New macOS Sierra (10.12) Forensic Artifacts – Introducing Unified Logging

I know its been a while since I've last posted - I've been hard at work delving into macOS Sierra and iOS 10 to add new artifacts into my course. Here is something new that macOS Sierra has to offer us forensic analysts!

macOS Sierra (10.12) introduced a new logging mechanism called Unified Logging. The developer reference document  states that the same mechanism will be used for iOS 10, tvOS 10, and watchOS 3 as well.

The developer docs also state that unified logs will take the places of Apple System Logs as well as Syslog which is what rely on quite heavily for log analysis on 10.11 and older systems. As of 10.12.1, these logs still exist in /var/log so don’t discount them just yet. (Also as far as I know, Audit logs are still fair game.)

The unified logs are stored in two directories:

  • /var/db/diagnostics/
  • /var/db/uuidtext/

The first file path (/var/db/diagnostics/) contains the log files. These files are named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. These files are binary files that we’ll have to use a new utility on macOS to parse them. This directory contains some other files as well including additional log *.tracev3 files and others that contain logging metadata. The second file path (/var/db/uuidtext/) contains files that are references in the main *.tracev3 log files.

The new utility used to interact with these log files is simply called ‘log’. The ‘log’ command can be used to do everything from collecting, removing, configuring, and reviewing logging data. The new ‘Console’ application can be used to view logs in real-time (volatile logs) but you may find it easier to use the ‘log’ command to view log historically or those that are extracted from another system.

The ‘log collect’ command can collect records from a certain timeframe, log size, or type into a *.logarchive archive bundle. *.logarchive files can be imported into the Console application.

The ‘log show’ command will parse the records from the binary log files either from a specific *.tracev3 file(s) or from a *.logarchive bundle . A user can filter on different predicates filters or time frames. It is worth noting that this command by default will not show you “info” or “debug” messages – be sure to keep that in mind. You can choose between different outputs as well including syslog or JSON styles.

Additional References:

  • https://developer.apple.com/videos/play/wwdc2016/721/

 

Update to MacMRU Parser - Now with Microsoft Office Support!

I've updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.

This update includes support for 'Most Recently Used' artifacts for Microsoft Office for Mac 2011 and 2016. I've also added a bit more error checking, so please let me know if you come across a plist that doesn't work or does not contain certain expected keys. It happens, I've run across a few myself - I can't explain why now, but I hope to look into it further.

While researching for this update I noticed something interesting. Microsoft Office used a binary plist format for the 2011 version of the software, but "downgraded" to an XML-based plist format in the 2016 version. Most of the time I see plists headed in the XML->Binary direction.

Got a MacMRU file that I don't parse? Please let me know!

I hope you find this script useful!

Mac News & Updates - 08/11/16

Blogs

Papers

Presentations

Tools

Malware

My Upcoming Classes & Presentations:

I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!

[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This one is coming up soon! This conference is super chill and relaxed, and you get to watch fighter jets from the beach!

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Missed Vegas for Blackhat or DEF CON? Didn't get enough of it? Join me...if you're feelin' lucky! :)

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS DFIR Prague (Oct 3 –  8 in the Czech Republic), Stay for the Summit on the 9th!

[LINK] SANS San Francisco (Nov 27 – Dec 2) 

  • @Night – iOS Location Forensics

[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

New Script! - MacMRU (Most Recently Used) Plist Parser

I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual analysis of these files. I’ve also included the ‘older’ format plist files used in OS X 10.10 and older.

In order to analyze them better (and student requests) I wrote a Python script to output the contents of these files in an easier to read format. Nothing fancy, just text printed to standard output.

Get the script here from my Github page. I hope you find the script useful! 

The script is meant to be run on a directory; this can be a directory of extracted plist files from an image, a directory on your own system (ie: ~/Library), or from a mounted image (ie: /Volumes/mounted_image_file/Users/<username>/), you get the idea.

This script parses the following plist files:

  • /Users/<username>/Library/Preferences/<bundle_id>.LSShardFileList.plist   
  • /Users/<username>/Library/Preferences/com.apple.finder.plist   
  •  [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist   
  • [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl   
  • [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl   
  •  [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl   
  •  [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl   
  •  [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl 

The script usage is below. The only required argument is the directory, but the output can include binary BLOB hex dump of the Bookmark data (--blob). Most of the Mac MRUs contain a binary Bookmark BLOB of data that can be useful to determine where a certain file was located or where an application was run from. I’ve included it as an option as it can get very, very verbose.

The script also has two dependencies, hexdump.py and ccl_bplist.py. These files can be installed or just simply placed in the same directory you are running the macMRU.py script from. (Installation on OS X 10.11 systems are limited thanks to SIP.)

A few screenshots of example script output:

This example shows the output without the BLOB data of the newer SFL-based MRU files:

This example shows the same output with a sample of the hexdump BLOB data, you can see where this can get quite verbose.

The last example shows the ‘older’ MRU plist files found on 10.10 and older systems. (The com.apple.finder.plist files is the same on 10.11.)

Mac News & Updates - 07/06/16

Malware:

OSX.Pirrit

OSX.Eleanor

 

Call for Papers:

[PDF] SANS DFIR Summit in Prague, CZ – I really like this conference; small, good people, great presentations. I’m schedule to be there – hope to see some of you all there as well!

 

Presentations:

[LINK] I just came back from the SANS DFIR Summit in Austin, TX which is by far one of my favorite events of the year. The presentations can be found here under ‘Digital Forensics & Incident Response Summit 2016’.

[PDF] Mach-O Libre – Mach-O Libre: Pile Driving Apple Malware with Static Analysis, Big-Data, and Automation. Accompanying presentation for the tool that was in my last update. Great Mach-O info!

[PDF] Java RATs: Not Even Your Macs Are Safe

 

Tools:

[LINK] PoC code for iCloud Keychain Analysis by n0fate , presentation (in Korean) can be found here.

[LINK] FSMon by Sergi Àlvarez at Nowsecure – File system monitor tools for iOS/OSX/Android/etc now updated to v1.4

 

Blogs:

[LINK] Adam Leventhal’s Blog – APFS in Detail

[LINK] Marc Padilla - Using File Attributes to Fill Volumes and Bypass OS X Server Limits

[LINK] Harden The World – OS X 10.11 Hardening Guide

[LINK] @osxreverser – ‘Apple EFI firmware passwords and the SCBO myth’

[LINK] Blackbag Technologies Blog – Did the iPhone Take the Picture?

 

Media:

[WEBCAST] My iOS Location Forensics webcast from May is up. []

[WEBCAST] Joshua Wright’s webcast, ‘What You Need to Know: iOS 10 Security’

[VIDEO] Attacking OSX for fun and profit Toolset Limitations Frustration and Table Flipping by Dan ‘Viss’ Tentler from CircleCityCon

[AUDIO] ThreatPost - Patrick Wardle on macOS Gatekeeper, Crypto Enhancements

 

Publications: 

[PDF] DRAFT SP 800-179 - Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

 

My Upcoming Classes & Presentations:

I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!

[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This conference is right on the beach and makes it a really nice one to go to at the end of the summer season. Class during the day, walking the boardwalk in the breezy late summer evening!  

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Vegas is always a good time, and the weather in September isn’t too shabby either!

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS DFIR Prague (Oct 3 –  8 in the Czech Republic), Stay for the Summit on the 9th!

[LINK] SANS San Francisco (Nov 27 – Dec 2) []

  • @Night – iOS Location Forensics

[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

  • @Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

© Sarah Edwards [mac4n6.com and mac4n6.net] 2016
Unauthorized use and/or duplication of this material without express and written permission from this blog’s author
and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given
to Sarah Edwards and [mac4n6.com and mac4n6.net with appropriate and specific direction to the original content.
Opinions expressed on this site of that of Sarah Edwards and no one else unless explicictly stated.