Documentation - jjarava/mac-osx-forensics GitHub Wiki

Mac OS X Forensics tools

These parsers come from my MSc project at Royal Holloway, University of London (2013-2014).

These tools are intended for development purposes only. The fully documented and properly implemented versions are going into PLASO:

Web Project: http://plaso.kiddaland.net/
Plaso Source Code: https://code.google.com/p/plaso/

Installation

To parse the binary structures I used the Python library Construct, and for binary plists the library binplist. Neither is installed by default (Mac OS X or Linux):
$ sudo easy_install construct
$ sudo easy_install binplist

Binary files

  • asl.py: Apple System Log parser (/private/var/log/asl).
  • bsm.py: Basic Security Module audit trail parser (/private/var/audit/).
  • kcpass.py: Decrypts the password stored in /etc/kcpassword when automatic login is enabled.
  • utmpx.py: UTMPX session file parser (/private/var/run/utmpx).
  • cups_ipp.py: CUPS IPP control file parser.
  • plist_artifacts.py: Parses a group of plist files that contain timestamp values.
  • plist_user.py: Mac OS X 10.8 and 10.9 user plist files.

Checking the tools

Using the tools.


UTMPX

On a live system:

$ python utmpx.py

On a non-live system (against a copied utmpx file):

$ python utmpx.py utmpx utmpx_file

Output example:

   UTMPX File: [utmpx]

Header:
ID: 10
UptimeTime: Wed, 13 Nov 2013 17:52:34 +0000 (1384365154)

Entry: 1
* User: moxilo
* Terminal: console
* Hostname: localhost
* Status: USER_PROCESS (0x07)
* Timestamp: Wed, 13 Nov 2013 17:52:41 +0000 (1384365161)
------------------------------
Entry: 2
* User: moxilo
* Terminal: ttys000
* Hostname: localhost
* Status: USER_PROCESS (0x07)
* Timestamp: Thu, 14 Nov 2013 03:47:22 +0000 (1384400842)
------------------------------
Entry: 3
* User: moxilo
* Terminal: ttys003
* Hostname: localhost
* Status: DEAD_PROCESS (0x08)
* Timestamp: Thu, 14 Nov 2013 03:37:14 +0000 (1384400234)
------------------------------
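
The record layout that utmpx.py reads, as an added example that is not part of this project's code: a standalone parser for the 628-byte on-disk utmpx record (the utmpx32 layout Darwin's Libc writes, little-endian on Intel Macs) that also flags trailing bytes and a missing signature header, which point to a truncated or edited file. The sample file is constructed to mirror the output above; its pid values and header string are assumptions, not captured data.

```python
import struct
from datetime import datetime, timezone

# On-disk utmpx record as written by Darwin's Libc (utmpx32 layout, 628 bytes, LE):
# user[256] id[4] line[32] pid:u32 type:u16 pad:u16 tv_sec:u32 tv_usec:u32 host[256] pad[64]
UTMPX_RECORD = struct.Struct("<256s4s32sIHHII256s64x")
# Entry types; record 0 is the SIGNATURE header and its time is the boot time ("UptimeTime").
UT_TYPE = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME",
           4: "NEW_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
           7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING",
           10: "SIGNATURE", 11: "SHUTDOWN_TIME"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")

def _fmt(sec):
    return datetime.fromtimestamp(sec, timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S +0000")

def parse_utmpx(data):
    """Return (records, warnings); trailing bytes or a missing SIGNATURE
    header are reported because both point to a truncated or edited file."""
    n, trailing = divmod(len(data), UTMPX_RECORD.size)
    records = []
    for i in range(n):
        (user, _id, line, pid, ut_type, _pad, sec, _usec,
         host) = UTMPX_RECORD.unpack_from(data, i * UTMPX_RECORD.size)
        records.append({"user": _cstr(user), "line": _cstr(line),
                        "host": _cstr(host), "pid": pid, "epoch": sec,
                        "type": UT_TYPE.get(ut_type, "UNKNOWN(%d)" % ut_type),
                        "time": _fmt(sec)})
    warnings = []
    if trailing:
        warnings.append("%d trailing bytes: not a whole number of records" % trailing)
    if not records or records[0]["type"] != "SIGNATURE":
        warnings.append("first record is not the SIGNATURE header")
    return records, warnings

def make_record(user, line, host, pid, ut_type, sec):
    """Build one record of constructed test data (not captured from a Mac)."""
    return UTMPX_RECORD.pack(user.encode(), b"\x00" * 4, line.encode(), pid,
                             ut_type, 0, sec, 0, host.encode())

# Constructed sample mirroring the output above: header, console login and a
# closed ttys003 session (a DEAD_PROCESS is normal for a logged-out tty).
SAMPLE = (make_record("utmpx-1.00", "", "", 0, 10, 1384365154)
          + make_record("moxilo", "console", "localhost", 57, 7, 1384365161)
          + make_record("moxilo", "ttys003", "localhost", 3114, 8, 1384400234))
```

Run `parse_utmpx(open("utmpx", "rb").read())` on a copied file; the first record is the header and the remaining ones are the session entries shown above.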

Basic security module

Parsing all the files:

$ for i in `ls logs`; do python bsm.py logs/$i; done

Output example:

Parsing BSM file [logs/20131102040419.20131103031511].

Event: 1
* ID: 59
* Event Type: audit startup (45000)
* Modifier: 0
* Time: 2013-11-02 04:04:19 (1383365059.132)
* Text: launchctl::Audit startup
* Exit SUCCESS(0), Return value 0
* Trailer: 59
-------------------------------
Event: 2
* ID: 88
* Event Type: SecSrvr AuthEngine (45025)
* Modifier: 0
* Time: 2013-11-02 04:04:23 (1383365063.743)
* Subject: aid(4294967295), euid(0), egid(0), uid(0), gid(0), pid(11), session_id(100000)
* Text: begin evaluation
* Exit SUCCESS(0), Return value 0
* Trailer: 88
-------------------------------
Event: 3
* ID: 160
* Event Type: SecSrvr AuthEngine (45025)
* Modifier: 0
* Time: 2013-11-02 04:04:23 (1383365063.745)
* Subject: aid(4294967295), euid(0), egid(0), uid(0), gid(0), pid(11), session_id(100000)
* Text: com.apple.ServiceManagement.daemons.modify
* Text: com.apple.ServiceManagement.daemons.modify
...

To search for parsing errors (please report any you find):

$ for i in `ls logs`; do python bsm.py logs/$i | grep "ERROR\|WARNING"; done | more
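
As an added example (not the project's bsm.py), a minimal decoder for the OpenBSM tokens that appear in the output above: header32, subject32, text, return32 and trailer, using the big-endian layouts of the OpenBSM on-disk format; the event name map holds only the one event from the output, and the sample record is constructed to reproduce event 1, whose 59-byte length matches the ID and Trailer values printed above.

```python
import struct
from datetime import datetime, timezone

# OpenBSM token ids and trailer magic (big-endian on-disk format) for the tokens shown above.
AUT_HEADER32, AUT_TRAILER, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT, TRAILER_MAGIC = 0x14, 0x13, 0x24, 0x27, 0x28, 0xB105
EVENT_NAMES = {45000: "audit startup"}  # from the output above; the full map is the audit_event file
SUBJECT_FIELDS = ("aid", "euid", "egid", "uid", "gid", "pid", "session_id")

def parse_record(data, offset=0):
    """Decode one BSM record at offset; return (record, offset of the next record)."""
    tok, length, _ver, ev, modifier, sec, msec = struct.unpack_from(">BIBHHII", data, offset)
    if tok != AUT_HEADER32:
        raise ValueError("no header32 token at offset %d (0x%02x)" % (offset, tok))
    end = offset + length
    when = datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    rec = {"length": length, "event_type": ev, "event_name": EVENT_NAMES.get(ev, "unknown"),
           "modifier": modifier, "time": "%s (%d.%03d)" % (when, sec, msec),
           "subject": None, "text": [], "return": None, "trailer_ok": False}
    pos = offset + 18  # size of header32
    while pos < end:
        tok = data[pos]
        if tok == AUT_SUBJECT32:  # 9 x u32: auid euid egid ruid rgid pid sid tid.port tid.addr
            rec["subject"] = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", data, pos + 1)))
            pos += 37
        elif tok == AUT_TEXT:  # u16 length (includes the NUL) + text
            (tlen,) = struct.unpack_from(">H", data, pos + 1)
            rec["text"].append(data[pos + 3:pos + 3 + tlen].rstrip(b"\x00").decode("utf-8", "replace"))
            pos += 3 + tlen
        elif tok == AUT_RETURN32:  # u8 errno, u32 return value
            err, val = struct.unpack_from(">BI", data, pos + 1)
            rec["return"] = ("SUCCESS" if err == 0 else "FAILURE(%d)" % err, val)
            pos += 6
        elif tok == AUT_TRAILER:  # u16 magic, u32 record length (must match the header)
            magic, count = struct.unpack_from(">HI", data, pos + 1)
            rec["trailer_ok"] = magic == TRAILER_MAGIC and count == length
            pos += 7
        else:  # unknown token of unknown size: stop and resume at the record boundary
            break
    return rec, end

def build_record(ev, sec, msec, text, subject=None):
    """Assemble a constructed record (test data, not captured from a Mac)."""
    body = struct.pack(">B9I", AUT_SUBJECT32, *subject) if subject else b""
    body += struct.pack(">BH", AUT_TEXT, len(text) + 1) + text.encode() + b"\x00"
    body += struct.pack(">BBI", AUT_RETURN32, 0, 0)
    length = 18 + len(body) + 7
    return (struct.pack(">BIBHHII", AUT_HEADER32, length, 11, ev, 0, sec, msec)
            + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, length))
# Constructed sample: the "audit startup" event from the output above (59 bytes).
SAMPLE = build_record(45000, 1383365059, 132, "launchctl::Audit startup")
```

A record whose trailer magic or length does not match its header (`trailer_ok` false) is the first thing to check when the WARNING grep above fires, since the trailer is what lets a parser resynchronise in a damaged trail.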

Binary Apple System Log

You need to copy the ASL files:

$ mkdir logs
$ sudo cp /private/var/log/asl/* logs/
$ sudo chown your_user logs/*

Parsing all ASL files:

$ for i in `ls logs`; do python asl.py logs/$i; done

Output example:

ASL Header:
Version: 2
Timestamp: 1385252161
FirstRecord: 0xd3
LastRecord: 0x611be

Record in: 0xd3
* Next record in: 0x1c4
* ASLMessageID: 95820
* Timestamp: 2013-11-24 00:16:00 (1385252160)
* Level: NOTICE (5), PID: 72
* UID: 0, GID: 0, Read_GID: 80
* Host: DarkTemplar-2.local
* Sender: hidd
* Facility: user
* Message: MultitouchHID: device bootloaded
* Sender_Mach_UUID: E1D2C14B-1147-3219-9D2D-E4699F159A2F
------------------------------------------------------
Record in: 0x1c4
* Next record in: 0x2bb
* ASLMessageID: 95828
* Timestamp: 2013-11-24 00:16:00 (1385252160)
* Level: NOTICE (5), PID: 18
* UID: 0, GID: 0, Read_GID: 80
...

CUPS IPP Control Files

Parsing all the files:

$ for i in `ls /private/var/spool/cups/c0*`; do python cups_ipp.py $i; done

Output example:

Creation time: 2013-11-03 18:07:21 (1383502041).
Process time: 2013-11-03 18:07:21 (1383502041).
Completed time: 2013-11-03 18:07:32 (1383502052).
URI: ipp://localhost:631/printers/RHULBWB
User: moxilo
Job name: Assignament 1
Application: LibreOffice
Owner: Joaquin Moreno Garijo
Copies: 1
Printer ID: RHULBWD
Job ID: urn:uuid:d51116d9-143c-3863-62aa-6ef0202de49aB
Computer name: localhost
Document format: application/pdf
------------------------

KCPassword

Output example:
# xxd /etc/kcpassword
0000000: 1ceb 3147 d217 2f11 40ff 63bf            ..1G../.@.c.
# python kcpass.py 1ceb3147d2172f1140ff63bf

Kcpasswd: 0x1ceb3147d2172f1140ff63bf.
Magic Xor: 0x7d895223d2bcddeaa3b91f.
The password is: "abcd".
#

User Accounts

Output example:

# python plist_user.py /private/var/db//dslocal/nodes/Default/users/sexyuser.plist 
User: sexyuser
UID: 501
GID: 20
Shell: /bin/bash
Policy:
failedLoginTimestamp at 2001-01-01T00:00:00Z.
lastLoginTimestamp at 2001-01-01T00:00:00Z.
passwordLastSetTime at 2013-06-24T20:47:32Z.
Available Passwords:
Mac OS X user password:
Iterations: 12345
Salt: AAAAAA......AAAAAAA
Entropy: BBBBBBB......BBBBBBBBB
Kerberos:
Version: Kerberosv5
Hash: LKDC:SHA1.ABCDE...ABCDE

Plist Artifacts

  • Airport
  • Apple Account
  • Bluetooth
  • Mac OS X Update
  • Spotlight
  • Timemachine

Output example:

# python plist_artifacts.py /Library/Preferences/com.apple.TimeMachine.plist
File: /Library/Preferences/com.apple.TimeMachine.plist
TimeMachine Device: ['8E30XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX']
Backup at 2013-09-14 13:24:11+00:00
Backup at 2013-09-25 08:40:55+00:00
Backup at 2013-10-03 14:24:36+00:00
Backup at 2013-10-16 00:32:18+00:00
Backup at 2013-10-24 20:51:30+00:00
Backup at 2013-11-02 00:22:19+00:00
Backup at 2013-11-10 13:27:00+00:00
Backup at 2013-11-22 14:35:14+00:00
Backup at 2013-12-05 17:51:51+00:00
Backup at 2013-12-10 15:37:32+00:00
Backup at 2013-12-22 14:38:11+00:00
Backup at 2014-01-04 13:09:10+00:00
Backup at 2014-01-04 13:38:38+00:00

Recent Files

Output example:

$ python mac_recent.py com.apple.recentitems.plist 
Recent applications in com.apple.recentitems: Terminal.app
Path: /Applications/Utilities/Terminal.app
Inode Path: /6380731/6380732/6391024
HD Partition Root Name: Macintosh HD
HD Root UUID: 43B7DEF7-8F02-3A55-820A-2F4DE404F33A
HD Root mount in: /
Sandbox ID: 1a7ea0277c27df5d5ddba1c0a1d927a92614e84b
Sandbox Path: /applications/utilities/terminal.app
Recent applications in com.apple.recentitems: Console.app
Path: /Applications/Utilities/Console.app
Inode Path: /6380731/6380732/6762361
HD Partition Root Name: Macintosh HD
HD Root UUID: 43B7DEF7-8F02-3A55-820A-2F4DE404F33A
HD Root mount in: /
Sandbox ID: d55e75bc98e594f2affd6f2a91cd51feeea0e297
Sandbox Path: /applications/utilities/console.app
...

Anti forensics

With the code shown here, entries in all of these binary files can be deleted without difficulty.
In fact, I have a script called "manzanita" (small apple) that already does this, but I don't know whether I will publish its source code. I used it only to try to detect deleted entries.
