This type of acquisition can only happen on a live system. It’s quicker and easier than imaging the drive, but you will miss some data. It’s sometimes the only way to collect data from a mobile device.
Checklist
- Attach a write blocker or run a software-based one. On the forensic MacBook you can turn off disk arbitration or use a write blocker; to turn off this feature, refer to this page. This is needed so the forensic machine won’t change the data on the suspect MacBook. For Mac acquisition, follow these steps.
- List all drives to get the ID of the target.
- Connect an external HDD or SSD.
- Launch a forensic distribution (for example, Paladin) and make an image of the local HDD (⚠️ won’t work for M1 Apple devices).
🧪 What files are changed when something is connected to a Mac (USB or using Thunderbolt)? Is turning off the disk arbitration feature really preventing changes to the target drive?
Order of Volatility
- Cache, registers (CPU). Debuggers (OllyDbg, gdb, x64dbg etc.).
- ARP cache, routing table, memory, kernel statistics, process table. Mnemonic: ARoTa MeKSaPTa.
  - Routing tables. Contain the following info: destination IP addresses or networks; the gateway IP address, or interface name if a directly connected resource; the metric, or cost, associated with the route, which lets the most efficient route be selected; the outgoing interface the machine will use when forwarding a packet.
    - Windows: route print
    - UNIX: netstat -rn
  - ARP cache.
    - Windows: arp -a
  - Process table. The list of processes currently running plus their metadata.
    - UNIX: ps
    - Windows: Task Manager (GUI) or tasklist (its output can be exported to CSV).
  - Kernel stats. RAMMap, part of the Sysinternals suite for Windows, and memmap in the Linux world. They track page usage (physical RAM chunks) and the mappings of those pages.
- Temporary files. Malware likes these folders because they are often already full of garbage.
  - Linux: /tmp
  - UNIX: swap
  - Windows: pagefile
- Disk.
- Logs. Monitoring data and remote logging pertaining to the computer in question: SIEMs and other log storage.
- Physical configuration, network topology.
- Archival media. CDs, backups, USBs.
Windows
Using 🛠️ Kansa, one can collect a wealth of artefacts from a Windows machine.
Get-NetConnectionProfile
Set-NetConnectionProfile -InterfaceIndex X -NetworkCategory private # requires admin
.\kansa.ps1 -Pushbin -Target localhost -Credential username -Authentication Negotiate
⚠️ On macOS Parallels 18 with Windows 11 running as a VM, you need to change the user’s password first so that you can provide it at the prompt.
Select-String "something" *.csv # search for the "something" keyword in all CSV files in the current directory
If the -Analysis option is provided when collecting data, Kansa will generate analysis files after the collection from remote hosts. This script can be used to pull the frequency of autoruns based on the (ImagePath, LaunchString, MD5) tuple, given that the publisher is not verified: Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 (https://github.com/davehull/Kansa/blob/master/Analysis/asep/Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1). Here is the most crucial part of the script, its heart ❤️:
SELECT
COUNT(ImagePath, LaunchString, MD5) as ct,
ImagePath,LaunchString,MD5,Publisher
FROM
*autorunsc.csv
WHERE
Publisher not like '(Verified)%' and (ImagePath not like 'File not found%')
GROUP BY
ImagePath, LaunchString, MD5, Publisher
ORDER BY
ct ASC
This script accomplishes frequency analysis using LogParser (located via Get-Command logparser.exe) with the above SQL statement. It selects the columns ImagePath, LaunchString, MD5 and Publisher from all CSV files whose names end with autorunsc.csv. It then uses (ImagePath, LaunchString, MD5) as a unique identifier, discards every row that has (Verified) in the Publisher column or File not found in the ImagePath column, counts the occurrences of each unique value, puts the count in the ct column, groups by ImagePath, LaunchString, MD5, Publisher and sorts in ascending order, so the rarest unsigned autoruns across the fleet come first.
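As an added illustration (not Kansa’s own code and not part of the original notes), the same stacking logic in Python over a constructed autorunsc-style sample, so the query’s filters and grouping can be checked without LogParser. The column names follow the query; the sample rows and host names are invented.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape Kansa's autorunsc CSV output takes (column names
# as the LogParser query reads them); columns the query does not use are omitted.
SAMPLE_AUTORUNS_CSV = """PSComputerName,Publisher,ImagePath,LaunchString,MD5
host1,(Verified) Microsoft Corporation,c:\\program files\\onedrive.exe,c:\\program files\\onedrive.exe /background,aaaa
host2,(Verified) Microsoft Corporation,c:\\program files\\onedrive.exe,c:\\program files\\onedrive.exe /background,aaaa
host1,(Not verified) Contoso,c:\\tools\\agent.exe,c:\\tools\\agent.exe /svc,bbbb
host2,(Not verified) Contoso,c:\\tools\\agent.exe,c:\\tools\\agent.exe /svc,bbbb
host3,(Not verified) Contoso,c:\\tools\\agent.exe,c:\\tools\\agent.exe /svc,bbbb
host2,,File not found: c:\\temp\\sync.exe,c:\\temp\\sync.exe,
host3,(Not verified) ,c:\\windows\\temp\\svchost.exe,c:\\windows\\temp\\svchost.exe,cccc
"""


def is_candidate(row):
    """The query's WHERE clause: drop entries whose publisher is '(Verified)' and
    dangling entries whose binary no longer exists. An empty Publisher is kept,
    as the SQL keeps an empty string (it is not LIKE '(Verified)%')."""
    return (not row["Publisher"].startswith("(Verified)")
            and not row["ImagePath"].startswith("File not found"))


def stack_autoruns(csv_texts):
    """Frequency-stack autorun entries across all hosts' CSVs (the *autorunsc.csv
    union in the query), grouped by (ImagePath, LaunchString, MD5, Publisher).
    Returns [(ct, ImagePath, LaunchString, MD5, Publisher)] sorted by ct ascending,
    so the least-prevalent entries, the ones worth reviewing first, come first."""
    counts = Counter()
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            if is_candidate(row):
                counts[(row["ImagePath"], row["LaunchString"], row["MD5"], row["Publisher"])] += 1
    return sorted(((ct,) + key for key, ct in counts.items()), key=lambda r: (r[0], r[1]))


def rarest(csv_texts, max_count=1):
    """Entries seen on at most max_count hosts: the analyst's first review queue."""
    return [r for r in stack_autoruns(csv_texts) if r[0] <= max_count]


if __name__ == "__main__":
    for ct, image_path, launch_string, md5, publisher in stack_autoruns([SAMPLE_AUTORUNS_CSV]):
        print(f"{ct:>3}  {image_path}  {launch_string}  {md5}  {publisher!r}")
```

In practice you would read every *autorunsc.csv Kansa wrote and pass their contents as the list, one string per host.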
Another tool is 🛠️ Autoruns (comes with Sysinternals), but its focus is the various autorun locations.
autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner
- -a *: all artefacts (boot execute, AppInit DLLs, Explorer add-ons, sidebar gadgets, image hijacks, IE add-ons, known DLLs, logon startups, WMI, Office add-ins, printer monitor DLLs, LSA security providers, autostart services and non-disabled drivers, Winlogon entries, scheduled tasks, Winsock protocol and network providers).
- -c: CSV output
- -h: hashes
- -s: verify digital signatures
- '*': all user profiles
Something similar to Kansa is KAPE, but it looks like it is no longer maintained. It provides the ability to extract artefacts from mounted drives (be it an image, over the network or a local drive). Here are the files/folders it pulls: https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.1-Targets.md.
Some commercial tools like Cyber Triage allow analysing the evidence on a live system without imaging drives or dumping memory. The digital footprint is claimed to be minimal. It can be used remotely.
macOS
🛠️ AutoLLR. This script was designed for Linux, but it can be adjusted for macOS: for example, adding system_profiler and sw_vers, and substituting printenv for env.
💡 My plan is to review and try running all these commands. This will help understand the type of evidence in the system and make necessary macOS-specific substitutions.
💡 Write a macOS triage tool similar to Kansa but bash-based, specifically targeting macOS. Do the same for iOS, Android, Linux, AWS etc. Check Sarah’s GitHub to ensure there is nothing of that sort yet. Use https://github.com/mac4n6/APOLLO to collect DBs, https://github.com/mac4n6/macMRU-Parser to collect plists, https://github.com/mac4n6/Mac-Locations-Scraper for location DBs, https://github.com/mac4n6/iOS-Frequent-Locations-Dumper for frequent locations.