How to Conduct Forensic Analysis of a Mac System?

Macintosh is the operating system of Apple-manufactured computers and workstations. According to one estimate, around 1 billion Mac and iOS devices are currently in use. Due to the increased use of Macintosh-based systems and devices, Mac forensic analysis has become a distinct sub-section of digital forensic analysis. The Mac operating system has evolved through different stages and versions, and the latest variant is OS X (version OS X El Capitan). Mac OS is based on the Hierarchical File System (HFS/HFS+), which consists of a group of folders and subfolders in which data is stored. HFS+ data structures have five special files that define the HFS+ file system including

Two important elements of the Mac file structure for identifying and recovering deleted files are the dataFork and resourceFork fields. The data fork contains the actual data of the file, and the resource fork contains the resource map, header information for the file, window locations and icons.

Forensic collection of Digital Evidence from a Mac OS system

A typical digital forensic analysis starts with the forensic collection of digital evidence from the targeted device or computer. The collection of evidence, also known as imaging or acquisition, depends on the type of data to be collected and analysed. The three methods of forensic data collection in general use are listed below.

  • Physical Acquisition/Imaging
  • Logical Acquisition/Imaging
  • Targeted Collections

The collection methods also differ between systems that are offline/shut down and systems that are live (up and running).

a) Collection of Volatile Data

Collecting volatile data such as RAM contents, details of running processes, live network connections and running applications/programs is important for identifying any malicious processes running on the system. Live forensic collection has to be done while the system is up and running, with minimal interference and leaving a minimal footprint on the operating system. Tools such as Mac Memory Reader, Goldfish and OSXPMem can be run from an external device to capture volatile data such as a RAM dump, the list of running processes, open files, running applications and live network connections.

b) Offline data collection/physical imaging

When the target system is offline, a full physical image is taken for further forensic analysis. The target system can be imaged either by

(i) Acquiring the Image in Target Disk Mode

  • Boot the system in Target Disk Mode, which is activated by holding the “T” key until the FireWire icon appears on the screen.
  • The suspect system can then be connected to the forensic workstation through a FireWire cable. The forensic workstation contains the necessary software to acquire a physical (bit-by-bit) image of the suspect hard drive.
  • Before connecting the suspect hard drive to the forensic workstation, the “Disk Arbitration” function should be disabled on the forensic Mac workstation. Disk Arbitration is a service (daemon) that automatically detects and mounts connected devices. Disabling it prevents the automatic mounting of the suspect device and ensures that it stays forensically sound.

(ii) Acquiring the image by removing the storage media

If the HDD can be easily detected and removed from the suspect computer system, it can be imaged or acquired either by connecting it to the forensic workstation through a write-blocker device or by using forensic drive duplicators. Both of these methods ensure that the hard drive is accessed in read-only mode and that no tampering or change is made to it. Forensic tools such as MacQuisition, Mac OSX Forensic Imager, FTK Imager CLI, the built-in “dd” command and Blackbagtech tools can be used to create a forensic image of the suspect drive while it is connected to a forensic workstation. The image below shows some of the devices used in physical acquisition.

Forensic analysis of the Mac OS image

Once the forensic image is captured, it can be loaded into forensic analysis software such as Encase, FTK, ProDiscover or BLACKLIGHT. The image can be browsed for relevant content, or a full-fledged forensic analysis involving the examination of various artifacts can be performed. With the captured forensic image loaded, information such as the users list, operating system details, Internet history, file browsing history, emails sent/received and USB/external devices connected can be identified and extracted by performing different types of analysis. The type of information that needs to be identified and retrieved varies from case to case.

Below is a list of some artifacts that are generally processed for relevant information from Mac forensic images.

Important Differences between Windows and Mac Operating systems

Apart from the methods of acquisition, there are significant differences in the analysis of acquired images. Since the file systems in these two operating systems are different, the way different types of information are stored and accessed is also different. Below are some differences between Mac and Windows systems from a forensic perspective.


The forensic acquisition and analysis of digital evidence from the Mac operating system poses a challenge for digital forensic investigators because of the complexity of the operating system and file system structures, and because commercial and open-source tools are largely unavailable, as most research is targeted at Windows forensic tools.

Authored by Naresh Goud Lokiri

TCS Enterprise Security & Risk Management
