DFIR Blog

Investigations & Analysis

MacOs Keychain Analysis

4/6/2018

MacOs Key Chain Analysis
Location: ~/Library/Keychains
File of interest: keychain-2.db
Data in the Login & System Keychains can be very useful in an investigation.
Once you have copied the keychain-db file, you can use the native Keychain app to view its contents.

Which plist store auto login items data?

4/5/2018

$ cd /Users/<Username>/Library/Preferences
$ open -a xcode com.apple.loginitems.plist
You can use any hex editor to read the hex data; the hex gives you the file path of each login item.

MacOs Investigation Tracker

4/5/2018

https://docs.google.com/spreadsheets/d/1t6swpG1kN_8ZP6BX3CkEeOyUmsAv86pqU5yEvwIdAP0/edit?usp=sharing

List of Application in Mac Dock

4/5/2018

open -a xcode ~/Library/Preferences/com.apple.dock.plist

Mac Keyboard Dynamic Text

4/5/2018

Location: /Users/<username>/Library/KeyboardServices/TextReplacements.db

The data from this DB can be very handy in an investigation to get access to the suspect's machine.

Application Launched at the System Boot

4/5/2018

The following plist holds the information on the applications that start at system boot:

open -a xcode ~/Library/Preferences/com.apple.loginitems.plist
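As an added example (not code from the original post), for the com.apple.loginitems.plist discussed in this post and in "Which plist store auto login items data?" above: this Python script does in code what the hex editor does by eye. It loads the plist with plistlib, walks every key, pulls printable runs out of binary blobs and keeps the ones that look like file paths. The key names in the constructed sample plist (SessionItems, CustomListItems, Alias) and the sample path are assumptions; extract_paths_from_file can be pointed at a copied loginitems or dock plist.

```python
from __future__ import annotations
import plistlib
import re
from typing import Any, Iterator

# Runs of 4+ printable ASCII bytes: the strings a hex editor shows in its ASCII column.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (key path, leaf value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node

def extract_paths(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (key path, candidate file path) pairs found in string values and binary blobs."""
    found: list[tuple[str, str]] = []
    for key_path, value in _walk(plistlib.loads(plist_bytes)):
        if isinstance(value, bytes):
            candidates = [m.decode("ascii") for m in STRING_RE.findall(value)]
        elif isinstance(value, str):
            candidates = [value]
        else:
            continue
        # keep only strings that look like absolute paths or app bundles
        found.extend((key_path, s) for s in candidates if s.startswith("/") or s.endswith(".app"))
    return found

def extract_paths_from_file(filename: str) -> list[tuple[str, str]]:
    """Run extract_paths on a plist on disk, e.g. a copied com.apple.loginitems.plist."""
    with open(filename, "rb") as fh:
        return extract_paths(fh.read())

# Constructed sample (assumed key names, not a real loginitems plist): an Alias-style blob
# that wraps the item's path inside binary bytes, as the hex editor view in the post shows.
SAMPLE_BLOB = b"\x00\x00\x00\x9cbook\x00\x00\x00\x00/Applications/Example.app\x00\x01\x02"
SAMPLE_PLIST = plistlib.dumps(
    {"SessionItems": {"CustomListItems": [{"Name": "Example", "Alias": SAMPLE_BLOB}]}},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for key_path, found_path in extract_paths(SAMPLE_PLIST):
        print(f"{key_path}: {found_path}")
```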

Launch Agents/Daemons

4/5/2018

Launch Agents (User Level) - Background User Process

$ cd /System/Library/LaunchAgents/
$ cd /Library/LaunchAgents/

Launch Daemons (System Level) - Background System Process

$ cd /System/Library/LaunchDaemons/
$ cd /Library/LaunchDaemons/

This is basically like cron jobs. The best examples of Launch Daemons are the following plist files:

MacOs Keychains

4/5/2018

 
Location: ~/Library/Keychain

Bash History File

4/5/2018

The Bash history file is very useful for investigation purposes.
Location: /Users/<username>/.bash_history
  • Usually it stores up to the last 500 Bash commands, but sometimes in live response/collection you may get a little more.
  • It's a hidden file.
  • It only gets created if the user uses the Terminal app.
  • By default there is no timestamp, but you can add one; please see this post: http://www.4n6world.com/blog/how-to-add-timestamp-to-bash-history-in-mac

Antedating

4/5/2018

Antedating: creating a document with incorrect timestamps.
Investigation:
  • Analyzing the metadata of the document to get the baseline information is the first step.
  • Secondly, perform a comparative analysis of the metadata of all the documents under investigation.
  • One might get some important information from the source machine. Analyze the event logs if it's a Windows machine.
  • Look for the email headers if the document was shared via email.
  • Use basic common sense in the analysis by looking at the OS and the release date of the extension.

How to antedate a document?
  • Use software to change the metadata.
  • Changing the computer time before creating an electronic document is another method of antedating, as the metadata for the newly created electronic file will be based on the incorrect setting of the system.

Readings:
http://www.cse.scu.edu/~tschwarz/COEN252_13/Papers/antedating.pdf
