To Carry Out a Mock Investigation. Part 2

📆 16/06/2021, Wednesday

🕰 09:21 PM.

I had a 7-day license of Magnet AXIOM and I’ve decided to try this tool and compare it with the others that I had. In May-June 2021 Magnet held a great event of great value, Magnet SUMMIT, with lots of very useful webinars and workshops. One of them was a case study using Magnet. I am going to follow these steps and study another way to solve a crime.

One of the first observations was how Apple-specific this tool is. It has lots of Apple-specific artifacts (macOS 💻 and iOS 📱). This is a good starting point for me to learn more about what’s important for the examiner.

While examining the UI, I’ve intuitively opened the CHAT 💬 section, and some iMessage thread revealed that the person whose device was acquired intended to sell the information. The next random Facebook message revealed that this device was stolen. Maybe that’s the person who wanted to see financial information? Timestamps would help. These are just some unmethodical random clues, pivot points for further swinging around :) Let’s start with the video from Magnet and follow along.

The first step was opening “View evidence for this source only” and choosing “File System” instead of the default “Artifact” in the upper-left corner of the program (Screenshot). There I saw the evidence source: MBA_Dante_April15_fv2.E01. As was stated in the presentation, fv2 means “encrypted with FileVault2”. E01 is the proprietary disk image format produced by EnCase Forensics, one of the most commonly used, as I notice. The rest is the identifying information about the evidence. The file system detected is APFS. There are some peculiarities about it that I’m collecting here. It also shows FreeQueue and Unallocated Space. GiB is 1024-based, GB is 1000-based.

The next step is selecting the “Artifacts” category again and choosing “Operating system” (evidence category on the left). There I saw a huge list 📚 of available information and evidence. While scrolling, the word “SIM” 📇 caught my eye. I am currently pursuing some decent practical experience with SIM cards and mobile forensics, so this was an interesting point for future analysis.

But I’ve got a little sidetracked. Let’s get back on track. I’ve chosen “File System Information” from the same list. There are five entries (rows) there. One of them, the first, is most likely the general, main container. The other 4 are volumes: MacHD, Preboot, Recovery, VM (standard, but MacHD is usually named Macintosh HD). The first one is the container GUID. All the volumes have the same container GUID.

When examining a MacBook, you’ll likely see two major types of users: one who does nothing except browsing, and a sophisticated user. So, if you see something like a volume renamed from its default value, you are probably dealing with the second type.

When we go to “Artifacts -> Operating System Information -> File System Information (APFS)”, select the main partition “MacHD” and see the detailed summary to the right, we may notice that the “Volume Creator Program” field has the value hfs_convert. This might indicate that the disk was converted from the HFS file system to APFS. Volume count shows how many volumes there are.

“Artifacts -> Operating System -> Operating System Information”. Local Host Name might be a useful piece of information.

“Artifacts -> Operating System -> User Accounts”. On macOS, the User ID is something similar to Windows SIDs. User accounts start from 501. 500 is probably root. Even if FileVault is not activated, you’ll need a password for the Keychain. Salted SHA-256 PBKDF2.

“Artifacts -> Operating System -> Generic Passwords” and “Artifacts -> Operating System -> Internet Passwords”. GUID\Library\Keychains\System.keychain is the system keychain. You might be able to get info even if you don’t know the password and FV2 is not activated. “Process -> Add new evidence”. Magnet Process is starting. Select Mac Artifact -> Image -> mach_image.E01. Deselect all, Volume1 -> Users -> grimessr -> Library -> Keychains (select). Do the same for the second user. Next, “Computer artifacts”, clear all. Go to “OPERATING SYSTEM” and find Apple Keychain. Click “OPTIONS” and enter the password for the user account to retrieve the User Keychain. ❗️❗️ No trailing spaces ❗️❗️ unless that’s what you want.

“Artifacts -> Operating System -> Installed Applications”. To see all third-party applications, apply a negative filter for the “com.apple” package name.

“Artifacts -> Operating System -> Startup Items - macOS”. We see OneDrive Daemon. Daemons manage services and processes in UNIX. We know it’s starting automatically and syncing.

“Artifacts -> Operating System -> KnowledgeC Application Focus”. It records how the user interacts with the device. Not much like Windows Prefetch.

“Artifacts -> Operating System -> FinderMRU”. Recent locations. Looks like the user has copied something to or from OneDrive. Let’s go to “File System -> MacHD -> Users -> dantegrimes -> One Drive”. We see an Excel file, Employee CC_SN Information. Below that a file “takeout_XXXX”. Might be Google Takeout. It also extracts metadata and shows where this file came from. For example, this takeout came from googleusercontent.

“File System -> MacHD -> Users -> dantegrimes -> DropBox”. Lots of pictures. Possible cannabis photos. Screenshots from a mobile device as well. We also see Facebook-dantegrimes.zip. It’s similar to Google Takeout.

If FV2 is active, even if you have collected unallocated space, how would you decrypt it? These blocks are dynamically allocated to different volumes. Maybe it didn’t come from an FV2 volume. And how do you define the right order of these addresses to decrypt the contents?

📆 22/06/2021, Tuesday

🕰 10:36 PM.

It’s time to make a timeline to be able to visualise this case better.

Before digging into the system, one needs to know what questions he or she needs to ask. I was not given any specific challenge, so I am going to look through some evidence and make one up myself.

Let’s assume that the owner of the PC is accused of drug dealing (I’ve briefly noticed cannabis and cocaine photos). Now, what are the potential artifacts here? Is there a way to plant such evidence 💬? There are two ways of doing so that I can think of:

  1. Browsing history. Browse on another PC and then copy the browser files onto the PC. Is this possible? What would be the indicators that this browser data was planted? Is there any metadata that cannot be tampered with? 🔬🧪 Research exclamation mark ❗️❗️❗️
  2. Documents. How easy is it to tamper with document metadata? 🔬🧪 Research exclamation mark ❗️❗️❗️
  3. Emails and chat messages. I need to make a backup of my iPhone (since all the chat messages were acquired from the iPhone backup), try to edit some chat messages and see whether it is possible. 🔬🧪 Research exclamation mark ❗️❗️❗️

Since we have so many accounts (Facebook, email, macOS) with the same name, it is pretty safe by now to assume that this PC was indeed owned by Dante Grimes, at least for quite a time.

In the tokens and passwords section there are hashed and salted passwords for both accounts on this PC. Let’s try to crack them. The algorithm was identified as SHA-512 + PBKDF2 + salted. On a live system you can get them, as well as some other user account information, from here: sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

But since I am using a dedicated tool that has acquired everything itself, here are the hashes themselves:

$ml$49261$0a35842877f52fb195336a58f72b9db92ee056a40527290a599bcda908c16d15$5c5fd0083920004948b549641100a35ed614a1b64903c55cf40192c7ec33ee307e90071eb12873a40e0f8808f81673d2545d9eea2f506997df08a65ddaaf235e and $ml$91743$9dc0fe0ffdfe980ddf410bcb14e51d126d83154aff1474bdba04e9d0761a2349$05fe38bc2b0af26ff9a92ae3a86efb8fa89179f8c4330c4e26f3aa0dcf237c7ecc87fdc0011c4743b572c65aff41075c2c1d75c661b23020c46af9be25e91bce.

I will install John the Ripper for that from here, and hashcat with the following command: brew install hashcat.

Since it is not a real case, most probably the password is easily crackable. Well, “crackable” is a big word for this, since hashes are irreversible and the only way to get the plaintext in this case would be to generate hashes of the most likely passwords using the same algorithm (SHA-512 + PBKDF2 + salted) and compare them with the ones that we have. This is called rainbow 🌈 tables. I don’t really get why rainbow… What’s so rainbowy about the hashes?

I’ve decided not to use a rainbow table, leaving my Mac to deal with the problem on its own: hashcat --attack-mode 0 --hash-type 7100 HASHES.txt WORDLIST.txt (attack mode 0 is the straight wordlist attack; mode 3 would read WORDLIST.txt as a mask file). It’s slow, but in the meantime I can explore the system further.

🕰 10:59 PM.

I’ve scrolled through the “Artifacts” section and an idea 💡 struck me: the most interesting things are usually found in conversations, which on PCs take the form of chats and email. That’s why I have started reading the acquired messages from FB, iMessage, SMS etc. Here are my findings (all put on the timeline, of course).

Date/time: event (message)
📆 9/28/2018 🕰 12:52:21 PM The user writes to one of his friends (Hoitz) that he has recently got out of jail. He contacted him about money 💰 and weed 🪴. Hoitz gave him the nickname of a drug dealer: camkins90.
📆 9/28/2018 🕰 5:06:11 PM Friends with some Cameron Jenkins on FB.
📆 9/28/2018 🕰 5:09:11 PM The same day he contacted this camkins90 guy.
📆 9/28/2018 🕰 5:16:47 PM Cameron suggests some serious drugs from Mexico.
A year later
📆 1/19/2019 🕰 11:28:06 PM Message from Dante: “How was Amsterdam man? setting up my new laptop, man its sweet!”
📆 3/15/2019 🕰 1:25:00 PM He writes to his buddy: “man I need to get over there. I got locked up last week… stupid warrants”.
📆 3/15/2019 🕰 1:47:47 PM Writes to his buddy Cameron: “you got any phones you dont need/”. Cameron replies: “I’m low right now but expecting some to come in next week.” Dante needed an Android. Why?
📆 3/19/2019 🕰 1:45:09 PM Some friend of Dante needed an Android. He was hiding from the police and was afraid of getting caught. His name is Ross. Dante offered to help.
📆 3/21/2019 🕰 6:46:15 PM Dante registers on Slack to talk to the drug dealer.
📆 3/21/2019 🕰 7:00:18 PM Dante writes to the drug dealer: “Just messaged you on slack”.
📆 3/22/2019 🕰 6:03:47 PM Dante and the running-from-the-police Ross guy agreed to meet at Reston Town Center.
📆 3/26/2019 🕰 2:57:35 PM Someone calls him Grimes (Cameron or Ross), meaning that’s probably the same person.
📆 4/15/2019 🕰 12:51:10 PM iMessage to +15405398185 from Dante: “Never mind! Just got hired on with a finance company. Going to try and grab some info I can sell… as always. But finance stuff”.
📆 3/10/2019 🕰 10:01:44 PM Looks like recon of Apple. Maybe that’s the company?
📆 4/7/2019 🕰 2:42:55 PM Googles about APFS snapshots. Turned on or off?

There are several conclusions and clues that I now have:

  1. This Dante guy is a convicted criminal who has recently got out of jail. However, he has not learned his lesson and carries on doing illegal stuff. It’s mostly buying drugs (he is not a dealer, he is a user), stealing and selling what was stolen (phones, information) and his “speciality”, as it seems, is to be some sort of mediator. Probably people ask for stuff and he finds the way to get that stuff.
  2. This MacBook was not originally Dante’s. He claims to have found it sometime around 📆 1/19/2019 (see the first 2019 message). Good present for Xmas and the New Year. That means that evidence from the HDD before the first of January does not belong to him. However, if the data source of the evidence is the mobile phone backup, then this evidence is his, since he had this phone before he had this MacBook.
  3. I saw that around 4/15/2019 🕰 12:51:10 PM Dante found a job in order to steal information and sell it. This is the pivot point of our investigation. Now I know what would be the most probable reason for acquiring this laptop. By some means the company has found out that the data was exfiltrated and wants to know how, who’s responsible and whether it was already sold or sent to anyone.

We need to determine what data was stolen, how much was already exfiltrated and to whom. Let’s sort the most probable evidence by access date and look only at evidence that was acquired after 04/15/2019, the day when Dante started working. Documents and emails are of the main interest.

Why am I sorting by access dates? My reasoning is as follows. Date created is when the document was created, right? It might even have been created on another PC. If Dante has stolen a document that was created years ago, I will not have it in my filter. Access date, however, is in my humble opinion a more reliable property. He might have opened, modified or downloaded a file, and this must have happened after he was hired (04/15/2019).
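The timeline above and the two rules just stated (laptop-resident data from before the laptop was obtained belongs to the previous owner; only Dante’s own events on or after the hire date matter) can be applied mechanically. The following is an added example, not part of the original notebook or of Magnet AXIOM: it parses the notebook’s M/D/YYYY h:MM:SS AM/PM stamps, sorts the out-of-order entries, attributes each one and marks the post-hire ones. The event rows are constructed from the notebook with paraphrased notes, and the per-event source (phone backup vs laptop) is an assumption, since the notebook does not record it.

```python
from datetime import datetime

# Constructed rows modelled on the notebook's timeline (notes paraphrased,
# one time invented); the "source" column (phone backup vs laptop) is an
# assumption, since the notebook does not record it per message.
RAW_EVENTS = [
    ("9/28/2018", "12:52:21 PM", "facebook", "phone", "asks Hoitz about money and weed"),
    ("12/14/2018", "3:00:00 PM", "file", "laptop", "screen recording (time constructed)"),
    ("1/19/2019", "11:28:06 PM", "facebook", "laptop", "'setting up my new laptop'"),
    ("4/15/2019", "12:51:10 PM", "imessage", "phone", "'hired on with a finance company'"),
    ("3/10/2019", "10:01:44 PM", "browser", "laptop", "recon of Apple"),
    ("4/7/2019", "2:42:55 PM", "browser", "laptop", "search: APFS snapshots"),
]

LAPTOP_OBTAINED = datetime(2019, 1, 19)  # first message about the new laptop
HIRE_DATE = datetime(2019, 4, 15)        # pivot point of the investigation

def parse_ts(date_str, time_str):
    """Parse the notebook's M/D/YYYY plus h:MM:SS AM/PM into a datetime."""
    return datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %I:%M:%S %p")

def attribute_owner(ts, source):
    """Laptop-resident data from before the laptop was obtained is the previous
    owner's; anything from the phone backup is Dante's regardless of date."""
    if source == "laptop" and ts < LAPTOP_OBTAINED:
        return "previous owner"
    return "dante"

def build_timeline(raw_events):
    """Normalise timestamps, attribute each event and sort chronologically."""
    timeline = []
    for date_str, time_str, artifact, source, note in raw_events:
        ts = parse_ts(date_str, time_str)
        timeline.append({"ts": ts, "iso": ts.isoformat(sep=" "), "artifact": artifact,
                         "source": source, "owner": attribute_owner(ts, source),
                         "post_hire": ts >= HIRE_DATE, "note": note})
    timeline.sort(key=lambda e: e["ts"])
    return timeline

def post_hire_events(timeline):
    """Events worth a closer look: Dante's own, on or after the hire date."""
    return [e for e in timeline if e["post_hire"] and e["owner"] == "dante"]

if __name__ == "__main__":
    for e in build_timeline(RAW_EVENTS):
        mark = "*" if e["post_hire"] else " "
        print(f"{mark} {e['iso']}  {e['owner']:14}  {e['artifact']:9}  {e['note']}")
```

Rows marked with an asterisk are the ones the access-date filter above would keep; the 12/14/2018 screen recording is attributed to the previous owner because it sits on the laptop and predates the "new laptop" message.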

I’ve looked through all the documents (Numbers, Pages, PDFs, txt, Excel, Word, RTF, images and videos). I have found nothing of interest in images or videos (apart from a screen recording, dated 12/14/2018). txt, RTF and PDF were also of no use to the investigation. There are lots of PDFs of the previous user; they were created before 2019. However, I have found something very interesting with Numbers, Pages, Excel and Word. First of all, his CV (I’ve also noticed him opening an Indeed job listing, which must correlate with this document). This will help to determine how exactly he gained access to the data and what else he could have accessed as well.

Test to open ABCDefg

1234

Some serial numbers found in the docs section:

BYV3679172

183736GTT

Bkytownsjsk24563

I have also noticed a screen recording, dated 12/14/2018. That has made me think that screenshots and screen recordings are very valuable pieces of information. I am going to export this video; maybe I will find something useful there later.

The only question left: how could he have been hired for this position with such a past 🤨.
