Unit - 5 - Mac Forensics
The macOS architecture consists of several key components that work together to provide a
stable, secure, and user-friendly operating system:
1. Darwin Core:
o The foundation of macOS, combining the XNU (X is Not Unix) kernel and
basic UNIX services.
o Handles memory management, process scheduling, and inter-process
communication.
2. File System:
o Supports multiple file systems, including HFS+ and APFS (the current
default).
o Facilitates data storage, retrieval, and management.
3. Frameworks:
o Software libraries providing reusable components for developers.
o Examples: Cocoa (used for macOS applications), Core Foundation, and Core
Graphics.
4. Application Layer:
o User-visible components, such as Finder, Safari, and third-party apps.
o Utilizes frameworks for graphical interfaces and services.
5. User Interface:
o Provides the desktop, Dock, and menu bar.
o Based on the Aqua graphical interface.
Introduction: HFS+ was introduced as a replacement for HFS, and was used until the
introduction of APFS.
Features:
o Journaling: Keeps a log of changes, improving reliability and recovery.
o Unicode Support: Allows filenames in various languages.
o Large File Support: Supports larger file sizes and volumes.
Structure:
o Uses a Volume Header (instead of MDB).
o File metadata is managed using Catalog Files and Extents Overflow Files.
1. Sectors 0 and 1 include boot blocks similar to the HFS boot blocks.
2. Sector 2 contains the Volume Header, which is similar to the Master Directory Block of an
HFS volume. It stores information about the volume such as the size of the allocation blocks,
timestamps, and the locations of the other volume structures like the Catalog File and the
Extents Overflow File. Because it sits at this fixed position, it can always be located there.
3. The Allocation File records which allocation blocks are free and which are in use. As in
the HFS Volume Bitmap, each allocation block is represented by one bit: zero means the block
is free, one means it is in use. Unlike the HFS Volume Bitmap, the Allocation File is stored
as a regular file and does not occupy a reserved area at the beginning of the volume, so it
need not be contiguous within the volume and its size may change.
4. Like the HFS Catalog File, the HFS+ Catalog File is a B-tree containing an entry for every
file and directory stored on the disk. The main difference is the size of the records, which
are bigger in HFS+ to accommodate more and larger fields. This can be seen in the fact that
the HFS Catalog File is just 512 bytes in size, whereas the HFS+ Catalog File is 4 KB in Mac
OS and 8 KB in Mac OS X. Unlike HFS, where the fields are fixed, the HFS+ fields are also
variable in length depending on the data they hold.
5. The Extents Overflow File is a B-tree that keeps track of the allocation blocks assigned to
each file as extents. Up to eight extents per fork are stored in the file's Catalog File
record; any further extents are kept in the Extents Overflow File. Bad blocks are also
recorded here as extents. The default sizes of this file are 1 KB and 4 KB in Mac OS and
Mac OS X respectively.
6. The Attributes File is a B-tree that exists only in HFS+. It can hold three kinds of 4 KB
records: Inline Data Attribute records, Fork Data Attribute records, and Extension Attribute
records. The table below lists the purpose of each.
7. Like the HFS Boot Blocks, the Startup File is intended for non-Mac OS systems that have no
HFS or HFS+ support.
8. The Alternate Volume Header, like the HFS Alternate Master Directory Block, is found in
the second-to-last sector of the HFS+ volume.
9. The last sector is reserved for Apple's use when manufacturing computers.
Recreating HFS Partitions
1. Unallocated Partition:
o A space on the disk not assigned to any file system.
o Commonly appears after accidental deletion or corruption of partitions.
2. Analysis Process:
o Disk Imaging: Create a raw image of the unallocated space using tools like
dd.
o Signature Search: Look for file headers or known structures to identify data
remnants.
o File Carving: Extract files without relying on the file system.
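The signature search and partition recovery described above, as an added example that is not part of the original notes: it scans a raw image for the HFS+ Volume Header (signature 'H+', or 'HX' for HFSX, in sector 2 of the volume), decodes the block size, block count, timestamps and Catalog File location from the big-endian layout documented in Apple TN1150, and confirms the recovered volume size against the Alternate Volume Header in the second-to-last sector. The test image is constructed inline; the field offsets are from TN1150, and the plausibility checks are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ dates are seconds since 1904-01-01

def parse_volume_header(buf: bytes) -> dict:
    """Decode a 512-byte HFS+ Volume Header (big-endian layout from Apple TN1150)."""
    sig, version = struct.unpack_from(">2sH", buf, 0)
    create, modify = struct.unpack_from(">II", buf, 16)      # createDate is local time, modifyDate UTC
    blk_size, total, free = struct.unpack_from(">8xIII", buf, 32)  # skips fileCount and folderCount
    # Catalog File fork data at offset 272: logicalSize, clumpSize, totalBlocks, then extent[0]
    cat_size, cat_start, cat_count = struct.unpack_from(">Q8xII", buf, 272)
    return {"signature": sig, "version": version, "block_size": blk_size, "total_blocks": total,
            "free_blocks": free, "catalog_bytes": cat_size, "catalog_extent0": (cat_start, cat_count),
            "created": (HFS_EPOCH + timedelta(seconds=create)).isoformat(),
            "modified": (HFS_EPOCH + timedelta(seconds=modify)).isoformat()}

def looks_valid(h: dict) -> bool:
    """Weed out stray 'H+' byte pairs: version 4 (HFS+) or 5 (HFSX), power-of-two block size >= 512."""
    bs = h["block_size"]
    return (h["signature"] in (b"H+", b"HX") and h["version"] in (4, 5)
            and bs >= 512 and bs & (bs - 1) == 0 and 0 < h["total_blocks"] >= h["free_blocks"])

def find_hfsplus_volumes(image: bytes, sector: int = 512) -> list:
    """Signature-search a raw image for Volume Headers; returns (volume start, length, header) per hit."""
    found = []
    for off in range(1024, len(image) - 511, sector):
        if found and off < found[-1][0] + found[-1][1]:
            continue  # inside a volume already recovered (this also skips its alternate header)
        if image[off:off + 2] not in (b"H+", b"HX"):
            continue
        h = parse_volume_header(image[off:off + 512])
        if not looks_valid(h):
            continue
        start, length = off - 1024, h["block_size"] * h["total_blocks"]  # sectors 0-1 are boot blocks
        alt = image[start + length - 1024:start + length - 512]  # second-to-last sector of the volume
        h["alt_header_matches"] = alt[:2] == h["signature"]
        found.append((start, length, h))
    return found

def build_sample_image() -> bytes:
    """Constructed image: 4 KiB of wiped partition table, then a 1 MiB HFS+ volume with 4 KiB blocks."""
    blk, total, hdr = 4096, 256, bytearray(512)
    struct.pack_into(">2sH", hdr, 0, b"H+", 4)
    struct.pack_into(">II", hdr, 16, 3_700_000_000, 3_700_000_100)
    struct.pack_into(">IIIII", hdr, 32, 12, 3, blk, total, 200)
    struct.pack_into(">QIIII", hdr, 272, 8 * blk, blk, 8, 16, 8)  # Catalog File: 8 blocks at block 16
    vol = bytearray(blk * total)
    vol[1024:1536] = vol[-1024:-512] = hdr  # Volume Header in sector 2, alternate in second-to-last
    return b"\xff" * 4096 + bytes(vol)
```

On a real image, a header whose alternate copy does not match usually means the volume was resized or truncated after the header was last written, so the computed length should not be trusted for carving.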
1. System Logs:
o Contain information about system-level events and kernel messages.
o Found in /var/log or accessed through the Console app.
2. Application Logs:
o Generated by individual applications.
o Stored in application-specific directories.
3. Security Logs:
o Record security-related events, such as user authentications.
o Managed by the syslog and unified logging system.
Key Artefacts:
1. User Activities:
o Login/logout events.
o File and application accesses.
2. User/Application Configurations:
o Preference files (.plist) in ~/Library/Preferences/.
3. Attached Devices:
o Connection history of external devices like USB drives.
o Found in logs such as system.log.
4. Shared Locations:
o Access records for network drives and shared folders.
5. Recently Accessed Documents and Programs:
o Tracked in Recent Items (~/Library/Application Support/).
6. Installed Applications:
o Metadata and installation history located in ~/Applications/ or /Applications/.
1. Forensic Tools:
o Autopsy: Open-source tool for file system and log analysis.
o BlackBag: Specialized macOS forensic suite.
o Digital Collector
o FTK Imager
2. Command Line:
o log show: View macOS unified logs.
o fsck_hfs: Check and repair HFS+ volumes.
3. Visualization:
o Use graphical log analyzers to correlate events across time.
Application Logs:
\Users\<username>\Library\Application Support\
<application name>; this stores configuration, logs, and preference files for an application
CrashReporter; this is the directory where crash logs are stored, and keeps track of when
an application has crashed and why (although, sometimes, the errors are quite generic —
who’s surprised?).
A quick note: CrashReporter logs (and many other artefacts) are most likely going to have the
extension .plist, which are also known as property lists. Sometimes they are binary files, so a
neat way to view these on a Mac is to select the file and hit the spacebar.
\Users\<username>\Library\Launch Agents\
Applications listed in this directory are launched each time the computer boots, similar to
\Users\<username>\Library\Safari\
History.db; this can be viewed with the free version of “DB Browser for SQLite”, as
shown below. The main table you want to look at here is history_items, which lists the URLs
viewed within this browser and how many times each was visited. ‘History_visits’ only
shows the title of the webpage and the time it was accessed.
\Users\<username>\Caches\Metadata\Safari\
History; this directory is full of .webhistory and .bplist files, which I view with the ‘cat’
command; you might find some URLs here that could be useful in
an investigation.
Bookmarks; much the same as History, however these are .webbookmark files.
\Users\<username>\Library\Application Support\Firefox\Profiles
places.sqlite; this is a database file that can be viewed with DB Browser. Tables of
interest include -
‘moz_places’ is the list of URLs viewed in the Firefox browser.
\Users\<username>\Library\Application Support\Google\Chrome\Default
‘urls’ is the user’s browser history with the url and title of the site visited
‘visits’ also shows you the number of times the user visited a particular URL, and how
\Users\<username>\Library\Internet Plug-Ins
Profiles\*\extensions.json.
Extensions.
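The Safari History.db join described above, plus the timestamp conversion needed for all three browsers, as an added example that is not from the original notes. The SQL uses the history_items and history_visits tables named in the text; the sample database is constructed in memory with only the columns the query needs, and the epoch constants (Cocoa seconds since 2001 for Safari, WebKit microseconds since 1601 for Chrome, PRTime microseconds since 1970 for Firefox) are the conversions this example applies to visit_time and visit_date.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Each browser counts time from its own epoch; converting to UTC is the step that most often goes
# wrong when browser history is lined up against system logs. All three are UTC-based.
EPOCHS = {
    "safari": (datetime(2001, 1, 1, tzinfo=timezone.utc), 1),           # seconds since 2001 (Cocoa)
    "chrome": (datetime(1601, 1, 1, tzinfo=timezone.utc), 1_000_000),   # microseconds since 1601 (WebKit)
    "firefox": (datetime(1970, 1, 1, tzinfo=timezone.utc), 1_000_000),  # microseconds since 1970 (PRTime)
}

def to_utc(browser: str, raw: float) -> datetime:
    epoch, units_per_second = EPOCHS[browser]
    return epoch + timedelta(seconds=raw / units_per_second)

# Safari's History.db: history_items holds the URL and total visit count, history_visits holds one
# row per visit with the page title and the Cocoa timestamp. Joining them gives a visit timeline.
SAFARI_TIMELINE = """
SELECT i.url, v.title, i.visit_count, v.visit_time
FROM history_visits v JOIN history_items i ON v.history_item = i.id
ORDER BY v.visit_time"""

def safari_timeline(conn: sqlite3.Connection) -> list:
    """Return (url, title, visit_count, ISO-8601 UTC time) rows from an open History.db, oldest first."""
    return [(url, title, count, to_utc("safari", t).isoformat())
            for url, title, count, t in conn.execute(SAFARI_TIMELINE)]

def build_sample_history() -> sqlite3.Connection:
    """Constructed sample History.db (only the columns used above), not data from a real Mac."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (history_item INTEGER, title TEXT, visit_time REAL);
        INSERT INTO history_items VALUES (1, 'https://example.org/login', 2);
        INSERT INTO history_items VALUES (2, 'https://example.org/docs', 1);
        INSERT INTO history_visits VALUES (2, 'Docs', 730987200.0);      -- 2024-03-01 12:00:00 UTC
        INSERT INTO history_visits VALUES (1, 'Sign in', 730987260.5);   -- 60.5 s later
        INSERT INTO history_visits VALUES (1, 'Sign in', 730900800.0);   -- one day earlier
    """)
    return conn

if __name__ == "__main__":
    for row in safari_timeline(build_sample_history()):
        print(*row)
```

For Chrome's History (urls joined to visits on visits.url = urls.id) and Firefox's places.sqlite (moz_places joined to moz_historyvisits on place_id), the same pattern applies with to_utc("chrome", visit_time) and to_utc("firefox", visit_date).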
System Logs:
\private\var\log\asl
These are Apple System Logs, and are generally thought of as a replacement for syslog. You
\private\var\log\install.log
This log contains a list of applications that have been installed onto the machine.
For networking:
Library\Preferences\SystemConfiguration
com.apple.airport.preferences.plist contains all of the remembered wireless networks for
the machine
NetworkInterfaces.plist.