Inside the Core
The Macintosh Forensic Podcast


Follow Us

Categories

general
podcasts

Archives

2011
November
June

2010
December
July
June
March

2009
December
November
October
August
July
June
May

June 2009
S M T W T F S
     
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30

Syndication

iTunes Enhanced Mp3 Version

Disclaimer:
The Inside the Core podcast is provided for entertainment only. Any information, techniques, software or equipment that is discussed should be researched, tested and validated prior to use. This podcast is not a substitute for specialized training that is required for computer forensics. The topics of discussion and/or opinions are those of the host(s) and do not reflect the views of the hosts employers or former employers. Discussion of content, goods, or services provided by outside entities does not imply endorsement. Nothing in the podcast should be construed as an offer, solicitation or recommendation to buy or sell any specific products or training.

Episode 3 Show Notes Sorry it took so long but the show notes for Episode 3 are ready. You can either read a shortened version below or download the PDF. The PDF has images that help explain some of the locations and other aspects of what was discussed.

Download Show Notes

Safari Internet Cache:

Original location for Safari 2 and early 3:
     - Users/USERNAME/Library/Caches/Safari/
     - Files were given Unique ID and extension of .cache 

Version 3: switched to a sqlite database file and moved the cache to /var/folders

-Location: /var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari
-Cache.db file

-If in Windows environment, ie. Encase, you will not see “/var/folders”, instead it will be:
      -/private/var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari

-var/folders view on Mac is called “soft link” as Private is implied

Latest Safari Ver 3 & Version 4 moves the cache back to:

Users/USERNAME/Library/Caches\com.apple.safari

- The Cache.db file resides here. Probable change was security based as it placed te file back in the users folder.

Viewing Safari Cache:

SQLite DB Browser 1.3:

Database: can use SQLite DB browser 1.3 from Sourceforge
-Displays the .db tables
-Example: “Response Table”: has website URL and Date/Time Stamp in GMT

Filejuicer:
-Drop the Cache.db on Filejuicer and it will parse the data out
-Images, HTML, TXT, etc.

Incident Response/Trusted Utilities:
-Often times, whenever out on scene, it is an unknown environment
-Must consider all machines to be unknown and applications possibly  
  altered
-Best way to prepare is to have our own trusted utilities disk
-Recommend a flash drive, minimum 4 GB to use
-If PowerPC: recommend Firewire, if Intel: recommend USB

Trusted Utilities Drive:

1. Disk Initialization (formatting for you Microsofties): Use Disk Utility
    to initialize the drive and wipe it prior to placing tools on it.
2. Put on utilities: i.e. Terminal, System Profiler, etc.
3. Rule of thumb: Command Line Tools/GUI Tools/Evidence Collection.
4. Name the Volume/Disk something you will recognize i.e.
    “RyansTrusted Utilities" This eliminates confusion on Suspectʼs
    desktop
5. Run Trusted Utilities: Date, System Profiler and export information to
   Evidence Collection.
6. Keep record of the commands run for later review and reporting, i.e.
    use PDF printout from Mac builtin utilities.
7. Remember to direct your path to the Trusted Utilities Disk as you are
    never sure what the suspect has done to their machine. Control your 
    environment.


PList(s) of the Week(PLOW):

Address Book:

/Users/USERNAME/Library/Preferences/addressbookme.plist:
-This PList originates information entered at Registration
-Can contain: First Name, Last Name, Local Phone #, Street Address 1     
  and 2, City, State, Zip, Area Code, Local Phone#, Company, Existing  
  email address

/Users/USERNAME/Library/Preferences/com.apple.addressbook.plist:
-Covers the settings for the address book entries
-Print Dialog Setting

/Users/USERNAME/Library/ApplicationSupport/addressbook/metadata:
-Unique User ID # for each “address book entry”
-File saved as “UUID/ABPerson.abcdp
-Viewable with Plist Editor or by copying out and dropping in  
  AddressBook

Users/USERNAME/Library/ApplicationSupport/AddressBook/images:
UUID matches the Metadata UUID
-This is the image that represents the corresponding address book entry
 
To View in Address Book:
1. Create a clean User account.
2. Copy the suspect com.apple.AddressBook folder and drop into the
    corresponding location in the new account. Also, copy and drop 
    AddressBookMe.plist
3. Open Address Book and then you can view and print out the entries.

Host at Large Reggie “Good Stuff” Chapman:

Part One of his series on the Terminal & Commands

Terminal:
-Darwin: Open Source Unix Core of MacOSX
-Terminal located in /Applications/Utilities
-Drag and place on your dock for quick access
-Change the Terminal to fit your settings, color, size
-Click on “Terminal --> Preferences” (LEOPARD)
-”Settings” box allows to change:
-Text, Window, Shell, Keyboard, and other Advanced Changes

 -RYANʼs TEMPLATE OF CHOICE: OCEAN is a good setting for Court Presentation

Websites of the Week

MACOSXHINTS.com:
-Site that has a blog theme
-People post ideas/ways to solve problems
-Has Forum to help research issues and find answers
-Good App and Scripting resource

Developer.Apple.Com:
-Has the technical notes for Macs
-Tech Note 1150: HFS File System
-Free Utilities and information 
Category:general -- posted at: 7:35am PST

Inside the Core Episode 3 Hey,

Episode 3 is uploaded and ready for your listening pleasure. We cover Safari Internet cache, the Trusted Utilities Disk and the Plist of the Week. We also have our Host at Large, Reggy, with part one of his series on the Terminal.

Show notes should be posted tomorrow.

Thanks for listening and keep those emails coming in!

Be Safe,
The MacDudes

Direct download: Inside_the_Core_Episode_3.m4a
Category:podcasts -- posted at: 7:44pm PST

Look for Episode 3 This Weekend Look for ITC Episode 3 sometime this weekend. We are just finishing it up and should have it uploaded by Sunday, if work, wives, chores, & injuries don't get the in the way.

We will be talking about:

Safari's Internet cache file
Trusted Utility Disk
Plist of the Week

We will also have a visit from our Host at Large, Reggy Chapman, who will be discussing the first part of his series on the Terminal.

We are trying to catch up on responding to emails that listeners have sent us. If we haven't responded yet, we apologize. We will get to your questions and comments as soon as possible. We are already integrating some of them into future podcasts.

Be safe,
The MacDudes
Category:general -- posted at: 4:45pm PST

Inside the Core Episode 2 Episode 2 is uploaded! The sound quality is a bit better but still working on that. In this episode we cover: Defeating the Open Firmware password, Mobile Forensics World's iPhone Forensics panel discussion, the Plist of the Week and a few Mac websites.

You can send any comments or questions to:
Click here to send The MacDudes an e-mail


Episode 1 Show Notes (Download at: Show Notes)


GOLDEN RULE: Use OPTION key to boot first and confirm no Firmware Password

OFP: Prevents any other startup option other than "option" or "startup disk".

If OFP is active and you attempt alternative boot sequence, the system will default to  the normal “Startup Disk” and possible writes will be made.
-Dont want to make writes....

1. Boot with option key to confirm Open Firmware Password exist
2. To get around:
    A. Pull hard drive and image via write block (24 screws or less)

    B. Reconfigure the RAM:
        1) Shut down
        2) Disconnect power (if laptop remove battery)
        3) Remove stick or add stick of RAM to reconfigure
        4) Close up, connect battery/power
        5) Command+Option+P+R key all at once "Vulcan Death Grip"
        6) Listen for 3 Chimes-Indicates reset
        7) Restart and use Option key to check

NOTE: Time will be reset. The clock will possibly be off.
             Logs may be important.

Mobile Forensics World iPhone Forensics Panel

iPhone Panel:
-Ryan Kubasiak: Macosxforensics.com
-Jonathan Zdziarski : iPhone Forensics author
-Sean Morrissey :Dept. of Defense
-Andrew Hoag : Moderator

-Took questions from audience after moderated question session.

Different ways to get data:
Hardware/Software Suites:

Wolf: Good for unlocked phone, and if you unlock can use.

Cellebrite

Different Methods:
Raw Disk info: Jonathan Zdziarski and Sean Morrissey
                          -Concerns as to what is being changed from data 
                            standpoint

Dont forget about the iPhone backups on the Mac: a wealth of information

PList(s) of the Week(PLOW):

Plist: Registry like files but corruption of one file doesnʼt corrupt the entire system.

Application plists:

Quicktime:
Global: Library--> Preferences--> com.apple.quicktime.plist
-Shows Registered User and Registered Key
-Can indicate the key for verififcation of legal software

iWork (Mac Office Suite):
Global-->Library-->Preferences->
iWork08: com.apple.iwork08.plist
iWork09: com.apple.iwork09.plist


Google Gears:
Global--Library-->Preferences-> com.google.gears.plist 
User-->Library-->Preferences-> com.google.gmailnotifier.plist

Websites to Check Out:
Mac Shadows:  www.macshadows.com

Macenstein:  www.macenstein.com
Direct download: Inside_the_Core_Episode_2.m4a
Category:podcasts -- posted at: 4:22pm PST

BootCamp & Single User Mode Listener Jay pointed out that when the selected startup disk is BootCamp, you will not be able to boot into Single User Mode.

You will also not be able to boot using any other startup option except for Startup Manager (Option Key) and Terminal Disk Mode (T Key). You can reset the PRAM (CMD, Option, P, R Keys) which will reset the startup disk to the OS X startup disk. Remember, this will also reset your date and time and remove the Open Firmware password if one was set.

When you boot with the option key and see the BootCamp Disk selected as default, this indicates that it is the selected startup disk. You will need to use a different method to attain the date/time and drive info.

You could use forensic Boot CDs such as Macquisiton, SPADA or Raptor to boot the system for imaging or preview. Just make sure that the solution you are using will boot a Mac.

Thanks to Jay for his email and tip.

Be Safe,
The MacDudes
Category:general -- posted at: 10:30am PST