
🍏 Mac Evidence Collection

Created: 12.10.2020

Order

The order for collecting digital evidence on macOS and Linux-based systems during a forensic investigation is similar to that of Windows systems. The main difference is that the specific data sources and tools used may vary depending on the operating system. Here’s a general order for both macOS and Linux systems:

  1. Volatile data: collect data held in RAM, caches, running processes, network connections and active login sessions, since this information is easily lost or altered when the system is powered off or rebooted.
  2. Process and network information: gather details on running processes, open files and network connections to identify any suspicious activity.
  3. Temporary files: examine temporary files and folders, as they may contain valuable evidence of user activity or malicious processes.
  4. Log files: analyse system and application log files to identify events, errors or activities of interest.
  5. File system: investigate the file system, including files, directories and metadata, for evidence of user activity, data theft or other malicious actions.
  6. User profiles and configurations: examine user-specific data such as preferences, configurations and history files to learn more about user activity and system settings.
  7. System configurations: investigate system-wide configuration files and settings to understand the overall state and configuration of the system at the time of the incident.
  8. Internet traces: analyse browsing history, cache, cookies and other data related to internet usage to uncover websites visited, downloaded files and other online activity.

File Systems

APFS and HFS+. Apple also offers a novel technique for acquiring disk copies over a FireWire cable between two machines: Target Disk Mode (the key is T at boot; see the Target Disk section below).

Logical backup - doesn’t copy everything: slack space, free space and deleted files are missed. Imaging - a bit-by-bit copy. Should not be done on a live system!

Live Acquisition

https://github.com/Dead-Simple-Scripts/AutoLLR automatically collects live info. Quite a heavy footprint, but if we are not collecting RAM, that is not the biggest issue. This script was designed for Linux; however, it can be adjusted for macOS, for example by adding system_profiler and sw_vers, and substituting printenv for env.
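As an added example that is not part of the original post (and not AutoLLR or Kansa code), here is a small POSIX shell collector that walks the order of volatility listed under Order and applies the macOS substitutions mentioned above. The output directory layout, the collect helper and the manifest format are my own assumptions; commands that don’t exist on the host (sw_vers on Linux, lsblk on macOS) are recorded as skipped instead of failing the run.

```shell
#!/bin/sh
# Added example (not from the original post, AutoLLR or Kansa): a minimal
# live-triage collector for macOS and Linux that follows the order of
# volatility from the "Order" section and applies the macOS substitutions
# noted above (system_profiler, sw_vers, env). Assumptions: run as root for
# full process/network visibility; OUT is the output directory; shasum
# (macOS) or sha256sum (Linux) is available for hashing.

OUT="${OUT:-./triage-$(uname -n)-$(date +%Y%m%d%H%M%S)}"

# SHA-256 of a file, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# collect <name> <command> [args...]
# Runs the command if its binary exists, stores stdout+stderr in
# $OUT/<name>.txt and appends name, exit status and the hash of that output
# to $OUT/manifest.txt. Returns 1 when the command is missing on this host.
collect() {
    name="$1"; shift
    mkdir -p "$OUT"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tSKIPPED (no %s on this host)\n' "$name" "$1" >> "$OUT/manifest.txt"
        return 1
    fi
    if "$@" > "$OUT/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s\trc=%s\tsha256=%s\n' "$name" "$rc" "$(sha256_of "$OUT/$name.txt")" >> "$OUT/manifest.txt"
    return 0
}

# Most volatile first; commands absent on one OS are skipped, not fatal.
run_triage() {
    mkdir -p "$OUT"
    printf 'host=%s\nstarted=%s\n' "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$OUT/manifest.txt"
    # 1. Volatile data: clock, uptime, logged-in sessions
    collect date       date
    collect uptime     uptime
    collect who        who
    # 2. Processes, open files and network connections
    collect ps         ps aux
    collect lsof       lsof -n -P
    collect netstat    netstat -an          # macOS and Linux (net-tools)
    collect ss         ss -tulpan           # Linux replacement for netstat
    collect arp        arp -a
    # 3. System identity: the macOS substitutions for AutoLLR's Linux commands
    collect sw_vers    sw_vers              # macOS only, skipped elsewhere
    collect hardware   system_profiler SPHardwareDataType SPUSBDataType
    collect uname      uname -a
    collect env        env                  # in place of printenv
    # 4. Mounted volumes and attached disks
    collect mount      mount
    collect diskutil   diskutil list        # macOS only
    collect lsblk      lsblk                # Linux only
    # 5. Persistence and scheduled tasks
    collect launchctl  launchctl list       # macOS only
    collect crontab    crontab -l
    # 6. Log files: the last hour of unified log (macOS only)
    collect log_show   log show --last 1h
    # Hash the manifest itself last so the record can be re-verified later.
    sha256_of "$OUT/manifest.txt" > "$OUT/manifest.sha256"
}

# Usage: sudo sh mac_triage.sh run
if [ "${1:-}" = "run" ]; then run_triage; fi
```

Run it as root with sudo sh mac_triage.sh run; every output file gets a SHA-256 line in manifest.txt, and the manifest is hashed last, so the whole collection can be checked again when it reaches the lab.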

💡 My plan is to review and try running all these commands. This will help to understand the type of evidence present in the system and make necessary macOS-specific substitutions.

🗒 Write a macOS triage tool similar to Kansa but bash-based, specifically targeting macOS. Do the same for iOS, Android, Linux, AWS etc. Check Sarah’s GitHub to ensure there is nothing of that sort yet. Use https://github.com/mac4n6/APOLLO to collect DBs, https://github.com/mac4n6/macMRU-Parser to collect plists, https://github.com/mac4n6/Mac-Locations-Scraper for location DBs, https://github.com/mac4n6/iOS-Frequent-Locations-Dumper for frequent locations,

Dead Acquisition

For newer MacBooks, it gets tricky. I posted the question here. Still no answer (📆 02/08/2022).

Target Disk (Intel)

Share Disk on M1

I tried different channels and forums, but there seemed to be no obvious answer. This took quite an amount of research. By now, I can conclude the following.

Share Disk is very different from Target Disk and is relatively useless for forensic purposes (from what I’ve seen so far). Share Disk, unlike its predecessor, operates over the SMB protocol and is not mounted like a standard drive. diskutil list (or its GUI version, Disk Utility), Disk Arbitrator (a custom tool) or even ls /dev/ | grep disk won’t show it. Its mounting does not seem to be governed by diskarbitrationd (the framework for mounting and managing drives). Even though it looks mounted in the GUI, different APIs seem to be in play.

I’ve tried creating a file /etc/fstab and using custom settings for mounting my test USB drive: LABEL="TestDrive" none apfs ro,noauto. This USB device was not automatically mounted; when I mounted it manually, it was in read-only mode (ro option). I did the same for the Macintosh HD, the label for my drive on target MacBook: LABEL="Macintosh HD" /suspect apfs ro,noauto. Just in case, I acquired the volume’s UUID via diskutil info /Volumes/Macintosh\'s\ HD | grep -i uuid from both the recovery mode and when booted normally (which were different).

This is a network share, and you have the same rights as the PC user. I don’t know if there is any way to control the restrictions here, but at the moment, the most forensically sound way would be to use a physical write blocker. This tool from SUMURI is for Live acquisition only. And the page on the forum here has not been updated for a while.

Here is a video from SUMURI experts on the imaging issues, where they mention the Shared Disk mode. I am not sure how they make it forensically sound, though.

Bootable USB

🧪 What if I could make a Kali USB bootable drive and boot into macOS from it?

https://support.apple.com/en-gb/guide/security/sec7d92dc49f/web https://appleinsider.com/articles/21/01/03/how-to-boot-an-apple-silicon-mac-from-an-external-drive

This could be an option for making a raw image of the Apple drive. It will bring other complications, like decrypting the drive, dealing with Fusion Drives and parsing APFS containers. But at least it would make dead acquisition possible. Since there are ARM builds of Kali, and Kali has dd and gpart preinstalled, this is a good start.

One of the concerns published on StackOverflow was that functionality such as Bluetooth and WiFi would not work. However, that would be even better for a forensically sound acquisition.

As per the information from the Internet (in many places), macOS with M1 doesn’t support external boot.

Write Block

You can turn off disk arbitration or write blockers on the forensic MacBook.

Disk Arbitration

It prevents the host computer from writing data to the target MacBook using Target Disk Mode. To turn off this feature, refer to this page. It’s needed so the forensic machine won’t change the data on the suspect MacBook. For Mac acquisition - follow these steps.

🧪 What files are changed when something is connected to a Mac (USB or using Thunderbolt)? Is turning off the disk arbitration feature really preventing changes to the target drive?

🧪 When attaching my MacBook to another via Share Disk mode, I deleted files from the target MacBook even with DA off. Why? Share Disk doesn’t work the same way as the Target Disk mode. It’s an SMB share. See the comprehensive research above.

There is also a tool https://github.com/aburgh/Disk-Arbitrator. That can very much help and ease the work. I need to check this out.

HDD/SSD

Research

At first, Mac imaging was no different from imaging devices running other operating systems (Windows or Linux). But then Apple added Fusion Drives, which caused quite a lot of trouble for analysts; SUMURI stumbled upon it and had to work it out. After T2, Mac imaging has become even more painful, since it’s impossible to image a drive without a password and another Mac, even if FileVault is turned off. At the moment, Mac forensics resembles iOS forensics, because there is probably little you can do without a password. There used to be a disk mode in which one could perform imaging, but now it doesn’t work without a passcode.

Another interesting point is that the kill signal can now be sent over Bluetooth. That means that if someone at the crime scene has Bluetooth enabled, the owner of the evidence (the Mac) could send a command to wipe the notebook, relayed through the investigator’s Bluetooth. It sounds made up, but a Mac forensics expert said this is what it looks like now.

Also, they talked about the ITR tool that images and triages Mac devices. It supports live images of Apple Silicon Macs!

I have an old MacBook (see this blog post) and a new one with an M1 chip. Following the instructions from Michael Leclair’s Udemy course, I bought a Thunderbolt 2 to Thunderbolt 3 cable to connect the two machines. I tried this and this first, but they worked only for connecting displays. Whatever cable I tried, nothing worked. I then tried the Apple ones, but these did not work either. I ran across this text in the official Apple docs for the Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter:

This adapter is bidirectional, which means you can connect Thunderbolt 3 devices to a Mac with a Thunderbolt or Thunderbolt 2 port. In that case, the Mac must be using macOS Sierra or later, and the device using Thunderbolt 3 must provide its power. [5]

So, there are two prerequisites:

  1. macOS Sierra or later
  2. the device using Thunderbolt 3 must provide its power.

https://aliexpress.ru/item/1005001855199343.html?spm=a2g0s.12269583.0.0.5ae9776dYIfPHB&item_id=1005001855199343&sku_id=12000017867458221 USB Type-C Thunderbolt 3 2 to Mini DisplayPort DP 4K 60 Hz for MacBook Air Pro Samsung Dell XPS13 15 to Apple Cinema Display

https://www.aliexpress.com/item/1005001855439084.html?spm=a2g0s.12269583.0.0.6faf3d9dDfAwT5 Cabletime USB C 3.1 to Mini DP Adapter 4k60hz Projector Type C to Thunderbolt 2 Converter For Laptop Huawei Mate 40 Samsung N428

FileVault 2 Target Disk Mode Unlock Using the Personal Recovery Key. As is stated here on Reddit:

[…] USB-c charging cable provided is only usb2.0 for data transfer […] to do thunderbolt target disk mode, you need a thunderbolt three cable (expensive) […]

So, using the cable that came with the charger shouldn’t work since it supports USB 2.0 transfer only.

https://benfrain.com/the-thunderbolt-usb-c-ports-on-m1-macs-dont-work/

Fusion Drives

A Fusion Drive combines an ordinary drive and a small NAND flash drive that appear as one logical volume in the OS. Still, when you try imaging it, you’ll get two different images, and the image will look corrupted to the analysis tools if you don’t assemble it correctly. The NAND flash drive stores the most often used files, such as system files and those the user uses more often than others. It seems to me that the idea is the same as with prefetch in Windows 🌈.

Dead Acquisition Checklist

  • Ensure the target media (evidence drive) is sterilised (ref. Identification/Assessment stage above).
  • Turn the machine off (better to unplug it, to prevent data from being overwritten).
  • On the forensic MacBook, make sure all remote functionality is off (Bluetooth, AirDrop, WiFi, Cellular etc.) and the software-based write blocker is on (if no hardware blocker is used) - see above for the latter.
  • Connect the forensic machine to the target machine using a USB Type-C cable (for newer MacBooks) or a Thunderbolt cable for older ones.
  • Put the target machine into either Target Disk mode (for older MacBooks) or Share Disk (for newer MacBooks).
    • Share Disk.
      • Turn the suspect machine off. Press and hold the power button until you see “Continue holding for startup options”. Release it when “Loading startup options” appears.
      • On the top panel, choose Utilities -> Share Disk and select the disk you want to share. You might be asked to unlock it (if FileVault is enabled).
      • On the forensic machine, go to Network or wait for the device to appear in the Finder sidebar. If it doesn’t, open Finder -> Preferences -> General and make sure External disks, Connected servers and Hard disks are selected. Then move to the Sidebar tab and ensure everything is selected there too.
    • Target Disk. There are two ways to boot into this mode. One is simply holding the T key while powering on. The second is from Preferences. This legacy option is not present on the latest Apple devices.

⛔️ I could not make the whole thing work. I even thought there might be some problem with the genuine Apple cables. ✍🏻 However, in my case, the issue appears to be very primitive: both my MacBooks had the same name. AirDrop was smart enough to rename one by appending (2), but in this mode, it seems that was not so easy. Once I named the machines differently, it all started to work. Also, I changed the HDD names, just in case.

❗️This option is not a write-proof one. I managed to delete a folder from the drive. Make sure the write blocker is on.

Live Acquisition Checklist

  • Attach a write blocker or run a software-based one. On the forensic MacBook, you can turn off disk arbitration or use write blockers. To turn off this feature, refer to this page. It’s needed so the forensic machine won’t change the data on the suspect MacBook. For Mac acquisition - follow these steps.

  • List all drives to get the id of the target.

  • Connect external HDD or SSD

  • Launch some forensic distribution (for example, Paladin). Make an image of the local HDD (❗️ Won’t work for M1 Apple devices).

    🧪 What files are changed when something is connected to a Mac (USB or using Thunderbolt)? Is turning off the disk arbitration feature really preventing changes to the target drive?

RAM

On the forensicswiki [1], there is a list of tools to be used for RAM acquisition. I’ve tried several of them and realised that the current problem in the forensic community is that the tools get old much faster than the information gets updated… Sadly.

OSXPmem

It’s part of Rekall (download). There are a few complications, though.

⚠️ SIP needs to be disabled: reboot into Recovery (CMD+R) > Terminal > csrutil disable > reboot. Otherwise, you might run into this issue: dump_memory(833): Failed to load kext (No such process).

⚠️ USB > Get Info > unlock 🔒 > Ignore ownership on this volume (check). Otherwise, you might run into this issue: Can’t load kext ./pmem.kext, as it is not owned by root:wheel. Just chowning didn’t work for me. When I unchecked it, replugged the USB and decompressed the archive, I managed to get the dump without this error.

❗️ Restart the Terminal for changes to take place!

📘 BTFM

List all drives

(Linux and macOS):

sudo fdisk -l # Linux
lsblk         # Linux
mount         # Linux and macOS

On Windows:

diskpart
DISKPART> list disk

Make an image:

sudo dd if=/dev/sda1 of=/case1/diska1.dd
sudo dd if=/dev/sdb of=/case1/diskb.dd

# dcfldd - dd with on-the-fly hashing; hashconv - calculate the hash after or before the conversion
sudo dcfldd if=/dev/sda of=/home/diska.dd hash=md5 hashlog=/home/diskaa0md5.txt
sudo dcfldd if=/dev/disk4 of=/Users/$USER/Documents/image.img hash=md5,sha1 md5log=/Users/$USER/Documents/md5.txt sha1log=/Users/$USER/Documents/sha1.log hashconv=after bs=512

# dc3dd - the most forensically useful tool: calculates hashes of the input source and the image to make sure they match. Verbose output
# to install on macOS - brew install dc3dd
sudo dc3dd if=/dev/sdb hof=sdb.img hash=md5 hash=sha1 log=hash.txt

⛔️ If you get dd: /dev/disk4: Resource busy on macOS when trying to make an image with dd, ✍🏻 go to Disk Utility and unmount the drive (don’t eject it).
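An added example, not from the original post, that does with plain dd what the dc3dd line above does: image, hash both sides and log the result. The file names, the log format and the bs=512 choice are my assumptions. It also shows the padding caveat of conv=sync: a source whose size is not a multiple of bs yields a larger image and a hash mismatch, which the log makes visible through the byte counts.

```shell
#!/bin/sh
# Added example, not from the original post: image a device with plain dd
# and verify the copy the way dc3dd/dcfldd do, by hashing source and image.
# Assumptions: the device is unmounted first (Disk Utility > Unmount, not
# Eject, or diskutil unmountDisk /dev/diskN) and readable by the caller
# (sudo); shasum (macOS) or sha256sum (Linux) is available. It works on a
# regular file too, which is how the sample run exercises it offline.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# image_and_verify <source> <image> <logfile>
# bs=512 matches the sector size; conv=noerror,sync keeps going past an
# unreadable sector by writing a zero-filled block in its place so that
# offsets stay aligned. Returns 0 only when source and image hashes match,
# 1 on a mismatch, 2 when dd itself failed.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    printf 'started=%s\nsource=%s\nimage=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" > "$log"
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"; then
        printf 'verified=no (dd failed)\n' >> "$log"
        return 2
    fi
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf 'source_bytes=%s\nimage_bytes=%s\n' \
        "$(wc -c < "$src" | tr -d ' ')" "$(wc -c < "$img" | tr -d ' ')" >> "$log"
    printf 'source_sha256=%s\nimage_sha256=%s\n' "$src_hash" "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        printf 'verified=yes\n' >> "$log"
        return 0
    fi
    # Caveat: with conv=sync the final partial block is padded with zeros, so
    # a source whose size is not a multiple of bs gives a larger image and a
    # different hash even though no data was lost. Compare the byte counts.
    printf 'verified=no\n' >> "$log"
    return 1
}

# Usage: sudo sh image_verify.sh /dev/disk4 /Volumes/Evidence/disk4.dd /Volumes/Evidence/disk4.log
if [ $# -eq 3 ]; then image_and_verify "$1" "$2" "$3"; fi
```

On a whole device the size is a multiple of the sector size, so the hashes agree; if verified=no appears with image_bytes larger than source_bytes, the padding, not the copy, is the cause.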

📝 Some commercial tools like Cyber Triage allow analysing the evidence on a live system without imaging drives or dumping memory. The digital footprint is claimed to be minimal. It can be used remotely.

🧪 Will any USB work (GPT or MSDOS) or should I have both for different cases?

Turn off Disk Arbitration

Older Mac:

cd /etc/mach_init.d
ls
sudo cp diskarbitrationd.plist /   # keep a copy to restore later
ls /
sudo rm diskarbitrationd.plist

Monterey

# Option #1. Kill the process
# /var/run/diskarbitrationd.pid holds the PID; ps -ex lists the processes
ps -ex | grep "$(cat /var/run/diskarbitrationd.pid)"
sudo kill "$(cat /var/run/diskarbitrationd.pid)"

# Option #2. Remove the plist
sudo cp /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist /
# removing it fails with a read-only file system error: /System is read-only on Monterey

Turn on Disk Arbitration

sudo cp /diskarbitrationd.plist /etc/mach_init.d
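An added example (not from the original post or the Disk Arbitrator tool) with the checks a practitioner would run on the forensic Mac before touching a suspect volume, covering the Write Block section and the ❗️ note in the checklist: is diskarbitrationd still running, is the volume actually mounted read-only, and what /etc/fstab line keeps it ro,noauto (the approach tried in the Share Disk section). The function names, the mount(8) line formats it parses and the \040 escape for a space in a label are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or Disk Arbitrator: checks to run
# on the forensic Mac before touching a suspect volume. Assumptions: pgrep is
# available (macOS and most Linux); mount(8) prints either the macOS form
# "/dev/disk4s1 on /Volumes/X (apfs, local, read-only)" or the Linux form
# "/dev/sdb1 on /mnt type ext4 (ro,relatime)"; and the fstab parser accepts
# \040 for a space inside a label.

# da_status: "running" if diskarbitrationd is alive (auto-mounting is on),
# "stopped" otherwise. Only meaningful on macOS.
da_status() {
    if pgrep -x diskarbitrationd >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# mount_is_readonly <mountpoint> [captured-mount-output]
# 0 = mounted read-only, 1 = mounted writable, 2 = not mounted. Reads live
# `mount` output unless a captured copy is supplied (used for offline tests).
mount_is_readonly() {
    mp="$1"
    if [ -n "${2:-}" ]; then table=$(cat "$2"); else table=$(mount); fi
    line=$(printf '%s\n' "$table" | grep -F " on $mp " | head -n 1)
    [ -n "$line" ] || return 2
    opts=${line##*\(}; opts=${opts%\)}        # text inside the final (...)
    opts=$(printf '%s' "$opts" | tr -d ' ')   # macOS separates with ", "
    case ",$opts," in
        *,read-only,*|*,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab_ro_entry <label> [fstype]
# Emits the /etc/fstab line used in the Share Disk section: the volume is
# not auto-mounted and comes up read-only when mounted by hand. Spaces in the
# label are written as \040 (assumption, see header).
fstab_ro_entry() {
    label=$(printf '%s' "$1" | sed 's/ /\\040/g')
    printf 'LABEL=%s none %s ro,noauto\n' "$label" "${2:-apfs}"
}

# Usage: sh write_block_check.sh /Volumes/Evidence
if [ -n "${1:-}" ]; then
    printf 'diskarbitrationd: %s\n' "$(da_status)"
    if mount_is_readonly "$1"; then
        echo "$1: mounted read-only"
    else
        echo "$1: NOT read-only or not mounted, do not proceed"
    fi
fi
```

The read-only check is the one that matters after the Share Disk finding above: even with disk arbitration off, nothing in the SMB path enforces read-only, so mount_is_readonly returning 1 is the signal to stop and put a hardware write blocker in place.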

References


[1] Tools: Memory Imaging, forensicswiki, https://forensicswiki.xyz/wiki/index.php?title=Memory_Imaging

[2] Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1), 2011

[3] OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility, https://ponderthebits.com/2017/02/osx-mac-memory-acquisition-and-analysis-using-osxpmem-and-volatility/

[4] If you don’t have permission to use files on a Mac disk

[5] How to turn off Rootless (SIP, or System Integrity Protection) in OS X

[6] Memory compression and forensics

Further reading:

https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X
Brief Introduction to macOS Forensics | by darkdefender | Medium
https://medium.com/about-developer-blog/macos-forensics-diy-style-3369868505dd
http://www.computerpi.com/forensic-acquisition-of-mac-computers/
https://forensicswiki.xyz/wiki/index.php?title=Mac_OS_X_Alias_Files
https://www.sans.org/cyber-security-courses/mac-and-ios-forensic-analysis-and-incident-response/#addsearch=linux%20forensics

Important researchers: Sarah Edwards, mac4n6.com; GitHub - mac4n6/Presentations: Presentation Archives for my macOS and iOS Related Research, https://github.com/mac4n6/Presentations