Wednesday, August 18, 2010

FTK Imager (for OS X) to the Rescue

So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop, and you’re losing:

·         Your favorite Linux distribution disk won’t boot,
·         You spent hours taking the laptop apart only to discover the internal hard drive has a ZIF or LIF interface and you don’t have an adapter,
·         The Firewire and Ethernet ports are missing,
·         there is only one USB port,
·         and the laptop won’t boot from your USB hub.

This documentation specifically applies to Apple’s Macbook Air models. However, the procedures outlined here should be applicable to all Intel-based Macs. When acquiring Macbook Airs, traditional acquisition methods are often challenged by the lack of external media interfaces and by software compatibility issues.
SO…WHAT’S NEXT?!?! In April 2010, AccessData released command-line (CLI) versions of its popular FTK Imager tool. One of these versions supports Intel-based Mac OS X 10.5 and 10.6.x. I have found this tool to be a strong candidate for Mac collections. This article will explore two collection techniques that exercise this tool:

1.     (Live Collection) – Acquisition of a targeted system in a live (booted) state. The FTK CLI tool is executed on the target system and the image is written to an external USB hard drive. This method is frequently used to acquire systems that cannot be taken offline or when encryption is involved.

2.     (Secondary-boot Collection) – Acquisition of a targeted system from a secondary-boot device. The target system is booted from a bootable external USB hard drive containing OS X and pre-installed with the FTK CLI tool. Once booted, the FTK CLI imager is executed from this device and the image is written to a separate FAT32 partition on the same USB hard drive.

Note: As a forensic practitioner, you should weigh the pros and cons of the two collection techniques and use discretion to what method (if any) suits the requirements and needs of your engagement.

Approach 1: Live Collection – Preparation:

1.     OS X does not natively support writing to NTFS or EXT volumes. Therefore, you will need to prepare an HFS or FAT32 formatted hard drive to write your image to. I prefer FAT32 over HFS because it is readily accessible from Windows.

If you decide to go the HFS route, there is a tool called MacDrive that will allow full read/write to HFS from Windows.

2.     Download and extract “ImagerCLI” from AccessData onto the external device:

File: Mac/FTK ImagerCLI
Supports: Mac OS 10.5 and 10.6x
MD5: 5b33f0ec0c6d5096371f07d19cc698de

Approach 1: Live Collection – Getting Started:

1.     If applicable, power on the device and log in.

2.     Plug in the USB hard drive you have prepared as the destination drive.

3.     Open the console application located in: /Applications/Utilities/Console

This is a window into the other side of OS X. All commands hereafter will be issued from the console.

4.     Switch to user “root”: Ftechs-Mac-mini:~ ftech$ su root

Root privileges are needed for FTK CLI to interact with the host device. You will be prompted for the root password.

*Note 1: The default Mac OS X installation has the "root" account disabled. To enable it, follow the steps here:

*Note 2: If you don’t know the root password you can try this to reset it,

*By following this step you are making substantial changes to the host system.

5.     After you have switched users to root, you will need to identify the source and destination hard drives for acquisition: Ftechs-Mac-mini:~ root$ diskutil list

This will query all active disks and their partition layouts:
This information can be interpreted as follows:

"/dev/disk0" represents the first physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the hard drive inside of the system. In this example, the physical device "/dev/disk0" will be the source of the acquisition.

"/dev/disk1" represents the second physical hard drive attached to the system. Based on its size, volume name, and partition layout, it is determined that this is the destination hard drive connected to the system via USB.

On this hard drive there is one volume disk1s1 named Evidence_Drive. This is the volume we will use to write the acquisition to.

However, before you can write to a volume you need to determine what the “mount point” of the volume is. A mount point is the connection the operating system uses to interact with a volume on a hard drive.

6.     Mac OS will automatically create a mount point (with full read/write permissions) when a device is attached to the system with a recognizable file system.

The mount point should be consistent with the volume name appended to /Volumes/. The mount command can be used to verify this: Ftechs-Mac-mini:~ root$ mount

This will list all volumes mounted on the system:

We see here that “/Volumes/Evidence_Drive” is the full path of the mount point for volume “disk1s1” on the destination hard drive “/dev/disk1”. This is the destination mount point.

This now establishes that we will be imaging (source): /dev/disk0 and writing our acquisition image to (destination mount point): /Volumes/Evidence_Drive

After you have determined the source and destination mount point, navigate to the destination mount point where the FTK CLI tool resides: Ftechs-Mac-mini:~ root$ cd /Volumes/Evidence_Drive

7.     Execute the following command and flags to run FTK CLI. This will acquire the source /dev/disk0 (the physical hard drive inside of the computer) and save it to /Volumes/Evidence_Drive (on the destination hard drive volume) in .E01 format, fragmented every 4 GB, with no compression:

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/Evidence_Drive/imagename --e01 --frag 4G --compress 0

A full list of usage and options can be viewed on the man page. This can be accessed from the command line by: Ftechs-Mac-mini:~ root$ ./ftkimager --help
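As an added example (not code from the original post or from AccessData), the POSIX shell helpers below apply steps 5 to 7 of Approach 1 (and step 3 of Approach 2) to constructed `mount` output: they resolve the destination volume’s mount point, refuse to image a disk onto one of its own volumes, and print the ftkimager command line from this post with the CLI’s `--verify` option appended so the image is hashed against the source after it is written. The `mount` sample, volume names and image name are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: parse `mount` output, sanity
# check the source/destination pairing, and build the ftkimager command line.

# Constructed sample of `mount` on the target (only the relevant lines);
# the same layout as steps 5 and 6 above: disk0 is internal, disk1 is USB.
MOUNT_SAMPLE='/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk1s1 on /Volumes/Evidence_Drive (msdos, local, nodev, nosuid, noowners)'

# Physical disk a volume identifier belongs to: /dev/disk1s1 -> /dev/disk1.
# A bare disk identifier (/dev/disk0) is returned unchanged.
parent_disk() {
    printf '%s\n' "$1" | sed 's/s[0-9][0-9]*$//'
}

# Mount point of a volume, read from `mount` output (mount points with
# spaces would need a different parser): mount_point <volume> <mount output>
mount_point() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev && $2 == "on" { print $3 }'
}

# Reverse lookup: which volume is mounted at a given path.
volume_for_mount() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == "on" && $3 == mp { print $1 }'
}

# Build the acquisition command from the post (E01, 4 GB segments, no
# compression) plus --verify. It prints the command rather than running it so
# the examiner can review it first; it fails if the destination is not
# mounted or sits on the very disk being imaged.
# build_image_cmd <source disk> <destination volume> <image name> <mount output>
build_image_cmd() {
    src="$1"; dest_vol="$2"; name="$3"; mounts="$4"
    dest_mp=$(mount_point "$dest_vol" "$mounts")
    if [ -z "$dest_mp" ]; then
        echo "destination $dest_vol is not mounted" >&2; return 1
    fi
    if [ "$(parent_disk "$dest_vol")" = "$src" ]; then
        echo "refusing: $dest_vol lives on source disk $src" >&2; return 1
    fi
    printf './ftkimager %s %s/%s --e01 --frag 4G --compress 0 --verify\n' \
        "$src" "$dest_mp" "$name"
}

# Stand-alone run: on a real system replace MOUNT_SAMPLE with "$(mount)".
build_image_cmd /dev/disk0 /dev/disk1s1 imagename "$MOUNT_SAMPLE"
```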

Approach 2: Secondary-boot Collection – Preparation:

1.     Before you start you will need:

·         An Intel-based Mac to use (examiner machine),
·         OS X 10.5.x or later installation DVD,
·         and a large enough external USB hard drive to both install OS X onto and hold the image(s) of the collection (approx. 320 GB+).

2.     You will need to partition the USB hard drive with two volumes:

1.     Volume 1 - Boot: Approximately 16 GB formatted OS X Extended (Journaled)

2.     Volume 2 - Storage Area: Remainder of drive formatted FAT32

Partition Layout Example:

·         One volume to install OSX which will be the boot partition. The second volume as a storage area that can be used to write your image(s) to.

·         I would suggest using Apple’s Disk Utility, located at /Applications/Utilities/, to prepare this drive.

3.     To make the USB hard drive bootable it must have ownership enabled.

1.     Locate the 16 GB volume on your Mac desktop, right-click its icon, and select ‘Get Info’ from the pop-up menu.

2.     In the Info window that opens, expand the ‘Sharing & Permissions’ section, if it’s not already expanded.

3.     Click the lock icon in the bottom right corner.

4.     Enter your administrator password when asked.

5.     Remove the check mark from ‘Ignore ownership on this volume.’

6.     Close the Info panel.

7.     Once you complete these steps, your USB hard drive will be ready for you to install OS X.

4.     Install OS X - Summarized

1.     Plug USB hard drive (prepared above) into Mac.

2.     Put Install DVD in the Mac.

3.     Reboot.

4.     Choose to install OS X on the USB hard drive 16 GB partition, OSX Journaled Extended.

5.     You may want to customize the software packages that OS X will install to minimize disk space required for the installation.

5.     After install, test to make sure the Mac will boot from the secondary boot drive you just created instead of the internal hard drive. At startup, hold down the “Option” key and you will be prompted with the boot options menu.

6.     Once you are booted to the USB hard drive, the secondary OSX boot drive, you will need to copy over the FTK CLI application onto it. You can use a flash drive to do this or just go online and download it if you are connected to the internet.

7.     The default Mac OS X installation has the "root" account disabled. Enable it by following the steps listed here:

8.     Your secondary OSX boot drive is now created and has FTK CLI on it.

Approach 2: Secondary-boot Collection – Getting Started:

1.     Plug the secondary OSX boot drive you created above into the Mac machine you would like to acquire.

2.     Start the Mac up holding down the Option key at start up to get to the boot options menu. Select to boot to the external secondary OSX boot drive.

3.     Once booted, follow the steps listed above starting in Approach 1.3. In summary:

a.     Go to console.
b.    Switch to user root.
c.     As illustrated below, identify the physical source hard drive (hard drive inside of the computer)
d.    As illustrated below, identify the destination hard drive, volume, and mount point of the FAT32 storage-area volume on the Secondary-boot hard drive.

Attached disks:

Mounted devices:

e.     Navigate to the location of the FTK CLI tool and execute the command with the proper usage and flags.

Ftechs-Mac-mini:~ root$ ./ftkimager /dev/disk0 /Volumes/EV0-09027_F/imagename --e01 --frag 4G --compress 0

Tuesday, June 29, 2010

MacBook Air Fun

I had a small window of time the other day to image an Apple Macbook Air. It was like “my first time” so I felt it would be appropriate to do a little research about “how to turn it on” and “what buttons to press” to make sure things didn’t get sloppy ;-p

I can’t emphasize how important it is to go into situations with more than one option. It’s like the old saying, “Why carry a tool box if you only have one tool in it?” After a little research, I came up with a Plan A and Plan B. Not talking about the Plan B - One-Step here :-)

Before I jump into my procedures, let me note a few things:
  • I knew ahead of time that this Macbook Air did not have an Apple Super Drive (external CD/DVD drive). I do not have an external CD/DVD drive or Apple Super Drive in my forensic kit. Maybe I need to get one!! Furthermore, it is reported that not all USB CD/DVD drives are compatible. The Macbook Air only has one USB port. This USB port is buried in the shell so not all thumb drives will physically fit into it. Yes, I had this problem… What can I say, Dav Nads has a BIG USB thumb drive!!
  • Similar to the external CD/DVD drive issue, it is reported that some USB hubs do not let you boot from them. The one I tried was a Belkin Desktop Hub (Model F4U016) which comes with an external power supply to power the USB ports.
  • The Macbook Air does not have a Firewire port. Therefore, you CANNOT acquire using Target Disk Mode.
  • There is no eSata port, ethernet port, or PCMCIA slot
Here’s what I tried:

A) Forensic Linux Boot Disk to Acquire:

We have an in-house Linux variant comparable to Helix, Knoppix, or Raptor that we use for boot acquisitions. Note that since I did not have an external CD/DVD drive, it was a requirement that I load the Boot Disk into RAM since the laptop only has one USB port. I needed the one and only USB port free so I could plug in an external USB hard drive as a destination to save the image to. Our boot disk has a “Load to RAM” option which allowed me to do this. I believe others do as well.
  1. Boot to Forensic Linux from USB thumb drive.
  2. Load into RAM. Some boot disks have this option as noted above.
  3. Remove USB thumb drive and plug USB storage hard drive in.
  4. Image away.
Unfortunately, the specific chipset in the Macbook Air I was acquiring from was not compatible with my Linux boot disk. I found this interesting because it worked for a colleague a few months ago on an earlier MacBook Air model which was also Intel-based. Regardless, it was on to Plan B. I will note here that I have heard Raptor works well booting in Mac environments. However, I did not have time to try it in the field and I do not think it has the option to load into RAM.

Here is what I did:

B) Remove Hard Drive:

Before you get started, note that for Rev A Macbook Airs I would expect you would find a PATA ZIF hard drive. For Rev B & C, you should find a SATA LIF hard drive.

Unfortunately, I have not found an adapter yet for LIF interfaces. So stop reading here if you know that is what you’re working with. The only place I have seen an adapter advertised for purchase is here, but it has always been out of stock. I was recently told that LIF adapters could also be purchased here but I have not personally verified this. If you don't have an adapter to interface with LIF and are now looking for a plan C, check back for my next post on FTK's CLI tool for OSX.

  1. There is an excellent tutorial, written by Lee Whitfield, on Forensic 4cast documenting how to remove the hard drive from a Macbook Air. This can be found here. Alternatively, there are a number of videos on YouTube. This is the one I watched.
  2. Whenever I take something apart, I like to draw a picture of where I extracted each piece/screw from. Something that may come in handy when putting it back together! It's also not a bad idea to tape the screws to the piece of paper. I actually had an experience where a person knocked the screws over once and I had to be real creative about putting the laptop back together. Live and learn LOL.
  3. If the laptop has an SSD hard drive you will need a ZIF adapter. I recommend the one that Tableau sells (now owned by Guidance Software). If you use this one, it must be connected this way: To image a Samsung 1.8" drive, connect the Tableau TC20-3-2 ZIF cable to the adapter label face-up. Then connect the cable to the Samsung 1.8" drive, positioning the drive label face-up.
  4. Image the hard drive externally using hard drive duplicator or your tool of choice.
  5. Put it back together!!
I will note that it has been reported that some Linux boot disks may temporarily disable or render the one USB port inactive. To reset the USB port, make sure the Mac is turned off. Press and hold the following keys on the keyboard: Shift, Control, Option (all on the bottom left side of the keyboard) and press and hold the Power button (top right of the keyboard). Hold for about 5 seconds and then release them all. You will not see any indication that anything happened. Try to boot from the external drive again.

I will document another collection option using FTK Imager CLI for OSX in my next post.

Tuesday, June 1, 2010

Incident Response Questions

The next time your network gets p'owned don't choke your suspects with USB cables, just ask the same questions Dav Nads would!

Understand the Nature of the Incident’s Background
1.     What is the nature of the problem(s), as it has been observed so far?
2.     How was the problem(s) detected initially?
3.     When was it detected and by whom (build time line and list stake holders)?
4.     Who is aware of the incident? What are their names and affiliation to the organization?
5.     What groups or people are internally affected or targeted by the incident?
6.     Were other security incidents observed in the affected environment or the organization recently?
7.     Is there any history of similar situations or patterns?
8.     Who is designated as the primary incident response coordinator?
9.     Who is authorized to make business decisions regarding the affected operations of the IT infrastructure?
10.  What theories exist for how the initial compromise occurred?
11.  Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
Review the Initial Incident Survey’s Results
1.     What analysis actions were taken during the initial survey when qualifying the incident?
2.     What commands or tools were executed on the affected systems as part of the initial survey?
3.     What measures were taken to contain the scope of the incident? (e.g. disconnected from the network)?
4.     What alerts were generated by the existing security infrastructure during the compromise (e.g. IDS, anti-virus, etc.)?
5.     If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information, was observed?
Technical Assessment to Determine Scope
1.     The affected IT infrastructure components are physically located where?
2.     Request/ Review Network Topology diagram.
3.     Does an automated IT Asset Discovery tool exist? If not, account for all IT assets related to the compromise in the infrastructure.
4.     Identify each host by name, network address (internal and external), O/S, purpose, asset #, make, model, version, build, etc.
5.     Understand how the network functions: Firewalls, Domains, VPN, DMZ, Gateways, Access Points, Intrusion Detection systems, Intrusion Prevention systems, Proxy, Anti-Virus, Domain Controllers, Data Storage, E-mail systems, ERP systems, etc.
6.     Service provider, DNS, Internal IP Ranges, and external facing IP ranges.
1.     What assets have the ability to log? What is turned on and what is off?
a.     Network:
       i.     Firewall,
       ii.    Routers,
       iii.   Wireless Access Points,
       iv.    Domain Controller,
       v.     AV,
       vi.    ID and/or IP Systems (IDPS),
       vii.   Systems,
       viii.  Network appliances,
       ix.    File Servers,
       x.     Backups,
       xi.    etc.
b.    Physical:
       i.     Building entry / exit,
       ii.    Video surveillance, etc.
2.     Are logs backed up or written over?
1.     What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
2.     What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)
3.     How are the security components configured (Wireless, Firewall, DMZ, Segmentation, etc)?
4.     Do computers have standard images/builds?
a.     OS versions and service patches?
b.    Local and network policies?
5.     Do servers have standard images/builds?
a.     OS versions and service patches?
b.    Local and network policies?
6.     IDPS Systems Network and/or Host based?
a.     What kind? Version?
b.    Passive or Reactive?
7.     Anti-virus Network and/or Host based?
a.     What kind? Version?
b.    Definition updating policies?
8.     Password policies / account audits?
9.     Wireless Access Point Security type (i.e. Authentication, encryption, etc.)
10.  E-mail Server and Security (i.e. Attachments Scanned, dumpster, retention)?
11.  File Servers?
a.     Type?
b.    Share permissions?
c.     File System?
d.    Archived/Backed up?
12.  Guest and Remote access?
13.  Backup Policies, routines, documentation, continuity plans, data storage?
1.     Active Directory or eDirectory Listing: Active or Departed?
Prepare for Next Incident Response Steps
1.     Does the affected group or organization have specific incident response instructions or guidelines?
2.     Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?
3.     What tools are available to us for monitoring network or host-based activities in the affected environment?
4.     What backup-restore capabilities are in place to assist in recovering from the incident?
5.     Who will be leading this effort from the Organization?
Communication Parameters
6.     What communication mechanisms will be used while handling the incident?
7.     What is your availability to schedule external regular progress updates? Who is responsible for leading them?