
I'm Back Baby!

Hello folks, I’m back! I took a bit of a break because burnout is no joke – seriously…take care of yourselves! I’ve been on what I’m calling a mid-career retirement – travelling the world to make up for lost pandemic travels.

I’ve been working on a few projects; most recently (and the purpose of this update) I have updated one of my favorite scripts, FSEventsParser from Nicole Ibrahim. I’ve ported it to Python 3 and updated it for the latest record format, version 3 (SLD3 header), which arrived with macOS 14.

FSEvents are one of my favorite forensic artifacts; if you aren’t parsing them out, you are absolutely missing fantastic file-system-related information. Files created! Files deleted! And so much more! You can get my version of the script here*: https://github.com/mac4n6/FSEventsParser

*Caveat: The new format has a new field; I have not yet dug into what it is used for.

This script came about because I’ve given my class a massive update. If you haven’t taken SANS FOR518 ever (or for a while), now is a great time to do so! There is a whole new dataset with the latest and greatest OSes, which also means an all-new workbook with 23(!) new labs!

I’ve added a ton of new material and am super excited to introduce Corellium into the course in a new forensic testing module. If you’ve been around this blog for a bit, you know I’m a big proponent of testing EVERYTHING!

We also have a new CTF-style challenge thanks to Kat Hedley, and I’ve been doing a demo of the Apple Vision Pro with live forensics!


Lee and I have classes coming up!

  • San Diego (In-Person and Online - This week, starts Thursday May 9!)

  • US DFIR Summit in August (Online Only)

  • APAC DFIR Summit “in” Tokyo in September with Japanese Translation (Online Only)

  • Europe DFIR Summit in October in Prague, CZ (In-Person and Online)

  • DFIRCon in November (Online Only)

  • In December Online “in” Tokyo with Japanese Translation (Online Only)

  • The new On Demand version of the course has also just dropped! Take it whenever you like!


Don’t forget this class has a GIAC cert now, the GIAC iOS and macOS Examiner (GIME).

I hope this is the first of a new generation of blogs that I release. I’ve got a few good ideas that I’d love to research and write about but I will also be taking it relatively easy so as to not burn out again.

Updates - June 2014

A few updates to the website:

Resources Section:

The Resources section now contains the Synalyze It! grammars for HFS+ that I created. Just a reminder – these are work in progress; I will update them as needed.

Also in the Resources section is the most current version of my presentations. If you attended one of my presentations in the past and want that specific copy, please feel free to contact me.

  • Reverse Engineering Mac Malware – A basic walk-through of static and dynamic reverse engineering of Mac malware on a Mac. Approximately 20% static and 80% dynamic analysis. No assembly knowledge needed!
  • When Macs Get Hacked – Intrusion analysis on the Mac: where and what to look for to find Mac malware when doing dead-box forensic analysis.
  • Analysis and Correlation of Mac Logs – Mac systems log a ton of data! This presentation helps correlate this information with other system artifacts to give the analyst a better view of what happened on the system.

Training & Events:

I will be teaching my FOR518: Mac Forensic Analysis at the SANS DFIRCON East 2014 conference in Ft. Lauderdale, Florida in early November. Visit here for more information.

Just a reminder, I will also be co-teaching FOR518: Mac Forensic Analysis with Hal Pomeranz at the following locations in the Fall:

On a budget? If you are looking to get into FOR518: Mac Forensic Analysis at HALF-PRICE(!), seats are still available in the second beta of the class in San Jose, CA in July. Sign up soon! Sign up here. I will be attending the class while the great Unix god himself, Hal Pomeranz, teaches. I assure you he will drop some serious command line kung fu upon us.

OMG HFS+ FTW!

The HFS+ file system is an often forgotten part of Mac OS X analysis. Everyone always talks about being able to parse the FAT or NTFS file system structures, but I almost never hear about someone needing or wanting to parse the HFS+ special files.

In my new SANS FOR518 - Mac Forensic Analysis class I have the students parse by hand certain aspects of an HFS+ file system. Perhaps I enjoy a good case of schadenfreude, but I believe learning how a file system stores data is one of the fundamentals in this industry that everyone should understand.

I’m not asking everyone to parse their file system files by hand in every case, but you should have the background knowledge and ability to do it if the need arises. Perhaps you need to validate a tool’s output, or analyze data that is corrupted and cannot be parsed by a tool. Let me tell you, parsing HFS+ will give you a whole new appreciation for the simplicity that is NTFS or FAT!

HFS+ consists of the volume header and five “special files”. Three of those files (the Catalog, Attributes and Extents Overflow files) store their records in balanced trees (B-trees); all structures are big-endian.

  • Volume Header – Contains data about the volume (surprise?): signature (“H+”, or “HX” for case-sensitive HFSX), timestamps, allocation block size and counts, the location of the “special” files, etc. It sits 1024 bytes into the volume, and an alternate copy sits 1024 bytes before the end of the volume.
  • Catalog File – Contains a B-tree with data about each file and folder and its hierarchy. Timestamps, CNID (catalog node ID), owner information, the first eight file extents, etc. (Think $MFT on NTFS.)
  • Attributes File – Contains a B-tree with additional attributes for files and folders, usually in the form of extended attributes. My favorite extended attribute is com.apple.quarantine!
  • Allocation File – Contains a bitmap with one bit per allocation block recording whether that block is in use.
  • Extents Overflow File – Contains a B-tree holding the extent records that do not fit in the eight extents stored in a file’s catalog record.
  • Startup File – Holds boot information for systems that cannot read HFS+ natively – I have personally not seen this implemented on newer systems.
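
To make the layout above concrete, here is an added example (not part of the course materials or the reference sheet) that parses the HFS+ volume header by hand and uses it to locate the special files. The field order and sizes follow Apple Technical Note TN1150 (HFSPlusVolumeHeader and HFSPlusForkData). The volume image it parses is constructed inside the script purely for illustration; it is not data from a real disk, and the block numbers, counts and dates in it are made up.

```python
"""Parse an HFS+ volume header by hand (added example; not the course's code).

Layout follows Apple TN1150 (HFSPlusVolumeHeader / HFSPlusForkData), big-endian.
The sample image built by build_sample_image() is constructed here for
illustration only and does not come from any real volume.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

VOLUME_HEADER_OFFSET = 1024            # header lives 1024 bytes into the volume
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# Fixed part of the header (112 bytes): signature, version, 17 x u32,
# encodings bitmap (u64), 8 x u32 Finder info. Five 80-byte fork records follow.
_HDR_FMT = ">HH17IQ8I"
_FORK_FMT = ">QII16I"                  # logicalSize, clumpSize, totalBlocks, 8 x (start, count)
_FORK_NAMES = ("allocationFile", "extentsFile", "catalogFile",
               "attributesFile", "startupFile")
# Selected bits of the 'attributes' field (TN1150 names, shortened).
ATTR_BITS = {8: "unmounted", 9: "sparedBlocks", 11: "bootVolumeInconsistent",
             12: "catalogNodeIDsReused", 13: "journaled", 15: "softwareLock"}


def hfs_date(secs: int) -> Optional[datetime]:
    """HFS+ dates are seconds since 1904-01-01 00:00 UTC. Caveat from TN1150:
    every header date is UTC except createDate, which is stored in local time."""
    return HFS_EPOCH + timedelta(seconds=secs) if secs else None


def parse_fork(buf: bytes) -> dict:
    """Decode one HFSPlusForkData record; drop unused (zero-length) extents."""
    f = struct.unpack(_FORK_FMT, buf)
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8) if f[4 + 2 * i]]
    return {"logicalSize": f[0], "clumpSize": f[1], "totalBlocks": f[2],
            "extents": extents}


def parse_volume_header(image: bytes) -> dict:
    raw = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512]
    sig = raw[:2]
    if sig not in (b"H+", b"HX"):
        raise ValueError(f"not an HFS+/HFSX volume header: {sig!r}")
    h = struct.unpack_from(_HDR_FMT, raw, 0)
    vh = {"signature": sig.decode(), "version": h[1], "attributes": h[2],
          "flags": [n for b, n in ATTR_BITS.items() if h[2] >> b & 1],
          "lastMountedVersion": struct.pack(">I", h[3]).decode("ascii", "replace"),
          "journalInfoBlock": h[4],
          "createDate": hfs_date(h[5]), "modifyDate": hfs_date(h[6]),
          "backupDate": hfs_date(h[7]), "checkedDate": hfs_date(h[8]),
          "fileCount": h[9], "folderCount": h[10], "blockSize": h[11],
          "totalBlocks": h[12], "freeBlocks": h[13], "nextAllocation": h[14],
          "nextCatalogID": h[17], "writeCount": h[18]}
    off = struct.calcsize(_HDR_FMT)
    for name in _FORK_NAMES:               # fork records in TN1150 order
        vh[name] = parse_fork(raw[off:off + 80])
        off += 80
    return vh


def special_file_offset(vh: dict, name: str) -> int:
    """Byte offset of a special file's first extent (e.g. the Catalog File's
    B-tree header node). Extents are counted in allocation blocks."""
    start_block, _ = vh[name]["extents"][0]
    return start_block * vh["blockSize"]


def extents_accounted_for(vh: dict, name: str) -> bool:
    """True when the eight in-header extents cover the fork's totalBlocks.
    If not, the remaining extent records live in the Extents Overflow File."""
    fork = vh[name]
    return sum(count for _, count in fork["extents"]) == fork["totalBlocks"]


def build_sample_image() -> bytes:
    """Constructed volume: 4096-byte blocks, journaled, catalog at block 300."""
    def fork(blocks, extents):
        ext = [0] * 16
        for i, (s, c) in enumerate(extents):
            ext[2 * i], ext[2 * i + 1] = s, c
        return struct.pack(_FORK_FMT, blocks * 4096, 0, blocks, *ext)
    t = int((datetime(2014, 6, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    hdr = struct.pack(_HDR_FMT, 0x482B, 4, 1 << 13 | 1 << 8, 0x4846534A,  # 'H+', v4, journaled+unmounted, 'HFSJ'
                      1, t, t + 60, 0, t, 1234, 56, 4096, 100000, 40000, 5000,
                      65536, 65536, 9000, 77, 1, *([0] * 8))
    forks = (fork(4, [(1, 4)]),                                    # allocation bitmap
             fork(8, [(10, 8)]),                                   # extents overflow
             fork(40, [(300 + 10 * i, 4) for i in range(8)]),      # catalog: 8 extents = 32 of 40 blocks
             fork(16, [(700, 16)]),                                # attributes
             fork(0, []))                                          # startup file unused
    return b"\0" * VOLUME_HEADER_OFFSET + hdr + b"".join(forks)


if __name__ == "__main__":
    vh = parse_volume_header(build_sample_image())
    print(vh["signature"], vh["flags"], vh["modifyDate"])
    print("catalog header node at byte", special_file_offset(vh, "catalogFile"))
    print("catalog extents complete in header:", extents_accounted_for(vh, "catalogFile"))
```

The two checks at the end are the ones worth running against a real image before trusting a tool: the catalog offset tells you where to seek to read the B-tree header node, and a fork whose in-header extents sum to fewer blocks than `totalBlocks` (as the constructed catalog fork does) is the trigger for walking the Extents Overflow File rather than assuming the file is contiguous.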

While creating the HFS+ section for my course, I created a HFS+ Reference Sheet and Synalyze It! Grammar files. My hope is to help folks understand and parse (by hand) the HFS+ file system structures.

Note: The following reference sheet and grammar files are still a work in progress – comments and suggestions are welcome!

FOR518 Reference and HFS+ Reference Sheet

Synalyze It! Grammar Files:

Synalyze It! is a very powerful hex editor in which a user can create or use grammars to decode and view data structures. An example of the Volume Header grammar is shown below.

For those that want to learn more about HFS+, I highly recommend the following references: