Mac Device Forensics
Forensics on macOS devices involves understanding macOS-specific artifacts, retrieving deleted data, and analyzing system logs. Below is a detailed guide covering tools, techniques, and methodologies for conducting Mac device forensics.
Key Analysis Areas
- macOS Logs: Logs related to user activities and system behavior.
- Browser History: Accessed sites, cached data, and downloads.
- OS Update History: Tracking updates and system changes.
- Installed Applications: Programs and associated artifacts.
- Plist Files: Configuration files containing user and system data.
- Browser Extensions: Potential malware through extensions.
- Email Artifacts: Stored emails and attachments.
macOS Forensic Artifacts
TCC Database
The TCC database contains user consent records for applications accessing privacy-protected data:
```
/Library/Application Support/com.apple.TCC/TCC.db
~/Library/Application Support/com.apple.TCC/TCC.db
```
Plist Files
Plist files store preferences and settings:
```
~/Library/Preferences/com.apple.universalaccessAuthWarning.plist
```
Application Directories
- Installed applications:
```
~/Applications
/Applications
```
Persistence Mechanisms
Cron Jobs:
```
/etc/crontab
/usr/lib/cron/tabs
/private/etc/crontab
```
Launch Daemons:
```
$HOME/Library/LaunchAgents
/Library/LaunchDaemons
/Library/LaunchAgents
```
Unix Startup Configurations:
```
/etc/rc.*
.bashrc
.profile
```
Kernel Extensions
```
/System/Library/Extensions
/Library/Extensions
```
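As an added example (not from the original page), the following Python triages a launchd plist of the kind found in the LaunchAgents and LaunchDaemons directories above: it pulls out the label, the program actually executed, and the RunAtLoad flag, and flags auto-start items whose program lives outside the usual Apple paths. The sample plist, the label com.example.updater and the trusted-prefix list are constructed assumptions, not values from a real system.

```python
"""Triage a LaunchAgent/LaunchDaemon plist for auto-start items outside Apple paths.

Added example; standard library only. The plist below is constructed for illustration.
"""
import plistlib

# Constructed sample: a user LaunchAgent that runs a hidden script from /tmp at login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>/tmp/.update.sh</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Assumed list of directories whose binaries are normally Apple-signed system components.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Applications/")


def summarize_launch_item(data: bytes) -> dict:
    """Extract the fields an analyst checks first from a launchd plist."""
    p = plistlib.loads(data)
    # launchd accepts either Program (a single path) or ProgramArguments (argv list).
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    # For shell wrappers such as "/bin/sh script", the payload is the last argument.
    target = args[-1] if args else None
    return {
        "label": p.get("Label"),
        "program": target,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
        "trusted_path": target is not None and target.startswith(TRUSTED_PREFIXES),
    }


def is_suspicious(summary: dict) -> bool:
    """Flag items that start automatically and run a program from an untrusted location."""
    return summary["run_at_load"] and not summary["trusted_path"]


if __name__ == "__main__":
    s = summarize_launch_item(SAMPLE_PLIST)
    print(s, "SUSPICIOUS" if is_suspicious(s) else "ok")
```

On a live system the same function can be applied to every .plist in the directories listed above; KeepAlive combined with RunAtLoad is the pattern that keeps a payload resident across logouts.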

Browser Artifacts
Chrome
- Profile directories (N = profile number):
```
~/Library/Application Support/Google/Chrome/Default
~/Library/Application Support/Google/Chrome/Profile N
```
- Extensions:
```
~/Library/Application Support/Google/Chrome/Default/Extensions
```
Tools:
Use Liya for analyzing SQLite files.
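The Chrome History file in the profile directories above is a plain SQLite database, so it can also be read directly; the pitfall is that last_visit_time is stored as microseconds since 1601-01-01 UTC (the WebKit epoch), not Unix time. This added Python example (not the page's own code) builds a small constructed table with the columns of Chrome's real urls table, converts the timestamps, and filters visits after a cutoff; the URLs and times are constructed sample data.

```python
"""Decode Chrome History timestamps for timeline work.

Added example. Chrome's urls.last_visit_time is microseconds since 1601-01-01 UTC.
An in-memory database is constructed here so the code runs offline; on a real Mac the
file is ~/Library/Application Support/Google/Chrome/Default/History (copy it first,
since Chrome holds a lock on the live file).
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit/Chrome timestamp (microseconds since 1601-01-01) to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history() -> sqlite3.Connection:
    """Constructed sample with the column layout of Chrome's 'urls' table."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        # 13348540800000000 us = 2024-01-01 00:00:00 UTC
        (1, "https://example.com/", "Example", 3, 1, 13348540800000000, 0),
        # one hour later
        (2, "https://example.net/login", "Login", 1, 0, 13348544400000000, 0),
    ])
    return con


def visits_since(con: sqlite3.Connection, since_iso: str) -> list:
    """Return (url, utc_datetime) for rows last visited at or after the ISO-8601 cutoff."""
    since = datetime.fromisoformat(since_iso)
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    # Convert the cutoff into WebKit units so the filter runs inside SQLite.
    cutoff = int((since - WEBKIT_EPOCH) / timedelta(microseconds=1))
    rows = con.execute(
        "SELECT url, last_visit_time FROM urls WHERE last_visit_time >= ? ORDER BY last_visit_time",
        (cutoff,)).fetchall()
    return [(url, webkit_to_datetime(ts)) for url, ts in rows]


if __name__ == "__main__":
    for url, when in visits_since(build_sample_history(), "2024-01-01T00:30:00+00:00"):
        print(when.isoformat(), url)
```

Safari's History.db uses a different epoch (seconds since 2001-01-01), so this conversion applies to Chromium-based browsers only.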
Safari
- Relevant files:
```
/Users/<username>/Library/Safari
```
Email Artifacts
Apple Mail stores emails and attachments in:
```
/Library/Mail
~/Library/Mail
```
Useful Scripts for Forensics
Search Encrypted Archives
```bash
#!/bin/bash
# Lists every .zip under root_dir and reports which ones 7z marks as encrypted.
root_dir="/path/to/folder"
# -print0 / read -d '' keeps paths containing spaces or newlines intact.
find "$root_dir" -name "*.zip" -print0 | while IFS= read -r -d '' x
do
    echo "$x"
    7z l -slt "$x" | grep "Encrypted"
done
```
Detect Macros in Excel Files
```bash
#!/bin/bash
# Unpacks each .xls* workbook into its own directory so embedded VBA can be located.
root_dir="/path/to/folder"
i=0
find "$root_dir" -name "*.xls*" -print0 | while IFS= read -r -d '' x
do
    echo "$x"
    # OOXML workbooks are zip containers; unzip fails harmlessly on anything else.
    unzip -q "$x" -d "out_dir/dir_$i" || echo "skipped (not a zip container): $x"
    ((i++))
done
```
Then locate embedded VBA projects with `find out_dir -name "vbaProject.bin"`. Note that legacy binary .xls workbooks are not zip containers, so unzip skips them; only the OOXML formats (.xlsx, .xlsm) extract this way.
User Activity Analysis
Active Users
- Use Activity Monitor:
  `/Applications/Utilities/Activity Monitor`
Command-Line Options
- List logged-in users: `last`
- Filter specific users: `last | grep USERNAME`
- Currently logged-in users: `who`
Forensics Tools

Malware Blocking with DNS
Malware-Blocking DNS
- 1.1.1.2
- 1.0.0.2
Malware and Adult Content Blocking DNS
- 1.1.1.3
- 1.0.0.3
Forensic Tools for macOS
Essential Tools
| Tool | Purpose |
|---|---|
| Malwarebytes | Malware detection and removal. |
| VeraCrypt | Disk encryption for securing sensitive files. |
| GNU Privacy Guard | Encryption for files and emails. |
Uninstall Scripts
Remove Visual Studio
```bash
sudo rm -rf "/Applications/Visual Studio.app"
rm -rf ~/Library/Caches/VisualStudio
rm -rf ~/Library/Preferences/VisualStudio
# A tilde is not expanded inside double quotes, so use $HOME for paths that contain spaces.
rm -rf "$HOME/Library/Preferences/Visual Studio"
rm -rf ~/Library/Logs/VisualStudio
```
Remove Xamarin
```bash
sudo rm -rf /Developer/MonoDroid
rm -rf ~/Library/MonoAndroid
sudo pkgutil --forget com.xamarin.android.pkg
```
Additional Resources
Advanced Forensic Techniques for macOS
To extract and analyze macOS artifacts, advanced techniques often require specialized tools and in-depth knowledge of the file system.
Time Machine Backups
Time Machine maintains a history of files, which can be invaluable for forensic analysis.
- Default location:
```
/Volumes/<backup_drive>/Backups.backupdb/
```
Use the tmutil command to manage Time Machine backups:
```bash
tmutil listbackups
tmutil compare /path/to/file
```
Spotlight Database
Spotlight indexes files and metadata, which can provide information about user activity.
- Spotlight database location:
```
/private/var/db/Spotlight-V100/
~/.Spotlight-V100/
```
Use mdls to query metadata:
```bash
mdls /path/to/file
```
Keychain Analysis
The macOS Keychain securely stores user credentials and passwords. Forensic tools like Keychain Dumper can extract this data (requires root access).
Keychain files are located at:
```
~/Library/Keychains/
/Library/Keychains/
```
Network Forensics on macOS
Monitoring network activity and identifying connections can help trace unauthorized access or data exfiltration.
Useful Commands
| Command | Description |
|---|---|
| nettop | Real-time network activity monitoring. |
| tcpdump | Packet capture for network analysis. |
| lsof -i | List open files associated with network sockets. |
| iftop | Monitor bandwidth usage in real time. |
Example: Capture all HTTP traffic using tcpdump:
```bash
sudo tcpdump -i en0 -nn port 80
```
macOS Log Files
Log files contain critical information about system events, errors, and user activities.
| Log File Location | Description |
|---|---|
| /var/log/system.log | System-wide logs. |
| /var/log/install.log | Software installation history. |
| ~/Library/Logs/ | User-specific logs. |
| /private/var/log/asl/ | Apple System Logger logs. |
Use the log command to query logs:
```bash
log show --predicate 'eventMessage contains "login"' --info
```
Securing Evidence
Write-Blocker
Always use a write-blocker to ensure forensic integrity when analyzing storage devices.
File Hashing
Generate hashes to verify the integrity of copied files:
```bash
shasum -a 256 /path/to/file
```
macOS-Specific Forensic Tools
| Tool | Purpose |
|---|---|
| BlackLight | Comprehensive macOS forensic analysis. |
| Recon LAB | Automated macOS artifact extraction. |
| MacQuisition | Imaging and analyzing macOS devices. |
Forensic Best Practices
- Preserve Evidence: Use write-blockers and document all actions.
- Analyze Backups: Don't overlook Time Machine and iCloud backups.
- Verify Timestamps: Cross-reference file timestamps with log files.
- Leverage Automation: Use scripts and tools for consistent analysis.
Further Learning and Resources
Unlock the full potential of macOS forensics with a blend of tools, scripts, and best practices.