Chapter 7

OS X El Capitan forensics

Shawn Jordan    Marshall University, WV, USA

Abstract

Apple’s OS X has a steady growth within the United States. This also means digital forensics laboratories will likely see more OS X products. This chapter looks at Mac OS X 10.11 El Capitan. The chapter begins at the top level, or root directory, and works down the file system. It highlights areas of forensic interest, but it also takes a basic look at the file system as a whole. This chapter gives the analyst a foundation in OS X. There is also a quick guide at the back of the chapter providing paths to key forensic information.

Keywords

OS X
El Capitan
Mac forensics
OS X 10.11
Apple forensics

Introduction

As Macintosh computers continue to increase in market share, OS X is going to have more exposure in the Digital Forensic Laboratories (Gartner, 2015). OS X 10 has been the default operating system for Macintosh since January 2002. OS X has seen several major updates, and the updates are indicated by an incremented number. For example, Mac OS X El Capitan is also known as OS X 10.11. All the updates from 10.1 to 10.8 are also named after catlike animals. Any version after 10.8 is named after places in California (Table 7.1).

Table 7.1

Names of OS X Operating Systems

OS X Number Name Release Date
10.0 “Cheetah” March 24, 2001
10.1 “Puma” September 25, 2001
10.2 “Jaguar” August 24, 2002
10.3 “Panther” October 24, 2003
10.4 “Tiger” April 29, 2005
10.5 “Leopard” October 26, 2007
10.6 “Snow Leopard” August 28, 2009
10.7 “Lion” July 20, 2011
10.8 “Mountain Lion” July 25, 2012
10.9 “Mavericks” October 22, 2013
10.10 “Yosemite” October 16, 2014
10.11 “El Capitan”* September 30, 2015

Names of Mac OS X Operating Systems and release dates. Mac updates generally have a version number and a name. For example, OS X 10.7 was called Lion. Although OS X can be referenced by either number or name, it is preferred to reference the version number to include minor updates (e.g., OS X 10.7.1).

* Note: All research pertaining to OS X 10.11 in this book was using the developer beta 6. The final version was not released at the writing of this book.

Author’s Note: Apple is an advocate of user privacy. Apple recently enabled iPhone encryption by default. OS X does not have encryption by default, but it does have an encryption program called File Vault. In future versions of OS X, File Vault may be used by default.
OS X is built on a UNIX backbone. UNIX is also the backbone for Linux, making the two operating systems similar in structure and function. Several core binary programs are found on both OS X and Linux, such as cp, mv, vi, and nano. Fig. 7.1 shows some of these programs in use in Terminal.
Figure 7.1 Command Line Examples in Terminal
This is an example of the commands listed in Table 7.2. It gives the forensic analyst a sample of command line tools and processes. The commands show how to list all files, change directories, show the current directory, and show running processes.
OS X uses a file system called Hierarchical File System Plus (HFS+). This file system is a modern update of the Hierarchical File System (HFS). Some key features of HFS+ are:
The capacity to support larger drives (HFS could only support drives up to 2 terabytes).
The capability to map more files on the drive (an increase in the total number of files that can be stored on the drive).
The ability to use longer names within the file system.
The ability to hard link directories.
HFS+ is typically only used on Macintosh systems.
Author’s Note: Unix systems are usually case sensitive. All commands and paths must match exactly.

Default directory structure

With the OS X file structure, we will be taking a top-down approach beginning at the root directory. We will go over each of the main directories within root. We will then move into the User directory, which will have a majority of the forensic evidence.
Unix Directories Hint: Any file whose name begins with a “.” in both OS X and Linux is considered a hidden file. These files will not appear in Finder or in the output of an ls command without additional options (see Table 7.2).

Table 7.2

Common Unix Commands

Hint to Function Terminal Call Function
Manual man Most functions will have a help page dedicated to describing its function. This will list optional calls and define how to call the function.
copy cp The copy function is the command line version of copy.
move mv Move a file or directory to another location (think cut and paste).
nano nano A simple command line text editor, an early predecessor to Notepad or Microsoft Word.
vi vi A command line text editor, also an early predecessor to Notepad or Microsoft Word. A little more complicated to use than nano.
list ls Lists the files and directories. There are options such as -a that will show hidden files as well.
change directory cd This command allows a user to change directories.
print working directory pwd This will show the user where they are in the file structure.
process ps -e This function will list all processes running on the system.

These Unix commands can be used on most versions of Linux and OS X. They are basic commands used in the Terminal application.

Root directory

All files in most Unix-based systems have a single point of origin within the file directory (excluding mounted drives such as flash drives). The top directory is called the root directory and is signified with a “/”. For example, every full path will begin with /{directory}. Note that the root directory is not the home directory of the root user. (OS X places the root user’s home directory under the /var directory, whereas most versions of Unix place it alongside the users’ directories.)
Author’s Note: If manual examination is required, you can use the terminal command “defaults write com.apple.finder AppleShowAllFiles YES” to make Finder show all the hidden files in OS X.

Applications

The Applications directory stores applications available to any user on the system. This generally includes all applications downloaded from the App Store. In the Applications folder, the icons are clickable links that launch the application. Upon further investigation, we find the applications are actually directories with files and folders under the application, as seen in Figs. 7.2 and 7.3. Most applications will store data either as a hidden file in the user’s directory or inside the application bundle itself.
Figure 7.2 Applications
Applications in Mac OS X actually contain files behind the icon. By right clicking and selecting “Show Package Contents,” the investigator can see the files within the application.
Figure 7.3 Inside the Application
This shows the structure of an application directory. Some applications may store user information or metadata within the application itself.

Bin/sbin

Bin is the directory for the command line binaries, including the commands listed in Table 7.2. Sbin is the directory for binaries used by the operating system. While these locations generally do not contain forensic value, they may be used to stash evidence, and some of them contain tools useful in incident response. For example, tcpdump can be used to dump network traffic and is included by default in OS X and most Linux distributions.
Case Example: A database engineer notices some files have incorrect modification dates. The engineer reports it to the security team. The team conducts a scan on the database server, and they notice a port is open that should not be open. Before they act on the server, they conduct a packet dump to see what information is being transferred. They use tcpdump, and they find packets containing parts of their encrypted database. They isolate the server and conduct an investigation.

Library/system

The Library directory contains several configurations for the system. These include printers set up on the device, automatic time zone discovery, Time Machine status, and more. The root-level Library also contains language runtimes such as Python and Java. This directory will also contain the logs for some parts of the system. This Library only supports the local domain, and only non-sandboxed applications can share information through it. The System directory is almost identical to the Library directory. The key difference is that the System directory relates only to the system’s domain – programs and processes needed only by the system (Apple Inc., 2015).

Private

The private directory appears to be the area where OS X stores system information that should not be seen or edited by the user. The user’s password hash can be found under this directory. The following path leads to the plist holding the SHA1 password hash: /private/var/db/dslocal/nodes/Default/users/{user’s name}.plist. This file also contains the email address associated with the account, the creation time, the number of failed logins, and the user name. There are also several other directories and files with sensitive system information. In Fig. 7.4 you can see the SHA1 hash of the password, followed by the username and, finally, the email address of the user’s account.
Figure 7.4 The {Username} Plist
The private directory contains the hash of the user’s password. It will also give the investigator the default email account linked with the user and the user name.
Inside the /private/var/db/ directory is another folder called dhcpclient. This directory contains a plist of the DHCP information, including the IP address, the lease start date and time, the lease length, and the router IP address. An example is provided in Fig. 7.5.
Figure 7.5 The User’s DHCP Lease and Router Information
The dhcpclient plist contains the address of the last connected router. It will also contain the date the machine acquired an IP address and the length of the lease. The router hardware address is also given in this file. This could indicate which network the machine accessed.
Author’s Note: Apple does not use a central directory, like the Windows Registry, to store configurations and data. OS X uses a format called a plist (property list). Plists are similar in format to XML documents, and they can be found throughout the operating system.
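As an added example (not part of the original chapter), the following Python script parses a constructed dhcpclient-style lease plist with the standard library’s plistlib, extracts the fields described above, and derives the lease end time. The key names (IPAddress, LeaseStartDate, LeaseLength, RouterIPAddress, RouterHardwareAddress) are assumptions modelled on the fields listed in the text and should be verified against the real file, for example with plutil -p. The flatten_plist walker is generic and works on any XML or binary plist, including the user account plist discussed above.

```python
import plistlib
from datetime import timedelta, timezone

# Constructed sample modelled on a dhcpclient lease plist. The key names are
# assumptions for this example; verify them against the real file first.
SAMPLE_LEASE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IPAddress</key>
    <string>192.0.2.45</string>
    <key>LeaseLength</key>
    <integer>86400</integer>
    <key>LeaseStartDate</key>
    <date>2015-09-10T14:03:27Z</date>
    <key>RouterHardwareAddress</key>
    <data>AAEC3/7/</data>
    <key>RouterIPAddress</key>
    <string>192.0.2.1</string>
</dict>
</plist>
"""


def flatten_plist(node, prefix=""):
    """Walk nested dicts/arrays and return {dotted.key.path: leaf value}.

    Works on any plist loaded by plistlib, XML or binary, so the same
    walker can be pointed at the user account plist or any other plist."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten_plist(value, f"{prefix}{key}."))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            out.update(flatten_plist(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = node
    return out


def lease_fields(raw):
    """All leaf values of a lease plist, keyed by their path."""
    return flatten_plist(plistlib.loads(raw))


def summarize_lease(raw):
    """Pull out the forensic fields of a lease plist and compute the lease end."""
    lease = plistlib.loads(raw)
    start = lease["LeaseStartDate"]
    if start.tzinfo is None:  # plistlib returns naive datetimes that are UTC
        start = start.replace(tzinfo=timezone.utc)
    end = start + timedelta(seconds=int(lease["LeaseLength"]))
    mac = lease.get("RouterHardwareAddress", b"")  # <data> decodes to bytes
    return {
        "ip": lease.get("IPAddress"),
        "router_ip": lease.get("RouterIPAddress"),
        "router_mac": ":".join(f"{b:02x}" for b in mac) or None,
        "lease_start": start.isoformat(),
        "lease_end": end.isoformat(),
    }


if __name__ == "__main__":
    for key, value in summarize_lease(SAMPLE_LEASE_PLIST).items():
        print(f"{key:12} {value}")
```

To run it against a real lease file, read the file as bytes and pass them to summarize_lease; plistlib detects XML and binary plists automatically, so no conversion with plutil is needed first.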

Usr

The usr directory is not actually the user’s directory. The usr directory contains most of the nonessential binaries and libraries installed by default. This provides some separation between the processes needed for the system to operate and nonessential processes. It will include several of the binaries shown in Table 7.2.

Var

Var is used for variable data. This is where a majority of system logs will be found. The logs can help the forensic analyst to build a timeline of events. It can also give a better picture of what happened on a system. Var also contains a keychain folder with certificates. The keychain contains passwords, keys, and certificates, but it is usually encrypted for security reasons.

User

User’s directory

The user directory contains all the data within the user’s domain. Every user has their own folder. These folders hold the user’s pictures, documents, desktop, configurations, and more. Because this is within the user’s domain, most of the areas of interest will be in this directory. Fig. 7.6 shows a single user’s directory, including hidden files and subdirectories. We will take a look at several of the default subdirectories.
Figure 7.6 The Structure of a User’s Directory
Every user has a directory under their user name. Several hidden directories are shown here; Finder does not display them by default. The default directories include Applications, Documents, Library, etc. The Library directory contains the user’s preferences, iMessages, email, and more.
Author’s Note: A quick way to tell if the guest account is active in OS X is to look under the Users directory. If Guest is enabled, there will be a Guest directory.

.cups

Cups contains the configuration of the default printer for the user. This is usually a file containing the name of the printer. This could lead to the investigator finding printing devices related to the case. Every user with a printer configured should have a .cups folder.

.ssh

The {user name}/.ssh directory contains all the SSH keys for the user. SSH is a common protocol used for remotely accessing a system. SSH depends on private and public keys to provide encrypted communication. Fig. 7.7 shows the user’s known_hosts file, which contains the addresses used with SSH and the private keys associated with the connection. It will also tell you the encryption method used to generate the keys. Only systems that were accessed will appear in the .ssh directory. This is especially useful during an investigation of a network breach: SSH is a common protocol for remote access, and this directory could show all systems accessed.
Figure 7.7 SSH Information Including IP, Keys, and Encryption Method
The known_hosts file contains all the SSH connections for the user. This includes domains or IP addresses of connections. The file contains the method of key encryption, as well as the private key for this machine.
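As an added example (not part of the original chapter), the following Python script parses the lines of a known_hosts file into records: host names or addresses, key type, a SHA256 key fingerprint in the form ssh-keygen -l prints, and any @revoked or @cert-authority marker. It also handles the edge case that matters most in an investigation: when the OpenSSH HashKnownHosts option was on, host names are stored as |1|salt|hash (an HMAC-SHA1 of the name keyed with the salt), so they cannot be read directly, but a candidate name or address taken from another artifact (for example the router address in the DHCP lease plist) can be tested against the entry. The sample file contents are constructed, and the key blobs are fake bytes rather than real public keys.

```python
import base64
import hashlib
import hmac


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _hashed_host_field(salt, hostname):
    """Build the |1|salt|hash host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)}"


# Constructed known_hosts content for this example. The key blobs are fake
# bytes, not real SSH public keys; only the file layout is realistic.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not taken from a real system",
    "",
    f"203.0.113.10 ssh-rsa {_b64(b'constructed-rsa-key-blob')}",
    f"[git.example.test]:2222,198.51.100.7 ecdsa-sha2-nistp256 {_b64(b'constructed-ecdsa-blob')}",
    f"{_hashed_host_field(b'constructed-salt-abc', '10.0.0.5')} ssh-ed25519 "
    f"{_b64(b'constructed-ed25519-blob')} laptop",
    f"@revoked 198.51.100.9 ssh-rsa {_b64(b'old-key-blob')}",
])


def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def parse_known_hosts(text):
    """Return one record per key line: hosts, key type, fingerprint, marker, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Optional leading marker: @cert-authority or @revoked
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed or truncated line: skip rather than crash
        hosts_field, key_type, key_b64 = fields[:3]
        hashed = hosts_field.startswith("|1|")
        entries.append({
            "line": lineno,
            "marker": marker,
            "hashed": hashed,
            "hosts_field": hosts_field,
            "hosts": [] if hashed else hosts_field.split(","),
            "key_type": key_type,
            "fingerprint": fingerprint(key_b64),
            "comment": " ".join(fields[3:]) or None,
        })
    return entries


def hashed_host_matches(hosts_field, candidate):
    """Test a candidate host name or address against a hashed known_hosts entry."""
    try:
        _, version, salt_b64, hash_b64 = hosts_field.split("|")
    except ValueError:
        return False
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hmac.new(salt, candidate.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for entry in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(entry)
    hashed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)[2]["hosts_field"]
    print("10.0.0.5 matches hashed entry:", hashed_host_matches(hashed, "10.0.0.5"))
```

The fingerprint is the value to compare against the server side (sshd host key fingerprints in other evidence), since the base64 blob itself is unwieldy to quote in a report. Note that the hashed form only lets you confirm or rule out names you already suspect; it does not reveal unknown hosts.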

.Trash

Every user on the system has a .Trash directory. Trash contains all the items deleted by the user. It stores each file exactly as it was before deletion. The Trash’s .DS_Store file records the previous locations of the files in case the user restores them (see Fig. 7.8).
Figure 7.8 .DS_Store File in .Trash Showing the Past Paths of Deleted Items
The .DS_Store file is similar to the $I and $R files in Windows. It maintains the name of the deleted item. It also stores the path of the deleted item in the event the user decides to restore the item.

Desktop/documents/.DS_Store

The desktop and documents are similar to the Windows equivalent. The .DS_Store file contains the locations of icons and applications displayed in the window. The .DS_Store will keep a record of every document and icon on the screen. You will find a .DS_Store file in every directory.

Pictures

The Pictures directory can contain several items of forensic value. You can usually find a directory for each of the two default Apple applications, Photos and Photo Booth. Within the Photos library, the program stores original photographs in a subdirectory called Masters, conveniently sorted by year and then month. Photo Booth keeps its photos in a subdirectory called Originals.
Photos has a unique area of forensic interest: two features called Faces and Places. Faces can be useful in linking two suspects together. Photos attempts to find people within photographs using facial recognition (see Figs. 7.9 and 7.10), and Faces keeps the results sorted by person. Places, on the other hand, maps the locations of the photographs using the photographs’ EXIF data and may provide some indication of a suspect’s location. However, EXIF data can be manipulated, and the devices used to record GPS data vary widely in accuracy.
Figure 7.9 Faces Within the Photos Application
Users can pick faces out of their photographs in the Photos application. Photos will scan other photographs for that face, and it will link the name with a contact if available.
Figure 7.10 Finding Names and Emails in the Faces Profile
The Faces feature keeps a randomly named file for every identified face. The person’s name can be located in that file, which may also contain an email address for the identified face. An investigator can use this to build connections.
You can find the Faces data under {username}/Pictures/Photos Library.photoslibrary/Database/Faces/Facenames. This will contain all the names of individuals identified. Another item of relevance is that people with an email address in the Contacts app will have their email address stored with their name in the files under Facenames. (Please note that email is no longer in use.)
You can find the Places data under {username}/Pictures/Photos Library.photoslibrary/Database/Places/. The Places files are a little more cryptic. The files seem to use a separate, random identifier for the photos. However, the time stamps on the locations may help with associating the correct photographs. The latitude and longitude coordinates are in plain text, and the file may also contain a nearby landmark or location. For example, Fig. 7.11 indicates the photograph was taken near the Mud River at a certain latitude and longitude.
Figure 7.11 Places Files
Places uses the EXIF data from the photographs in Photos. It records the information in a cryptically named file. The modified dates can help the investigator link the actual photograph to the Places and Faces files. Also, Places attempts to pull a location name using the coordinates.
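Places derives its coordinates from the EXIF GPS tags in each photograph, and an analyst will often want to read those tags directly to confirm what Places shows. As an added example (not part of the original chapter), the following Python code converts the EXIF GPS representation, where latitude and longitude are stored as degrees, minutes and seconds, each a rational number (numerator, denominator), plus a hemisphere reference (N/S, E/W), into signed decimal degrees. It also treats the caveat raised above as an edge case: tags that are missing, malformed or outside the valid coordinate range are reported as absent rather than as a location. The tag dictionary is constructed for the example and uses the EXIF specification’s tag names; the coordinate values are invented.

```python
from fractions import Fraction


def dms_to_decimal(dms, ref):
    """Convert an EXIF (degrees, minutes, seconds) triple of rationals, each a
    (numerator, denominator) pair, plus a hemisphere reference into signed
    decimal degrees. Fractions keep the arithmetic exact until the end."""
    degrees, minutes, seconds = (Fraction(num, den) for num, den in dms)
    value = degrees + minutes / 60 + seconds / 3600
    if ref.strip().upper() in ("S", "W"):
        value = -value
    return float(value)


def gps_from_exif(gps_tags):
    """Return (latitude, longitude) from an EXIF GPS tag dict, or None when the
    tags are absent, malformed, or outside the valid range (a sign of corrupt or
    edited metadata, which EXIF offers no protection against)."""
    try:
        lat = dms_to_decimal(gps_tags["GPSLatitude"], gps_tags["GPSLatitudeRef"])
        lon = dms_to_decimal(gps_tags["GPSLongitude"], gps_tags["GPSLongitudeRef"])
    except (KeyError, ValueError, TypeError, ZeroDivisionError, AttributeError):
        return None
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return lat, lon


# Constructed GPS tag dictionaries. Tag names follow the EXIF specification;
# the values are invented for this example (roughly the Mud River area, WV).
SAMPLE_GPS = {
    "GPSLatitudeRef": "N", "GPSLatitude": ((38, 1), (24, 1), (1800, 100)),
    "GPSLongitudeRef": "W", "GPSLongitude": ((82, 1), (6, 1), (0, 1)),
}
TAMPERED_GPS = {  # latitude of 138 degrees cannot exist
    "GPSLatitudeRef": "N", "GPSLatitude": ((138, 1), (0, 1), (0, 1)),
    "GPSLongitudeRef": "W", "GPSLongitude": ((82, 1), (6, 1), (0, 1)),
}
BROKEN_GPS = {  # zero denominator: malformed rational
    "GPSLatitudeRef": "N", "GPSLatitude": ((38, 0), (0, 1), (0, 1)),
    "GPSLongitudeRef": "W", "GPSLongitude": ((82, 1), (6, 1), (0, 1)),
}

if __name__ == "__main__":
    for label, tags in (("sample", SAMPLE_GPS), ("tampered", TAMPERED_GPS),
                        ("broken", BROKEN_GPS), ("no tags", {})):
        print(f"{label:9} -> {gps_from_exif(tags)}")
```

Most EXIF readers hand back the GPS IFD in this shape (numeric tag IDs in some libraries, names in others), so the conversion is the same regardless of the library used to extract the tags. Coordinates that pass the range check are still only as trustworthy as the device that wrote them and whoever has edited the file since.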

iMovie

iMovie has a similar structure to Photos. Projects are located within {user name}/Movies/iMovie Library.imovielibrary/. The directory names appear to be the date the project was created. Each project directory contains a folder called “Original Media” with the music, videos, and pictures used in the video. Fig. 7.12 shows photographs and videos used in an iMovie project.
Figure 7.12 iMovie Directories and Media Storage
iMovie stores information in a similar fashion to most of Apple’s applications. The project file actually contains a directory of files and subdirectories. Also, every image and video used in a movie project is stored inside the project directory.

{User name}/library

The user library can contain an overwhelming amount of forensic value. The library stores core application data and configurations. The library contains accounts, call histories, caches, calendars, notes, messages, and more. We will take a closer look at the subdirectories below.

Accounts

Accounts contains an SQLite database of the accounts used on the system. This can provide email addresses, social media usernames, and account descriptions. You can use a free application to browse the data within the database. Fig. 7.13 shows the several accounts linked with this user, including account descriptions and usernames.
Figure 7.13 Accounts Used on OS X by a User
The accounts database contains all the usernames of accounts accessed by the user. This can include Facebook, Twitter, email service providers, and some messaging services. Since most usernames are email addresses, this will also give the investigator an idea of which email addresses belong to the user.
Author’s Note: There are several database viewers. Apple usually uses SQLite databases. A good and free tool to use is DB Browser for SQLite. It is open source and available at sqlitebrowser.org.

Application support/call history

Under Library in the user directory is a database containing several artifacts about call data. The database contains the duration, the date, and a unique ID for each call. The phone number or email is not stored in this database. However, there is another directory under Application Support called CallHistoryTransactions. This directory contains a log file with the phone number and the unique ID. This allows you to match the unique identifiers between CallHistoryDB and CallHistoryTransactions. Fig. 7.14 shows the database with the call history and duration. Fig. 7.15 shows the log with the phone numbers.
Figure 7.14 Call Metadata
This database contains the unique identifier, call date and time, duration, and more. It does not contain the phone number used, but the unique identifier can be linked with the CallHistoryTransactions log.
Figure 7.15 Unique Identifiers with Phone Numbers
This log is needed together with the CallHistoryDB database. It contains the numbers called or received, as well as each number’s unique identifier used in CallHistoryDB.

Caches

The Caches directory may contain several artifacts of forensic value. The com.apple.bird cache has a subdirectory called sessions. Sessions appears to hold images of files stored in iCloud. The images are stored as JPEGs showing the first page of the documents created or stored in iCloud.
The com.apple.Safari cache contains several directories with potential evidence. For example, Amazon’s website builds a subdirectory of products and images the user browsed. There is also a subdirectory for website previews. The web previews are used to generate the grid of popular websites, which allows the investigator to see the websites the suspect visited most.
The metadata subdirectory also contains some Safari artifacts of interest. The bookmarks subdirectory contains all the saved bookmarks synced through iCloud. The history subdirectory contains the history from Safari. The history syncs across iCloud, so it may include history from the user’s other Apple devices.

Calendar

The user’s calendars can be found in {user name}/Library/Calendars. Each account gets its own uniquely named subdirectory. The Info.plist contains the account name along with some preference information. Inside the account’s directory, you will find another subdirectory called Events. This contains all the events for that account. Fig. 7.16 shows events for the Holiday calendar.
Figure 7.16 Calendars with Events
This shows the Holiday calendar in the Calendar application. Each account is given a randomly named identity. All events are stored in a subdirectory called Events. Every event has its own file.

Mail

The mail folder contains all the messages from the Mail app. Each of the user’s email accounts will have their own directory listing the protocol, email address, and the server address. The emails will also be in this directory. Messages are stored in plain text and can be found in the subdirectory Messages.

Mail downloads

This folder will contain attachments that have been downloaded from the mail server. They maintain their file names. If no attachments are opened or downloaded, this subdirectory will not exist. All attachments are stored, and the system does not sort by email address.

Messages

The Messages directory contains all the messages synced from the user’s iMessage and SMS. OS X will only receive SMS if the user sets up “Text Message Forwarding” on their iPhone. All messages can be located in an SQLite database called chat.db. SMS messages are treated exactly the same as iMessages. The database does not store the correspondent next to the message text; instead, each message carries a unique identifier that must be looked up in another table. Fig. 7.17 shows the table with the user information, and Fig. 7.18 shows the actual messages.
Figure 7.17 The Messages app uses a database with multiple tables to store messages. This table contains user information, but it does not contain the message contents.
Figure 7.18 This table contains all the messages sent. Each message is an individual entry in the database. The unique ID used in this table links with the unique ID in the table shown in Figure 7.17.
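The join between the two tables in Figs. 7.17 and 7.18 is the same operation needed for the call history above, where the CallHistoryDB unique ID is matched against the CallHistoryTransactions log. As an added example (not part of the original chapter), the following Python script builds a constructed, in-memory stand-in for chat.db with Python’s built-in sqlite3 module, resolves each message’s handle identifier to an address with a LEFT JOIN (so a message whose handle row is missing is still listed rather than silently dropped), and converts the stored timestamps. Apple’s SQLite stores count seconds from 2001-01-01 UTC (the Cocoa epoch) rather than from the Unix epoch, so a plain Unix conversion would be off by 31 years. The table and column names (handle.ROWID, handle.id, message.handle_id, message.date, message.is_from_me) are modelled on chat.db but should be treated as assumptions and checked against the real schema with .schema in the sqlite3 shell.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple's Cocoa/Core Data timestamps count seconds from 2001-01-01 UTC.
# chat.db on OS X 10.11 stores whole seconds; later macOS versions store
# nanoseconds, in which case divide the stored value by 1e9 first.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """Convert a Cocoa-epoch timestamp to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def open_readonly(path):
    """Open a working copy of a database read-only (never the original)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_chat_db():
    """Constructed in-memory stand-in for chat.db. Table and column names are
    assumptions modelled on the real schema; verify them with `.schema`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100', 'SMS');
        INSERT INTO handle VALUES (2, 'alice@example.test', 'iMessage');
        INSERT INTO message VALUES (1, 2, 'Meeting at 3?', 463000000, 0);
        INSERT INTO message VALUES (2, 2, 'Yes, see you there', 463000120, 1);
        INSERT INTO message VALUES (3, 1, 'Running late', 463003600, 0);
        INSERT INTO message VALUES (4, 99, 'orphaned row', 463003700, 0);
    """)
    return conn


def list_messages(conn):
    """Resolve handle IDs to addresses and timestamps to UTC, oldest first.
    LEFT JOIN keeps messages whose handle row is missing (handle_id 99 here)."""
    rows = conn.execute("""
        SELECT m.date, m.is_from_me,
               COALESCE(h.id, '<unresolved handle>'),
               COALESCE(h.service, '?'), m.text
        FROM message AS m
        LEFT JOIN handle AS h ON h.ROWID = m.handle_id
        ORDER BY m.date, m.ROWID
    """).fetchall()
    return [
        (cocoa_to_utc(date).isoformat(), "sent" if from_me else "received",
         address, service, text)
        for date, from_me, address, service, text in rows
    ]


def messages_per_address(conn):
    """Quick triage view: how many messages were exchanged with each address."""
    rows = conn.execute("""
        SELECT COALESCE(h.id, '<unresolved handle>') AS address, COUNT(*)
        FROM message AS m
        LEFT JOIN handle AS h ON h.ROWID = m.handle_id
        GROUP BY address ORDER BY COUNT(*) DESC, address
    """).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_sample_chat_db()
    for row in list_messages(db):
        print(" | ".join(str(field) for field in row))
    print(messages_per_address(db))
```

Point open_readonly at a copy of chat.db and pass the connection to list_messages to run the same queries on real data; working on a copy avoids altering the evidence file’s modification time or journal state.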

Notes

Note artifacts can be discovered in the directory groups.com.apple.notes. There is a directory called media containing any images contained in any notes. The note contents can be located in an SQLite database under com.apple.Notes/Data/Library/Notes.

New features in OS X 10.11 El Capitan

Spotlight has several new features that allow advanced searching through the file system. There appears to be no history associated with Spotlight searches, so it will likely leave few artifacts for the forensic analyst.
Apple has also moved some of the root user’s power into System Integrity Protection (SIP). SIP places a special flag on processes protected by Apple, and they can only be modified by system processes carrying Apple’s code signing identity. From a forensic standpoint, this removes some of the user’s ability to hide data in certain locations. It should also prevent malicious programs from modifying core processes (Apple Inc., 2015).

Conclusion

Apple recently released their newest OS X update – OS X 10.11 El Capitan. Apple uses its own file system called Hierarchical File System Plus (HFS+). OS X is built on a Unix backbone. Linux is also built on a Unix backbone, and the forensic examiner will see several similarities between the two operating systems.
All directories begin at the root directory. The root directory is identified by a “/.” The root directory contains all the files used by the operating system. The most forensically valuable directory within root is the User directory.
The User directory contains most of the user’s data. The directory stores messages, call logs, email, photos, movies, and more. Most of these items are stored within SQLite databases, which can be found throughout Apple’s OS X. At the moment, most of these databases and files remain unencrypted and are easily readable by the forensic analyst.

Quick reference table

Table 7.3

Table of Key Default Locations

Category Item Path Description
Root Root directory / The top of the file hierarchy
Application /Application The applications available to all users.
Binaries /bin Binaries for command line tools
Library /library Universal configurations for users and applications.
Private /private Contains sensitive information usually restricted to users (such as hashes)
System binaries /sbin Binaries used by the operating system
System /system Contains a Library directory for system configurations
Users /User Contains the user’s content and configurations. Each user should have a subdirectory here.
Password User passwords /private/var/db/dslocal/nodes/Default/users/{user’s name}.plist This contains a plist with the user’s password hash in SHA1.
Exterior Interactions .ssh /User/{un}/.ssh/ Contains SSH private keys and IP addresses of sessions
.cups /User/{un}/.cups/ Contains the printers used
Trash System trash /.Trashes Contains system’s deleted items
User trash /User/{un}/.Trash Contains files and directories deleted by user
Trash data /User/{un}/.Trash/.DS_Store This contains the last location of items in the .Trash directory
Accounts User accounts /User/{un}/Library/Accounts Contains an SQLite database of accounts
Calendar /User/{un}/Library/Calendars/{Random string} Contains info.plist of accounts with calendar capabilities
Mail accounts /User/{un}/Library/Mail/V{Some number}/ Contains a subdirectory for each account with email address
Safari Cache /User/{un}/Library/Caches/com.apple.Safari/WebKitCache/ This contains a cache of images from Safari
History /User/{un}/Library/Safari/history.db This is an SQLite database of the user’s history
Bookmarks /User/{un}/Library/Safari/Bookmarks.plist Contains the user’s bookmarks
Messages Message database /User/{un}/Library/Messages/chat.db Contains the user’s iMessages and SMS if enabled
Mail messages /User/{un}/Library/Mail/V{Some number}/{Account}/{Inbox name}/{Random string}/Data/Messages Leads to email messages stored on the system. Emails are stored in the .emlx format.
Photos Photo library /User/{un}/Pictures/Photos Library.photoslibrary/Masters This contains the unedited photos in the Photos application.
Photo faces /User/{un}/Pictures/Photos Library.photoslibrary/Database/Faces/Facenames This contains the information for faces identified in the Photos app
Movies Movie location /User/{un}/Movies
Calendars Calendar location /User/{un}/Library/Calendars/{Random string} Calendars separate accounts with subdirectories with random strings. The info.plist will give you an idea of what the account is used.
iCloud Synced iCloud data /User/{un}/Library/Mobile Documents Contains synced iCloud data
Documents Documents /User/{un}/Documents Local document default storage path
iCloud documents /User/{un}/Library/Mobile Documents/com∼apple∼CloudDocs Synced iCloud documents
Calls Facetime metadata /User/{un}/Library/Application Support/CallHistoryDB/CallHistory.storedata This contains metadata of Facetime and phone calls including duration, date, and type (Facetime, etc.). The phone numbers are not included, but the unique ID can be matched to the tx.log file (see below).
Facetime phone numbers /User/{un}/Library/Application Support/CallHistoryTransactions/tx.log Log file that contains the phone numbers with the unique ID used in the CallHistory.storedata file.

Quick Reference Chart: {un} indicates the user’s name.

Works cited

Apple Inc. (2015, September 10). Mac Developer Library. Retrieved September 10, 2015, from Apple Developer: www.developer.apple.com.

Gartner. (2015, April 9). Gartner Says Worldwide PC Shipments Declined 5.2 Percent in First Quarter of 2015. Retrieved September 1, 2015, from Gartner Newsroom: http://www.gartner.com/newsroom/.
