It's no joke! Today I presented at one of my favorite conferences BsidesNOLA. I've uploaded the slides to my Github here - Logs Unite!
Enjoy the log goodness!
osx
Update to MacMRU Parser - Now with Microsoft Office Support!
I've updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.
This update includes support for 'Most Recently Used' artifacts for Microsoft Office for Mac 2011 and 2016. I've also added a bit more error checking, so please let me know if you come across a plist that doesn't work or does not contain certain expected keys. It happens, I've run across a few myself - I can't explain why now, but I hope to look into it further.
While researching for this update I noticed something interesting. Microsoft Office used a binary plist format for the 2011 version of the software, but "downgraded" to an XML-based plist format in the 2016 version. Most of the time I see plists headed in the XML->Binary direction.
Got a MacMRU file that I don't parse? Please let me know!
I hope you find this script useful!
Mac News & Updates - 08/11/16
Blogs
- [LINK] Another Forensics Blog - How to image a Mac using Single User Mode
- [LINK] Another Forensics Blog - Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux
- More great Mac imaging articles from Mari!
- [LINK] The Eclectic Light Company - Tools to calm your panic, and to protect
- Great overview of Objective-See's tools
- [LINK] Pike's Universum - Say hello to new logging in Sierra
- New and different logging stuff in macOS Sierra, this is BIG for DFIR folks!
- [LINK] Additional information in the Apple Developer Docs
- [VIDEO] Video from WWDC
- [PDF] Slides from WWDC
- [LINK] BlackBag Technologies - Acquiring iOS 10 Devices with Blacklight
- Yep, iTunes backups change too!
- [LINK] Sysforensics.org - Mac DFIR - HFS+ Date Added Timestamp
Papers
- [LINK/PDF] Detecting Malicious Behaviour Using system Calls by Vincent Van Mieghem
Presentations
- [VIDEO/Keynote] OS X Security - Defense in Depth by Rich Trouton
- [VIDEO/PDF] Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao, Slides here.
- [VIDEO/SLIDESHARE] Let's Play Doctor: Practicle OS X Malware Detection & Analysis by Patrick Wardle, Slides here
- [PDF] Apple's BlackHat Slides - Behind the Scenes with iOS Security by Ivan Krstic
- [SPEAKERDECK] I Got 99 Problems, but Little Snitch ain't one! by Patrick Wardle
Tools
- [LINK] MacMRU Parser - Python script to rip thru Mac MRU plist files, old and new ones!
- [LINK] Blog article here. What, I can't link to my own stuff? ;)
- [LINK] Pangu Jailbreak is out for 9.2 - 9.3.3 (64-bit) devices
Malware
- [LINK] OS X & IOS RE 101 - Reverse Engineering OS X/iOS Resources
- [LINK] OS X Adwind Malware Analysis by Malwarebytes
- [LINK] Objective-See - Persisting via a Finder Sync
- [LINK] Open Source OS X Keylogger - keylogger-osx
- OSX/Keydnap - Keychain/Credential Stealer/Backdoor
- [MALWARE!] Sample (via Objective-See, passwd: infect3d)
- [LINK] ESET Analysis
My Upcoming Classes & Presentations:
I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!
[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This one is coming up soon! This conference is super chill and relaxed, and you get to watch fighter jets from the beach!
- @Night – The iOS of Sauron- How iOS Tracks Everything You Do
[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Missed Vegas for Blackhat or DEF CON? Didn't get enough of it? Join me...if you're feelin' lucky! :)
- @Night – The iOS of Sauron- How iOS Tracks Everything You Do
[LINK] SANS DFIR Prague (Oct 3 – 8 in the Czech Republic), Stay for the Summit on the 9th!
[LINK] SANS San Francisco (Nov 27 – Dec 2)
- @Night – iOS Location Forensics
[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)
- @Night – The iOS of Sauron- How iOS Tracks Everything You Do
[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)
- @Night – The iOS of Sauron- How iOS Tracks Everything You Do
New Script! - MacMRU (Most Recently Used) Plist Parser
I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual analysis of these files. I’ve also included the ‘older’ format plist files used in OS X 10.10 and older.
In order to analyze them better (and student requests) I wrote a Python script to output the contents of these files in an easier to read format. Nothing fancy, just text printed to standard output.
Get the script here from my Github page. I hope you find the script useful!
The script is meant to be run on a directory; this can be a directory of extracted plist files from an image, a directory on your own system (ie: ~/Library), or from a mounted image (ie: /Volumes/mounted_image_file/Users/<username>/), you get the idea.
This script parses the following plist files:
- /Users/<username>/Library/Preferences/<bundle_id>.LSShardFileList.plist
- /Users/<username>/Library/Preferences/com.apple.finder.plist
- [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl
The script usage is below. The only required argument is the directory, but the output can include binary BLOB hex dump of the Bookmark data (--blob). Most of the Mac MRUs contain a binary Bookmark BLOB of data that can be useful to determine where a certain file was located or where an application was run from. I’ve included it as an option as it can get very, very verbose.
The script also has two dependencies, hexdump.py and ccl_bplist.py. These files can be installed or just simply placed in the same directory you are running the macMRU.py script from. (Installation on OS X 10.11 systems are limited thanks to SIP.)
- hexdump.py: https://pypi.python.org/pypi/hexdump
- ccl_bplist.py: https://github.com/cclgroupltd/ccl-bplist
A few screenshots of example script output:
This example shows the output without the BLOB data of the newer SFL-based MRU files:
This example shows the same output with a sample of the hexdump BLOB data, you can see where this can get quite verbose.
The last example shows the ‘older’ MRU plist files found on 10.10 and older systems. (The com.apple.finder.plist files is the same on 10.11.)
Presentation Update: Analysis and Correlation of Mac Logs
This week I had the privilege of presenting an updated version of my "Analysis and Correlation of Mac Logs" talk at the CTIN Conference.
The updated slides have been uploaded to my presentation area on GitHub.
Note: Some content from the older presentation is still valid, however due to timing I had to cut out some slides, therefore both presentations are still available.