The increasing popularity of Apple Mac hardware presents new challenges for forensic investigators. These investigations are complicated by the ability of modern Macs to run other operating systems, such as Windows or Linux, either dual-booted via Apple’s Boot Camp software or inside a virtual machine such as Parallels or VMware Fusion. Mac Marshal automates the identification of the operating environment of a Mac OS X based system and the extraction of usage information left behind by the operating system and Mac OS X applications. Its ability to drive the Spotlight search engine against evidence volumes is invaluable in speeding searches for files based on sophisticated content or metadata criteria.
Mac Marshal is available in two software-only versions, the Forensic Edition for Macs and the Forensic Edition for PCs. The Forensic Edition for Macs runs on Mac OS X 10.4 or later; the Forensic Edition for PCs runs on Microsoft Windows XP or later.
Each Forensic Edition installation is tied to a specific workstation by a unique serial number; installing it on another workstation requires a different serial number.
Mac Marshal is also available as a Field Edition, which can be used “live” on a running machine rather than on a disk image. The Field Edition is supplied on a USB 2.0 flash drive that is plugged directly into the target machine while it is running. Used this way on a live target, it can gather volatile state (RAM, running processes, network connections, etc.) that would be lost when seizing the machine and imaging the disk, and it lets the same data-gathering and analysis functions that normally work on hard-drive images operate directly on the target’s live hard drive, so taking an image first is not necessary. As with any live acquisition, running the tool changes the state of the target (the USB drive is mounted and the tool’s own processes run), so the audit log described under Logging and Auditing is what documents those effects.
The Field Edition may also be used on an investigator’s workstation to analyze the image of a target computer’s hard drive. The workstation may be either a Mac OS X 10.4 or later or a Microsoft Windows XP or later platform. Used this way, it operates exactly like the Forensic Editions, except that the Mac Marshal application runs from the USB drive and is not installed on the investigator’s workstation; it is thus portable from one investigator’s workstation to another.
Features Common to both the Forensic Editions and Field Edition
Highlights of the features available in the Forensic Edition for Macs, the Forensic Edition for PCs and Field Edition in Release 3.0 of Mac Marshal:
- Analyzes Mac OS X and dual-boot disk and partition images in multiple formats
- Analyzes configuration and log files from OS X applications, such as Apple Mail, Safari, iChat, QuickTime Player, and Address Book
- Automatically gathers comprehensive machine usage information
- Automatically detects and provides analysis of FileVault-encrypted user directories*
- Automatically detects VMware, VirtualBox and Parallels virtual machines
- Lists detailed information about every iPod and iPhone that has been connected to the machine
- Provides rapid searching of Spotlight file metadata*
- Supports dd, EnCase, FTK, AFF, and Apple disk images
- Maintains a detailed audit trail and generates detailed reports in HTML, PDF, RTF and tab-separated value formats
*Refer to limitations for the Forensic Edition for PCs described below.
Mac Marshal Forensic Edition for Macs must be run on a Mac OS X system, version 10.4 and later and Mac Marshal Forensic Edition for PCs must be run on a Microsoft Windows XP and later platform. Installation of the Forensic Edition requires approximately 100 MB of disk space.
Several features of the Forensic Edition for Macs are not available in the Forensic Edition for PCs because they depend on native Mac OS X functionality that Windows does not provide. Spotlight searches cannot be run from the Forensic Edition for PCs, although the results of any Spotlight searches already stored in an acquisition (for example, one made with the Field Edition) can be reviewed. Decryption and analysis of FileVault-encrypted home directories is likewise not supported on the Forensic Edition for PCs.
Mac Marshal can analyze disk images and mounted partitions from any version of Mac OS X. Disk images to be analyzed can be in any of the following formats:
- Raw (dd)
- Expert Witness Format (EWF, e01), used by Guidance EnCase® and AccessData FTK®
- AFF® (The Advanced Forensic Format)
- Apple Disk image
- Apple sparse disk image (sparseimage and sparsebundle)
In addition, any partition mounted by the Mac OS analysis machine, or available as a raw device in /dev, can be analyzed. For instance, Mac OS machines booted in FireWire Target Disk Mode can be analyzed by a FireWire-connected Mac running Mac Marshal.
Results from Mac Marshal are stored in a user-specified directory on the analysis machine, a removable (e.g., USB) disk, or a file server.
Mac Marshal performs the investigation of Mac OS X systems in two phases, the Triage Phase and the Analysis Phase.
The initial Triage Phase lets the investigator quickly assess the operating system(s) installed on a Mac OS X disk image or machine. Mac Marshal presents general information about the device or image being analyzed, whether it is a whole disk or a single partition: the type of partition map the target contains and a list of the partitions and disk images found within the target device.
The installed operating system is identified within each partition. Macs with a dual-boot configuration will contain multiple partitions, each with a different operating system. Macs running OS X and the MacOS Classic (Mac OS 9) environment will list both operating systems. Within each partition, any virtual-machine based operating systems and any disk image files found are listed. Virtual machines, such as Parallels or VMware, are a popular method for running Microsoft Windows or other operating systems within Mac OS X. Disk image files include FileVault encrypted home directories and other large images potentially of investigative interest.
The information that is automatically extracted and analyzed by Mac Marshal allows the investigator to quickly pinpoint the disk partitions most likely of interest and to apply the operating system-specific tools to these partitions. Mac Marshal specializes in the analysis of Mac OS X data; in order to analyze non-Mac OS X operating system images, the investigator may extract the partition(s) or images of interest which have automatically been identified by Mac Marshal and continue the investigation of these non-OS X images with the appropriate tools of choice.
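The first step of triage described above, enumerating the partition map and deciding what each partition holds, can be done by hand on a raw dd image. The following is an added example written for this page, not Mac Marshal code: it parses a GPT (the partition map used by Intel Macs) from a raw image, verifies both CRC32 fields so a damaged or doctored table is not silently trusted, names each partition from its published type GUID, and then sniffs the partition’s first bytes for an HFS+, NTFS or FAT32 signature, since a Boot Camp partition is typed “Microsoft basic data” and only the content says which filesystem is really there. The image it inspects is constructed in memory by build_gpt_image(); an Apple Partition Map (PowerPC-era) disk is not handled and is reported as such.

```python
"""Triage helper: enumerate the GPT partitions of a raw (dd) image and name each one.

Added example, not Mac Marshal code. The image it inspects is constructed in memory by
build_gpt_image(); call parse_gpt() on the bytes of a real dd image to use it on evidence.
"""
import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header as laid out in the UEFI spec
ENTRY_SIZE = 128
ZERO_GUID = "00000000-0000-0000-0000-000000000000"

# Published partition-type GUIDs (UEFI spec, Apple, Microsoft, Linux).
TYPE_NAMES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "48465300-0000-11aa-aa11-00306543ecac": "Apple HFS/HFS+",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem",
}


def sniff_filesystem(part):
    """What the partition's first 1.5 KiB says it contains (the type GUID only says what it claims)."""
    if part[3:11] == b"NTFS    ":
        return "NTFS"
    if part[1024:1026] in (b"H+", b"HX"):        # HFS+/HFSX volume header sits at offset 1024
        return "HFS+"
    if part[0x52:0x57] == b"FAT32":
        return "FAT32"
    return "unknown"


def parse_gpt(img):
    """Return the populated partition entries of a raw image as dicts; bad CRCs raise ValueError."""
    hdr = bytes(img[SECTOR:SECTOR + 92])
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last,
     _disk_guid, entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(HEADER_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-only or Apple Partition Map disk?)")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:   # CRC field zeroed
        raise ValueError("GPT header CRC mismatch")
    start = entries_lba * SECTOR
    table = bytes(img[start:start + n_entries * entry_size])
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition entry array CRC mismatch")
    found = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        type_guid = str(uuid.UUID(bytes_le=e[:16]))     # GPT stores GUIDs mixed-endian
        if type_guid == ZERO_GUID:
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        found.append({
            "index": i,
            "name": e[56:128].decode("utf-16-le").rstrip("\0"),
            "type": TYPE_NAMES.get(type_guid, type_guid),
            "first_lba": first,
            "last_lba": last,
            "fs": sniff_filesystem(bytes(img[first * SECTOR:first * SECTOR + 1536])),
        })
    return found


def build_gpt_image(partitions, total_sectors=4096):
    """Constructed test input: protective MBR, GPT header, 128-entry table, stamped partitions.
    partitions: (type_guid, first_lba, last_lba, name, bytes placed at the partition start)."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = struct.pack("<8BII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total_sectors - 1)
    img[510:512] = b"\x55\xaa"
    table = bytearray(128 * ENTRY_SIZE)
    for i, (type_guid, first, last, name, stamp) in enumerate(partitions):
        off = i * ENTRY_SIZE
        table[off:off + 16] = uuid.UUID(type_guid).bytes_le
        table[off + 16:off + 32] = uuid.uuid5(uuid.NAMESPACE_OID, name).bytes_le
        struct.pack_into("<QQQ", table, off + 32, first, last, 0)
        table[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\0")
        img[first * SECTOR:first * SECTOR + len(stamp)] = stamp
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    hdr = bytearray(struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                                1, total_sectors - 1, 34, total_sectors - 34,
                                uuid.uuid5(uuid.NAMESPACE_OID, "disk").bytes_le,
                                2, 128, ENTRY_SIZE, zlib.crc32(bytes(table))))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))   # header CRC over the zeroed-field header
    img[SECTOR:SECTOR + 92] = hdr
    return img


# A dual-boot Mac as it typically partitions: EFI, Mac OS X on HFS+, Boot Camp on NTFS.
SAMPLE_IMAGE = build_gpt_image([
    ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 40, 439, "EFI", b"\0" * 0x52 + b"FAT32   "),
    ("48465300-0000-11aa-aa11-00306543ecac", 440, 2999, "Macintosh HD", b"\0" * 1024 + b"H+"),
    ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 3000, 4000, "BOOTCAMP", b"\xeb\x52\x90NTFS    "),
])

if __name__ == "__main__":
    for p in parse_gpt(SAMPLE_IMAGE):
        print(f"#{p['index']} {p['name']:<14} {p['type']:<22} LBA {p['first_lba']}-{p['last_lba']}  content: {p['fs']}")
```

Only the first few MiB of an image are needed for this pass, so it is cheap to run before deciding which partitions to hand to which tool. The content check matters more than the type GUID: operating-system identification rests on what is actually on the partition, not on the label the installer gave it.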
The graphic below shows the flow of the analysis of a dual-boot Mac OS X system with Windows virtual machines.
Upon completing the triage phase, Mac Marshal automatically extracts usage information pertaining to the operating system and Mac OS X applications. Mac OS X and the applications on the Mac platform leave an abundance of information about the user’s activities in configuration files, caches and logs. Mac Marshal provides an extensible tool suite for analyzing the extracted data, together with access to the Spotlight metadata maintained by the operating system and to the contents of FileVault-encrypted home directories.
Analysis tools for disk images.
A number of tools are available for the analysis of a hard drive, hard drive image, partition, or encrypted home directory found by Mac Marshal, regardless of whether any operating systems are installed on it. Disk images discovered during triage can be further analyzed using the Disk Image and, if applicable, Image Decrypt analysis tools.
The Disk Image analysis tool uses Apple’s DiskImages framework to obtain more information about disk images. It is restricted to disk image formats recognized by the DiskImages framework, which includes all Apple disk image formats but does not include virtual machine image formats. When the image is on a mounted partition of a physical device and is readable, analysis of the disk image can be performed directly. Otherwise, the disk image file must be copied before it can be analyzed. In this case, Mac Marshal automatically makes a local copy of the disk image file and immediately performs further analysis.
If the disk image is encrypted using OS X disk image encryption capabilities, the encryption password must be provided before further analysis can be performed. If the password is available or determined with a third-party tool, it can be supplied directly to Mac Marshal and using the Disk Image tool further analysis may immediately be performed.
If the password is not known, the Image Decrypt analysis tool performs fast brute-force password guessing. It requires a dictionary file of candidate passwords; a sample dictionary is bundled with Mac Marshal, consisting of the word list shipped with VileFault augmented with the contents of Webster's Second New International Dictionary.
More sophisticated word lists, readily available from a variety of third-party sources, may also be used. The Image Decrypt tool tests passwords from the dictionary until the encryption password is found or the dictionary is exhausted. A recovered password is stored and remembered, and further analysis of the disk image proceeds immediately. The enhanced vfcrack used by Mac Marshal supports FileVault-encrypted home directories from both Mac OS X 10.4 (sparseimage) and 10.5 (sparsebundle), as well as other encrypted disk images created by hand with Disk Utility. Guessing speed is bounded by the key-derivation work each candidate costs, so a well-ordered, targeted word list does more for time-to-recovery than raw throughput.
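The guess, derive, compare loop that a dictionary attack such as Image Decrypt runs, as an added example written for this page rather than Mac Marshal or vfcrack code. It deliberately does not reproduce the real encrypted DMG or FileVault sparseimage header; for illustration it assumes a header that stores a salt, an iteration count and a key-check value (SHA-256 of the PBKDF2-HMAC-SHA1 output). The real formats wrap an AES key instead, but the loop, the per-candidate cost, the simple mangling rules and the stop-on-hit behaviour are what a practitioner needs to see. The word list and header below are constructed.

```python
"""Dictionary attack on a password-derived key: the loop behind a tool like Image Decrypt.

Added example, not Mac Marshal or vfcrack code. The header layout is an assumption made
for illustration (salt, iterations, SHA-256 of the derived key), not a real DMG header.
"""
import hashlib
import hmac
import os


def derive_key(password, salt, iterations):
    # PBKDF2 is what makes each guess expensive: `iterations` HMAC-SHA1 calls per candidate.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=24)


def make_header(password, iterations=1000, salt=None):
    """Constructed header for a test image protected by `password` (assumed layout)."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "check": hashlib.sha256(derive_key(password, salt, iterations)).digest()}


def check_password(header, candidate):
    digest = hashlib.sha256(derive_key(candidate, header["salt"], header["iterations"])).digest()
    return hmac.compare_digest(digest, header["check"])


def mangle(word):
    """Cheap rule set applied to every dictionary word; the order decides time-to-hit."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.upper()


def dictionary_attack(header, wordlist, rules=True):
    """Try every word (plus rules) until the key check passes or the list is exhausted.
    Returns (password, guesses) on success, (None, guesses) on exhaustion."""
    guesses = 0
    for line in wordlist:
        word = line.strip()
        if not word:
            continue
        for candidate in (mangle(word) if rules else (word,)):
            guesses += 1
            if check_password(header, candidate):
                return candidate, guesses
    return None, guesses


# Constructed inputs: a short word list and an image "header" whose password is dragon1.
SAMPLE_WORDLIST = ["password", "letmein", "dragon", "qwerty"]
SAMPLE_HEADER = make_header("dragon1", salt=bytes(range(16)))

if __name__ == "__main__":
    found, n = dictionary_attack(SAMPLE_HEADER, SAMPLE_WORDLIST)
    print(f"password={found!r} after {n} guesses")   # a real tool caches the hit for later runs
```

With rules enabled, the sample list yields the password on the 13th guess (three base words and their mangled forms precede it); with rules disabled the list is exhausted after four guesses. At 1,000 PBKDF2 iterations a single core manages a few thousand guesses per second, which is why word-list quality and ordering, not hardware, usually decide whether an image is recovered in minutes or never.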
For an unencrypted or successfully decrypted image, the Disk Image analysis tool displays detailed information about the disk image file. If the image contains a single mountable partition, as is usually the case, it can be mounted and navigated from the same tool, and the Spotlight and Spotlight Images analysis tools become available for it. Finally, if the image is recognized as a FileVault-encrypted home directory, the many additional Mac OS X-specific analysis tools described below become available.
Spotlight is the metadata indexing system introduced in Mac OS X 10.4. At the highest level, Spotlight is responsible for acquiring, storing, indexing and performing searches on file metadata. By default, the Spotlight indexer runs continuously in the background, tracking modified files and updating the metadata index in real-time. The Spotlight index is invaluable in speeding searches for files based on sophisticated content or metadata criteria.
Because Mac Marshal makes use of the index the operating system has already generated, case work can proceed dramatically faster: with searches completing in seconds, files of interest can be found, or leads ruled out, in real time. Mac Marshal includes a Spotlight search tool with a graphical interface that lets the investigator run queries written in the Spotlight query language against individual volumes. The tool also supports simple string searches, which look for the string in any metadata attribute as well as in document text content. Each search result includes a full list of its metadata attributes, including the special path and relevance attributes.
For indexed files, executing Spotlight searches is very fast. Even searches against file text content take only a few seconds. Spotlight searches can also be performed on drives and disk images that have not been indexed. The Mac Marshal Spotlight analysis tool indicates whether the drive is indexed. Searches on un-indexed volumes are slower and cannot access all of the metadata available on an indexed volume.
If the Spotlight index is not present or untrustworthy, Mac Marshal can rebuild the index. The new Spotlight index is written to a shadow file. The shadow file allows a disk image to be mounted read-write without modifying the original disk image. The Spotlight index can then be deleted and rebuilt without changing the source image.
The Spotlight Images analysis tool functions similarly to the Spotlight tool, but is geared toward searching photographs and other graphics. The Spotlight Images analysis tool executes a search that finds all image files recognized by Spotlight on the volume. A thumbnail preview of the selected search result is displayed along with its metadata.
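The same kind of query the Spotlight and Spotlight Images tools issue can be expressed with Apple’s command-line front end to the index. The following is an added example for this page, not Mac Marshal code: `mdfind`, `mdutil` and the kMDItem* attribute names are Apple’s; build_query(), run_query() and is_indexed() are helper names chosen here, and the `$time.iso(...)` date function and the “Indexing enabled” wording of `mdutil -s` are quoted from memory of Apple’s documentation rather than from the page. build_query() runs anywhere; the other two need macOS and return None elsewhere.

```python
"""Spotlight queries of the kind Mac Marshal's Spotlight and Spotlight Images tools run.

Added example, not Mac Marshal code. Attribute names and the mdfind/mdutil tools are
Apple's; the helpers and their names are mine.
"""
import shutil
import subprocess


def quote(literal):
    """Quote a string for the Spotlight query language: backslash-escape \\ and \" inside."""
    return '"' + literal.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(text=None, attrs=("kMDItemDisplayName", "kMDItemTextContent"),
                content_type_tree=None, modified_after=None):
    """Compose a query string.

    text:              substring to look for in each of `attrs`; the 'cd' suffix makes the
                       match case- and diacritic-insensitive, '*' is the wildcard
    content_type_tree: a UTI such as "public.image" (how an images-only search is expressed)
    modified_after:    ISO-8601 timestamp compared against kMDItemContentModificationDate
    """
    clauses = []
    if text:
        literal = quote("*" + text + "*") + "cd"
        clauses.append("(" + " || ".join(f"{a} == {literal}" for a in attrs) + ")")
    if content_type_tree:
        clauses.append(f"kMDItemContentTypeTree == {quote(content_type_tree)}")
    if modified_after:
        clauses.append(f"kMDItemContentModificationDate >= $time.iso({modified_after})")
    if not clauses:
        raise ValueError("empty query")
    return " && ".join(clauses)


def run_query(query, onlyin=None):
    """Run the query with mdfind, NUL-separated so odd path characters survive; None without mdfind."""
    mdfind = shutil.which("mdfind")
    if mdfind is None:
        return None
    cmd = [mdfind, "-0"] + (["-onlyin", onlyin] if onlyin else []) + [query]
    out = subprocess.run(cmd, capture_output=True, check=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def is_indexed(volume):
    """Ask mdutil whether the volume has an index; searches on an unindexed volume are slow and partial."""
    mdutil = shutil.which("mdutil")
    if mdutil is None:
        return None
    out = subprocess.run([mdutil, "-s", volume], capture_output=True, text=True).stdout
    return "Indexing enabled" in out


if __name__ == "__main__":
    # Name or text content mentioning "invoice", images only, modified since 1 Aug 2010, one volume.
    q = build_query("invoice", content_type_tree="public.image", modified_after="2010-08-01T00:00:00Z")
    print(q)
    print(is_indexed("/Volumes/evidence"), run_query(q, onlyin="/Volumes/evidence"))
```

Restricting with `-onlyin` to the evidence volume keeps hits from the analysis workstation’s own files out of the result set, and checking `is_indexed()` first tells you whether a thin result set means “nothing there” or “nothing indexed”.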
Analysis Tools Available in Mac Marshal
Mac Marshal contains a large number of OS X-specific analysis tools. Each tool focuses on the data written by a specific application or system service. Many of the analysis tools are user-based, allowing the investigator to focus on the data written by a specific user. The analysis tools are also able to show combined data for all users. A brief description of the Mac Marshal Analysis Tools follows:
Address Book. This tool analyzes data written by the Address Book application included in OS X. By default, OS X marks the Address Book entry of the user as “me;” the tool calls out this entry separately at the top of the window (e.g., to discover phone numbers or e-mail addresses for the machine’s owner). The tool also shows the last account used to log in to Apple’s MobileMe service (formerly known as .mac). The “Default Apple.com ID” is the apple.com login name used when installing the operating system, and could be used to trace an identity back to Apple’s user database.
Apple Mail. This tool analyzes data written by Apple’s Mail e-mail application included in OS X. As the machine may have large quantities of stored e-mail, this analysis process happens only on investigator request. Mac Marshal creates a table that shows each found mailbox and e-mail message in a tree structure. Each user can have multiple Mail accounts configured. For Mail accounts, the “Date” column in the message info table is the last-synchronization date (for remote accounts such as IMAP), and the “From” column is the set of e-mail addresses associated with that account. The “Search History” section at the bottom of the window shows text entered in Mail’s own search tool (not Spotlight), and is recorded by Mail v3 (OS X 10.5). Searches are performed incrementally as the word is typed; it is common for partial words to appear in the search history, for instance “sear,” “searc,” and then “search.”
iChat. This tool analyzes data written by Apple’s iChat instant messenger application included in OS X. iChat from OS X versions 10.3 through 10.5 is supported (iChat did not exist before OS X 10.3). Saved chat transcripts can be opened in iChat on the analysis machine.
iTunes/iPod. This tool analyzes data written by Apple’s iTunes application, as well as iPod-related information stored by OS X itself. iTunes versions 4 through 8 are supported. iTunes 4 was the first version to incorporate the iTunes Music Store (now called the iTunes Store), and coincided with OS X 10.2. The iTunes/iPod tool shows the iTunes Store account (if any) used by each user of the Mac; this account data could be used to gather further information from Apple or other sources, if need requires. The tool also lists all iPods and iPhones ever connected to the machine, including the most recent connection date and the number of times it was connected. The iPod or iPhone need not have been “synchronized” with iTunes in order to appear in the list. The iPod or iPhone serial number (shown in the Mac Marshal display) is the same as the serial number engraved on the back of the iPod or iPhone itself; this number can be vital in linking a portable device with a machine to which it has been connected. For iPhones, the cell International Mobile Equipment Identity (IMEI) number is also listed; this number is globally unique, and is used by the phone to connect to the GSM cellular phone network.
Preview. This tool analyzes data written by Apple’s Preview image and PDF viewer application included in OS X. Preview from OS X versions 10.3 through 10.5 is supported. Preview for 10.4 and 10.5 stores “bookmarks” of two types, both displayed in Mac Marshal’s “Preview Bookmarks” table. The first type is for items explicitly bookmarked by the user within Preview, for quick return to a particular section of a particular document. The second type is for all recently-opened items, in order to store the last-viewed page and magnification; when the user re-opens the same document, by any means, Preview automatically goes to the last-viewed page and zoom level.
QuickTime Player. This tool analyzes data written by Apple’s QuickTime Player application included in OS X. QuickTime Player from OS X versions 10.3 through 10.5 is supported. The forensic data stored by QuickTime player is the set of recently-played media files.
Safari. This tool analyzes data written by Apple’s Safari web browser included in OS X. Safari from OS X versions 10.4 and 10.5 is supported (i.e., Safari versions 2 and 3). Much of the Safari data is self-explanatory. The “last session” is the set of windows and tabs currently open in Safari; it is updated periodically while Safari is running as well as when Safari exits. On OS X 10.5, Safari records the text content of all web pages in the browser’s history; this content is separate from the browser cache, and is located in ~/Library/Caches/Metadata/Safari/History/. The text content is used by Spotlight to allow the user to search across previously-viewed sites. When available, Mac Marshal displays this text at the bottom of the Safari History tab. Occasionally, a visited-site content file that is not explicitly listed in the Safari history will remain in that directory; and Mac Marshal displays such entries as well.
Safari Cache. This tool analyzes web cache data written by Apple’s Safari web browser included in OS X. Safari from OS X versions 10.4 and 10.5 is supported (i.e., Safari versions 2 and 3). As the machine may have large quantities of cache data, this analysis process happens only on investigator request. A note about timestamps for cached items: (a) for Safari 2 (OS X 10.4), the timestamps are “response timestamps” provided by the respective web servers, and may or may not be correct, since they depend on those servers’ clocks; (b) for Safari 3 (OS X 10.4 and 10.5), the timestamps are “request timestamps” taken from the target machine’s clock. Because they all come from the same reference clock, Safari 3’s request timestamps are more reliable for establishing the temporal order of items in the cache, though they are still only as trustworthy as the target’s clock setting.
Recent Items. This tool analyzes data maintained by Mac OS X’s internal Launch Services framework. Recent Items can be extracted from OS X versions 10.3 through 10.6.
Launch Services maintains a list of recently-opened applications. This includes applications run from the Finder or other graphical means; it does not include executables run from the Unix command line or internally during the boot process. Similarly, the list of recently-opened documents and recently-accessed servers includes only items opened or accessed by standard graphical OS X applications, such as the Finder.
Note that OS X 10.3 does not track recent servers; that list will be blank for 10.3 targets. OS X 10.4 does not track URLs and host names for recent servers; those fields will be blank for 10.4 targets. OS X 10.6 uses a new, undocumented format for recent documents and applications, so those two lists will be blank for 10.6 targets.
The Recent Items analysis tool is shown below, displaying merged data among a set of users:
System Configuration. The Mac Marshal System Config tool displays system-wide configuration data from the target computer. Configuration information is split into multiple tabs:
- General: Presents system-wide parameters such as host name, fast user switching, and auto-login information. This tab also shows current network configurations and DHCP network leases in effect when the image was taken.
- Deleted Users: Shows users deleted via the “Accounts” pane in System Preferences. Depending on how a user was deleted, their files may remain within /Users and be discovered by Mac Marshal.
- Network History: Lists all networks the target machine has been connected to, either by cable or wirelessly. For each network, the router’s hardware (MAC) address, its IP address and the IP address assigned to the target are shown with a timestamp, along with the network’s DNS domain name where available. This information can be useful for tracking the past physical whereabouts of the target machine. A sample screenshot is shown below:
In this example, the target has been physically connected to the pdx.edu network (Portland State University) on August 7 2010, wirelessly connected to the same network on August 5, and physically connected to a Cox cable network on July 29 2010.
- Wireless Networks: Lists all known wireless networks by SSID and date last used. The “Known Networks” table applies to all wireless interfaces; the “Recent Networks” table breaks out connections by wireless adapter (of which there is typically only one).
- Firewall: Shows the Mac OS X internal firewall configuration for OS X 10.4 and later targets.
- Bluetooth Devices: Lists all Bluetooth devices known to the target, including their names and timestamps.
- Time Machine: If the target is configured to use Apple’s Time Machine backup process (OS X 10.5 and later), this tab shows the backup volume, any paths excluded from backup, and whether system files are backed up. When Time Machine is in use, seizing the backup volume can yield significant time-ordered forensic data about the target machine.
- Internet Sharing: Shows any active Internet Sharing configuration, where a network connection on one “primary” interface (e.g., USB from a mobile phone) is shared to external computers via another interface (e.g., WiFi).
- Launch Items: Lists all automatically-executed or triggered programs, whether they be “login items” executed when a given user logs in, periodic system maintenance items, executables run by the Unix cron or xinetd programs in response to some event or time period, or (for 10.4 and later) launchd Launch Agents and Launch Daemons.
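Of the launch-item sources listed above, launchd Launch Agents and Launch Daemons are the ones most worth reading closely, since a persistence mechanism placed by an intruder lands there too. The following is an added example for this page, not Mac Marshal code: it parses launchd property lists with the standard library and summarizes what the Launch Items tab shows (label, program, trigger, scope), then applies a few review heuristics of my own (program path outside the standard locations, hidden path component, RunAtLoad plus KeepAlive, an Apple-looking label pointing at a non-Apple path). The keys used are Apple’s documented launchd.plist keys; the two plists are constructed test input.

```python
"""Inventory launchd Launch Agents / Launch Daemons the way the Launch Items tab does.

Added example, not Mac Marshal code. Plist keys are Apple's launchd.plist keys; the sample
plists are constructed, and the review heuristics in flags() are mine, not the tool's.
"""
import plistlib

STANDARD_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def summarize_launch_item(path, data):
    """Parse one launchd plist (bytes) into what an investigator wants to see at a glance."""
    item = plistlib.loads(data)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else None)
    triggers = []
    if item.get("RunAtLoad"):
        triggers.append("RunAtLoad")
    if item.get("KeepAlive"):
        triggers.append("KeepAlive")
    if "StartInterval" in item:
        triggers.append(f"every {item['StartInterval']}s")
    if "StartCalendarInterval" in item:
        triggers.append("calendar")
    if "WatchPaths" in item:
        triggers.append("watch:" + ",".join(item["WatchPaths"]))
    if "/LaunchDaemons/" in path:
        scope = "daemon (root, at boot)"
    elif path.startswith("/Users/"):
        scope = "per-user agent"
    else:
        scope = "agent (all users)"
    return {"path": path, "label": item.get("Label"), "program": program, "args": args,
            "scope": scope, "triggers": triggers, "disabled": bool(item.get("Disabled"))}


def flags(summary):
    """Heuristic review notes (mine): where does the program live, does it hide, does it persist?"""
    notes = []
    program = summary["program"] or ""
    if not program.startswith(STANDARD_PREFIXES):
        notes.append("program outside standard locations")
    if any(part.startswith(".") for part in program.split("/") if part):
        notes.append("hidden path component")
    if "RunAtLoad" in summary["triggers"] and "KeepAlive" in summary["triggers"]:
        notes.append("runs at load and is restarted if killed")
    label = summary["label"] or ""
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        notes.append("Apple-looking label but non-Apple program path")
    return notes


# Constructed sample plists: a routine calendar-driven daemon and a per-user agent worth a second look.
SAMPLE_ITEMS = {
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer><key>Minute</key><integer>0</integer></dict>
</dict></plist>""",
    "/Users/bob/Library/LaunchAgents/com.apple.updates.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>Program</key><string>/Users/bob/Library/.cache/update</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


def review_all(items=SAMPLE_ITEMS):
    """Summaries plus review notes for every plist in `items` ({path: plist bytes})."""
    out = []
    for path, data in items.items():
        s = summarize_launch_item(path, data)
        s["flags"] = flags(s)
        out.append(s)
    return out


if __name__ == "__main__":
    for s in review_all():
        print(f"{s['scope']:<22} {s['label']:<20} {s['program']}  [{', '.join(s['triggers'])}]  {'; '.join(s['flags'])}")
```

On a real image the dictionary would be filled by walking /Library/LaunchDaemons, /Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/LaunchAgents and each user’s ~/Library/LaunchAgents on the mounted partition (plistlib also reads the binary plist form). Items with `Disabled` set, or overridden in launchd’s overrides database, are still worth listing: they show what was installed even if it no longer runs.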
Logging and Auditing
Mac Marshal acquisition and analysis operations are designed to be transparent; the output is stored in text and XML files in the acquisition storage directory. An investigator can easily look through the raw acquisition data by hand if needed.
All acquisition and analysis operations in Mac Marshal are logged. Each item includes a timestamp, message details, the command executed, the file(s) written within the acquisition storage directory, and the hashes computed for each file written.
When parsing individual data files, Mac Marshal caches copies of these files within the acquisition directory. This allows the files to be viewed and parsed even if the original source image is no longer available.
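A minimal version of the audit trail and cached-copy mechanism described in the three paragraphs above, as an added example for this page, not Mac Marshal code; the tool’s own log is text and XML and its format is not reproduced here. This keeps one JSON line per operation (a format chosen for the example) carrying the timestamp, message, command and the SHA-256 of every file the operation wrote under the acquisition directory, stores a copy of each parsed source file there, and re-verifies the hashes on demand so a reviewer can show that the stored copies are the ones the log describes.

```python
"""Audit trail for an acquisition directory: log each operation with the hashes of the files
it wrote, keep copies of parsed files, and re-verify later.

Added example, not Mac Marshal code; the JSON-lines format is mine, not the tool's.
"""
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class AcquisitionLog:
    """Append-only JSON-lines log living inside the acquisition directory it describes."""

    def __init__(self, acq_dir):
        self.acq_dir = acq_dir
        self.path = os.path.join(acq_dir, "acquisition.log.jsonl")

    def record(self, message, command, written):
        """Log one operation; `written` lists the files (relative to acq_dir) it produced."""
        entry = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
            "message": message,
            "command": command,
            "files": [{"path": rel, "sha256": sha256_file(os.path.join(self.acq_dir, rel))}
                      for rel in written],
        }
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def entries(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def verify(self):
        """Re-hash every logged file; returns (path, problem) pairs, empty when everything matches."""
        problems = []
        for entry in self.entries():
            for f in entry["files"]:
                full = os.path.join(self.acq_dir, f["path"])
                if not os.path.exists(full):
                    problems.append((f["path"], "missing"))
                elif sha256_file(full) != f["sha256"]:
                    problems.append((f["path"], "hash mismatch"))
        return problems


def cache_and_log(log, source_path, source_bytes, command):
    """Store a copy of a parsed source file under the acquisition directory and log it, so the
    file can be re-parsed later without the original image."""
    rel = os.path.join("cache", source_path.lstrip("/"))
    full = os.path.join(log.acq_dir, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(source_bytes)
    return log.record(f"cached {source_path}", command, [rel])


def demo(acq_dir):
    """Constructed walk-through: cache a plist, verify, tamper with the copy, verify again."""
    log = AcquisitionLog(acq_dir)
    cache_and_log(log, "/Users/bob/Library/Preferences/com.apple.recentitems.plist",
                  b'<plist version="1.0"><dict/></plist>\n', "parse-recent-items --user bob")
    before = log.verify()
    with open(os.path.join(acq_dir, "cache/Users/bob/Library/Preferences/com.apple.recentitems.plist"), "ab") as f:
        f.write(b"#")
    return before, log.verify()


def demo_in_tempdir():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The log itself should be hashed and copied off the acquisition medium at hand-over, since a log stored only beside the files it describes can be edited along with them; the verify step then tells you whether the directory, not just its contents, is still what it was.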
Mac Marshal generates summary reports through the use of a Report Wizard. Reports may be generated in HTML, PDF, tab-separated value, and RTF (Microsoft Word and TextEdit compatible) formats. If an organization has a standard header and/or logo image, the Report Wizard allows these to be included on the pages of the report. The Report Wizard allows the investigator to select which aspects of the acquisition to include in the report by selecting specific items from a table which is presented by the Wizard. The Report Wizard allows the investigator to generate as many reports as desired for an acquisition. The investigator may generate different reports that focus on different data or may create a new report after analyzing new data.