Wed, 23 November 2011
Just in time for Thanksgiving here in the States! In this episode we talk about: The new Mac Tips section - Using the Go To Folder feature - Terminal Command: Open The kcpassword file and how to decrypt it PList of the Week - Skype History Files Website of the Episode - MacMost.com The release of Reaper, the PList Investigation Tool New version releases by: - Sumuri - Paladin ver 2 - MacMarshall ver 3 - Blackbag - Blacklight R4 Look for the ITC Polo Shirts and Hats available for sale soon! More info at www.insidethecore.com |
Sun, 5 June 2011
It is finally out! Episode 13 with our guest host, Steve Whalen of Sumuri. Steve talks about his Mac training classes and Paladin, the forensic boot CD. We also talk a bit about OS 10.7 Lion, Malware and of course, the Plist of the Week. Our application pick of the show is Disk-Arbitrator. Hopefully we can get its creator on the show in the future. This will be the first in what we hope is a series of interveiws with companies that offer Mac Forensic Training. Thanks for sticking around and waiting for the latest podcast. Be Safe, The MacDudes |
Wed, 22 December 2010
We were kindly invited by Lee Whitfield of Forensic 4Cast to participate in the Digital Forensics Podcast Super Show. Along with Lee, we were joined by Joe Garcia of CyberCrime101 and Lee's brother Simon. Here is the link to the show: http://forensic4cast.com/2010/12/21/episode-34-inside-the-cybercrime-4cast/
Happy Holidays The MacDudes
Category:podcasts
-- posted at: 10:32am PDT
|
Thu, 22 July 2010
In this episode we discuss Chrome for Mac forensics and the Forensic 4Cast Awards. We have guest host Joe Garcia of the CyberCrime 101 podcast, who tells us about his podcast, the SANS Forensic Summit and HacKidCon. We also briefly discuss Steve Whalen's new company, Sumuri, and their Forensic Boot and Imaging CD, Paladin; AccessData's FTK Imager command line tool for the Mac; and the websites of the episode. Thanks to Joe Garcia for being on the show. We would also like to thank you, our listeners, for voting for ITC in the Forensic 4Cast Award's Best Digital Forensics Podcast. Who would of thought we would of won! A special thanks to the Florida State Prison System for their votes. |
Sun, 20 June 2010
It is time to vote in the 2nd Annual Forensic 4Cast Awards. There are a number of catagories to include: Outstanding Contribution to Digital Forensics - Company & Indivdual Digital Forensic Podcast Digital Forensic Investigator of the Year
Take the time to go to the Awards page and vote for your favorites! Did we mention that Inside the Core was nominated for Best Digital Podcast?
Don't forget to vote for us! A free podcast episode to everyone that votes for ITC!
Be safe, The MacDudes
Category:general
-- posted at: 2:41pm PDT
|
Wed, 2 June 2010
In Episode 11, The MacDudes talk about using the command line to see what extended attributes a file has assigned to it. PLoW covers two plists. We also talk a bit about the recent CEIC conference, Twitter, and a couple of software applications. Chris is hard at work trying to get the show notes caught up. We hope to have all of them on the website for your downloading pleasure.
Be safe! The MacDudes
|
Thu, 18 March 2010
After a two month hiatus, we are back with Episode 10. We know it has been a while but we are ready to get back to work and bring the best in Mac forensics information to you. In this Episode we cover the com.apple.LaunchService.QuarintineEvents SQLite DB File. PLoW covers several iWork plists, a VLC plist. The episodes Website of the Week is appleeserialnumberinfo.com. This website interprets a Mac's serial number and provides us with great information on the make up of that particular system. We talk briefly about a native "switch" in Snow Leporad that allows us to turn on read/write to NTFS volumes. No need for NTFS 3G or Tuxera NTFS. Look for more on that later. Show notes to follow.....No really, we promise! Be Safe! The MacDudes |
Wed, 23 December 2009
This is our holiday special episode. We gather around the Christmas tree with the kids and read our version of The Night Before Christmas.
We want to thank all of you for taking the time to listen to the podcast and provide us feedback to help make the show better. We try our best to provide information that will help you in your Mac exams or at least point you in the direction where your questions can be answered. We would especially like to thank our own MacDudette, KK, for writing the MacMas version and for her on the fly editing while Chris and Dave were totally clueless on how to make two words rhyme. We hope that you have a Merry Christmas, Happy Chanukah or whatever you are celebrating! Be safe and we hope to see you in the new year! The MacDudes
Direct download: Inside_the_Core_-_The_Night_Before_MacMas.mp3
Category:podcasts -- posted at: 12:08am PDT |
Sun, 22 November 2009
In Episode 9, The MacDudes talk about hardening your Mac using native security applications and processes.
Following in the security theme, the Plist of the Week (PLoW) covers com.apple.loginwindow.plist and com.apple.loginitems.plist. We have a great interview with Joe Duke of AccessData. Joe will discuss the use of FTK in analyzing Macintosh and the new FTK Mac Forensics course. The following are some of the websites we talk about concerning Mac Security & anti-virus Mac Shadows Secure Mac Mac Hacking Security Social Intego Blog The show note to follow, honest! Be Safe, The MacDudes |
Sun, 15 November 2009
In Episode 8, we cover preparing a Mac for use as an analysis system. We also go over a lot of tools that are useful in analysis of a Mac. We have an interview with Ben Charnota of BlackBag Technologies about their new software write block (beware: Ryan's mic will be found lacking).
Google is providing free internet access in a number of airports this holiday season. Here is a link to an article about it: http://tiny.cc//Free_Google312 Plist of the Week: com.apple.recentitems.plist No Website of the Week this episode, the show was getting a little too long so I pulled it out. We will include it in the next show. Show notes to follow! Be safe, The MacDudes |
Sun, 25 October 2009
There was a problem with the sound quality of the Episode 7 interview. Yes, sound quality issues, imagine that. I corrected the problem and uploaded a new version yesterday afternoon.
Still trying to get it right. Sorry for the inconvenience it is causing while listening.
Be safe,
Dave
Category:general
-- posted at: 2:25pm PDT
|
Fri, 23 October 2009
This episode, the MacDudes have an interview with Lee Whitfield of the Forensic 4cast Podcast, talk about features in Snow Leopard that are of interest to examiners, and the Plist of the Week.
Also discussed; Problems with Time Capsule Linkedin Groups Bodega application Twitter's Computer Forensic Information Snow Leopard's Problems with Guest Accounts MobileSyncBrowser Look for show notes soon. |
Mon, 5 October 2009
In this Episode, Ryan interviews Al Lewis of SubRosaSoft, Chris talks with Social Media & Communications expert, Christ M. Miller about her website, Cops2Point0.com.
The MacDudes also discuss: HFS+ read support in BootCamp 3.0 Mac OS's native screenshot capabilities Plist of the Week: com.apple.sidebarlists.plist We're still struggling with some sound quality issues, hopefully we will have this worked out with the next round of interviews. Show notes will be posted shortly. |
Sun, 9 August 2009
In this episode, the MacDudes talk about iPhone backup files and tools to parse them, imaging iPods, how to extract a dictionary file from swap files over 2GB in size and the Plist of the Week.
|
Sat, 4 July 2009
This episode covers why we point everyone to the user's Home folder first. Ryan talks about Diskarbitration for Leopard and Tiger. Chris showcases the Plists of the Week, Safari bookmarks, history, downloads, TopSites & Last Session.
Websites of the Week: MacTracker & EveryMac Podcasts to listen to: CyberSpeak & Forensic 4Cast Show notes are available for download. They are more detailed than the synopsis below: Click here to Download Show notes synopsis: Home Folder: -Most of the evidence is located in the Userʼs Home Folder -Majority of the Preference PLists with user-specific settings are in User/Library/ Preferences -User Logs: -Indicative of the userʼs activity -Not system activity, but user specific logs -Preferences: -PLists files or proprietary format files for the User -Contains configurations and settings for the User -I.E. Online activity, buddy lists, email, logins, etc. -Application Support: -Mozilla Cache, iPhone backup files from MobileSync folder -Application PLists with information LEOPARD: -Disk Arbitration looks at devices and mounts the device and makes icon to access this device available to the user -On Boot, Disk Arbitration recognizes the internal hard drive. Recognizes file system. Mounts partitions on desktop. -In order to prevent writes, we must prevent the mount. -To turn off Disk Arbitration, enter Terminal and type: sudo launchctl unload System/Library/LaunchDaemon/com.apple.diskarbitrationd.plist -Now when you connect a disk, the disk will not mount -To turn back on, enter Terminal and type: sudo launchctl load System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist or Reboot system and diskarbitration will become active again TIGER: -Not controlled by LaunchCtl process -Need to move the PList from one location to another -Method: 1. Make copy of the diskarbitrationd.plist 2.Once the copy is made, use the remove command in Terminal to delete the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder 3.Reboot system 4.Only OS Boot partition will mount. To UNDO, Copy the diskarbitrationd.plist back to the /etc/mach_init.d folder and reboot the system. PList(s) of the Week(PLOW): User/Library/Safari: Bookmarks.plist: -User created/maintained bookmarks Downloads.plist -Any downloads specific to Safari -Download history History.plist: -History from Safari if not cleared TopSites.plist -Came with Safari 4 -When a New Tab is opened, it opens thumbnails of most visited sites -Instead of typing URL, just click on thumbnail and it opens the site. LastSession.plist: -Indicates what was open on last Safari session -If multiple windows opened, it will indicate each as a different Item |
Sat, 27 June 2009
Sorry it took so long but the show notes for Episode 3 are ready. You can either read a shortened version below or download the PDF. The PDF has images that help explain some of the locations and other aspects of what was discussed.
Download Show Notes Safari Internet Cache: Original location for Safari 2 and early 3: - Users/USERNAME/Library/Caches/Safari/ - Files were given Unique ID and extension of .cache Version 3: switched to a sqlite database file and moved the cache to /var/folders -Location: /var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari -Cache.db file -If in Windows environment, ie. Encase, you will not see “/var/folders”, instead it will be: -/private/var/folders/(UniqueID)/(UniqueID)/caches/com.apple.Safari -var/folders view on Mac is called “soft link” as Private is implied Latest Safari Ver 3 & Version 4 moves the cache back to: Users/USERNAME/Library/Caches\com.apple.safari - The Cache.db file resides here. Probable change was security based as it placed te file back in the users folder. Viewing Safari Cache: SQLite DB Browser 1.3: Database: can use SQLite DB browser 1.3 from Sourceforge -Displays the .db tables -Example: “Response Table”: has website URL and Date/Time Stamp in GMT Filejuicer: -Drop the Cache.db on Filejuicer and it will parse the data out -Images, HTML, TXT, etc. Incident Response/Trusted Utilities: -Often times, whenever out on scene, it is an unknown environment -Must consider all machines to be unknown and applications possibly altered -Best way to prepare is to have our own trusted utilities disk -Recommend a flash drive, minimum 4 GB to use -If PowerPC: recommend Firewire, if Intel: recommend USB Trusted Utilities Drive: 1. Disk Initialization (formatting for you Microsofties): Use Disk Utility to initialize the drive and wipe it prior to placing tools on it. 2. Put on utilities: i.e. Terminal, System Profiler, etc. 3. Rule of thumb: Command Line Tools/GUI Tools/Evidence Collection. 4. Name the Volume/Disk something you will recognize i.e. “RyansTrusted Utilities" This eliminates confusion on Suspectʼs desktop 5. Run Trusted Utilities: Date, System Profiler and export information to Evidence Collection. 6. Keep record of the commands run for later review and reporting, i.e. use PDF printout from Mac builtin utilities. 7. Remember to direct your path to the Trusted Utilities Disk as you are never sure what the suspect has done to their machine. Control your environment. PList(s) of the Week(PLOW): Address Book: /Users/USERNAME/Library/Preferences/addressbookme.plist: -This PList originates information entered at Registration -Can contain: First Name, Last Name, Local Phone #, Street Address 1 and 2, City, State, Zip, Area Code, Local Phone#, Company, Existing email address /Users/USERNAME/Library/Preferences/com.apple.addressbook.plist: -Covers the settings for the address book entries -Print Dialog Setting /Users/USERNAME/Library/ApplicationSupport/addressbook/metadata: -Unique User ID # for each “address book entry” -File saved as “UUID/ABPerson.abcdp -Viewable with Plist Editor or by copying out and dropping in AddressBook Users/USERNAME/Library/ApplicationSupport/AddressBook/images: UUID matches the Metadata UUID -This is the image that represents the corresponding address book entry To View in Address Book: 1. Create a clean User account. 2. Copy the suspect com.apple.AddressBook folder and drop into the corresponding location in the new account. Also, copy and drop AddressBookMe.plist 3. Open Address Book and then you can view and print out the entries. Host at Large Reggie “Good Stuff” Chapman: Part One of his series on the Terminal & Commands Terminal: -Darwin: Open Source Unix Core of MacOSX -Terminal located in /Applications/Utilities -Drag and place on your dock for quick access -Change the Terminal to fit your settings, color, size -Click on “Terminal --> Preferences” (LEOPARD) -”Settings” box allows to change: -Text, Window, Shell, Keyboard, and other Advanced Changes -RYANʼs TEMPLATE OF CHOICE: OCEAN is a good setting for Court Presentation Websites of the Week MACOSXHINTS.com: -Site that has a blog theme -People post ideas/ways to solve problems -Has Forum to help research issues and find answers -Good App and Scripting resource Developer.Apple.Com: -Has the technical notes for Macs -Tech Note 1150: HFS File System -Free Utilities and information
Category:general
-- posted at: 7:35am PDT
|
Sun, 21 June 2009
Hey,
Episode 3 is uploaded and ready for your listening pleasure. We cover Safari Internet cache, the Trusted Utilities Disk and the Plist of the Week. We also have our Host at Large, Reggy, with part one of his series on the Terminal. Show notes should be posted tomorrow. Thanks for listening and keep those emails coming in! Be Safe, The MacDudes |
Wed, 17 June 2009
Look for ITC Episode 3 sometime this weekend. We are just finishing it up and should have it uploaded by Sunday, if work, wives, chores, & injuries don't get the in the way.
We will be talking about: Safari's Internet cache file Trusted Utility Disk Plist of the Week We will also have a visit from our Host at Large, Reggy Chapman, who will be discussing the first part of his series on the Terminal. We are trying to catch up on responding to emails that listeners have sent us. If we haven't responded yet, we apologize. We will get to your questions and comments as soon as possible. We are already integrating some of them into future podcasts. Be safe, The MacDudes
Category:general
-- posted at: 4:45pm PDT
|
Tue, 9 June 2009
Episode 2 is uploaded! The sound quality is a bit better but still working on that. In this episode we cover: Defeating the Open Firmware password, Mobile Forensics World's iPhone Forensics panel discussion, the Plist of the Week and a few Mac websites.
You can send any comments or questions to: Click here to send The MacDudes an e-mail Episode 1 Show Notes (Download at: Show Notes) GOLDEN RULE: Use OPTION key to boot first and confirm no Firmware Password OFP: Prevents any other startup option other than "option" or "startup disk". If OFP is active and you attempt alternative boot sequence, the system will default to the normal “Startup Disk” and possible writes will be made. -Dont want to make writes.... 1. Boot with option key to confirm Open Firmware Password exist 2. To get around: A. Pull hard drive and image via write block (24 screws or less) B. Reconfigure the RAM: 1) Shut down 2) Disconnect power (if laptop remove battery) 3) Remove stick or add stick of RAM to reconfigure 4) Close up, connect battery/power 5) Command+Option+P+R key all at once "Vulcan Death Grip" 6) Listen for 3 Chimes-Indicates reset 7) Restart and use Option key to check NOTE: Time will be reset. The clock will possibly be off. Logs may be important. Mobile Forensics World iPhone Forensics Panel iPhone Panel: -Ryan Kubasiak: Macosxforensics.com -Jonathan Zdziarski : iPhone Forensics author -Sean Morrissey :Dept. of Defense -Andrew Hoag : Moderator -Took questions from audience after moderated question session. Different ways to get data: Hardware/Software Suites: Wolf: Good for unlocked phone, and if you unlock can use. Cellebrite Different Methods: Raw Disk info: Jonathan Zdziarski and Sean Morrissey -Concerns as to what is being changed from data standpoint Dont forget about the iPhone backups on the Mac: a wealth of information PList(s) of the Week(PLOW): Plist: Registry like files but corruption of one file doesnʼt corrupt the entire system. Application plists: Quicktime: Global: Library--> Preferences--> com.apple.quicktime.plist -Shows Registered User and Registered Key -Can indicate the key for verififcation of legal software iWork (Mac Office Suite): Global-->Library-->Preferences-> iWork08: com.apple.iwork08.plist iWork09: com.apple.iwork09.plist Google Gears: Global--Library-->Preferences-> com.google.gears.plist User-->Library-->Preferences-> com.google.gmailnotifier.plist Websites to Check Out: Mac Shadows: www.macshadows.com Macenstein: www.macenstein.com |
Tue, 2 June 2009
Listener Jay pointed out that when the selected startup disk is BootCamp, you will not be able to boot into Single User Mode.
You will also not be able to boot using any other startup option except for Startup Manager (Option Key) and Terminal Disk Mode (T Key). You can reset the PRAM (CMD, Option, P, R Keys) which will reset the startup disk to the OS X startup disk. Remember, this will also reset your date and time and remove the Open Firmware password if one was set. When you boot with the option key and see the BootCamp Disk selected as default, this indicates that it is the selected startup disk. You will need to use a different method to attain the date/time and drive info. You could use forensic Boot CDs such as Macquisiton, SPADA or Raptor to boot the system for imaging or preview. Just make sure that the solution you are using will boot a Mac. Thanks to Jay for his email and tip. Be Safe, The MacDudes
Category:general
-- posted at: 10:30am PDT
|
Sat, 30 May 2009
Well, we finally got Episode 1 uploaded! We had some minor problems with sound quality, hopefully we will get those cleared up for the next episode.
You can send any comments or questions to: Click here to send The MacDudes an e-mail Episode 1 Show Notes (Download at: Show Notes) Single User Mode: GOLDEN RULE: Use OPTION key to boot first and confirm no Firmware Password -If Firmware Password in use, power off. (Firmware Password Options will be covered in a later podcast) -Single User Mode can be used to find Date/Time of the system without making changes -After OPTION key boot and confirmation of no firmware password -REBOOT holding OPTION + ʻSʼ Key to boot into Single User Mode -Will be similar to a Verbose boot -After boot stops, type “Date” at cursor and date and time will be displayed. -To find the make & model of the installed hard drive, look for the line that starts with "Got Boot Device" -Can also run System Profiler to access information about the system Training: Forward Discovery: -Non-Tool Specific Mac Forensics Survival Course -Teaches how to do Mac Forensics using Mac -Basic and Advanced Courses being offered Internationally BlackBag Technologies: -Offers both training for non-tool and Blackbag Tool Training -Suite of Proprietary tools for using a Mac to do Mac Forensics -Beginner, Intermediate, and Advanced Courses SubRosaSoft: -Also offers tool specific training -MacForensicsLab:Proprietary software Purdue University: (Law Enforcement Only): -3 day class -Traveling Class and at the University -Beginning and Advanced Course Apple: -Several certifications: -Apple Certified Support Professional (ACSP) -Apple Certified Technical Coordinator (ACTC) -Apple Certified System Administrator (ACSA) -Range of Apple Software Pro Certifications as well Plist of the Week(PLOW): This weekʼs PLOW is: com.apple.ipod.plist 1.It is located in both Global and User: Library --> Preferences 2.Contains information about all IPod/IPhone devices connected to system. 3.Includes (not comprehensive): a.UUID: Unique ID for the Device b.Connected: Last Connected Date/Time c. Device Class: IPod/IPhone d.Firmware Version e.Serial Number f. IMEI (IPhone) g.Use Count |
Fri, 29 May 2009
TechSmith is offering Snagit for free until June 5, 2009. It is normally $49.95. This is a Windows based program that allows you to create screen captures. It is easy to use and a great program.
http://tiny.cc/Free_SnagIt Thanks to Beth for the info! If you have any tips you would like to share, let us know at: coreforensics@gmail.com The Macdudes
Category:general
-- posted at: 12:54pm PDT
|
Tue, 26 May 2009
We are currently working on Episode 1 and hope to have it uploaded within the week. Check back here or at the iTunes Store.
In Episode 1 we will be covering: Single User Mode How to get the date and time on a Mac Macintosh Forensic Training We will also have our regular feature, The Plist of the Week. If you have any comments, questions or a topic you would like covered, you can email us at, coreforensics@gmail.com Thanks The MacDudes
Category:general
-- posted at: 5:00am PDT
|
Sat, 23 May 2009
Welcome to Inside the Core, the Macintosh & Apple Device Forensics podcast.
Today is a short introduction into what Inside the Core is all about. We will cover Mac specific resources and the Plist of the Week. Resources The Mac OS X Forensics website www.macosxforensics.com The Mac OS Forensics Yahoo Group tech.groups.yahoo/group/macos_forensics Tips & Tricks at the MacForensicLabs website www.macforensicslab.com Plist of the Week com.apple.preferences.account.plist This plist is located in the Local Library (/Library/Preferences) and holds information pertaining to deleted user accounts. These user accounts can be totally deleted from the system or archived by the administrator. To see if the user accounts were archived, look in the Users folder for the Deleted Users subfolder (/Users/Deleted Users/). User accounts that have been archived will be in a disk image (DMG) format or if it was FileVaulted, a sparsebundle image. |