Forensic Analysis of Mac OS X - Incident Responder View

Ms. Haritha Annangi, Digital Forensic Investigator, Fraud Management & Digital Forensic CoE, ESRM, TCS.

1. Introduction

Over the years, Mac users have considered anti-virus software unnecessary, since they enjoyed the benefit of being less exposed to malware attacks than Windows users. This “myth” led to the proliferation of systems running Mac OS X in major corporations, web design firms, and marketing companies. Malware such as WireLurker, distributed through trojanized / repackaged OS X applications, has disproved this notion and created the need for OS X incident response. This article discusses collecting important volatile information using basic bash commands, and collecting volatile memory (RAM) from Mac systems using the open source tool “osxpmem”. The commands and procedures below can be used to collect and preserve relevant artifacts for a malware investigation.

2. Basic Bash commands

One of the most critical steps in cyber security incident handling is to collect the volatile data from the computer under investigation in a forensically sound manner, since digital evidence is highly fragile in nature. Volatile data describing the system’s current state will produce new leads during analysis. Without volatile information one loses valuable insight into system information, network information, startup items, and running processes. In certain incidents one can determine whether a system is compromised based on the volatile data alone. Written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell, Bash is a UNIX shell and command language, first released in 1989. Bash has been distributed widely as the default shell on the major Linux distributions and OS X. The following mind map lists a few important bash commands useful for an incident / first responder.


Figure: Mind Map for Bash commands

a) System Information

1. date: displays the current date and time
2. hostname: displays the name of the computer
3. uptime: displays how long the system has been running
4. sw_vers: prints product name, version, and build version
5. uname -a: provides details about the operating system name and version. The -a switch provides extra details such as the kernel version.
6. bash --version: displays the bash version

b) Users Logged On

1. whoami: displays the current domain and username
2. who: displays which users are currently logged onto the system
3. w: displays which users are logged in and what process they are currently running
4. finger: displays additional information about a specified user, including their home directory, shell, idle time and more
5. last: shows the last login times of each user

c) Process Information

1. ps aux: displays the processes running on the system.
   a - displays processes from all users
   u - displays the owner of each process
   x - shows processes not attached to a terminal

d) Open files

1. lsof -p <pid>: the -p option is used to inspect all the open files of the specified process ID.

e) Network Information

1. ifconfig: displays the system's internal IP address and other network interface information
2. netstat (-ru) (-an): lists open ports and connection information. The -ru options display the routing tables. The -an options list all sockets, with numeric addresses, and the state of each connection.
3. lsof -i: the -i option is used to map processes to open ports
4. arp -a: displays the IPs that the system has contacted on the local network along with their MAC addresses

f) System Startup

1. launchctl list: lists currently loaded launch agents and daemons
2. crontab -l: lists the scheduled cron tasks for the logged-in user
3. atq: dumps the "at" tasks for the logged-in user
4. kextstat: returns a list of loaded KEXT files, also known as drivers. KEXT files should commonly be installed in the /System/Library/Extensions directory.

g) Miscellaneous

1. codesign (-vv) (-d): used to create or display developer signatures for binaries on the system. The -d option displays code signing information; -vv prints extra verbose information about the signature.
2. file: returns the known file type of a specified file. When approaching an unknown file, a good first step is to determine its file type, so the file command is a good starting choice.
3. md5: returns the MD5 hash value of a specified file
4. mdfind (-name) (-onlyin): helps you search for files containing keywords incredibly quickly. Example: “mdfind secret” returns all files that contain the word "secret". mdfind -name looks for the specified keyword inside file names rather than file contents.

3. Collection of RAM Dump using osxpmem

Mac systems before the release of OS X 10.6 allowed software programs to acquire physical memory through a device file called /dev/mem. For security reasons this functionality was removed from OS X 10.6 onward. Thus, to acquire a memory dump from recent Mac systems one has to use a tool that loads a kernel module to access the data. One such tool is “osxpmem”.

Step 1: Pre-requisites of RAM Dump Collection:

• The incident responder should carry a wiped external hard disk formatted with the exFAT file system to the security incident location to collect the RAM dump.
• Make a note of the serial number of the external device that is being connected to the suspect’s machine.
• OSXPmem.zip is extracted to this external drive prior to connecting it to the system. Make sure that the disk has more free space than the size of all the collections.

Step 2: Collection of RAM Dump

• The RAM dump should be collected as a single file.
• Connect the external hard disk to the suspected machine and navigate to the OSXPmem folder.
• Run OSXPmem with root permissions as shown below.

The output of OSXPmem begins by listing the regions it finds and writes to the memory dump. It lists how many pages were acquired, the size of the physical address space, the file format and name of the dump file created, and the directory table base location.

Step 3: Downloading Mac Volatility profiles

Prebuilt Mac profiles are available on volatility website for all Mac OS X versions starting from 10.5, including 32-bit and 64-bit kernels.

Download the proper Mac Volatility profile before beginning analysis of Mac memory dumps with the Volatility framework. Copy the downloaded profile to the “volatility/plugins/overlays/mac” folder as shown below.

4. Conclusion

As Apple’s market share rises, the Mac OS X platform will become a target for malware authors. The proliferation of Mac malware has created demand for Mac OS X incident response and Mac malware analysis skills. Collection of relevant volatile information is essential in handling a security incident. In some cases one can determine whether a system is compromised based on the volatile data alone.
