Inside the Core

Nov 24 2011 46 mins

The Macintosh and Apple Device Forensics Podcast
Inside the Core Episode 4
Jul 04 2009 49 mins  
This episode covers why we point everyone to the user's Home folder first. Ryan talks about Disk Arbitration for Leopard and Tiger. Chris showcases the Plists of the Week: Safari bookmarks, history, downloads, TopSites and Last Session.

Websites of the Week: MacTracker and EveryMac
Podcasts to listen to: CyberSpeak and Forensic 4Cast

Show notes are available for download. They are more detailed than the synopsis below.

Show notes synopsis:

Home Folder:
- Most of the evidence is located in the user's Home folder.
- The majority of the preference plists with user-specific settings are in User/Library/Preferences.
- User Logs:
  - Indicative of the user's activity
  - Not system activity, but user-specific logs
- Preferences:
  - Plist files or proprietary-format files for the user
  - Contain configurations and settings for the user, e.g. online activity, buddy lists, email, logins, etc.
- Application Support:
  - Mozilla cache, iPhone backup files from the MobileSync folder
  - Application plists with information

LEOPARD:
- Disk Arbitration looks at devices, mounts each device and makes an icon available so the user can access it.
- On boot, Disk Arbitration recognizes the internal hard drive, recognizes the file system and mounts the partitions on the desktop.
- In order to prevent writes, we must prevent the mount.
- To turn off Disk Arbitration, enter Terminal and type:
  sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
- Now when you connect a disk, the disk will not mount.
- To turn it back on, enter Terminal and type:
  sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
  or reboot the system and Disk Arbitration will become active again.

TIGER:
- Not controlled by the launchctl process
- Need to move the plist from one location to another
- Method:
  1. Make a copy of the diskarbitrationd.plist.
  2. Once the copy is made, use the remove command in Terminal to delete com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder.
  3. Reboot the system.
  4. Only the OS boot partition will mount.
  To UNDO, copy the diskarbitrationd.plist back to the /etc/mach_init.d folder and reboot the system.

Plist(s) of the Week (PLOW): User/Library/Safari
- Bookmarks.plist: user-created/maintained bookmarks
- Downloads.plist: any downloads specific to Safari; download history
- History.plist: history from Safari, if not cleared
- TopSites.plist: came with Safari 4; when a new tab is opened it shows thumbnails of the most visited sites; instead of typing a URL, just click a thumbnail and it opens the site
- LastSession.plist: indicates what was open in the last Safari session; if multiple windows were open, each is listed as a different item

Inside the Core Episode 2
Jun 09 2009 30 mins  
Episode 2 is uploaded! The sound quality is a bit better but we are still working on that. In this episode we cover: defeating the Open Firmware password, Mobile Forensics World's iPhone Forensics panel discussion, the Plist of the Week and a few Mac websites.

You can send any comments or questions to The MacDudes by e-mail.

Episode 1 Show Notes (available for download)

GOLDEN RULE: Use the OPTION key to boot first and confirm there is no Firmware Password.

OFP: Prevents any startup option other than "option" or "startup disk". If OFP is active and you attempt an alternative boot sequence, the system will default to the normal "Startup Disk" and possible writes will be made.
- Don't want to make writes.
1. Boot with the option key to confirm an Open Firmware Password exists.
2. To get around it:
   A. Pull the hard drive and image via write block (24 screws or less)
   B. Reconfigure the RAM:
      1) Shut down
      2) Disconnect power (if laptop, remove battery)
      3) Remove a stick or add a stick of RAM to reconfigure
      4) Close up, connect battery/power
      5) Press Command+Option+P+R all at once ("Vulcan Death Grip")
      6) Listen for 3 chimes, which indicates the reset
      7) Restart and use the Option key to check
   NOTE: Time will be reset. The clock will possibly be off. Logs may be important.

Mobile Forensics World iPhone Forensics Panel
iPhone Panel:
- Ryan Kubasiak: Macosxforensics.com
- Jonathan Zdziarski: iPhone Forensics author
- Sean Morrissey: Dept. of Defense
- Andrew Hoag: Moderator
- Took questions from the audience after the moderated question session.
Different ways to get data:
- Hardware/Software Suites:
  - Wolf: good for an unlocked phone, and if you unlock it you can use it.
  - Cellebrite
- Different Methods:
  - Raw disk info: Jonathan Zdziarski and Sean Morrissey
  - Concerns as to what is being changed from a data standpoint
- Don't forget about the iPhone backups on the Mac: a wealth of information.

Plist(s) of the Week (PLOW):
Plist: Registry-like files, but corruption of one file doesn't corrupt the entire system.
Application plists:
- QuickTime: Global -- Library -- Preferences -- com.apple.quicktime.plist
  - Shows Registered User and Registered Key
  - Can indicate the key for verification of legal software
- iWork (Mac Office Suite): Global -- Library -- Preferences
  - iWork08: com.apple.iwork08.plist
  - iWork09: com.apple.iwork09.plist
- Google Gears: Global -- Library -- Preferences -- com.google.gears.plist
- User -- Library -- Preferences -- com.google.gmailnotifier.plist

Websites to Check Out:
- Mac Shadows: www.macshadows.com
- Macenstein: www.macenstein.com

Inside the Core Episode 1
May 30 2009 29 mins  
Well, we finally got Episode 1 uploaded! We had some minor problems with sound quality; hopefully we will get those cleared up for the next episode.

You can send any comments or questions to The MacDudes by e-mail.

Episode 1 Show Notes (available for download)

Single User Mode:
GOLDEN RULE: Use the OPTION key to boot first and confirm there is no Firmware Password.
- If a Firmware Password is in use, power off. (Firmware Password options will be covered in a later podcast.)
- Single User Mode can be used to find the date/time of the system without making changes.
- After the OPTION key boot and confirmation of no firmware password:
  - REBOOT holding the OPTION + 'S' key to boot into Single User Mode.
  - Will be similar to a Verbose boot.
  - After the boot stops, type "date" at the cursor and the date and time will be displayed.
  - To find the make and model of the installed hard drive, look for the line that starts with "Got Boot Device".
- Can also run System Profiler to access information about the system.

Training:
- Forward Discovery:
  - Non-tool-specific Mac Forensics Survival Course
  - Teaches how to do Mac forensics using a Mac
  - Basic and Advanced courses being offered internationally
- BlackBag Technologies:
  - Offers both non-tool training and BlackBag tool training
  - Suite of proprietary tools for using a Mac to do Mac forensics
  - Beginner, Intermediate and Advanced courses
- SubRosaSoft:
  - Also offers tool-specific training
  - MacForensicsLab: proprietary software
- Purdue University (Law Enforcement only):
  - 3-day class
  - Traveling class and at the University
  - Beginning and Advanced course
- Apple:
  - Several certifications:
    - Apple Certified Support Professional (ACSP)
    - Apple Certified Technical Coordinator (ACTC)
    - Apple Certified System Administrator (ACSA)
  - Range of Apple Software Pro certifications as well

Plist of the Week (PLOW): This week's PLOW is com.apple.ipod.plist
1. It is located in both Global and User: Library -- Preferences.
2. Contains information about all iPod/iPhone devices connected to the system.
3. Includes (not comprehensive):
   a. UUID: unique ID for the device
   b. Connected: last connected date/time
   c. Device Class: iPod/iPhone
   d. Firmware Version
   e. Serial Number
   f. IMEI (iPhone)
   g. Use Count
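The PLOW entries above (com.apple.ipod.plist here, and the Safari and application plists in the earlier episodes) are all property lists, so the same parsing approach applies to each. The script below is an added example written for this page, not code from the podcast or its show notes: it reads a com.apple.ipod.plist-style file with the standard library's plistlib and lists the device records it contains, using the fields named in the show notes. The sample plist embedded in it is constructed for the example, and its layout (a top-level "Devices" dictionary keyed by serial number, with the per-device keys above) is an assumption about the real file, so any keys the script does not anticipate are reported rather than dropped.

```python
#!/usr/bin/env python3
"""Added example: list the iPod/iPhone device records in a
com.apple.ipod.plist-style preference file.

Assumption (constructed for this example): the file has a top-level
"Devices" dictionary keyed by serial number, and each record carries
the keys the show notes list. Real files may differ; unknown keys are
surfaced under 'extra' rather than silently ignored.
"""
import io
import plistlib
from datetime import datetime, timezone

# Constructed sample: an XML plist with two device records. A real
# com.apple.ipod.plist is usually binary; plistlib.load reads both.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Devices</key>
  <dict>
    <key>SERIAL0001</key>
    <dict>
      <key>UUID</key><string>00000000-0000-4000-8000-000000000001</string>
      <key>Connected</key><date>2009-05-28T14:03:10Z</date>
      <key>Device Class</key><string>iPhone</string>
      <key>Firmware Version</key><string>2.2.1</string>
      <key>Serial Number</key><string>SERIAL0001</string>
      <key>IMEI</key><string>000000000000000</string>
      <key>Use Count</key><integer>17</integer>
    </dict>
    <key>SERIAL0002</key>
    <dict>
      <key>UUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>Connected</key><date>2009-03-02T09:41:00Z</date>
      <key>Device Class</key><string>iPod</string>
      <key>Firmware Version</key><string>1.1.3</string>
      <key>Serial Number</key><string>SERIAL0002</string>
      <key>Use Count</key><integer>3</integer>
    </dict>
  </dict>
</dict>
</plist>
"""

# The fields the show notes call out, in report order.
FIELDS = ("UUID", "Connected", "Device Class", "Firmware Version",
          "Serial Number", "IMEI", "Use Count")


def load_devices(plist_bytes):
    """Return the per-device dictionaries from the plist bytes.

    plistlib.load() auto-detects XML versus binary format, so the same
    call works on a file copied out of a disk image.
    """
    data = plistlib.load(io.BytesIO(plist_bytes))
    devices = data.get("Devices", {})
    if not isinstance(devices, dict):
        raise ValueError("unexpected layout: 'Devices' is not a dictionary")
    return devices


def summarize_devices(plist_bytes):
    """Flatten each device record to the fields of interest.

    plistlib returns plist dates as naive datetimes in UTC; they are
    made timezone-aware here so they line up with other timeline
    sources. A missing key (e.g. no IMEI on an iPod) becomes None
    instead of raising, and keys outside FIELDS are listed in 'extra'.
    Rows are sorted most recently connected first.
    """
    rows = []
    for serial, rec in load_devices(plist_bytes).items():
        row = {"key": serial}
        for field in FIELDS:
            val = rec.get(field)
            if isinstance(val, datetime) and val.tzinfo is None:
                val = val.replace(tzinfo=timezone.utc)
            row[field] = val
        row["extra"] = sorted(set(rec) - set(FIELDS))
        rows.append(row)
    never = datetime.min.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda r: r["Connected"] or never, reverse=True)
    return rows


if __name__ == "__main__":
    for row in summarize_devices(SAMPLE_PLIST):
        print(f"{row['Device Class']:<7} {row['Serial Number']:<12} "
              f"last connected {row['Connected']:%Y-%m-%d %H:%M:%S %Z} "
              f"fw {row['Firmware Version']} uses {row['Use Count']} "
              f"IMEI {row['IMEI'] or '-'}")
```

To run it against an exported file, replace SAMPLE_PLIST with the bytes read from the Global or User Library/Preferences copy; since both copies exist, running it on each and comparing the Connected timestamps is a quick way to see which account the device was used under.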