BlackBag Training Videos

  • I have added a link to the BlackBag Technologies free “BBTV” training video website. Videos include imaging, analysis, iOS and Mac. The direct link is located in the Ext. Resources menu with other excellent sources of information.

OS X 10.10, FileVault 2, more info

  • A few days ago, I posted about the OS X 10.10 update also updating the HFS+ volume to CoreStorage. With the final release, it appears this is not always the case. Specifically, with FileVault, Yosemite has some defined circumstances where FileVault encryption will (should) be presented during setup. My own experience is outside of the defined criteria and I was offered FileVault encryption on a Mac Mini. A great blog post by Rich Trouton titled “New FileVault 2 enablement option in Yosemite’s Setup Assistant” defines the criteria well. It’s important for analysts to remember that FileVault can be enabled at any time with a single click on the “Turn On FileVault” button. When collecting evidence, be aware that someone can enable this feature if not kept away from your scene.

10.10 and Boot Camp

Recently, there have been many questions regarding the current state of support for Windows on the Mac. OS X 10.10 is the most current operating system for the Mac. Macs have two options for running the Windows operating system: a physical install or a virtual machine. Since virtual machines are the easier of the two, this article will focus on Boot Camp and the nuances of installing the Windows operating system on a Mac. More specifically, we will focus on the methods supported by Apple, not DIY solutions.

To begin, let’s discuss how Apple supports the installation of Windows. “Boot Camp” is Apple’s solution for easily installing Windows from installation media to the internal drive of a Mac. Boot Camp specifically refers to two components:
  • Boot Camp is an application on OS X that will partition a drive and begin the Windows installation
  • Boot Camp is a collection of drivers for the Windows OS that support the Apple hardware

Initially, with OS X 10.5 on Intel Macs, Apple supported Windows XP Service Pack 3. By using the Boot Camp application, one would begin the installation of Windows from OS X, and the end result would be a working copy of Windows with the “Boot Camp” drivers installed into Windows. These drivers were available on the OS X Install DVD. Today, Apple’s Boot Camp drivers are a simple download from their Downloads page.

Today, Apple’s Boot Camp drivers are at version 5.1, and there is a dedicated “Boot Camp Support” portal. In summary, Apple will now support Boot Camp for Windows 8 and later only. This does not mean previous installations are broken, nor does it mean previous drivers cannot still be used. What it does mean is that new hardware released by Apple will not get driver support for Windows 7 and earlier. Updating to OS X 10.10 does not break your current Windows installation, nor are you prevented from installing Windows 7 and earlier on older Macs that Apple previously supported.

However, there are a few nuances to be considered prior to updating to OS X 10.10.

  • First, the HFS+ system partition is converted to a CoreStorage logical volume. Operationally, your Mac will look and feel the same. However, if you are used to seeing your HFS+ partition from Windows, you will not be happy. Currently, there are no CoreStorage drivers for Windows (or any other operating system). This means you will not be able to read your OS X partition from Windows, nor will third-party HFS+ read-write drivers work with the CoreStorage volume. If that function is important to your analytical work, consider delaying the OS X 10.10 update until you have found an adequate solution.
  • Second, the Fusion Drive is a structure from Apple that combines an SSD and a hard disk into one large, fast logical volume (it is built on CoreStorage as well). Apple offers it on certain Mac models, and it is possible to create your own Fusion Drive too. When a Fusion Drive is in use, you are limited to only one additional partition on the drive. This was designed so that Boot Camp is still possible on Macs that ship with a Fusion Drive. Quoting Apple: “You can create one additional partition on the hard disk with Fusion Drive. You can create either a Mac OS X partition or a Windows partition.”

My primary method of accessing Windows on any of my Macs is to use virtual machines. The only time I find a VM is not the proper choice is when full, direct hardware access is needed for 100% performance. As noted in our VMware Fusion article, performance within the virtual machine is adequate for certain high-impact applications.

While not covered in this article, there are many DIY solutions to install unsupported versions of Windows on your Mac. I had installed Windows XP 64-bit on Mac Pros manually with great success. This solution meant finding drivers for the major hardware components of the Mac Pro. What I did not get were the minor pieces that Apple addresses, such as the Apple keyboard’s specific keys or the Apple Software Update feature for newer versions of drivers. This was only a minor inconvenience, and I found Apple hardware to run Windows quite well.

Apple articles used for this post (see our Apple Technical Docs page for a list of helpful articles)

Your drive is now CoreStorage

Did you notice after upgrading to OS X 10.10 Yosemite that your disk layout is now CoreStorage? Whether or not you use FileVault encryption or have a Fusion Drive, your Mac now uses Apple’s logical volume manager, CoreStorage. Don’t rely on Linux boot CDs for imaging any longer. A raw image of the physical disk can still be taken from any operating system, but nothing except OS X will assemble and mount the CoreStorage logical volume inside it, so verifying that image, mounting it, or doing a targeted collection from a Yosemite Mac, live or powered off, now requires OS X to be involved.
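As an added illustration (not part of the original post), here is a small parser for the output of diskutil cs list that answers the three questions an examiner asks on arrival: is the disk CoreStorage at all, is it a Fusion Drive, and is FileVault on and still locked. It assumes the text layout diskutil cs list prints on 10.10; the sample output embedded in it is constructed for the example (a two-disk Fusion Drive with FileVault on), not captured from a real Mac.

```python
import re

# Constructed sample in the layout `diskutil cs list` prints: a two-disk Fusion Drive
# (two Physical Volumes) with FileVault on (Encryption Type AES-XTS). Not from a real Mac.
SAMPLE_CS_LIST = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 5D2C2B52-4A3F-4F7C-9E58-2C1E7B7E1A10
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 0C6F5E3A-1B2C-4D5E-8F90-1A2B3C4D5E6F
    |   Index:    0
    |   Disk:     disk0s2
    |
    +-< Physical Volume 7A8B9C0D-1E2F-4A3B-9C4D-5E6F7A8B9C0D
    |   Index:    1
    |   Disk:     disk1s2
    |
    +-> Logical Volume Family 3E4F5A6B-7C8D-4E9F-A0B1-C2D3E4F5A6B7
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        |
        +-> Logical Volume 9F8E7D6C-5B4A-4392-8170-6F5E4D3C2B1A
            Disk:                  disk2
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS
"""

UUID = r"([0-9A-F-]{36})"
GROUP_RE = re.compile(r"Logical Volume Group " + UUID)
PV_RE = re.compile(r"Physical Volume " + UUID)
FAMILY_RE = re.compile(r"Logical Volume Family " + UUID)
LV_RE = re.compile(r"Logical Volume " + UUID)
FIELD_RE = re.compile(r"^[\s|]*([A-Za-z ()]+?):\s+(.*)$")  # the "Key:   value" rows of the tree


def parse_cs_list(text):
    """Walk the tree and collect, per logical volume group, the facts an examiner needs."""
    groups, cur, ctx = [], None, None
    for line in text.splitlines():
        m = GROUP_RE.search(line)
        if m:
            cur = {"uuid": m.group(1), "name": None, "pvs": [],
                   "encryption_type": None, "encryption_status": None, "lv_disk": None}
            groups.append(cur)
            ctx = "group"
        elif cur is None:
            continue
        elif PV_RE.search(line):
            cur["pvs"].append({"uuid": PV_RE.search(line).group(1), "disk": None})
            ctx = "pv"
        elif FAMILY_RE.search(line):
            ctx = "family"
        elif LV_RE.search(line):
            ctx = "lv"
        elif FIELD_RE.match(line):
            key, val = (s.strip() for s in FIELD_RE.match(line).groups())
            if ctx == "group" and key == "Name":
                cur["name"] = val
            elif ctx == "pv" and key == "Disk":
                cur["pvs"][-1]["disk"] = val
            elif ctx == "family" and key in ("Encryption Type", "Encryption Status"):
                cur[key.lower().replace(" ", "_")] = val
            elif ctx == "lv" and key == "Disk":
                cur["lv_disk"] = val
    return groups


def assess(group):
    """Fusion Drive? FileVault? Still locked? Which member disks must a raw image cover?"""
    encrypted = (group["encryption_type"] or "None") != "None"
    return {"name": group["name"],
            "fusion_drive": len(group["pvs"]) > 1,
            "filevault": encrypted,
            "locked": encrypted and group["encryption_status"] == "Locked",
            "member_disks": [pv["disk"] for pv in group["pvs"]],
            "logical_disk": group["lv_disk"],
            # the point of the post: only OS X assembles a CoreStorage group, so a raw image of
            # the member disks can be taken from any OS but the volume inside cannot be mounted
            "mountable_without_osx": False}


def summarize(text):
    """Empty list means no CoreStorage at all: plain HFS+ that third-party drivers can still read."""
    return [assess(g) for g in parse_cs_list(text)]


if __name__ == "__main__":
    # on a live Mac, feed in subprocess.run(["diskutil", "cs", "list"], capture_output=True, text=True).stdout
    for volume in summarize(SAMPLE_CS_LIST):
        print(volume)
```

Run it on the live Mac, or on the examination Mac with the evidence disk attached through a write blocker. An empty result means plain HFS+, which Linux and third-party Windows drivers can still read; a group with more than one member disk is a Fusion Drive, so a raw image has to cover every member disk before OS X can put the volume back together.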

Yosemite and FileVault

The Setup Assistant for OS X 10.10 now defaults to turning FileVault encryption on. The good news is that the recovery key can be stored with the Apple ID, which gives you a recovery path. See the article here.


Apple Event Announcements

Apple is holding their latest event today, titled “It’s Been Way Too Long”. Here are the areas that matter most for digital forensics.

Emphasis was placed on the ecosystem that has been developed to allow Apple Watch, iOS 8, OS X 10.10, Macs and iCloud to all work together.

Apple Pay
Easy, secure and private.
Starting in US.
AMEX, Visa, MasterCard plus many major banks
Many retailers in the US supporting now
Also can be used online
Opens Monday, October 20th

Apple Watch
WatchKit announced for many third party developers to add apps to the watch
Rolls out in November
Apple Watch ships “early 2015”
Controls Keynote presentations

iOS 8
48% adoption to date
48% on iOS 7 still
HealthKit linked to many third-party devices and apps creating a unique profile of the device owner

iOS 8.1
Camera Roll is back
Cloud sharing of every photo and video to every device with no down-scaling
Available Monday Oct 20th

OS X 10.10 Yosemite
Interface change and icon differences, yet likely recognized by previous OS X users
Notifications include third-party widgets and apps
Spotlight accesses internet
Safari has new tab view
Mail allows for “Markup” within an email for reply without leaving the app
Mail allows up to 5GB attachments
iWork saves directly to both local storage and iCloud Drive

iCloud Drive
Stores any file to the cloud, available via Finder sidebar
Available on Mac and iOS devices, as well as Windows PCs

iCloud, Continuity, and Handoff
Sync of settings and data across all devices via AppleID
AirDrop between all devices (iOS and OS X)
AirPlay between devices
Handoff allowing SMS and voice calls to and from Macs and iPads
Continuity from one device to another to continue working within same app

iWork
Available for download free of charge starting today

iPad Statistics
225 Million iPads sold to date, 675,000 iPad specific apps

iPad Air 2 ($499 - $699, add $130 for cellular versions)
Available tomorrow
A8X chip, specific to this device
10 hour battery (still bag & tag with a battery source!)
8MP camera, 1080p HD video
Panorama up to 43MP, burst mode, time lapse photos
Slo-mo video 120fps at 720p
Dual microphones for audio
HDR video
802.11ac wifi
20 LTE bands up to 150Mbps
Touch ID, works with App Store, iTunes and third-party apps
Supports Apple Pay online, not at retail locations

iPad mini 3 ($399, $130 for cellular versions)
Available tomorrow
Touch ID has been added

iMac ($2499)
Shipping today
New Retina display
27”, 5120x2880 pixels
Termed “Retina 5K display”
3.5GHz i5 to 4.0GHz i7
Thunderbolt 2, 20Gb/s bi-directional
Fusion Drives
21.5 and 27” non-Retina iMacs still for sale

Mac Mini (starts at $499)
Shipping today
New Intel processors, 802.11ac, 2 Thunderbolt 2 ports
PCI-e Flash storage

Apple SIM
Not mentioned during the event, but will be available for the new iPad Air 2 and iPad mini 3
Will be a “world SIM”
AT&T, Sprint and T-Mobile are first 3 to start supporting it

Videos!

BlackBag Technologies has posted videos on how to conduct sound collections and analysis using their tools. Notable is the new Mobilyze and its speed in acquiring data. Mobilyze is the easiest and fastest product on the market for iOS and Android smart phone examinations. Have a look at the video collection here.

Create your own Fusion Drive

In this article, we cover the steps to create your own Fusion Drive. Apple currently ships Fusion Drives in the iMac and Mac Mini as an optional fast, large-capacity storage option. OS X 10.8 and later can build a home-brew Fusion Drive from any SSD and hard disk, since the Fusion Drive is a CoreStorage logical volume group. We discuss how to do it and the specific care needed when creating your own.

BlackBag Technologies launches Mobilyze

BlackBag Technologies has released a new standard in smart phone data collection. Mobilyze runs on both Mac and Windows, and can collect data from both iOS and Android based smart phones. The ease of use will allow anyone to begin using Mobilyze within minutes. The official announcement is seen here:

Today we are thrilled to announce the launch of Mobilyze, our new ultra-fast mobile data triage tool, capable of acquiring data from both Android and iOS devices. We created Mobilyze after several ride-alongs and countless conversations with customers who expressed a growing need for something to address the mountain of smartphones backlogged in evidence. More than anything, this is what Mobilyze was built for. Mobilyze is a tool that we are extremely proud of and we think it carries enormous value as an addition to any forensic toolkit. Listed below are a few distinguishing features you may find interesting:
• Start viewing and filtering data in real time as it is being acquired
• Unplug your device and Mobilyze will preserve all of the data collected to that point
• Acquire everything or specifically choose which applications to collect from
• Import directly into the next release of BlackLight for immediate comprehensive analysis

If you want to learn more or try it for yourself, you can click here to visit our Mobilyze webpage or you can email our team of Forensic Analysts & Instructors (analyst@blackbagtech.com) and they will gladly answer any and all questions.

Carpe Datum, 
The BlackBag Team

Remote access and "intrusion" to Mac

I have recently been asked by a number of people how to begin analyzing a Mac for signs of remote intrusion. I’d like to point out a few of the first steps I would take before diving deep into the data.

Mitigate any further damage and get the Mac off the network. This includes wired and wireless connections, including Bluetooth. Remember that FireWire and Thunderbolt can carry TCP/IP as well (IP over FireWire and the Thunderbolt Bridge interface)!

Next, always start simple and run a malware scanner like ClamXAV (free) against the image.

With those taken care of, begin looking at the most tell-tale areas:
  1. review the logs, especially system.log and secure.log under /private/var/log, for successful and failed authentications, and note which service (sshd, screensharingd, etc.) accepted them
  2. look at the “LaunchDaemons” and “LaunchAgents” folders in /Library and in each user’s ~/Library
  3. look at /Library/StartupItems
  4. review overrides.plist for the system and for each user to see which services are enabled (Remote Login, Screen Sharing, FTP, etc.); on 10.9 and earlier these live under /private/var/db/launchd.db/, while Yosemite moved the equivalent to /private/var/db/com.apple.xpc.launchd/disabled.plist (and disabled.<uid>.plist per user)
  5. look into the sleepimage (/private/var/vm/sleepimage) for RAM traces of malware
  6. review third-party application installations. TeamViewer has been the biggest entry point for intrusions in the last year for my cases by far! This includes looking for components of these apps, as the main app may have been removed to conceal usage.
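To make the checklist concrete, here is an added example script (mine, not BlackBag’s, and not part of the original post) that runs steps 1 through 4 and 6 against a volume mounted at a given root: it lists every LaunchDaemon and LaunchAgent, flags those whose program lives in a user or temp directory, a hidden directory, or belongs to TeamViewer, reads overrides.plist for remote services that have been switched on, and pulls sshd and screensharingd authentication lines out of secure.log. The overrides.plist location it assumes is the 10.9-and-earlier one, the log line shapes are the ones I expect from OpenSSH and screensharingd, and the sample evidence tree and log lines are constructed for the example, not real case data.

```python
import os
import plistlib
import re
import tempfile

# launchd labels of the services the post names, keyed as they appear in overrides.plist
REMOTE_SERVICES = {"com.openssh.sshd": "Remote Login (SSH)",
                   "com.apple.screensharing": "Screen Sharing", "com.apple.ftpd": "FTP"}
OVERRIDES_REL = "private/var/db/launchd.db/com.apple.launchd/overrides.plist"  # 10.9-and-earlier path
ODD_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")  # odd homes for persistence
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")
VNC_RE = re.compile(r"screensharingd\[\d+\]: Authentication: (SUCCEEDED|FAILED) :: "
                    r"User Name: (.*?) :: Viewer Address: (\S+)")
AUTH_RES = (("ssh", SSH_RE, "Accepted"), ("screensharing", VNC_RE, "SUCCEEDED"))


def launch_items(root):
    """(path, label, program, RunAtLoad) for every LaunchDaemon/LaunchAgent plist under root."""
    dirs = ["Library/LaunchDaemons", "Library/LaunchAgents"]
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        dirs += [os.path.join("Users", u, "Library/LaunchAgents") for u in sorted(os.listdir(users))]
    items = []
    for rel in dirs:
        full = os.path.join(root, rel)
        for name in (sorted(os.listdir(full)) if os.path.isdir(full) else []):
            if name.endswith(".plist"):
                with open(os.path.join(full, name), "rb") as fh:
                    job = plistlib.load(fh)
                program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
                items.append((os.path.join(full, name), job.get("Label"), program, bool(job.get("RunAtLoad"))))
    return items


def suspicious_items(items):
    """Persistence whose program lives in a user/temp or hidden path, or is a TeamViewer component."""
    flagged = []
    for _, label, program, _ in items:
        text = f"{label} {program}".lower()
        if program is None or program.startswith(ODD_ROOTS) or "/." in program or "teamviewer" in text:
            flagged.append((label, program))
    return flagged


def enabled_remote_services(overrides_path):
    """Services whose overrides entry says Disabled = false, i.e. someone switched them on."""
    if not os.path.isfile(overrides_path):
        return []
    with open(overrides_path, "rb") as fh:
        overrides = plistlib.load(fh)
    return [desc for label, desc in REMOTE_SERVICES.items()
            if overrides.get(label, {}).get("Disabled", True) is False]


def auth_events(log_text):
    """(service, success, user, source) for each remote authentication line in secure.log."""
    return [(svc, m.group(1) == ok, m.group(2), m.group(3))
            for line in log_text.splitlines() for svc, rx, ok in AUTH_RES if (m := rx.search(line))]


def triage(root, log_text, overrides_rel=OVERRIDES_REL):
    """Run the checklist above against a volume mounted read-only at root."""
    items = launch_items(root)
    startup = os.path.join(root, "Library/StartupItems")
    return {"launch_items": len(items),
            "suspicious": suspicious_items(items),
            "startup_items": sorted(os.listdir(startup)) if os.path.isdir(startup) else [],
            "remote_services": enabled_remote_services(os.path.join(root, overrides_rel)),
            "auth_events": auth_events(log_text)}


def build_sample_image():
    """Constructed evidence tree standing in for a mounted image; none of it is real case data."""
    root = tempfile.mkdtemp(prefix="mactriage-")
    def plist(rel, obj):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(obj, fh)
    plist("Library/LaunchDaemons/com.example.backup.plist",
          {"Label": "com.example.backup", "Program": "/usr/local/bin/backup", "RunAtLoad": True})
    plist("Library/LaunchDaemons/com.example.updatehelper.plist",  # harmless-looking label, hidden path
          {"Label": "com.example.updatehelper", "ProgramArguments": ["/Users/Shared/.cache/helper"], "RunAtLoad": True})
    plist("Users/admin/Library/LaunchAgents/com.teamviewer.teamviewer.plist", {"Label": "com.teamviewer.teamviewer",
          "ProgramArguments": ["/Applications/TeamViewer.app/Contents/MacOS/TeamViewer"]})
    plist(OVERRIDES_REL, {"com.openssh.sshd": {"Disabled": False},
                          "com.apple.screensharing": {"Disabled": False}, "com.apple.ftpd": {"Disabled": True}})
    os.makedirs(os.path.join(root, "Library/StartupItems/ExampleStartupItem"))
    return root


SAMPLE_LOG = """\
Oct 20 10:01:02 imac sshd[512]: Failed password for root from 203.0.113.7 port 51230 ssh2
Oct 20 10:01:09 imac sshd[512]: Accepted keyboard-interactive/pam for admin from 203.0.113.7 port 51234 ssh2
Oct 20 10:04:41 imac screensharingd[600]: Authentication: SUCCEEDED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: DH
"""  # constructed secure.log lines in the OpenSSH and screensharingd shapes; not from a real system

if __name__ == "__main__":
    print(triage(build_sample_image(), SAMPLE_LOG))
```

Point it at a read-only mount of the image rather than at the live system, and treat the flagged list as a starting point, not a verdict: a legitimate backup agent in /Users/Shared will be flagged too, and malware that installs itself into /Library/Application Support with an Apple-looking name will not. The sleepimage check (step 5) belongs to a memory-analysis tool rather than a script like this.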
As always, please feel free to contact AppleExaminer for more assistance, or seek out Professional Services through BlackBag Technologies, my employer.


For more info, see my friend Charles Edge’s article: http://krypted.com/mac-os-x-server/enable-ssh-ard-snmp-the-remote-server-app-use-in-os-x-server-mavericks/

Paragon HFS+ for Windows Free

Paragon has HFS+ drivers for Windows 8/8.1 available for free here. Note, this is not the full set of drivers available with their paid software at $19.95.

"A Few Thoughts on Cryptographic Engineering" by Matthew Green

Matthew Green has posted another excellent article on his blog, “A Few Thoughts on Cryptographic Engineering”, answering the question “Why can’t Apple decrypt your iPhone?”

"A (not so) quick primer on iOS encryption" by David Schuetz

A great article has been posted by David Schuetz on his website DarthNull.org titled “A (not so) quick primer on iOS encryption”. Well worth the read!

Passware Kit 13.7 is out

Passware Kit 13.7 has been released. It acquires iCloud backups, recovers passwords for non-system FileVault 2 volumes, and accelerates TrueCrypt decryption on AMD GPUs.

Paragon has released "VMDK Mounter for Mac OS X"

Paragon has released a free utility for OS X called “VMDK Mounter for Mac OS X”. This application allows for both GUI and command line control of VMDK files on the Mac.

Elcomsoft article on "Keeper Password Manager"

Elcomsoft has posted an in-depth article on the analysis of the iOS password manager “Keeper Password Manager”. The app is described there as follows: “Keeper® Password Manager & Digital Vault 8.3 (or simply “Keeper”) is a password management app for iOS enabling secure storage of credentials, files and pictures. If you have more than one Apple device, Keeper will automatically synchronize between the different mobile devices.”

iOS 8 and the new rules

I have helped author a blog on the BlackBag Tech website titled, “iOS 8 and its Impact on Investigations”. This article looks at what has changed, what is similar, and the areas one should be considering for data related to cases.

Spotlight data, where is it?

Spotlight is a built-in indexing engine for OS X. For it to operate fast, data must be stored on disk. In this article, we discuss how Spotlight works, and where data can be found.

NUIX 6 supports and runs on Mac

NUIX has released version 6 of its analysis software. Showing the strong surge of Apple hardware in the analysis environment, NUIX has released version 6 with support for specific OS X file types and the ability to run on OS X. See the full text on the NUIX website.

iCloud, where do I find data?

When MobileMe was discontinued, iCloud replaced the service with new concepts for the Apple eco-system. Originally introduced with OS X 10.7.2 and iOS 5, iCloud began as a sync service amongst all devices. Today, iCloud offers robust sync capabilities and data storage for both Apple and third-party developers. Based on the sign-in of a specific Apple ID, devices have additional functionality. Here are the important areas to consider for any investigation:

iCloud Drive:
  • 5GB of storage free with up to 1TB of purchased storage
  • acts as a local attached media device for saving of data
  • syncs across all devices

Sync:
  • Photos, syncs pictures and video across all devices
  • Mail, settings and signatures are pushed to iCloud and out to all devices
  • Contacts, syncs all Contact information across devices, including delete
  • Calendar, syncs data in the Calendar app across all devices
  • Reminders, syncs data in the Reminders app across all devices
  • Safari, bookmarks and open tabs are pushed to iCloud and out to all devices
  • Notes, syncs data from the Notes app to all devices
  • Keychain, syncs saved passwords, secure notes, and form data across devices. Keychain is integrated with Safari and allows for random password generation and storage.
  • Back To My Mac, remote screen control of Macintosh computers
  • Find My Mac/Find My iPhone, geo-locates the device, allows for remote erase and remote lock

  • iOS has the Passbook feature, which allows for apps to save boarding passes, coupons, movie tickets, and soon, credit card and debit card information.

iCloud Preference Pane as seen from OS X 10.10

A local cache is stored on each Macintosh computer in the user’s ~/Library/Mobile Documents/. Folders for iOS and OS X apps are found here.

What is still to come?

  • With all of the great announcements today, what is still to come?
  • OS X 10.10, the new operating system, is slated for a fall release. It will bring many new features such as Handoff, iCloud Drive and more.
  • Apple Watch is slated for 2015, with no specific date given.
  • AppleTV updates, the latest beta of the AppleTV software only runs on the 3rd generation AppleTV.
  • HomeKit, expansion of this segment of home automation is likely going to be a large segment by Christmas of this year.
  • As more announcements come from Apple, we will continue to update you on the areas significant to Apple digital forensics.

iPhone 6, 6 Plus and Apple Watch

Apple has now introduced:

iPhone 6 and iPhone 6 Plus
  • A8 and M8 processors (successors to the A7 and M7 found in the iPhone 5s)
  • Main processor and Motion processor
  • Retina HD Display
  • 16GB, 64GB, and 128GB
  • 4.7” and 5.5” display size
  • Touch ID on both models
  • Sensors including barometer
  • 20 LTE bands, 200 LTE carriers supported
  • VoLTE - Voice over LTE
  • 802.11ac - 3x faster than 802.11n
  • WiFi calling - transition calls between WiFi and LTE seamlessly
  • 8MP iSight Camera with True Tone flash
  • 1080p at 30fps, 60fps, and Slow-Mo at 240fps

Apple Watch, Apple Watch Sport, Apple Watch Edition
  • S1 processor, 4 sapphire-covered sensors on the underside
  • MagSafe charging on the back of the watch
  • Direct communication between watches
  • Force touch vs. light touch and swipe for variety of inputs from screen
  • Sync with iPhone or live stream such as music
  • Share internet connection of iOS device with watch (Bluetooth 4 LE)
  • On-board storage of music
  • Digital Crown gives digital input to the watch, such as zoom, scroll, and return to the home screen
  • Display activated by motion of wrist
  • View and respond to messages and email
  • Send pictures, drawings, and health information to another watch
  • Taptic Engine - provides feedback to wearer appropriate to app
  • 2 sizes available
  • Glances, quick view of customizable information available thru a swipe up
  • Analysis of text within messages for quick reply
  • Siri is available by holding down the Crown (like Home button on iPhone)
  • Friend list allows for viewing of location on Maps in real time
  • Communication to other watches has new tap and drawing options. Friend will feel Taptic feedback based on taps to screen.
  • Third-party apps can push notifications to the watch from the iOS device
  • Ability to control AppleTV
  • iPhone 5 and later supported for connection
  • Coming in 2015

iOS 8 New Features

iOS 8 brings about a robust maturity by extending iOS 7 functions and the introduction of new features. Notable to analysts and investigators are the following new features.

Available September 17 for download, supporting the iPhone 4s and later, iPod Touch 5th Generation, iPad 2 and later, and iPad mini.

• 2-up display within many apps, the display changes based on orientation of the iPhone
• Horizontal home screen view, not just portrait view. Icons shift when device rotates.
• Time lapse video
• Audio and video messages within Messages app
• Fitness App - tracks motion such as speed and elevation or even standing still
• Health app - tracks personal health including heart rate and calories (a personalized profile of the owner)

Apple Pay - iPhone 6 and 6 plus, and Apple Watch
• NFC
• Touch ID
• “Secure Element” chip
• All cards are in Passbook
• Add card from iTunes or take picture using iSight Camera
• Device-only account number (the card number itself is not stored on the device) plus a dynamic, per-transaction security code
• Suspend payments directly from device
• Apple does not keep records of purchases
• AMEX, Visa and MasterCard only in USA starting in October

CarPlay, HealthKit and HomeKit
  • CarPlay, display the iOS device screen on supported car radios
  • HealthKit, foundation of health sensors and reporting to apps
  • HomeKit, foundation for control of devices such as lighting, door locks, garage door, thermostats

Elcomsoft iOS Forensic Toolkit updated

Elcomsoft has updated their iOS Forensic Toolkit (EIFT) to version 1.24. Included in this release:
  • works with all iOS 7.x devices with the Pangu 1.2 jailbreak installed
  • automatic iOS version detection
  • compatibility with the new keybag, which may include previously unseen records
The latest news for this tool can be found on the Elcomsoft website.

BlackLight 2014R2 released

BlackBag Technologies has released the newest version of BlackLight, 2014R2. Key to this release is speed of searching and user-requested improvements. Both the Windows and Mac applications information is available from their website.

Apple iOS Diagnostic Capabilities

Apple has put out a new tech note titled “iOS: About diagnostic capabilities”. It summarizes “com.apple.mobile.pcapd”, “com.apple.mobile.file_relay”, & “com.apple.mobile.house_arrest”. The document states what use each has and why they are included on iOS devices.

Don't let an iOS device restart

iOS devices have excellent hardware and software based security. The latest iOS devices so far have no known hardware flaws, so “physical imaging” of them is not possible. In addition, the file-level encryption (Data Protection) causes one specific headache for many of us. When an iOS (5 and later) device with a passcode set starts up, the first screen presented after reboot is the passcode screen. At this point there is no way to perform a logical acquisition of the device, even if you have a valid pairing record for it. Files in the Data Protection class “Complete Until First User Authentication” require the device to be unlocked once after boot; after that first unlock their class key stays available (even once the device re-locks) and many files become accessible. The number of files available at any given time still varies, because files in the “Complete Protection” class have their key discarded again shortly after the device locks. So, this reminder is: NEVER let an iOS device lose power, forcing it to restart. If you don’t know the passcode, upon power up you will not be able to do any collection.

UPDATE: This does not prevent a file_relay communication with the iOS device, however it will not return data that is protected until first unlock. iTunes backups, which were the initial intent of this blog post, travel over the same lockdown services (the backup service alongside AFC, the Apple File Conduit) and hit the same limit. Thanks to Austin Colby, BlackBag Technologies, for this tip.

Resetting an Airport base station

I just had a question come in about accessing an Airport Base station when the password is not known. Apple has a tech note (HT3728) for “Resetting an Airport base station”. This article gives temporary access to the device without clearing settings or logs. I also added this to our select Apple Technical Documents bookmarked on this site.

Network Utility on your Portable Workstation

As a part of the Portable Forensic Workstation we setup earlier, a utility is included from Apple. The Network Utility is rather powerful and can be used for many areas of interest in a case. This OSXDaily article describes its functions quite well.

Stellar introduces Mail Converter for the Mac

MacTech is reporting that Stellar has released a new application to convert email to common formats. This can be especially handy with the Microsoft Outlook format for analysis.

Focus Files updated

I have just updated the OS X Focus Files and iOS Focus Files with additional paths from questions I have received lately. Please feel free to email any additional file locations you would like shared with the community. The files listed on each page are common to most analysis performed for each of the operating systems.

Portable Forensic Workstation revisited

A while back, I wrote an article on creating your own “Portable OS X Workstations”, allowing any triage or analysis assigned person to boot and view any Mac in a safe manner. Times have changed! It is time to revisit the concept and create the best portable solution to protect, collect, and image ANY evidence we come across. Let’s create a current Portable Triage and Analysis Workstation.

BlackBag Technologies releases SoftBlock 1.0.7

BlackBag Technologies has released their latest version of SoftBlock for OS X. This low-level kernel extension is a software write blocker: it allows a Mac to be safely used as a triage or imaging device without threat of evidence alteration. Using SoftBlock and “Thunderbolt Target Disk Mode” allows for extremely fast 10Gb/s (or 20Gb/s on Mac Pro) triage and imaging of evidence.

Apple posts LE guide

Apple has posted a guide to the requests they receive and the data they return under court order. The guide shows what can and cannot happen with data stored on a device as well as data stored on their servers.

Boot Camp and Thunderbolt

Boot Camp, Windows and Thunderbolt have not been the easiest technologies to combine. Today I located a Knowledge Base article from Apple regarding usage of Thunderbolt devices after upgrading from Windows 7 to 8. The article, titled “Boot Camp: Thunderbolt devices not recognized after Windows 8 upgrade” helps a bit for items that were once working and may not after the update. ZDNET has an article from September of 2013 regarding Thunderbolt and Windows compatibility that may be of interest also. If you are looking to use the Apple Thunderbolt to Ethernet adapter, there is a community discussion related to drivers. As of today, it appears drivers are still written by specific manufacturers for specific devices, and there is no all-encompassing Microsoft driver for the Thunderbolt port.

MacQuisition 2014R1 released

BlackBag Technologies has updated MacQuisition to version 2014R1. Notable is faster targeted collection, compatibility for OS X 10.9 and improved user authentication process. MacQuisition is a live OS X incident response tool as well as a bootable flash drive for imaging.

Passware updated for OS X 10.9

Passware Inc. has updated Passware to version 13.1. Notable is the extraction of OS X 10.9 Mavericks user passwords from live memory images, additional GPU acceleration, support for Quickbooks for Mac, and a Mobile Forensics section.

SeV Expedition Jacket

SCOTTeVEST (SeV) has sent their Expedition jacket for a run with digital forensic gear. This 37 pocket jacket was a pleasure to review, and we are very happy for the new sponsorship from SeV. Read the full article here.

Apple knowledgebase on iCloud Security

Apple’s KB article on iCloud Security discusses the levels and strength of encryption used for both storage and in-transit data.

EPPB updated

Elcomsoft has updated Phone Password Breaker. From their release notes: it “now fully supports new iCloud backup encryption introduced in iOS 7.1, including 3rd party app data (such as WhatsApp, Skype, Viber etc).”
