MAC FORENSICS - STEP BY STEP
Disclaimer: As with every new procedure, hardware and software you must do your own validation and testing before working on true evidence.
These best practices are summarized from SUMURI’s Macintosh Forensic Survival Course - Level 1 which is a vendor-neutral training course taught to law enforcement, government and corporate examiners worldwide.
More information about SUMURI can be found at - www.SUMURI.com
Find out as much as you can about your target:
• Number and types of Macs (Macbook, iMac or Mac Pro).
• Operating System Versions.
Assign one trained Digital Evidence Collection Specialist to handle the computers. Prohibit anyone else from handling the devices.
IF COMPUTER IS ON - SCREEN SAVER PASSWORD ACTIVE
COMPUTER IS OFF
Collect the computer using best practices for collection of electronic evidence. Prepare for imaging (refer to Step-11).
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - DESTRUCTIVE PROCESSES
Look for signs of destructive processes such as wiping utilities, erasing free space, etc. If destructive processes are running, options are:
• Attempt to stop the destructive process.
• Hard Shutdown.
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - IMAGE RAM
Image RAM using a tool that supports the running Mac OS X version.
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - COLLECT VOLATILE INFORMATION
Using YOUR trusted and validated tools (not the live computer’s tools) collect Volatile Data such as running processes, network connections, unsaved documents.
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - CHECK FOR HIDDEN DESKTOPS
Check for running virtual machines and multiple desktops.
If a Virtual Machine is found running, follow the best practices for responding to a live system.
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - CHECK FOR ENCRYPTION
When the user is logged in - mounted encrypted volumes are accessible.
Check to see if mounted volumes are encrypted. If encrypted, copy the data from the encrypted volumes to an HFS formatted volume to preserve metadata.
Using System Preferences -> Security and Privacy -> FileVault, check to see if FileVault is ON or OFF. If found ON, copy the data from the encrypted home directory to an HFS formatted volume to preserve metadata.
COMPUTER IS ON - DESKTOP IS ACCESSIBLE - SHUTDOWN
Once you have completed collecting your data, perform a hard shutdown.
OBTAINING SYSTEM DATE AND TIME
With the system OFF, power on the system holding down the Option/ALT key to check for the presence of a Firmware Password (boot level password). If you do not see a lock, power off the system by holding down the power key.
Power on the system again this time holding the (Command + S) keys. Once you see text you can let go. This is Single User Mode.
At the command prompt type: date
IMAGING - NON-FUSION DRIVE
Image the Mac using PALADIN or other tool of choice.
• DMG format - for mounting on a Mac
IMAGING - FUSION DRIVE
Fusion Drives are seen by most tools as two separate drives. Fusion Drives must be imaged using a Mac so that the two separate disks are seen as a single disk.
• Image manually by turning off Disk Arbitration on your forensic Mac.
• Put the Suspect Mac into Target Disk Mode (Command + T).
MOUNTING FORENSIC IMAGE (DMG) - LOCK IMAGE
Using (Command + I) “lock” the forensic image.
MOUNTING FORENSIC IMAGE (DMG) - MOUNTING
Locked forensic images on the Mac must be mounted using a shadow file. Example: hdiutil attach -noverify -noautofsck IMAGE.DMG -shadow
To use Spotlight to search the forensic image you must enable indexing of the mounted volume.
Example: mdutil -i on replace_with_volume_name
Navigate with the Finder to the directory or volume you would like to search. Begin searching using the Spotlight Search Bar in the Finder window.
Isolate the search to the directory you are interested in and use filters to find data.
REPORTING OPTIONS - SCREEN CAPTURES
• Full Screen Capture - (Command + Shift + 3)
REPORTING OPTIONS - PRINT TO PDF
Use (Command + P) to print. Use the Option “Save to PDF”.
REPORTING OPTIONS - COPY OVER PROCEDURE
For an All-In-One Automated Mac Forensic Solution to analyze both forensic images and Live Systems, please contact SUMURI about RECON for Mac OS X.