2014.11.15 03:49

MAC FORENSICS - STEP BY STEP


http://sumuri.com/wp-content/uploads/2014/08/SUMURI-Macintosh-Forensics-Best-Practices.pdf?69e6e2




Disclaimer: As with every new procedure, hardware and software you must do your own validation and testing before working on true evidence.


These best practices are summarized from SUMURI’s Macintosh Forensic Survival Course - Level 1 which is a vendor-neutral training course taught to law enforcement, government and corporate examiners worldwide.


More information about SUMURI can be found at - www.SUMURI.com


 STEP-1: 

 PRE-SEARCH INTELLIGENCE


Find out as much as you can about your target:

• Number and types of Macs (Macbook, iMac or Mac Pro). 

• Operating System Versions. 

 STEP-2:

 ISOLATE


Assign one trained Digital Evidence Collection Specialist to handle the computers. Prohibit anyone else from handling the devices.

 STEP-3:

 IF COMPUTER IS ON - SCREEN SAVER PASSWORD ACTIVE


Options are:

  • Ask for the Password - Attempt password and proceed to Step-5.

  • Hard Shutdown - Hold the power button down until the system turns off. Hope that the hard drive is not encrypted. Proceed to Step-11.

  • Restart to Image RAM - Connect a RAM Imaging Utility to the Mac. Power off the system and restart as fast as possible and image the RAM. Hard Shutdown the system once RAM Imaging is complete.

 STEP-4:

 COMPUTER IS OFF


Collect the computer using best practices for collection of electronic evidence. Prepare for imaging (refer to Step-11).

 STEP-5:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - DESTRUCTIVE PROCESSES


Look for signs of destructive processes such as wiping utilities, erasing free space, etc. If destructive processes are running, options are:

• Attempt to stop the destructive process. 

• Hard Shutdown.

 STEP-6:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - IMAGE RAM


Image RAM using a tool that supports the running Mac OS X version.

 STEP-7:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - COLLECT VOLATILE INFORMATION


Using YOUR trusted and validated tools (not the live computer’s tools) collect Volatile Data such as running processes, network connections, unsaved documents.

 STEP-8:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - CHECK FOR HIDDEN DESKTOPS


Check for running virtual machines and multiple desktops.

If a Virtual Machine is found running, follow the best practices for responding to a live system.

 STEP-9:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - CHECK FOR ENCRYPTION


When the user is logged in - mounted encrypted volumes are accessible.

Check to see if mounted volumes are encrypted. If encrypted, copy the data from the encrypted volumes to an HFS formatted volume to preserve metadata.

Using System Preferences -> Security and Privacy -> FileVault, check to see if FileVault is ON or OFF. If found ON, copy the data from the encrypted home directory to an HFS formatted volume to preserve metadata.

 STEP-10:

 COMPUTER IS ON - DESKTOP IS ACCESSIBLE - SHUTDOWN


Once you have completed collecting your data, perform a hard shutdown.

 STEP-11:

 OBTAINING SYSTEM DATE AND TIME


With the system OFF, power on the system holding down the Option/ALT key to check for the presence of a Firmware Password (boot level password). If you do not see a lock, power off the system by holding down the power key.

Power on the system again this time holding the (Command + S) keys. Once you see text you can let go. This is Single User Mode.

At the command prompt type: date

Power off the system by holding down the power key until the system turns off.

 STEP-12:

 IMAGING - NON-FUSION DRIVE


Image the Mac using PALADIN or other tool of choice.

• DMG format - for mounting on a Mac.
• Ex01 format - for Windows forensic tools.

 STEP-13:

 IMAGING - FUSION DRIVE


Fusion Drives are seen by most tools as two separate drives. Fusion Drives must be imaged using a Mac so that the two separate disks are seen as a single disk.

• Image manually by turning off Disk Arbitration on your forensic Mac. 

• Put the Suspect Mac into Target Disk Mode (Command + T).
• Connect to the Forensic Mac with a Thunderbolt cable.
• Image using command line tools such as DC3DD or DCFLDD.
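The manual Fusion Drive acquisition above, written out as a shell script for the forensic Mac. This is an added example, not SUMURI's code; it assumes the suspect Mac is in Target Disk Mode over Thunderbolt, dc3dd is installed, and DEVICE names the CoreStorage logical volume node that the Mac assembles from the two physical disks. The independent re-hash in verify_image is our own addition on top of dc3dd's built-in hashing.

```shell
#!/bin/sh
# Added example, not SUMURI's code: manual Fusion Drive imaging from a forensic Mac.
# Assumptions: suspect Mac in Target Disk Mode over Thunderbolt, dc3dd installed, and
# DEVICE names the CoreStorage logical volume node the Mac assembles from the two
# physical disks ("diskutil list" shows it). Run as root when imaging a real device.
set -eu

# "unload" stops diskarbitrationd so the forensic Mac never auto-mounts the suspect
# disks; "load" restores normal mounting after acquisition.
disk_arbitration() {
    launchctl "$1" /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
}

# Image a raw device with dc3dd, hashing the input as it is read and logging the run.
# $1 = device node, $2 = output image path, $3 = log path
image_device() {
    dc3dd if="$1" of="$2" hash=sha256 log="$3"
}

# Portable SHA-256 (sha256sum on Linux/PALADIN, shasum on macOS); prints only the digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Independently re-hash source and image; returns 0 on match, 1 on mismatch.
verify_image() {
    src=$(sha256_of "$1")
    img=$(sha256_of "$2")
    if [ "$src" = "$img" ]; then
        echo "match $src"
        return 0
    fi
    echo "mismatch source=$src image=$img"
    return 1
}

# Full Step-13 workflow, run only when both variables are supplied, e.g.
#   sudo env DEVICE=/dev/rdisk3 IMAGE=/Volumes/Evidence/fusion.dd sh image_fusion.sh
if [ -n "${DEVICE:-}" ] && [ -n "${IMAGE:-}" ]; then
    disk_arbitration unload
    image_device "$DEVICE" "$IMAGE" "$IMAGE.log"
    verify_image "$DEVICE" "$IMAGE"
    disk_arbitration load
fi
```

A verification mismatch aborts the script before disk arbitration is re-enabled, so the suspect disks stay unmounted until the examiner decides how to proceed.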

 STEP-14:

 MOUNTING FORENSIC IMAGE (DMG) - LOCK IMAGE


Using (Command + I) “lock” the forensic image.

 STEP-15:

 MOUNTING FORENSIC IMAGE (DMG) - MOUNTING


Locked forensic images on the Mac must be mounted using a shadow file. Example: hdiutil attach -noverify -noautofsck IMAGE.DMG -shadow

 STEP-16:

 INDEXING


To use Spotlight to search the forensic image you must enable indexing of the mounted volume.

Example: mdutil -i on replace_with_volume_name
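Steps 14 to 16 chained from the command line on the forensic Mac, as an added example that is not part of the SUMURI document. It assumes macOS with hdiutil and mdutil, that IMAGE_DMG is the forensic image path, and that the shadow file sits next to the image as IMAGE.DMG.shadow (our own naming convention); chflags uchg is used in place of the Finder's Command + I lock.

```shell
#!/bin/sh
# Added example, not SUMURI's code: Steps 14-16 from the command line on a forensic Mac.
# Assumptions: macOS with hdiutil and mdutil; IMAGE_DMG is the forensic image path; the
# shadow file lives next to the image as IMAGE.DMG.shadow (our own convention).
set -eu

# Shadow file that absorbs every write, so the locked image itself is never modified.
shadow_path_for() {
    echo "$1.shadow"
}

# Step-14: lock the image. chflags uchg sets the same immutable flag as the Finder's
# "Locked" checkbox reached via Command + I; "ls -lO" shows it.
lock_image() {
    chflags uchg "$1"
}

# Step-15: attach the locked image with writes redirected to the shadow file, without
# verification or automatic fsck. Prints the mount point from hdiutil's last output line
# (assumes a volume name without spaces).
mount_locked_image() {
    hdiutil attach -noverify -noautofsck -shadow "$(shadow_path_for "$1")" "$1" \
        | awk 'END { print $NF }'
}

# Step-16: turn on Spotlight indexing so Finder searches (Step-17) cover the volume.
enable_indexing() {
    mdutil -i on "$1"
}

# Usage: IMAGE_DMG=/Volumes/Evidence/IMAGE.DMG sh mount_image.sh
if [ -n "${IMAGE_DMG:-}" ]; then
    lock_image "$IMAGE_DMG"
    vol=$(mount_locked_image "$IMAGE_DMG")
    enable_indexing "$vol"
    echo "mounted at $vol with shadow $(shadow_path_for "$IMAGE_DMG"); indexing enabled"
fi
```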

 STEP-17:

 INDEX SEARCHES


Navigate with the Finder to the directory or volume you would like to search. Begin searching using the Spotlight Search Bar in the Finder window.

Isolate the search to the directory you are interested in and use filters to find data.

 STEP-18:

 REPORTING OPTIONS - SCREEN CAPTURES


• Full Screen Capture - (Command + Shift + 3)
• Area Screen Capture - (Command + Shift + 4)
• Window Screen Capture - (Command + Shift + 4 + Spacebar)

 STEP-19:

 REPORTING OPTIONS - PRINT TO PDF


Use (Command + P) to print. Use the Option “Save to PDF”.

 STEP-20:

 REPORTING OPTIONS - COPY OVER PROCEDURE

  • Must use same version of Mac OS X as the forensic image. Allows the user to view the data in a native format.

  • Create a new user account on your Forensic Mac (needs to be an Admin user).

  • Copy out suspect Application artifacts to an external drive.

  • Switch to the new user account. Replace the new user Application data with the suspect’s Application artifacts.

  • Launch each application of interest and document via PDF printing or screen captures.

  • When native reporting is complete, log out of the new user account and log into your forensic account.

  • Remove the new user account via System Preferences. You have the option to Archive the new user account or delete using Secure Erase.


For an All-In-One Automated Mac Forensic Solution to analyze both forensic images and Live Systems, please contact SUMURI about RECON for Mac OS X





