Mac News & Updates - 08/11/16

August 11, 2016 in update, iOS, osx

Blogs

[LINK] Another Forensics Blog - How to image a Mac using Single User Mode
[LINK] Another Forensics Blog - Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux
- More great Mac imaging articles from Mari!
[LINK] The Eclectic Light Company - Tools to calm your panic, and to protect
- Great overview of Objective-See's tools
[LINK] Pike's Universum - Say hello to new logging in Sierra
- New and different logging stuff in macOS Sierra, this is BIG for DFIR folks!
- [LINK] Additional information in the Apple Developer Docs
- [VIDEO] Video from WWDC
- [PDF] Slides from WWDC
[LINK] BlackBag Technologies - Acquiring iOS 10 Devices with Blacklight
- Yep, iTunes backups change too!
[LINK] Sysforensics.org - Mac DFIR - HFS+ Date Added Timestamp

Papers

[LINK/PDF] Detecting Malicious Behaviour Using system Calls by Vincent Van Mieghem

Presentations

[VIDEO/Keynote] OS X Security - Defense in Depth by Rich Trouton
[VIDEO/PDF] Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao, Slides here.
[VIDEO/SLIDESHARE] Let's Play Doctor: Practicle OS X Malware Detection & Analysis by Patrick Wardle, Slides here
[PDF] Apple's BlackHat Slides - Behind the Scenes with iOS Security by Ivan Krstic
[SPEAKERDECK] I Got 99 Problems, but Little Snitch ain't one! by Patrick Wardle

Tools

[LINK] MacMRU Parser - Python script to rip thru Mac MRU plist files, old and new ones!
- [LINK] Blog article here. What, I can't link to my own stuff? ;)
[LINK] Pangu Jailbreak is out for 9.2 - 9.3.3 (64-bit) devices

Malware

[LINK] OS X & IOS RE 101 - Reverse Engineering OS X/iOS Resources
[LINK] OS X Adwind Malware Analysis by Malwarebytes
[LINK] Objective-See - Persisting via a Finder Sync
[LINK] Open Source OS X Keylogger - keylogger-osx
OSX/Keydnap - Keychain/Credential Stealer/Backdoor
- [MALWARE!] Sample (via Objective-See, passwd: infect3d)
- [LINK] ESET Analysis

My Upcoming Classes & Presentations:

I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!

[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This one is coming up soon! This conference is super chill and relaxed, and you get to watch fighter jets from the beach!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Missed Vegas for Blackhat or DEF CON? Didn't get enough of it? Join me...if you're feelin' lucky! :)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS DFIR Prague (Oct 3 – 8 in the Czech Republic), Stay for the Summit on the 9th!

[LINK] SANS San Francisco (Nov 27 – Dec 2)

@Night – iOS Location Forensics

[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

New Script! - MacMRU (Most Recently Used) Plist Parser

July 10, 2016 in scripts, osx, analysis

I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual analysis of these files. I’ve also included the ‘older’ format plist files used in OS X 10.10 and older.

In order to analyze them better (and student requests) I wrote a Python script to output the contents of these files in an easier to read format. Nothing fancy, just text printed to standard output.

Get the script here from my Github page. I hope you find the script useful!

The script is meant to be run on a directory; this can be a directory of extracted plist files from an image, a directory on your own system (ie: ~/Library), or from a mounted image (ie: /Volumes/mounted_image_file/Users/<username>/), you get the idea.

This script parses the following plist files:

/Users/<username>/Library/Preferences/<bundle_id>.LSShardFileList.plist
/Users/<username>/Library/Preferences/com.apple.finder.plist
[10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
[10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
[10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
[10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
[10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
[10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl

The script usage is below. The only required argument is the directory, but the output can include binary BLOB hex dump of the Bookmark data (--blob). Most of the Mac MRUs contain a binary Bookmark BLOB of data that can be useful to determine where a certain file was located or where an application was run from. I’ve included it as an option as it can get very, very verbose.

The script also has two dependencies, hexdump.py and ccl_bplist.py. These files can be installed or just simply placed in the same directory you are running the macMRU.py script from. (Installation on OS X 10.11 systems are limited thanks to SIP.)

hexdump.py: https://pypi.python.org/pypi/hexdump
ccl_bplist.py: https://github.com/cclgroupltd/ccl-bplist

A few screenshots of example script output:

This example shows the output without the BLOB data of the newer SFL-based MRU files:

This example shows the same output with a sample of the hexdump BLOB data, you can see where this can get quite verbose.

The last example shows the ‘older’ MRU plist files found on 10.10 and older systems. (The com.apple.finder.plist files is the same on 10.11.)

Mac News & Updates - 07/06/16

July 06, 2016

Malware:

OSX.Pirrit

[PDF] Cyberreason – The Minds Behind the Malicious Mac Adware (Amit Serper)
[VIDEO] Amit Serper’s Layerone Presentation- The Blue Balls of Mac Adware

OSX.Eleanor

[PDF] BitDefender - Backdoor.MAC.Eleanor Grants Attackers Full Access to Mac Systems
[MALWARE SAMPLE] from @objective_see

Call for Papers:

[PDF] SANS DFIR Summit in Prague, CZ – I really like this conference; small, good people, great presentations. I’m schedule to be there – hope to see some of you all there as well!

Presentations:

[LINK] I just came back from the SANS DFIR Summit in Austin, TX which is by far one of my favorite events of the year. The presentations can be found here under ‘Digital Forensics & Incident Response Summit 2016’.

[PDF] Mach-O Libre – Mach-O Libre: Pile Driving Apple Malware with Static Analysis, Big-Data, and Automation. Accompanying presentation for the tool that was in my last update. Great Mach-O info!

[PDF] Java RATs: Not Even Your Macs Are Safe

Tools:

[LINK] PoC code for iCloud Keychain Analysis by n0fate , presentation (in Korean) can be found here.

[LINK] FSMon by Sergi Àlvarez at Nowsecure – File system monitor tools for iOS/OSX/Android/etc now updated to v1.4

Blogs:

[LINK] Adam Leventhal’s Blog – APFS in Detail

[LINK] Marc Padilla - Using File Attributes to Fill Volumes and Bypass OS X Server Limits

[LINK] Harden The World – OS X 10.11 Hardening Guide

[LINK] @osxreverser – ‘Apple EFI firmware passwords and the SCBO myth’

[LINK] Blackbag Technologies Blog – Did the iPhone Take the Picture?

Media:

[WEBCAST] My iOS Location Forensics webcast from May is up. []

[WEBCAST] Joshua Wright’s webcast, ‘What You Need to Know: iOS 10 Security’

[VIDEO] Attacking OSX for fun and profit Toolset Limitations Frustration and Table Flipping by Dan ‘Viss’ Tentler from CircleCityCon

[AUDIO] ThreatPost - Patrick Wardle on macOS Gatekeeper, Crypto Enhancements

Publications:

[PDF] DRAFT SP 800-179 - Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

My Upcoming Classes & Presentations:

[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This conference is right on the beach and makes it a really nice one to go to at the end of the summer season. Class during the day, walking the boardwalk in the breezy late summer evening!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Vegas is always a good time, and the weather in September isn’t too shabby either!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS DFIR Prague (Oct 3 – 8 in the Czech Republic), Stay for the Summit on the 9th!

[LINK] SANS San Francisco (Nov 27 – Dec 2) []

@Night – iOS Location Forensics

[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

Mac News & Updates - 06/19/16

June 19, 2016

With WWDC happening this week there has been lots of Apple/Mac news, so I figured I would take this opportunity to put out a list of links and videos that I found worthwhile to read/watch. I hope to do this at somewhat regular intervals so keep an eye out for them! A good portion of these I’ve already tweeted out – but I’ve been told not everyone is on Twitter so here you go!

Videos:

WWDC Videos can be streamed on various Apple devices or thru the Safari browser – for you Windows folks, you can download them in the ‘Resources’ section of each link below. All videos can be accessed from the main page here, https://developer.apple.com/videos/wwdc2016/. I will highlight some of the videos I think are particular useful.

WWDC Keynote – A good overview of what’s to come - ‘OS X’ is changing to ‘macOS’, macOS Sierra (10.12), iOS 10, watchOS 3, etc!
Apple File System (APFS) – Yup, we’re getting a new file system! (I’m both excited and terrified! Lets hope for good documentation from Apple!)
How iOS Security Really Works – Main points from iOS Security Guide
What’s New in Security – Network Security & Gatekeeper

Blogs Articles & Other Web Links:

Mari’s DeGrazia’s Another Forensic Blog - How to image a Mac with Live Linux bootable USB
- I’m really looking forward to her Mac imaging blog series!
BlackBag Tech Blog - Using Blacklight with F-Response's Universal/Now
evad3rs.net - How to Install macOS Sierra on a Mac
mikeroysoft.com - Installing the new macOS 10.12 Sierra ‘Developer Preview’ on VMware Fusion 8
Apple Developer Docs on Apple File System (APFS)

Tools:

Macholibre - Mach-O & Universal Binary Parser

Upcoming Classes & Presentations:

SANS DFIR Summit Presentations in Austin, TX. There is still time to sign up for this one, starts next week! The DFIR Summit is one of my favorite conferences of the year! I like to call it Summer Camp for Digital Forensicators!

Summit Presentation - The iOS of Sauron - How iOS Tracks Everything You Do on Thursday this week.
@Night - iOS Location Forensics on Monday this week.

SANS Virginia Beach (Aug 28 – Sept 2) - This conference is right on the beach and makes it a really nice one to go to at the end of the summer season. Class during the day, walking the boardwalk in the breezy late summer evening!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Vegas is always a good time, and the weather in September isn’t too shabby either!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

DFIR Prague (Oct 3 – 8 in the Czech Republic) - Stay for the Summit on the 9th!

SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

New Script – iOS Locations Scraper

June 06, 2016

Similar to my iOS Frequent Locations Dumper script, I wanted to extract the iOS locations that are stored in various SQLite databases and review them in CSV and KML output to make analysis easier. You can get the Python script here: https://github.com/mac4n6/iOS-Locations-Scraper

iOS is storing location data (Lats/Longs) in a variety of databases that are only accessible via physical access using a Jailbreak. Each database contains slightly different location data from Cellular (ie: LTE/CDMA), to Wi-Fi (war-driving type data), to application specific (Yelp, see example below). I still have quite a bit of research to do in this area to determine what all these points mean and how they are generated, and how long they persist for - thus a script needed to be created to make my life easier.

/private/var/mobile/Library/Caches/com.apple.routined/cache_encryptedB.db

/private/var/root/Library/Caches/locationd/

cache_encryptedA.db
cache_encryptedB.db
lockCache_encryptedA.db

The new iOS Locations Scraper script takes these extracted databases from a directory, looks at each table for a column labeled ‘Latitude’ and extracts the tuple data and writes it into a CSV and/or KML file. Examples of these files are shown below.

An example of the CSV output:

An example of the KML output in Google Earth (Note: A KML file can be opened in a variety of different tools):

CAVEAT: I wanted to make sure that I put this caveat out there. Some locations are fairly exact to where the device was located at a certain time, however others are more of a general location area (ie: cell tower location). The KML example above shows location artifacts from one database table (cache_encryptedA.db, LocationHarvest) in relation to the Yelp application. That's my iPhone tracking my location when I was using the Yelp app this weekend. (Pretty neat huh?)

For more iOS location-based information take a look at some of my other presentations:

iOS Location Forensics

The iOS of Sauron – How iOS Tracks Everything You Do