Wed, 23 December 2009
This is our holiday special episode. We gather around the Christmas tree with the kids and read our version of The Night Before Christmas.
We want to thank all of you for taking the time to listen to the podcast and provide us feedback to help make the show better. We try our best to provide information that will help you in your Mac exams or at least point you in the direction where your questions can be answered.
We would especially like to thank our own MacDudette, KK, for writing the MacMas version and for her on the fly editing while Chris and Dave were totally clueless on how to make two words rhyme.
We hope that you have a Merry Christmas, Happy Chanukah or whatever you are celebrating!
Be safe and we hope to see you in the new year!
Sun, 22 November 2009
In Episode 9, The MacDudes talk about hardening your Mac using native security applications and processes.
Following in the security theme, the Plist of the Week (PLoW) covers com.apple.loginwindow.plist and com.apple.loginitems.plist.
We have a great interview with Joe Duke of AccessData. Joe will discuss the use of FTK in analyzing Macintosh and the new FTK Mac Forensics course.
The following are some of the websites we talk about concerning Mac security & anti-virus.
Show notes to follow, honest!
Sun, 15 November 2009
In Episode 8, we cover preparing a Mac for use as an analysis system. We also go over a lot of tools that are useful in analysis of a Mac. We have an interview with Ben Charnota of BlackBag Technologies about their new software write block (beware: Ryan's mic will be found lacking).
Google is providing free internet access in a number of airports this holiday season. Here is a link to an article about it: http://tiny.cc//Free_Google312
Plist of the Week: com.apple.recentitems.plist
No Website of the Week this episode, the show was getting a little too long so I pulled it out. We will include it in the next show.
Show notes to follow!
Sun, 25 October 2009
There was a problem with the sound quality of the Episode 7 interview. Yes, sound quality issues, imagine that. I corrected the problem and uploaded a new version yesterday afternoon. Still trying to get it right. Sorry for the inconvenience it is causing while listening. Be safe, Dave
Category:general -- posted at: 2:25pm PST
Fri, 23 October 2009
This episode, the MacDudes have an interview with Lee Whitfield of the Forensic 4cast Podcast, talk about features in Snow Leopard that are of interest to examiners, and the Plist of the Week.
Problems with Time Capsule
Twitter's Computer Forensic Information
Snow Leopard's Problems with Guest Accounts
Look for show notes soon.
Mon, 5 October 2009
In this episode, Ryan interviews Al Lewis of SubRosaSoft, and Chris talks with Social Media & Communications expert Christa M. Miller about her website, Cops2Point0.com.
The MacDudes also discuss:
HFS+ read support in BootCamp 3.0
Mac OS's native screenshot capabilities
Plist of the Week: com.apple.sidebarlists.plist
We're still struggling with some sound quality issues, hopefully we will have this worked out with the next round of interviews.
Show notes will be posted shortly.
Sun, 9 August 2009
In this episode, the MacDudes talk about iPhone backup files and tools to parse them, imaging iPods, how to extract a dictionary file from swap files over 2GB in size and the Plist of the Week.
Sat, 4 July 2009
This episode covers why we point everyone to the user's Home folder first. Ryan talks about Disk Arbitration for Leopard and Tiger. Chris showcases the Plists of the Week: Safari bookmarks, history, downloads, TopSites & Last Session.
Websites of the Week: MacTracker & EveryMac
Podcasts to listen to: CyberSpeak & Forensic 4Cast
Show notes are available for download as a PDF; they are more detailed than the synopsis below.
Show notes synopsis:
-Most of the evidence is located in the User's Home Folder
-Majority of the Preference PLists with user-specific settings are in
-Indicative of the user's activity
-Not system activity, but user-specific logs
-PList files or proprietary-format files for the User
-Contains configurations and settings for the User
-I.E. online activity, buddy lists, email, logins, etc.
-Mozilla Cache, iPhone backup files from the MobileSync folder
-Application PLists with information
-Disk Arbitration watches for devices, mounts each one, and makes an icon available to the user for accessing that device
-On boot, Disk Arbitration recognizes the internal hard drive, recognizes the file system, and mounts the partitions on the desktop.
-In order to prevent writes, we must prevent the mount.
-To turn off Disk Arbitration (Leopard), enter Terminal and type:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
-Now when you connect a disk, the disk will not mount
-To turn it back on, enter Terminal and type:
sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
or reboot the system and Disk Arbitration will become active again
-On Tiger, Disk Arbitration is not controlled by launchctl
-Need to move the PList from one location to another
1. Make a copy of the diskarbitrationd.plist
2. Once the copy is made, use the remove command (rm) in Terminal to delete the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder
4. Only the OS boot partition will mount.
To UNDO, copy the diskarbitrationd.plist back to the /etc/mach_init.d folder and reboot the system.
PList(s) of the Week (PLOW):
-User created/maintained bookmarks
-Any downloads specific to Safari
-History from Safari if not cleared
-Came with Safari 4
-When a New Tab is opened, it opens thumbnails of most visited sites
-Instead of typing URL, just click on thumbnail and it opens the site.
-Indicates what was open on last Safari session
-If multiple windows opened, it will indicate each as a different Item
Sat, 27 June 2009
Sorry it took so long but the show notes for Episode 3 are ready. You can either read a shortened version below or download the PDF. The PDF has images that help explain some of the locations and other aspects of what was discussed.
Safari Internet Cache:
Original location for Safari 2 and early 3:
- Files were given a unique ID and the extension .cache
Version 3: switched to an SQLite database file and moved the cache to /var/folders
-If in a Windows environment, i.e. EnCase, you will not see "/var/folders"; instead it will be:
-The /var/folders path seen on the Mac is called a "soft link", as /private is implied
Latest Safari version 3 & version 4 move the cache back to:
- The Cache.db file resides here. The change was probably security based, as it placed the file back in the user's folder.
Viewing Safari Cache:
SQLite DB Browser 1.3:
-Database: can use SQLite DB Browser 1.3 from SourceForge
-Displays the .db tables
-Example: the "Response Table" has the website URL and a date/time stamp in GMT
-Drop the Cache.db on File Juicer and it will parse the data out
-Images, HTML, TXT, etc.
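As an added example (not from the show or its notes), a Python script that opens a copy of Cache.db read-only and lists the response table's URLs with their GMT timestamps, optionally from a given time onward. The table name cfurl_cache_response and the columns entry_ID, request_key and time_stamp are assumed from the Safari 3/4 layout; the sample database it builds is constructed, not real evidence.

```python
import sqlite3
from pathlib import Path

# Table/column names are assumed from the Safari 3/4 Cache.db layout (the
# "Response Table" above); confirm with schema_of() before relying on them.
RESPONSE_TABLE = "cfurl_cache_response"

def _open_readonly(db_path):
    """Open the evidence copy read-only so the examiner never writes to it."""
    return sqlite3.connect(f"file:{Path(db_path).resolve()}?mode=ro", uri=True)

def schema_of(db_path):
    """Table names in the database, so an unexpected layout is noticed early."""
    conn = _open_readonly(db_path)
    try:
        return [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    finally:
        conn.close()

def list_cache_responses(db_path, since_utc=None):
    """Rows of (entry_ID, url, GMT timestamp) in time order; since_utc is an
    inclusive 'YYYY-MM-DD HH:MM:SS' lower bound on the stored text timestamp."""
    conn = _open_readonly(db_path)
    try:
        sql = f"SELECT entry_ID, request_key, time_stamp FROM {RESPONSE_TABLE}"
        params = ()
        if since_utc is not None:
            sql += " WHERE time_stamp >= ?"
            params = (since_utc,)
        return [tuple(r) for r in conn.execute(sql + " ORDER BY time_stamp", params)]
    finally:
        conn.close()

def build_sample_cache_db(directory):
    """Constructed stand-in Cache.db with three sample entries (not real evidence)."""
    path = Path(directory) / "Cache.db"
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(f"CREATE TABLE {RESPONSE_TABLE} (entry_ID INTEGER PRIMARY KEY,"
                     " version INTEGER, hash_value INTEGER, storage_policy INTEGER,"
                     " request_key TEXT UNIQUE, time_stamp TEXT)")
        conn.executemany(f"INSERT INTO {RESPONSE_TABLE} VALUES (?,?,?,?,?,?)", [
            (1, 0, 1111, 0, "http://example.com/index.html", "2009-06-20 14:02:11"),
            (2, 0, 2222, 0, "http://example.com/logo.png", "2009-06-20 14:02:12"),
            (3, 0, 3333, 0, "http://example.net/", "2009-06-21 09:15:40")])
    conn.close()
    return path
```

Point list_cache_responses() at the copied Cache.db to get the same URL and timestamp view the SQLite DB Browser shows, filtered to the window of interest.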
Incident Response/Trusted Utilities:
-Often, when out on scene, it is an unknown environment
-Must consider all machines to be unknown and applications possibly
-The best way to prepare is to have our own trusted utilities disk
-Recommend a flash drive, minimum 4 GB
-If PowerPC: recommend FireWire; if Intel: recommend USB
Trusted Utilities Drive:
1. Disk initialization (formatting, for you Microsofties): use Disk Utility to initialize the drive and wipe it prior to placing tools on it.
2. Put on utilities: i.e. Terminal, System Profiler, etc.
3. Rule of thumb: Command Line Tools/GUI Tools/Evidence Collection.
4. Name the volume/disk something you will recognize, i.e. "Ryans Trusted Utilities". This eliminates confusion on the suspect's
5. Run trusted utilities: date, System Profiler, and export the information to
6. Keep a record of the commands run for later review and reporting, i.e. use the PDF printout from the Mac's built-in utilities.
7. Remember to direct your path to the Trusted Utilities Disk, as you are never sure what the suspect has done to their machine. Control your
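As an added example (not from the show notes), a Python helper that applies steps 5 to 7 above: each tool is resolved only on the trusted utilities disk, PATH is set to that disk alone, the output is saved there, and a timestamped line with the exact command and the SHA-256 of the saved output is appended to a command log for later reporting. The volume path /Volumes/RyansTrustedUtilities is a hypothetical placeholder.

```python
import datetime
import hashlib
import os
import subprocess
from pathlib import Path

def run_trusted(tool, args, trusted_bin, out_dir):
    """Run one tool from the trusted utilities disk, save its output, log the run.

    tool is resolved only inside trusted_bin (never the suspect's PATH),
    stdout goes to out_dir/<tool>.txt, and out_dir/commands.log gets a line
    with the UTC time, the exact argv, the exit code and the output's SHA-256.
    """
    trusted_bin = Path(trusted_bin)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    exe = trusted_bin / tool
    if not exe.is_file() or not os.access(exe, os.X_OK):
        raise FileNotFoundError(f"{tool} is not on the trusted disk: {exe}")
    argv = [str(exe), *args]
    env = {"PATH": str(trusted_bin)}  # only the trusted disk is searched
    started = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    result = subprocess.run(argv, env=env, capture_output=True, text=True)
    out_file = out_dir / f"{tool}.txt"
    out_file.write_text(result.stdout)
    digest = hashlib.sha256(result.stdout.encode()).hexdigest()
    with (out_dir / "commands.log").open("a") as log:
        log.write(f"{started}\t{' '.join(argv)}\texit={result.returncode}\tsha256={digest}\n")
    return {"argv": argv, "exit": result.returncode, "output": out_file, "sha256": digest}

def read_log(out_dir):
    """Return the recorded command lines, oldest first, for the report."""
    log = Path(out_dir) / "commands.log"
    return log.read_text().splitlines() if log.exists() else []

if __name__ == "__main__":
    # Hypothetical volume; the notes' own example name is "Ryans Trusted Utilities".
    trusted = Path("/Volumes/RyansTrustedUtilities/bin")
    collected = Path("/Volumes/RyansTrustedUtilities/collected")
    for tool, args in (("date", []), ("system_profiler", ["-detailLevel", "mini"])):
        print(run_trusted(tool, args, trusted, collected))
```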
PList(s) of the Week (PLOW):
-This PList holds the information entered at registration
-Can contain: First Name, Last Name, Local Phone #, Street Address 1 and 2, City, State, Zip, Area Code, Local Phone #, Company, Existing
-Covers the settings for the address book entries
-Print dialog settings
-Unique user ID # for each "address book entry"
-File saved as "UUID/ABPerson.abcdp"
-Viewable with Plist Editor or by copying out and dropping in
UUID matches the metadata UUID
-This is the image that represents the corresponding address book entry
To view in Address Book:
1. Create a clean user account.
2. Copy the suspect's com.apple.AddressBook folder and drop it into the corresponding location in the new account. Also, copy and drop
3. Open Address Book and then you can view and print out the entries.
Host at Large Reggie "Good Stuff" Chapman:
Part One of his series on the Terminal & Commands
-Darwin: the open source Unix core of Mac OS X
-Terminal is located in /Applications/Utilities
-Drag it onto your Dock for quick access
-Change the Terminal to fit your settings: color, size
-Click on "Terminal --> Preferences" (LEOPARD)
-The "Settings" box lets you change:
-Text, Window, Shell, Keyboard, and other advanced settings
-RYAN'S TEMPLATE OF CHOICE: OCEAN is a good setting for court presentation
Websites of the Week
-Site that has a blog theme
-People post ideas/ways to solve problems
-Has a forum to help research issues and find answers
-Good App and Scripting resource
-Has the technical notes for Macs
-Tech Note 1150: HFS File System
-Free Utilities and information
Category:general -- posted at: 7:35am PST
Sun, 21 June 2009
Episode 3 is uploaded and ready for your listening pleasure. We cover Safari Internet cache, the Trusted Utilities Disk and the Plist of the Week. We also have our Host at Large, Reggy, with part one of his series on the Terminal.
Show notes should be posted tomorrow.
Thanks for listening and keep those emails coming in!