💫 System Supernova


Created: 12.10.2020

One of the main things to know when performing forensic analysis is what’s normal and what’s not. It would take ages to google every single bit of this information, which is why I decided to make a clean install of several systems and capture their state, so that I have an idea of what is normal for each of them.

Useful reference: the SANS “Hunt Evil” poster.

🍏 Apple MacBook

Clean install configs:

  • Two internal drives (HDD500Gb for Data + SSD500Gb for OS)
  • macOS Catalina
  • Region selected - United Kingdom
  • Preferred Languages are thus English (UK), Input Sources - British and Dictation English (United Kingdom)
  • Connected over WiFi
  • Don’t transfer any information now
  • Logged in with my AppleID account
  • Set username and password for the local acc
  • Geolocation allowed and allow analytics
  • Share crash and usage data
  • Screen Time and Siri enabled
  • Do not share audio recordings (not now)
  • Do not store files from Documents and Desktop, photos and videos in iCloud Drive
  • Turn off FileVault
  • Not sure that it might drastically influence the file contents, but the theme I chose was dark

I have made a clean install on MacBook 13’’ (2012) and captured the following things:

  • Open Activity Monitor and write down all running processes.

  • Open Console and let it write down the logs for a while.

  • Capture the list of all files in /System/Library and /Library folders and their contents. Root directory’s folders (to view hidden - Shift+Cmd+>). Optionally: make a tree of these folders in some editor or file along with a corresponding hash. Takes quite a while even on a small

    # get a hash for each file in the folder (shasum defaults to SHA-1)
    sudo find . -type f -exec shasum {} ';' > sums.txt
    
  • View open sockets with netstat -anvp tcp.

  • Repeat all the steps except for the recursive find and save.
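Once the find/shasum step has been run twice (once on the clean install, once later), the two sums.txt files need comparing. This is an added example of mine, not part of the original notes: it parses the “<hash>  <path>” lines that shasum writes (SHA-1 by default, or 64 hex characters with -a 256, and a “ *” separator in binary mode), tolerates paths that contain spaces, skips lines that are not checksums, and reports which files appeared, disappeared or changed. The two listings, their paths and hashes are constructed sample data, not real macOS files.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `sudo find . -type f -exec shasum {} ';' > sums.txt`
# produces on the clean install: one "<sha1>  <path>" line per file. Made-up values.
BASELINE_SUMS = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  ./Library/Preferences/example.plist
1111111111111111111111111111111111111111  ./Library/LaunchDaemons/example.daemon.plist
2222222222222222222222222222222222222222  ./Library/Application Support/Some App/data.bin
"""

# Constructed later capture of the same tree: one file changed, one disappeared,
# one new launch agent appeared (written in shasum's binary-mode " *" form),
# plus a stray line that is not a checksum at all.
LATER_SUMS = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  ./Library/Preferences/example.plist
ffffffffffffffffffffffffffffffffffffffff  ./Library/LaunchDaemons/example.daemon.plist
3333333333333333333333333333333333333333 *./Library/LaunchAgents/example.agent.plist
this line is not a checksum and is ignored
"""

# 40 hex chars (SHA-1) or 64 (sha256), a space, then either a second space
# (text mode) or "*" (binary mode), then the path exactly as find printed it.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{40}) [ *](.+)$")


def parse_sums(text: str) -> Dict[str, str]:
    """Map path -> lowercase hash. Lines that are not shasum output are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def diff_sums(baseline: Dict[str, str], later: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) paths, each sorted for stable output."""
    added = sorted(set(later) - set(baseline))
    removed = sorted(set(baseline) - set(later))
    modified = sorted(p for p in set(baseline) & set(later) if baseline[p] != later[p])
    return added, removed, modified


def report() -> Tuple[List[str], List[str], List[str]]:
    """Diff the two constructed captures and print one line per finding."""
    result = diff_sums(parse_sums(BASELINE_SUMS), parse_sums(LATER_SUMS))
    for label, paths in zip(("added", "removed", "modified"), result):
        for p in paths:
            print(f"{label:9s} {p}")
    return result


if __name__ == "__main__":
    report()
```

For real captures, read the two sums.txt files and pass their contents to parse_sums; the “modified” list is the one to look at first, since a changed hash on a file that exists on the clean install is harder to explain away than a new file.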

🪟 Windows

I have made a clean install on Dell Inspiron 5770 (?). Windows 10.

  1. Take a regshot for the registry state (only one, of course).
  2. View Task Manager processes.
  3. View open sockets.
  4. Get a list of all files in Windows folder (same way as for Mac above).

🤖 Android

This only applies to a system with USB debugging mode on (otherwise it is impossible to gain access). The device was then rooted and a new snapshot was made.

🍎 iOS

This is only possible for a jailbroken device. The same Python script can be used, but I’d rather try writing a batch script to make as little impact on the system as possible.

Python crawler-script idea 💡

Crawl the files recursively and put the folder name and the file name into a nested dictionary, along with a hash of each file. Write this into an XML or SQLite file?

import hashlib
import os


class FileDesc:
    name = ""
    md5_hash = ""
    full_path = ""
    parent = ""
    desc = ""  # e.g. "This file does that and that"


def md5(path):
    # hash in chunks so large system files don't fill memory
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


baseline = []  # one FileDesc per crawled file

# "." is a placeholder crawl root; point it at /Library, /System/Library etc.
for dirpath, _dirs, filenames in os.walk("."):
    for name in filenames:
        f = FileDesc()
        f.name = name
        f.full_path = os.path.join(dirpath, name)
        f.parent = dirpath
        try:
            f.md5_hash = md5(f.full_path)
        except OSError:
            continue  # unreadable file (permissions): skip it
        # f.desc = "This file does that and that"
        baseline.append(f)


def retrieve_file_desc(file_name=None, md5_hash=None, full_path=None):
    if md5_hash:
        matches = [f for f in baseline if f.md5_hash == md5_hash]
    elif file_name:
        matches = [f for f in baseline if f.name == file_name]
    else:
        matches = []
    # Corner cases:
    # files with the same hash or name => select by full path.
    if len(matches) > 1 and full_path:
        matches = [f for f in matches if f.full_path == full_path]
    for f in matches:
        print(f.desc)
    return matches

This script will populate my DB of the files on a clean system. Later I can refer to it to find out whether a file exists on a fresh install and what it does.
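To turn the crawler idea and this later lookup into something that runs end to end, here is an added example of my own (not the author’s script) that stores the baseline in SQLite, one of the two storage options the notes mention. It keeps the page’s fields (name, MD5 hash, full path, parent, desc), looks files up by hash first and by name second, falls back to the full path when several files share one, and then classifies a later tree as known, changed, unknown or missing relative to the baseline. The table name “files”, the helper names and the small tree built in a temporary directory are my own choices, not anything from the notes.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path

def file_md5(path):
    """MD5 of one file (the hash the notes propose), read in chunks to bound memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def open_db(db_path):
    """Baseline table: one row per file keyed by full path; desc is filled in by hand later."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS files (full_path TEXT PRIMARY KEY, parent TEXT,"
                " name TEXT, md5_hash TEXT, desc TEXT)")
    con.execute("CREATE INDEX IF NOT EXISTS files_hash ON files(md5_hash)")
    con.execute("CREATE INDEX IF NOT EXISTS files_name ON files(name)")
    return con

def regular_files(root):
    """Yield (parent, name, full_path) for every regular file under root; links, sockets and devices are skipped."""
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            p = os.path.join(dirpath, fname)
            if os.path.isfile(p) and not os.path.islink(p):
                yield dirpath, fname, p

def crawl(root, con):
    """Record (or refresh) every file under root in the baseline. Returns the number recorded."""
    count = 0
    for parent, name, full_path in regular_files(root):
        try:
            digest = file_md5(full_path)
        except OSError:
            continue  # unreadable (permissions): not part of the baseline
        # two statements instead of INSERT OR REPLACE so a hand-written desc survives a re-crawl
        con.execute("INSERT OR IGNORE INTO files(full_path, parent, name, md5_hash) VALUES (?, ?, ?, ?)",
                    (full_path, parent, name, digest))
        con.execute("UPDATE files SET md5_hash = ? WHERE full_path = ?", (digest, full_path))
        count += 1
    con.commit()
    return count

def retrieve_file_desc(con, file_name=None, md5_hash=None, full_path=None):
    """Look up by hash first, then by name; several hits are narrowed by full path."""
    if md5_hash:
        rows = con.execute("SELECT full_path, name, md5_hash, desc FROM files WHERE md5_hash = ?",
                           (md5_hash,)).fetchall()
    elif file_name:
        rows = con.execute("SELECT full_path, name, md5_hash, desc FROM files WHERE name = ?",
                           (file_name,)).fetchall()
    else:
        return []
    if len(rows) > 1 and full_path:  # corner case: same hash or same name in several folders
        rows = [r for r in rows if r[0] == full_path]
    return rows

def check_against_baseline(root, con):
    """Classify each file under root as known / changed / unknown; baseline files no longer present are 'missing'."""
    status, seen = {}, set()
    for _parent, _name, full_path in regular_files(root):
        seen.add(full_path)
        row = con.execute("SELECT md5_hash FROM files WHERE full_path = ?", (full_path,)).fetchone()
        rel = os.path.relpath(full_path, root)
        status[rel] = "unknown" if row is None else ("known" if row[0] == file_md5(full_path) else "changed")
    for (full_path,) in con.execute("SELECT full_path FROM files"):
        if full_path.startswith(root + os.sep) and full_path not in seen:
            status[os.path.relpath(full_path, root)] = "missing"
    return status

def demo():
    """Whole flow on a constructed tree in a temp dir (sample files, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "clean")
        for d in ("bin", "etc"):
            os.makedirs(os.path.join(root, d))
        Path(root, "bin", "tool").write_bytes(b"same bytes")  # same name and same hash ...
        Path(root, "etc", "tool").write_bytes(b"same bytes")  # ... in two different folders
        Path(root, "etc", "config").write_bytes(b"key=value\n")
        con = open_db(":memory:")
        recorded = crawl(root, con)
        # the later install being checked: one file changed, one added, one gone
        Path(root, "etc", "config").write_bytes(b"key=other\n")
        Path(root, "bin", "extra").write_bytes(b"new")
        os.remove(os.path.join(root, "etc", "tool"))
        h = file_md5(os.path.join(root, "bin", "tool"))
        by_hash = retrieve_file_desc(con, md5_hash=h)
        by_path = retrieve_file_desc(con, md5_hash=h, full_path=os.path.join(root, "etc", "tool"))
        status = check_against_baseline(root, con)
        con.close()
        return recorded, len(by_hash), len(by_path), status

if __name__ == "__main__":
    print(demo())
```

Against a real install the calls are crawl("/Library", open_db("baseline.sqlite")) after the clean install and check_against_baseline("/Library", con) on the machine under examination; desc stays empty until it is filled in by hand. MD5 is kept because it is what the notes propose; hashlib.sha256 is a drop-in replacement if the baseline has to resist an adversary who can craft colliding files.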
