Mac Forensics

June 4, 2009 by Lee Whitfield  
Filed under Technical Articles

Last Thursday I had the pleasure of attending the Mac Forensics F3 training day.  For those of you that do not know what F3 is, it is the ‘First Forensic Forum’.  Most digital forensic investigators in the UK are linked to this organisation in some way and they offer training days every few months.

I thought that I would quickly note some items that were shared with us before I either forget about it or lose my notes.

Imaging

This can be accomplished on either a Mac or a PC. If you’re looking to image with a Mac there are a few options to choose from, but one of the best is offered by the guys over at http://macosxforensics.com.  Their Mac OS X Forensics Imager is based on libewf and puts a graphical front end on libewf’s console-driven acquisition tool, producing E01 images that EnCase and FTK read directly.

The everyday command-line tools, dd and dcfldd, also run on the Mac (dd ships with OS X; dcfldd has to be installed separately).  Whichever you use, hash the source and the image and record both.

A hardware write blocker is always recommended, but it is possible to image a drive without one by stopping ‘Disk Arbitration’, the daemon (diskarbitrationd) that automounts volumes when a drive is connected.  Do this before the evidence drive is plugged in: once the daemon is unloaded, newly connected drives are not mounted, so the examination Mac will not write to them (mounting a journaled HFS+ volume, even briefly, can alter it).  This is a software control, not a write blocker, so check with ‘mount’ that the evidence device really has not been mounted before you start reading from it.  Just don’t forget to turn it back on once you’re finished, otherwise your own drives will stop mounting and you may run into some difficulty.  In order to turn this off just open Terminal and type:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

To turn it back on type:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
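As an added example (this is not from the original post or the F3 notes), here is the whole procedure scripted in Python: unload the diskarbitrationd job, check that the evidence device has not been mounted anyway, read the raw device in large chunks while computing a SHA-256, re-hash the written image to verify it, and reload the job whether or not anything failed.  The launchd plist path and the /dev/diskN naming are assumptions about a 10.5/10.6-era Mac; the sample ‘mount’ output in the comments is constructed.

```python
"""Image a raw device on a Mac with Disk Arbitration disabled, hashing on the fly.

Added example, not from the original post: the launchd plist path is the one
on 10.5/10.6-era systems, and the device names are assumptions.
"""
import hashlib
import subprocess
import sys

# launchd job that runs diskarbitrationd (the automounter). Assumed path for OS X 10.5/10.6.
DISKARB_PLIST = "/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist"
CHUNK = 1024 * 1024  # 1 MiB per read; large sequential reads suit the raw device node


def set_disk_arbitration(enabled):
    """Load or unload the diskarbitrationd job. Needs root, so run the script with sudo."""
    subprocess.run(["launchctl", "load" if enabled else "unload", DISKARB_PLIST], check=True)


def mounted_at(mount_output, device):
    """Return the mount point of `device` or any of its slices, or None if not mounted.

    Parses the output of the BSD `mount` command, whose lines look like
    '/dev/disk2s2 on /Volumes/Evidence (hfs, local, journaled)'  (constructed sample).
    """
    for line in mount_output.splitlines():
        if " on " not in line:
            continue
        dev, rest = line.split(" on ", 1)
        # match the whole disk (/dev/disk2) and its slices (/dev/disk2s1) but not /dev/disk20
        if dev == device or dev.startswith(device + "s"):
            return rest.rsplit(" (", 1)[0]
    return None


def image_stream(src, dst, chunk=CHUNK):
    """Copy src to dst in fixed-size reads; return (bytes_copied, sha256_hex) of what was read."""
    digest = hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        digest.update(buf)
        total += len(buf)
    return total, digest.hexdigest()


def sha256_of_file(path, chunk=CHUNK):
    """Re-read a file from disk and hash it, to verify the image that was written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            digest.update(buf)
    return digest.hexdigest()


def acquire(device, image_path):
    """Unload the automounter, refuse to touch a mounted device, image it, verify, reload."""
    set_disk_arbitration(False)
    try:
        input("Disk Arbitration is off. Connect the evidence drive, then press Enter: ")
        mount_out = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
        mount_point = mounted_at(mount_out, device)
        if mount_point:
            raise SystemExit("%s is mounted at %s; not imaging a mounted volume" % (device, mount_point))
        # Read the raw node (/dev/rdiskN) for unbuffered, sequential access.
        raw = device.replace("/dev/disk", "/dev/rdisk", 1)
        with open(raw, "rb") as src, open(image_path, "wb") as dst:
            size, acquired = image_stream(src, dst)
        verified = sha256_of_file(image_path)
        print("read %d bytes; acquisition sha256 %s; image sha256 %s" % (size, acquired, verified))
        return acquired == verified
    finally:
        set_disk_arbitration(True)  # always re-enable automounting, even after a failure


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sudo python3 acquire.py /dev/diskN evidence.dd")
    sys.exit(0 if acquire(sys.argv[1], sys.argv[2]) else 1)
```

Run it as root before the evidence drive is attached, and keep the printed hashes with your notes.  The approach belongs to this 2009-era OS X; on El Capitan and later, System Integrity Protection stops launchctl unloading daemons under /System, so a hardware write blocker is the only option there.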

Artefacts

Spotlight index – each indexed volume carries its own index, in a hidden .Spotlight-V100 folder at the volume root, so the index found on a volume describes the files of that volume.

Swap files – /private/var/vm/swapfile0 (further swapfile1, swapfile2, and so on are created as memory pressure requires); these can hold fragments of process memory.

Sleepimage – /private/var/vm/sleepimage, the Mac equivalent of hiberfil.sys on Windows: a copy of RAM written out when the machine goes to sleep.

Log Files – /var/log – can be opened with the Mac ‘Console’

Property Lists – two main types, XML and binary. Plists hold application and system settings, so they play much the role the registry does on Windows. Property List Editor is part of the Developer Tools supplied with a new Mac. There is also ‘Pref Setter’ (which has a nice search feature), and iPod Robot offers a plist reader for Windows.
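The two formats can be handled without a GUI tool. The following is an added example (not from the original post): it tells binary plists from XML ones by their leading bytes, parses either with Python’s plistlib, converts to XML text as ‘plutil -convert xml1’ would, and recursively searches for a key, which is what Pref Setter’s search does. The sample preferences plist is constructed here and is not a real file.

```python
"""Read XML and binary property lists and search them for a key.

Added example, not from the original post. The sample plist is constructed here;
it is not a real preferences file.
"""
import datetime
import plistlib

# Constructed sample: the kind of per-user preferences plist found under
# ~/Library/Preferences. Keys and values are made up for the example.
SAMPLE = {
    "RecentDocuments": {
        "CustomListItems": [
            {"Name": "budget.xls", "Bookmark": b"\x00\x01\x02\x03"},
            {"Name": "letter.doc", "Bookmark": b"\x04\x05"},
        ]
    },
    "LastUsedDate": datetime.datetime(2009, 5, 28, 9, 15, 0),
    "NSWindow Frame Main": "100 200 640 480 0 0 1440 878 ",
    "ShowHidden": False,
}


def plist_format(data):
    """Identify a plist by its leading bytes: binary plists start with 'bplist00',
    XML plists with the XML declaration (possibly after a UTF-8 BOM or whitespace)."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip(b"\xef\xbb\xbf \r\n\t").startswith(b"<?xml"):
        return "xml"
    return "unknown"


def load_plist(data):
    """Parse either format. plistlib sniffs the format itself; we record which it was."""
    return plist_format(data), plistlib.loads(data)


def to_xml(data):
    """Convert a plist (binary or XML) to XML text, like 'plutil -convert xml1'."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode("utf-8")


def find_key(obj, wanted, path=""):
    """Recursively search nested dicts and lists for keys containing `wanted`
    (case-insensitive), returning (path, value) pairs."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = "%s/%s" % (path, key)
            if wanted.lower() in key.lower():
                hits.append((here, value))
            hits.extend(find_key(value, wanted, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_key(value, wanted, "%s[%d]" % (path, i)))
    return hits


if __name__ == "__main__":
    for fmt in (plistlib.FMT_BINARY, plistlib.FMT_XML):
        blob = plistlib.dumps(SAMPLE, fmt=fmt)
        kind, parsed = load_plist(blob)
        print(kind, "plist, last used", parsed["LastUsedDate"])
        for path, value in find_key(parsed, "name"):
            print("  ", path, "=", value)
```

Dates in plists are stored in UTC, and plistlib gives them back as naive datetimes, so note the timezone when you report them.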

Printing – The Mac has a built-in PDF printer, and the same PDF rendering doubles as the print spool: regardless of the printer used, a PDF of each print job is written to disk while it prints.  Once the job has finished the spool file is deleted, so its contents end up in unallocated clusters.  A file carve for PDFs in unallocated space will therefore return items printed from the Mac, and the PDF metadata (the Creator and Producer entries) records the application that produced the job.  I thought that this was the most interesting part of the day. This may be worth some more investigation and a full article written.
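To show what such a carve looks like, here is an added example (not from the original post or the F3 notes) that scans a blob for ‘%PDF-’ headers, cuts each document at its last ‘%%EOF’ before the next header, and pulls Creator, Producer and CreationDate out of the Info dictionary.  The ‘unallocated space’ is a constructed byte string holding two hand-made minimal PDFs between runs of junk; the Producer string imitates what Quartz writes but is made up here.  Real spool output is far larger, and in PDF 1.5+ the Info dictionary can sit inside a compressed object stream, which this regex approach would miss.

```python
"""Carve PDF documents out of a raw blob and read the producing application from each.

Added example, not from the original post. The 'unallocated space' below is a
constructed byte string holding two hand-made PDFs between runs of junk.
"""
import re

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_TRAILER = re.compile(rb"%%EOF[\r\n]*")
INFO_KEYS = (b"Creator", b"Producer", b"CreationDate", b"ModDate", b"Title", b"Author")


def make_pdf(creator, producer, created):
    """Build a minimal PDF-shaped document with an Info dictionary (constructed test data)."""
    info = b"<< /Creator (%s) /Producer (%s) /CreationDate (%s) >>" % (creator, producer, created)
    body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    body += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n3 0 obj\n" + info + b"\nendobj\n"
    body += b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    return body


# Constructed unallocated space: junk, a PDF, junk, a second PDF, junk.
UNALLOCATED = (
    b"\x00" * 512 + b"random slack " * 30
    + make_pdf(b"TextEdit", b"Mac OS X 10.5.7 Quartz PDFContext", b"D:20090528091500Z")
    + b"\xff" * 1000
    + make_pdf(b"Microsoft Word", b"Mac OS X 10.5.7 Quartz PDFContext", b"D:20090601172233Z")
    + b"\x00" * 300
)


def carve_pdfs(blob):
    """Yield (offset, bytes) for each %PDF- header that is followed by a %%EOF marker.

    Incrementally updated PDFs contain several %%EOF markers; the last one before the
    next header is taken so that updated documents come out whole.
    """
    headers = [m.start() for m in PDF_HEADER.finditer(blob)]
    for i, start in enumerate(headers):
        limit = headers[i + 1] if i + 1 < len(headers) else len(blob)
        trailers = list(PDF_TRAILER.finditer(blob, start, limit))
        if not trailers:
            continue  # header with no footer: truncated or overwritten, skip it
        yield start, blob[start:trailers[-1].end()]


def pdf_info(pdf):
    """Extract literal-string values from the document Info dictionary.

    Handles plain (...) strings only; hex strings <...> and compressed object
    streams would need a real PDF parser.
    """
    info = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*\(((?:[^()\\]|\\.)*)\)", pdf)
        if m:
            info[key.decode()] = m.group(1).decode("latin-1")
    return info


def carve_and_report(blob):
    """Return (offset, size, info) for every PDF carved from the blob."""
    return [(off, len(pdf), pdf_info(pdf)) for off, pdf in carve_pdfs(blob)]


if __name__ == "__main__":
    for off, size, info in carve_and_report(UNALLOCATED):
        print("offset %d, %d bytes: %s" % (off, size, info))
```

On a real image, feed the function the unallocated clusters exported from your forensic tool rather than the whole disk, and treat the offsets as image offsets for your notes.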

Useful Software

PeekIt, iBored, Hex Fiend, File Juicer, Mactracker, and Firefox Add-ons – CacheViewer and SQLiteManager.

MacBook Air Acquisition

March 15, 2009 by Lee Whitfield  
Filed under Technical Articles

The MacBook Air presents a unique problem that is not found with other Apple products.  With other Apple computers the MacQuisition tool can be used to create an image of the drive in question if the drive is not easily accessible.  Unfortunately MacQuisition requires a free FireWire (IEEE 1394) port in order to boot the computer into acquisition mode.  The MacBook Air has only one USB port, no FireWire port, and no optical drive.  The Apple website suggests that only an Apple-branded USB optical drive will allow booting from optical media (such as Helix).  These drives can be costly and largely pointless to purchase.
This guide provides a (relatively) simple method of removing the internal drive and imaging the drive using EnCase (or whatever brand of imaging tool you use).
Firstly, meet the MacBook Air:

[Image: air11]

The first thing you will notice is that this is a very thin computer; it has an aluminium (aluminum for you non-Brits) case.  This is quite slippery so take care not to drop it.
The first thing you will need to do is turn it over.
There are ten screws that need removing (circled below).  The front six screws are the same size; the rear-corner screws are a little longer; the middle-rear screws are longer still.  Keep track of which is which for putting it back together.

[Image: air2]

Once the bottom of the case is off you are going to focus your attention on the rear-right corner of the computer (highlighted below).

[Image: air3]

When you look closer at this corner you can see two ribbon cables.  The first of these is disconnected at ‘A’ by pulling on tab ‘B’ below:

[Image: air4]

Once this has been completed you will see four more screws (circled below).  The top two are easy enough to remove; the bottom two are partially obscured by a thin wire tucked into the drive cage.  Gently pry the cable away until the screws are exposed, then remove them.

[Image: air5]

We are now ready to remove the second ribbon cable.  Gently pull it away (marked in red below) until it is no longer connected.

[Image: air6]

Removing the drive is not difficult: carefully lift the drive cage and slide the hard drive out from underneath.  Do not pull it out from the top or try to remove the drive cage, as you may cause irreparable damage.

[Image: air7]

Once you have removed the drive, turn it over and carefully remove the black tape covering the ribbon connection (marked below).

[Image: 75]

Once the tape has been removed the ribbon connection is exposed.  Carefully pull the ribbon cable out of the connector (marked below).

[Image: air8]

When finished you should have something that looks like the picture below:

[Image: air9]

This is a ‘ZIF’ drive: a 1.8-inch PATA drive with a zero-insertion-force ribbon connector rather than a pin header.  These drives are commonly found in iPods and ultraportable PCs.  In order to image this drive you will require the following:

  • Either a ‘Tableau T14 IDE’ or a ‘Tableau T35e’ write blocking device
  • A ‘TDA5-ZIF’ drive adapter kit

Why so specific? Tableau state that the ZIF adapter is only guaranteed to work with one of the two Tableau bridges mentioned above.  I do not want to risk something going wrong so I’ll follow their advice.  Thankfully I had a ‘T35e’ already available.  You can try using this adapter with a different model, or even a different brand of write blocker, but it’s not recommended.
Carefully insert the new ribbon (provided with the adapter) into the ribbon connector on the hard drive and then connect the other end of the ribbon into the adapter (see below).  Then plug the adapter into the Tableau.

[Image: air10]

From this point forward it is exactly the same as acquiring any other hard drive.  The Tableau will pick up the drive allowing you to image as normal.

Hope this is useful to someone out there.