MacOSXandiOSForensicsLOOKINGINTOTHEPASTWITHFSEVENTSSANSDF IR SUMMIT 2017NICOLE IBRAHIMG-C PARTNERS, LLC

WhoamI?

• DigitalForensicsExpertatG-CPartners

• Parttimeresearcher

• Parttimeprogrammer

Nicole Ibrahim | Consultant | G-C Partners, LLCnibrahim@g-cpartners.com | @nicoleibrahim

Importance

• Recordshistoricalfilesystemactivityovertime

• CurrentlynotbeingfullyutilizedbyMacexaminers

• ContainsUserandOSactivity• Creations,deletions,renames,permissionchangesandmore.

• Identifynamesoffilesthatwerepreviouslyexistingbuthavesincebeendeleted

• Identifywhatchangesoccurredtofilesoninterest

Agenda

• IntroductiontoFSEvents

• ParsingFSEvents

• Interestingartifacts

• Caveats

IntroductiontoFSEvents

IntroductiontoFSEvents• FSEventsorFileSystemEvents

• GeneratedbyAppleOSFSEventsAPI• Introducedin10.5(Onlydirectoryeventsupto10.6)• In10.7fileeventswereintroduced

• StoredinFSEventlogfiles(gzip)• Historicaleventsofchangesonthefilesystem• Logscanspandaystomonths

• FoundoniOS,OSXdevices,externaldevicespluggedintoaMac

IntroductiontoFSEvents

• LocationinOSX:• /.fseventsd

• LocationiniOS:• Data:/private/var/.fseventsd• System:/.fseventsd• DeveloperPatch:/DeveloperPatch/.fseventsd

• Gzip archiveformat

• NameislastEventIDstoredintheFSevent logfileplus1.• E.g “00000000000a4b3e”or674,622decimal

FSEVENTLOGS

IntroductiontoFSEvents

LIFECYCLEOFANFSEVENTRECORD

Anobjectischanged

APIchecksmemorybuffertoseeifalready

assignedeventID

Ifyes,recordflagsupdatedinmemory.Ifnot,nextavailableIDassigned.Eventstored

inmemory

Whenmemorybufferisfullorvolume

unmountedallrecordsarewrittentodiskand

bufferiscleared

DecodingFSEvents

DecodingFSEvents

•Therelativefullpathtothefilesystemobjectthatincurredachange.FullPath

•EventIDassignedtofullpathonfirstchange.EventID

•Recordflagsindicatingthetypeofobjectthatwaschangedandwhatchangedforit.RecordFlags

FSEVENTRECORDCOMPONENTS

• AnuncompressedFSEventlogcancontain1ormorepageswiththemagicheader“1SLD”

• Eachlogcancontainupto5,000events

• EventsareorderedalphabeticallybyFullPath

• Eachrecordconsistsof3components

DecodingFSEvents

FSEVENTRECORDFLAGS

• Typeflagsinclude:• File• Folder• Hardlink• Symboliclink

• Reasonflagsinclude:• Created• Removed• Modified• Renamed• Permissions• Inode metadata

• Finderinformation• Mount• Unmount• Lasthardlinkremoved• Endoftransaction• Documentrevisions

ParsingFSEvents

ParsingFSEvents

BLACKBAG BLACKLIGHT SOFTWARE

• Closedsourceandpaid

• https://www.blackbagtech.com/software-products/blacklight.html

ParsingFSEvents

G-CPARTNERSFSEVENTSPARSER SCRIPT

• Opensourceandfree

• Python

• Availableathttps://github.com/dlcowen/FSEventsParser

InterestingArtifacts

RecordArtifacts

OS X

• Justscratchingthesurfaceofinterestingartifacts:• .Trashactivity• Userfoldersactivity• Internetactivity• Mountevents

RecordArtifacts:OSXTRASHACTIVITY• FilessenttotheTrash

• EmptyingtheTrash

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE'Users/%/.Trash/%'

RecordArtifacts:OSXUSERFOLDERSACTIVITY• Activityin:

• “Documents”• “Downloads”• “Desktop”

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE'Users/%/Documents/%’OR"filename"LIKE'Users/%/Downloads/%’OR"filename"LIKE'Users/%/Desktop/%'

RecordArtifacts:OSXINTERNETACTIVITY• Websitesvisited

• Chrome• Safari

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE

'Users/%/Library/Caches/Metadata/Safari/History/%'OR"filename"LIKE'Users/%/Library/ApplicationSupport/Google/Chrome/Default/LocalStorage/%'

RecordArtifacts:OSXMOUNTACTIVITY• Mountactivityrelatedto:

• DMGs• Externaldevices• Sharednetworkdrives

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"mask"LIKE'%mount%'

Artifacts

IOS

• iCloudsyncedfiles

• Internetactivity

• Emailactivity

RecordArtifacts:iOSICLOUDSYNCEDFILES• iCloudsyncedfilesfromotherdevices

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE'mobile/Library/Mobile

Documents/com~apple~CloudDocs/%'

RecordArtifacts:iOSINTERNETACTIVITY• Websitesvisited?

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE'%websitedata/local%'

RecordArtifacts:iOSEMAILACTIVITY• Inbox

• Sent

• Attachments

SELECT*,_ROWID_"NAVICAT_ROWID"

FROM"fsevents"

WHERE"filename"LIKE'mobile/Library/Mail/%’

Caveats

Caveats• LostFSEvents

• Lackoftimestamps

• Externaldevices

• Anti-forensics

• Coalescingofmultiplechanges

Caveats:LostFSEvents

PROBLEM

• FSEventsarelostduetoeither:• Ahardresetofasystem• Asystemcrash• Notproperlyunmountingavolume

• Systemupgrades

REMEDIES

• Carveforgzip files

Caveats:LackofTimestamps

• FSEventRecordsconsistof:• EventID• FullPath• Flags

• Notetimestampsarenotmentioned

PROBLEM REMEDIES

• Usetemporaldatafromthenamesoflogs

Caveats:ExternalDevices

PROBLEM

• Unsaferemovalresultsinlostevents

• Saferemovalwasperformed,butFSEventsnotfinishedwritingtodisk

• Filesystemcompatibilityissuesresultsinlostevents

REMEDIES

• Hopethattheuserhasproperlyunmountedtheirdevices• CarvingforthoselosteventsmightnotbepossibleduetoFSEventsbeingstoredinmemory

Caveats:Coalescingofmultiplechanges

PROBLEM

• TheFSEventsAPIcoalescesmultiplechangesintoasinglerecordresultingin:• Inabilitytodetermineorderofchanges

• Inabilitytodeterminefrequencyofchanges

REMEDIES

• NoneThisfilemayhavebeencreated3timesandremovedtwice,butwewillneverknow

Caveats:Anti-Forensics

PROBLEM

• Ano_log filewasplacedinthe.fseventsd directory• FSEventsarenotrecordedforthevolume

REMEDIES

• None.However,thisscenarioisunlikelyandrequiresrootprivilegesandadvancedknowledgeofFSEvents

Questions?

Nicole Ibrahim | Consultant | G-C Partners, LLCnibrahim@g-cpartners.com | @nicoleibrahim