Mac OS X and iOS Forensics: Looking into the Past with FSEvents (SANS DFIR Summit 2017, Nicole Ibrahim, G-C Partners, LLC)
TRANSCRIPT
![Page 1: Mac OS X and iOS Forensics - SANS os x and ios forensics looking into the past with fsevents sans dfirsummit 2017 nicole ibrahim g-c partners, llc](https://reader030.vdocuments.us/reader030/viewer/2022012322/5af562617f8b9a154c8f9d46/html5/thumbnails/1.jpg)
Mac OS X and iOS Forensics
LOOKING INTO THE PAST WITH FSEVENTS
SANS DFIR SUMMIT 2017
NICOLE IBRAHIM, G-C PARTNERS, LLC

Who am I?
• Digital Forensics Expert at G-C Partners
• Part time researcher
• Part time programmer
Nicole Ibrahim | Consultant | G-C Partners | [email protected] | @nicoleibrahim

Importance
• Records historical file system activity over time
• Currently not being fully utilized by Mac examiners
• Contains User and OS activity
  • Creations, deletions, renames, permission changes and more.
• Identify names of files that previously existed but have since been deleted
• Identify what changes occurred to files of interest

Agenda
• Introduction to FSEvents
• Parsing FSEvents
• Interesting artifacts
• Caveats

Introduction to FSEvents

Introduction to FSEvents
• FSEvents or File System Events
• Generated by Apple OS FSEvents API
  • Introduced in 10.5 (only directory events up to 10.6)
  • In 10.7 file events were introduced
• Stored in FSEvent log files (gzip)
  • Historical events of changes on the file system
  • Logs can span days to months
• Found on iOS, OS X devices, external devices plugged into a Mac

Introduction to FSEvents
FSEVENT LOGS
• Location in OS X:
  • /.fseventsd
• Location in iOS:
  • Data: /private/var/.fseventsd
  • System: /.fseventsd
  • Developer Patch: /DeveloperPatch/.fseventsd
• Gzip archive format
• Name is the last Event ID stored in the FSEvent log file plus 1.
  • E.g. "00000000000a4b3e" or 674,622 decimal

Introduction to FSEvents
LIFECYCLE OF AN FSEVENT RECORD
• An object is changed
• API checks memory buffer to see if already assigned event ID
• If yes, record flags updated in memory. If not, next available ID assigned. Event stored in memory
• When memory buffer is full or volume unmounted all records are written to disk and buffer is cleared

Decoding FSEvents

Decoding FSEvents
FSEVENT RECORD COMPONENTS
• An uncompressed FSEvent log can contain 1 or more pages with the magic header "1SLD"
• Each log can contain up to 5,000 events
• Events are ordered alphabetically by Full Path
• Each record consists of 3 components:
  • Full Path: the relative full path to the file system object that incurred a change.
  • Event ID: the Event ID assigned to the full path on first change.
  • Record Flags: flags indicating the type of object that was changed and what changed for it.

Decoding FSEvents
FSEVENT RECORD FLAGS
• Type flags include:
  • File
  • Folder
  • Hard link
  • Symbolic link
• Reason flags include:
  • Created
  • Removed
  • Modified
  • Renamed
  • Permissions
  • Inode metadata
  • Finder information
  • Mount
  • Unmount
  • Last hard link removed
  • End of transaction
  • Document revisions

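As an added example (not code from the slides or from the G-C Partners parser), the following Python reads a gzip'd FSEvents log page by page and decodes each record into the three components described above, then derives the log file name from the highest event ID as the earlier slide explains. The DLS1 page layout (12-byte header, then NUL-terminated path, 64-bit event ID, 32-bit flags) and the numeric flag bits are assumptions noted in the code; the sample log is constructed inside the block.

```python
import gzip
import struct

# Flag bit values are not given on the slides; these are the values the open-source
# FSEventsParser project uses for the flag names above (treated here as an assumption).
FLAG_BITS = {
    0x00000001: "FolderEvent", 0x00000002: "Mount", 0x00000004: "Unmount",
    0x00000020: "EndOfTransaction", 0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink", 0x00004000: "SymbolicLink", 0x00008000: "FileEvent",
    0x00010000: "PermissionChange", 0x00100000: "DocumentRevisioning",
    0x01000000: "Created", 0x02000000: "Removed", 0x04000000: "InodeMetaMod",
    0x08000000: "Renamed", 0x10000000: "Modified", 0x40000000: "FinderInfoMod",
}

def decode_flags(mask):
    # Expand a 32-bit record flag mask into the type/reason names that are set.
    return [name for bit, name in sorted(FLAG_BITS.items()) if mask & bit]

def parse_fsevents_log(gz_bytes):
    """Return [(full_path, event_id, flag_names)] from one gzip'd FSEvents log.
    Assumed DLS1 page layout: b'1SLD' magic, 4 unknown bytes, uint32 page length
    (header included), then records of NUL-terminated path, uint64 ID, uint32 flags."""
    data = gzip.decompress(gz_bytes)
    pos, records = 0, []
    while pos < len(data):
        magic, _unknown, page_len = struct.unpack_from("<4sII", data, pos)
        if magic != b"1SLD":
            raise ValueError("bad page magic %r at offset %d" % (magic, pos))
        end, pos = pos + page_len, pos + 12
        while pos < end:
            nul = data.index(b"\x00", pos, end)
            path = data[pos:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            records.append((path, event_id, decode_flags(flags)))
            pos = nul + 1 + 12
    return records

def build_log(records):
    """Constructed single-page log in the same assumed layout, used for the sample below."""
    body = b"".join(p.encode() + b"\x00" + struct.pack("<QI", e, f) for p, e, f in records)
    return gzip.compress(b"1SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body)

def expected_log_name(records):
    """A log file is named after the highest event ID it holds plus one, as 16 hex digits."""
    return "%016x" % (max(e for _, e, _ in records) + 1)

# Constructed sample, already in alphabetical Full Path order; highest ID 674,621 -> "00000000000a4b3e".
SAMPLE_LOG = build_log([
    ("Users/alice/.Trash/report.docx", 674619, 0x01000000 | 0x00008000),  # file created
    ("Users/alice/Downloads/tool.dmg", 674620, 0x08000000 | 0x00008000),  # file renamed
    ("Volumes/USB", 674621, 0x00000001 | 0x00000002),                      # folder mounted
])
```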
Parsing FSEvents

Parsing FSEvents
BLACKBAG BLACKLIGHT SOFTWARE
• Closed source and paid
• https://www.blackbagtech.com/software-products/blacklight.html

Parsing FSEvents
G-C PARTNERS FSEVENTS PARSER SCRIPT
• Open source and free
• Python
• Available at https://github.com/dlcowen/FSEventsParser

Interesting Artifacts

Record Artifacts
OS X
• Just scratching the surface of interesting artifacts:
  • .Trash activity
  • User folders activity
  • Internet activity
  • Mount events

Record Artifacts: OS X TRASH ACTIVITY
• Files sent to the Trash
• Emptying the Trash

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/.Trash/%'
```

Record Artifacts: OS X USER FOLDERS ACTIVITY
• Activity in:
  • "Documents"
  • "Downloads"
  • "Desktop"

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/Documents/%'
   OR "filename" LIKE 'Users/%/Downloads/%'
   OR "filename" LIKE 'Users/%/Desktop/%'
```

Record Artifacts: OS X INTERNET ACTIVITY
• Websites visited
  • Chrome
  • Safari

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/Library/Caches/Metadata/Safari/History/%'
   OR "filename" LIKE 'Users/%/Library/Application Support/Google/Chrome/Default/Local Storage/%'
```

Record Artifacts: OS X MOUNT ACTIVITY
• Mount activity related to:
  • DMGs
  • External devices
  • Shared network drives

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "mask" LIKE '%mount%'
```

Artifacts
iOS
• iCloud synced files
• Internet activity
• Email activity

Record Artifacts: iOS ICLOUD SYNCED FILES
• iCloud synced files from other devices

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'mobile/Library/Mobile Documents/com~apple~CloudDocs/%'
```

Record Artifacts: iOS INTERNET ACTIVITY
• Websites visited?

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE '%websitedata/local%'
```

Record Artifacts: iOS EMAIL ACTIVITY
• Inbox
• Sent
• Attachments

```sql
SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'mobile/Library/Mail/%'
```

Caveats

Caveats
• Lost FSEvents
• Lack of timestamps
• External devices
• Anti-forensics
• Coalescing of multiple changes

Caveats: Lost FSEvents
PROBLEM
• FSEvents are lost due to either:
  • A hard reset of a system
  • A system crash
  • Not properly unmounting a volume
  • System upgrades
REMEDIES
• Carve for gzip files
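To show what "carve for gzip files" means in practice, here is an added example (not from the slides) that scans a raw byte blob for gzip member headers, inflates each candidate, and keeps only members whose payload starts with the "1SLD" page header, so unrelated archives and truncated members are discarded. The miniature "disk image" is constructed inside the block, and the minimal page layout it uses is an assumption, as commented.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip member header: ID1, ID2, CM = deflate
FSEVENTS_MAGIC = b"1SLD"       # page header of an FSEvents log (from the slides)

def carve_fsevents_logs(image):
    """Scan a raw byte blob (e.g. unallocated space) for gzip members whose inflated
    payload begins with an FSEvents page header. Returns [(offset, payload_bytes)]."""
    hits = []
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        # Inflate with the gzip wrapper (16 + MAX_WBITS); once a member is complete,
        # unused_data holds whatever follows it, so the scan can resume there.
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            payload = d.decompress(image[pos:])
            complete = d.eof
        except zlib.error:        # false-positive header or a damaged member
            payload, complete = b"", False
        if complete:
            if payload.startswith(FSEVENTS_MAGIC):
                hits.append((pos, payload))
            pos = image.find(GZIP_MAGIC, len(image) - len(d.unused_data))
        else:                     # truncated member: keep scanning past this header
            pos = image.find(GZIP_MAGIC, pos + 1)
    return hits

def _page(body):
    """Constructed minimal FSEvents page (assumed layout): magic, 4 unknown bytes,
    uint32 page length including the 12-byte header, then the record bytes."""
    return FSEVENTS_MAGIC + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body

# Constructed "image": slack, an unrelated gzip, a truncated copy of the log, the intact log.
GOOD_PAGE = _page(b"Users/alice/.Trash/report.docx\x00" + struct.pack("<QI", 674621, 0x01008000))
GOOD_LOG = gzip.compress(GOOD_PAGE)
SAMPLE_IMAGE = (b"\xaa" * 37 + gzip.compress(b"not an fsevents log") + b"\x00" * 11
                + GOOD_LOG[:20] + b"\xff" * 5 + GOOD_LOG + b"\x00" * 64)
```

Only intact members are recovered; a log that was still in the in-memory buffer when the system crashed never reached disk and cannot be carved, which is the point of the slide.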
Caveats: Lack of Timestamps
PROBLEM
• FSEvent Records consist of:
  • Event ID
  • Full Path
  • Flags
• Note timestamps are not mentioned
REMEDIES
• Use temporal data from the names of logs

Caveats: External Devices
PROBLEM
• Unsafe removal results in lost events
• Safe removal was performed, but FSEvents not finished writing to disk
• File system compatibility issues result in lost events
REMEDIES
• Hope that the user has properly unmounted their devices
• Carving for those lost events might not be possible due to FSEvents being stored in memory

Caveats: Coalescing of multiple changes
PROBLEM
• The FSEvents API coalesces multiple changes into a single record resulting in:
  • Inability to determine order of changes
  • Inability to determine frequency of changes
REMEDIES
• None
This file may have been created 3 times and removed twice, but we will never know

Caveats: Anti-Forensics
PROBLEM
• A no_log file was placed in the .fseventsd directory
  • FSEvents are not recorded for the volume
REMEDIES
• None. However, this scenario is unlikely and requires root privileges and advanced knowledge of FSEvents