Sun, 20 June 2010
It is time to vote in the 2nd Annual Forensic 4Cast Awards. There are a number of catagories to include: Outstanding Contribution to Digital Forensics - Company & Indivdual Digital Forensic Podcast Digital Forensic Investigator of the Year
Take the time to go to the Awards page and vote for your favorites! Did we mention that Inside the Core was nominated for Best Digital Podcast?
Don't forget to vote for us! A free podcast episode to everyone that votes for ITC!
Be safe, The MacDudes
Category:general
-- posted at: 2:41pm PDT
|
Sun, 25 October 2009
There was a problem with the sound quality of the Episode 7 interview. Yes, sound quality issues, imagine that. I corrected the problem and uploaded a new version yesterday afternoon.
Still trying to get it right. Sorry for the inconvenience it is causing while listening.
Be safe,
Dave
Category:general
-- posted at: 2:25pm PDT
|
Sat, 27 June 2009
Sorry it took so long but the show notes for Episode 3 are ready. You can either read a shortened version below or download the PDF. The PDF has images that help explain some of the locations and other aspects of what was discussed.
Download Show Notes Safari Internet Cache: Original location for Safari 2 and early 3: - Users/USERNAME/Library/Caches/Safari/ - Files were given Unique ID and extension of .cache Version 3: switched to a sqlite database file and moved the cache to /var/folders -Location: /var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari -Cache.db file -If in Windows environment, ie. Encase, you will not see “/var/folders”, instead it will be: -/private/var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari -var/folders view on Mac is called “soft link” as Private is implied Latest Safari Ver 3 & Version 4 moves the cache back to: Users/USERNAME/Library/Caches\com.apple.safari - The Cache.db file resides here. Probable change was security based as it placed te file back in the users folder. Viewing Safari Cache: SQLite DB Browser 1.3: Database: can use SQLite DB browser 1.3 from Sourceforge -Displays the .db tables -Example: “Response Table”: has website URL and Date/Time Stamp in GMT Filejuicer: -Drop the Cache.db on Filejuicer and it will parse the data out -Images, HTML, TXT, etc. Incident Response/Trusted Utilities: -Often times, whenever out on scene, it is an unknown environment -Must consider all machines to be unknown and applications possibly altered -Best way to prepare is to have our own trusted utilities disk -Recommend a flash drive, minimum 4 GB to use -If PowerPC: recommend Firewire, if Intel: recommend USB Trusted Utilities Drive: 1. Disk Initialization (formatting for you Microsofties): Use Disk Utility to initialize the drive and wipe it prior to placing tools on it. 2. Put on utilities: i.e. Terminal, System Profiler, etc. 3. Rule of thumb: Command Line Tools/GUI Tools/Evidence Collection. 4. Name the Volume/Disk something you will recognize i.e. “RyansTrusted Utilities" This eliminates confusion on Suspectʼs desktop 5. Run Trusted Utilities: Date, System Profiler and export information to Evidence Collection. 6. Keep record of the commands run for later review and reporting, i.e. use PDF printout from Mac builtin utilities. 7. Remember to direct your path to the Trusted Utilities Disk as you are never sure what the suspect has done to their machine. Control your environment. PList(s) of the Week(PLOW): Address Book: /Users/USERNAME/Library/Preferences/addressbookme.plist: -This PList originates information entered at Registration -Can contain: First Name, Last Name, Local Phone #, Street Address 1 and 2, City, State, Zip, Area Code, Local Phone#, Company, Existing email address /Users/USERNAME/Library/Preferences/com.apple.addressbook.plist: -Covers the settings for the address book entries -Print Dialog Setting /Users/USERNAME/Library/ApplicationSupport/addressbook/metadata: -Unique User ID # for each “address book entry” -File saved as “UUID/ABPerson.abcdp -Viewable with Plist Editor or by copying out and dropping in AddressBook Users/USERNAME/Library/ApplicationSupport/AddressBook/images: UUID matches the Metadata UUID -This is the image that represents the corresponding address book entry To View in Address Book: 1. Create a clean User account. 2. Copy the suspect com.apple.AddressBook folder and drop into the corresponding location in the new account. Also, copy and drop AddressBookMe.plist 3. Open Address Book and then you can view and print out the entries. Host at Large Reggie “Good Stuff” Chapman: Part One of his series on the Terminal & Commands Terminal: -Darwin: Open Source Unix Core of MacOSX -Terminal located in /Applications/Utilities -Drag and place on your dock for quick access -Change the Terminal to fit your settings, color, size -Click on “Terminal --> Preferences” (LEOPARD) -”Settings” box allows to change: -Text, Window, Shell, Keyboard, and other Advanced Changes -RYANʼs TEMPLATE OF CHOICE: OCEAN is a good setting for Court Presentation Websites of the Week MACOSXHINTS.com: -Site that has a blog theme -People post ideas/ways to solve problems -Has Forum to help research issues and find answers -Good App and Scripting resource Developer.Apple.Com: -Has the technical notes for Macs -Tech Note 1150: HFS File System -Free Utilities and information
Category:general
-- posted at: 7:35am PDT
|
Wed, 17 June 2009
Look for ITC Episode 3 sometime this weekend. We are just finishing it up and should have it uploaded by Sunday, if work, wives, chores, & injuries don't get the in the way.
We will be talking about: Safari's Internet cache file Trusted Utility Disk Plist of the Week We will also have a visit from our Host at Large, Reggy Chapman, who will be discussing the first part of his series on the Terminal. We are trying to catch up on responding to emails that listeners have sent us. If we haven't responded yet, we apologize. We will get to your questions and comments as soon as possible. We are already integrating some of them into future podcasts. Be safe, The MacDudes
Category:general
-- posted at: 4:45pm PDT
|
Tue, 2 June 2009
Listener Jay pointed out that when the selected startup disk is BootCamp, you will not be able to boot into Single User Mode.
You will also not be able to boot using any other startup option except for Startup Manager (Option Key) and Terminal Disk Mode (T Key). You can reset the PRAM (CMD, Option, P, R Keys) which will reset the startup disk to the OS X startup disk. Remember, this will also reset your date and time and remove the Open Firmware password if one was set. When you boot with the option key and see the BootCamp Disk selected as default, this indicates that it is the selected startup disk. You will need to use a different method to attain the date/time and drive info. You could use forensic Boot CDs such as Macquisiton, SPADA or Raptor to boot the system for imaging or preview. Just make sure that the solution you are using will boot a Mac. Thanks to Jay for his email and tip. Be Safe, The MacDudes
Category:general
-- posted at: 10:30am PDT
|
Fri, 29 May 2009
TechSmith is offering Snagit for free until June 5, 2009. It is normally $49.95. This is a Windows based program that allows you to create screen captures. It is easy to use and a great program.
http://tiny.cc/Free_SnagIt Thanks to Beth for the info! If you have any tips you would like to share, let us know at: coreforensics@gmail.com The Macdudes
Category:general
-- posted at: 12:54pm PDT
|
Tue, 26 May 2009
We are currently working on Episode 1 and hope to have it uploaded within the week. Check back here or at the iTunes Store.
In Episode 1 we will be covering: Single User Mode How to get the date and time on a Mac Macintosh Forensic Training We will also have our regular feature, The Plist of the Week. If you have any comments, questions or a topic you would like covered, you can email us at, coreforensics@gmail.com Thanks The MacDudes
Category:general
-- posted at: 5:00am PDT
|