Mac OS X and iOS Forensics: Looking into the Past with FSEvents
SANS DFIR Summit 2017
Nicole Ibrahim, G-C Partners, LLC

Who am I?
• Digital Forensics Expert at G-C Partners
• Part time researcher
• Part time programmer
Nicole Ibrahim | Consultant | G-C Partners, [email protected] | @nicoleibrahim
Importance
• Records historical file system activity over time
• Currently not being fully utilized by Mac examiners
• Contains User and OS activity
  • Creations, deletions, renames, permission changes and more.
• Identify names of files that were previously existing but have since been deleted
• Identify what changes occurred to files of interest
Agenda
• Introduction to FSEvents
• Parsing FSEvents
• Interesting artifacts
• Caveats
Introduction to FSEvents
• FSEvents or File System Events
• Generated by the Apple OS FSEvents API
  • Introduced in 10.5 (only directory events up to 10.6)
  • In 10.7 file events were introduced
• Stored in FSEvent log files (gzip)
  • Historical events of changes on the file system
  • Logs can span days to months
• Found on iOS, OS X devices, external devices plugged into a Mac
Introduction to FSEvents: FSEvent Logs
• Location in OS X:
  • /.fseventsd
• Location in iOS:
  • Data: /private/var/.fseventsd
  • System: /.fseventsd
  • Developer Patch: /DeveloperPatch/.fseventsd
• Gzip archive format
• Name is the last Event ID stored in the FSEvent log file plus 1.
  • E.g. "00000000000a4b3e" or 674,622 decimal
Introduction to FSEvents: Life Cycle of an FSEvent Record
• An object is changed
• The API checks the memory buffer to see if the path is already assigned an event ID
• If yes, the record flags are updated in memory. If not, the next available ID is assigned. The event is stored in memory
• When the memory buffer is full or the volume is unmounted, all records are written to disk and the buffer is cleared
Decoding FSEvents

Decoding FSEvents: FSEvent Record Components
• Each record consists of 3 components:
  • Full Path: the relative full path to the file system object that incurred a change.
  • Event ID: the Event ID assigned to the full path on its first change.
  • Record Flags: flags indicating the type of object that was changed and what changed for it.
• An uncompressed FSEvent log can contain 1 or more pages with the magic header "1SLD"
• Each log can contain up to 5,000 events
• Events are ordered alphabetically by Full Path
Decoding FSEvents: FSEvent Record Flags
• Type flags include:
  • File
  • Folder
  • Hard link
  • Symbolic link
• Reason flags include:
  • Created
  • Removed
  • Modified
  • Renamed
  • Permissions
  • Inode metadata
  • Finder information
  • Mount
  • Unmount
  • Last hard link removed
  • End of transaction
  • Document revisions
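The following is an added example, not code from this deck or from the G-C Partners parser, that walks "1SLD" pages of a gzipped log, splits each record into its three components, names the flag bits listed above and derives the last event ID from a log file name. It assumes the v1 page/record layout (header of magic, 4 unknown bytes, page size; records of NUL-terminated path, 8-byte event ID, 4-byte flags) and flag bit values taken from the open-source FSEventsParser mask table; the sample log is constructed, not real evidence.

```python
import gzip
import struct
from collections import namedtuple
# Bit values for the record flags named on the slides. The numbers are assumed
# from the open-source FSEventsParser mask table, not taken from this deck;
# verify them against the parser version you use.
RECORD_FLAGS = {
    0x00000001: "FolderEvent", 0x00000002: "Mount", 0x00000004: "Unmount",
    0x00000020: "EndOfTransaction", 0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink", 0x00004000: "SymbolicLink", 0x00008000: "FileEvent",
    0x00010000: "PermissionChange", 0x00100000: "DocumentRevisioning",
    0x01000000: "Created", 0x02000000: "Removed", 0x04000000: "InodeMetaMod",
    0x08000000: "Renamed", 0x10000000: "Modified", 0x40000000: "FinderInfoMod",
}
Record = namedtuple("Record", "path event_id flags")  # the 3 record components

def decode_flags(flags):
    return [name for bit, name in RECORD_FLAGS.items() if flags & bit]

def last_event_id_from_name(name):
    # The log file name is the last event ID it holds plus one, written in hex.
    return int(name, 16) - 1

def parse_log(raw):
    # Assumed v1 layout: each page is the 4-byte magic "1SLD", 4 unknown bytes
    # and a 4-byte LE page size (header included), followed by records made of
    # a NUL-terminated UTF-8 path, an 8-byte LE event ID and 4-byte LE flags.
    data = gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw
    off = 0
    while off + 12 <= len(data):
        magic, _, size = struct.unpack_from("<4sII", data, off)
        if magic != b"1SLD":
            raise ValueError("unexpected page magic %r at offset %d" % (magic, off))
        pos, end = off + 12, off + size
        while pos < end:
            nul = data.index(b"\x00", pos, end)
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            yield Record(data[pos:nul].decode("utf-8", "replace"), event_id, flags)
            pos = nul + 13
        off = end

def build_page(records):
    # Builds a constructed test page in the same assumed layout (not evidence).
    body = b"".join(p.encode() + b"\0" + struct.pack("<QI", i, f) for p, i, f in records)
    return b"1SLD" + bytes(4) + struct.pack("<I", 12 + len(body)) + body

# Constructed sample of what a log named 00000000000a4b3e might hold.
SAMPLE_LOG = gzip.compress(build_page([
    ("Users/alice/.Trash/report.pdf", 674600, 0x01008000),    # file, created
    ("Users/alice/Documents/notes.txt", 674601, 0x10008000),  # file, modified
    ("Volumes/USBSTICK", 674621, 0x00000003),                 # folder, mount
]))
```

Later log versions use a different magic and add a field per record, so a page that fails the "1SLD" check should be handed to a parser that supports that version rather than skipped.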
Parsing FSEvents

Parsing FSEvents: BlackBag BlackLight Software
• Closed source and paid
• https://www.blackbagtech.com/software-products/blacklight.html

Parsing FSEvents: G-C Partners FSEventsParser Script
• Open source and free
• Python
• Available at https://github.com/dlcowen/FSEventsParser
Interesting Artifacts

Record Artifacts: OS X
• Just scratching the surface of interesting artifacts:
  • .Trash activity
  • User folders activity
  • Internet activity
  • Mount events
Record Artifacts: OS X Trash Activity
• Files sent to the Trash
• Emptying the Trash

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/.Trash/%'
Record Artifacts: OS X User Folders Activity
• Activity in:
  • "Documents"
  • "Downloads"
  • "Desktop"

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/Documents/%'
   OR "filename" LIKE 'Users/%/Downloads/%'
   OR "filename" LIKE 'Users/%/Desktop/%'
Record Artifacts: OS X Internet Activity
• Websites visited
  • Chrome
  • Safari

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'Users/%/Library/Caches/Metadata/Safari/History/%'
   OR "filename" LIKE 'Users/%/Library/Application Support/Google/Chrome/Default/Local Storage/%'
Record Artifacts: OS X Mount Activity
• Mount activity related to:
  • DMGs
  • External devices
  • Shared network drives

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "mask" LIKE '%mount%'
Record Artifacts: iOS
• iCloud synced files
• Internet activity
• Email activity
Record Artifacts: iOS iCloud Synced Files
• iCloud synced files from other devices

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'mobile/Library/Mobile Documents/com~apple~CloudDocs/%'
Record Artifacts: iOS Internet Activity
• Websites visited?

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE '%websitedata/local%'
Record Artifacts: iOS Email Activity
• Inbox
• Sent
• Attachments

SELECT *, _ROWID_ "NAVICAT_ROWID"
FROM "fsevents"
WHERE "filename" LIKE 'mobile/Library/Mail/%'
Caveats
• Lost FSEvents
• Lack of timestamps
• External devices
• Anti-forensics
• Coalescing of multiple changes
Caveats: Lost FSEvents
PROBLEM
• FSEvents are lost due to either:
  • A hard reset of a system
  • A system crash
  • Not properly unmounting a volume
  • System upgrades
REMEDIES
• Carve for gzip files
Caveats: Lack of Timestamps
PROBLEM
• FSEvent Records consist of:
  • Event ID
  • Full Path
  • Flags
• Note that timestamps are not among them
REMEDIES
• Use temporal data from the names of logs
Caveats: External Devices
PROBLEM
• Unsafe removal results in lost events
• Safe removal was performed, but FSEvents had not finished writing to disk
• File system compatibility issues result in lost events
REMEDIES
• Hope that the user has properly unmounted their devices
• Carving for those lost events might not be possible due to FSEvents being stored in memory
Caveats: Coalescing of Multiple Changes
PROBLEM
• The FSEvents API coalesces multiple changes into a single record, resulting in:
  • Inability to determine the order of changes
  • Inability to determine the frequency of changes
REMEDIES
• None
This file may have been created 3 times and removed twice, but we will never know.
Caveats: Anti-Forensics
PROBLEM
• A no_log file was placed in the .fseventsd directory
  • FSEvents are not recorded for the volume
REMEDIES
• None. However, this scenario is unlikely and requires root privileges and advanced knowledge of FSEvents