OS X forensic acquisition: a basic workflow
OS X is, in effect, a *nix based system.
Therefore the forensic image acquisition processes are very similar to those used on Linux systems.
Today I’d like to share my personal acquisition workflow for Apple Mac systems, suitable for OSX before 10.11 (El Capitan) or any OSX version with SIP disabled.
‘Light’ evidence collection
A first assessment could be performed with a ‘light’ acquisition tool,that gathers information from plists and SQLite databases and the file system.
osxcollector.pyis a single Python file that runs without any dependencies on a standard OSX machine. This makes it really easy to run collection on any machine – no fussing with brew, pip, config files, or environment variables. Just copy the single file onto the machine and run it:
$ sudo osxcollector.py Wrote 35394 lines. Output in osxcollect-2014_12_21-08_49_39.tar.gz
The JSON output of the collector, along with some helpful files like system logs, if bundled into a .tar.gz, containing:
Full disk acquisition
On Unix systems, this step is really simple:
$ sudo dd if=/dev/[DISK] of=diskimage.dd bs=512
I suggest to use MacPmem, from Rekall project.
MacPmem enables read/write access to physical memory on OS X 10.8 through 10.11. It simultaneously exposes a wealth of useful information about the operating system and hardware it’s running on through a informational device and sysctl interface.
https://github.com/Velocidex/c-aff4/releases (Thanks to Phill Moore!)
MacPmem is a Osx Kernel Extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:
- /dev/pmem: allows physical memory read access, but can be built also with write support.
- /dev/pmem_info: Exposes informational dump.
First, clone the Rekall git repository, than build the kernel extension (located in tools/osx/MacPmem).
Finally, load the kext and start acquisition using DD:
$ sudo kextload MacPmem.kext $ sudo dd if=/dev/pmem of=memory.raw