Thursday, July 25, 2013

Mac OS X Security Part 2: The Mac Forensic Toolkit By Ryan Faas

I didn't wanna lose this info!

Unix Tools Included with Mac OS X

Several Unix tools are included with Mac OS X that can be useful in forensic investigations. The first of these, the dd command, was discussed in part 1 of this series as a method for acquiring a forensic disk image.

While many Mac utilities can create disk images, dd is an optimal choice for forensic use because it can create a disk image without mounting the drive (which would contaminate it). dd can also be used with a variety of arguments to modify how the disk image is created, including an option to split the image into multiple segments, which can be a useful tool if you are asked to present the image to another party (such as a law enforcement agency or attorney) because it enables you to create segments that can easily be burned onto CD/DVD.

To use dd effectively, however, you need to be able to identify which disk connected to your forensic Mac is the suspect disk (as well as any other disks connected to the system). You can use ls /dev/disk? to see a list of connected drives. Likewise, you can use the ioreg command with the –c"IOMedia" argument to get additional information about available drives.

If you want to examine the partition tables of either the connected but not mounted suspect drive or a copy or image of the drive, you might also find the pdisk command useful. For examining the partition table of a drive image, the hdiutil pmap command can also be helpful. Also, as mentioned in part 1 of the series, you can use the mount command to mount connected disks to a forensic system, including the argument to mount the suspect as read-only for inspection prior to imaging or copying, and you can use the –shadow argument to mount a disk image using a shadow file with the hdiutil attach command. This enables you to work with the disk as if it were writable, but preserve its contents by writing any changes to a shadow file that will be destroyed when the disk image is unmounted.

Finally, the command line grep utility as well as the command-line variations of Spotlight can assist you in locating data from a forensic image. You can also use the GUI version of Spotlight and the Finder to search for data on a forensic image.


dcfldd is an open source Unix tool that is based on dd but has been expanded to improve its use in forensic investigations. Although not included with Mac OS X, dcfldd can be downloaded and compiled to run under Mac OS X. One of the major advantages of dcfldd over dd is that is supports the hashing of data when disk images are created, allowing for verification that the contents of the image have not been modified since the image was acquired. In a situation with legal consequences, this provides another item in your chain of evidence to prove that the evidence you acquired has not be tampered with.

dcfldd also includes some other features, including the capability to output to multiple disks/images in a single operation. This is useful timesaver if you are creating multiple copies of the suspect disk to be stored as evidence or used for investigative purposes. dcfldd can also provide updates during copy and image operating so that you have an idea how long they will take, something that dd doesn’t provide. Other features that both dd and dcfldd share are also more configurable under dcfldd, which can make it a better choice in many circumstances.

Sleuth Kit and Autopsy

Sleuth Kit is an open source forensic suite available for Unix that has been verified to run effectively under Mac OS X. Autopsy is a web-based GUI for the commands included in Sleuth Kit. Sleuth Kit includes both analysis tools and case management tools. The analysis tools enable you to examine suspect disks/images in a variety of ways, whereas the case management tools provide a solution for recording your notes and evidence.

Among Sleuth Kit’s analysis tools are tools for listing files and directories, tools for examining and sorting files based on type and content, a tool for developing a timeline of actions performed while the suspect drive was in use, search tools, tools for analyzing the metadata and data structures on a suspect disk, and tools for examining the disk images and the partition tables they contain. Sleuth Kit’s case management features include a tool for organizing multiple investigations, a tool for taking notes, and a tool for establishing a timeline of events based on file activity and logs. Sleuth Kit can also be used to verify image integrity and generate reports of your findings.

Black Bag Technologies Mac Forensic Software

BlackBag Technologies is a company that specializes in data forensic tools and consulting. Its CTO, Derrick Donnelly, is considered the foremost expert on Mac forensic analysis. As a result, it is not surprising that the BlackBag Technologies Mac Forensic Software (BlackBag MFS) suite is a comprehensive, Mac OS X–specific set of tools covering every facet of Mac OS X forensic investigation for acquiring and analyzing a forensic image.

BlackBag MFS includes 19 utilities to aid in forensic investigations including browsing and scanning directories, investigating suspect files, examining file header information and metadata, searching for hidden files, discerning the type and creator codes of files, sorting files by all manner of criteria, viewing image files, searching comment data for files, and breaking up large collections of files in manageable chunks. It also provides easy-to-use GUI tools for disabling disk automounting and for mounting drives as read-only. BlackBag MFS is also designed to work well with many of the Unix command-line tools discussed earlier as well as forensic tools for other platforms.


MacQuisition is a tool also developed by Black Bag Technologies. It is designed to make the process of acquiring a forensic image much simpler. MacQuisition is a bootable Mac OS X DVD that can be used to boot a suspect computer and acquire a forensic image, saving it either to a locally mounted external drive or to a network storage location. While MacQuisition doesn’t provide tools for analyzing that image, it does provide a very simple method for acquiring an image.


SubRosaSoft’s MacFornesicsLab is the second commercial Mac OS X–specific forensic suite on the market. Like BlackBag MFS, MacForensicsLab includes a number of analysis features as well as tools to make acquiring a forensic disk image much simpler (including the ability to dynamically turn auto-disk mounting on or off). Like Sleuth Kit and Autopsy, MacForensicsLab also includes built-in tools for notetaking and case management and for organizing your evidence as you find it. MacFornesicsLab can then combine all this information into a variety of easy-to-format reports.

One of the excellent features of MacForensicsLab is that is a completely self-contained environment. From the process of initially creating and detailing a case/investigation through image acquisition and analysis, notetaking, and final reporting, the investigator never has to leave the application’s interface. It even includes a special terminal feature for running command-line tools. This provides several advantages, most notably the fact that everything is easily and automatically recorded for later use as evidence and that there is a consistency to not only the interface but also to the actions and methods used during investigation.

MacForensicsLab’s interface is very straightforward and user-friendly, but it also provides a powerful set of tools for searching, sorting, and notating data and evidence. MacForensicsLab can be also be used to recover deleted or lost data. It also includes features specifically designed for examining image files for "skin tones" to make identifying pornographic content simpler as well as to search potential credit card and social security number strings within files—two major focuses of criminal or inappropriate activity investigations.

No comments:

Post a Comment