like to think that the day was put on to give forensic practitioners an insight in to Apple Mac forensics and show them areas to look into and allow them to then do their own research from there.

  4. lee says:

    Mike, my apologies, I didn’t mean it to come off that way at all. It is definately something I want to look into in the future. Thanks for the heads up, I’m sure many people will find it invaluable.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.