Tuesday, June 29, 2010

MacBook Air Fun

I had a small window of time the other day to image a Apple Macbook Air. It was like “my first time” so I felt it would be appropriate to do a little research about “how to turn it on” and “what buttons to press” to make sure things didn’t get sloppy ;-p

I can’t emphasize how important it is to go into situations with more than one option. It’s like the old sang, “Why carry a tool box if you only have one tool in it?” After a little research, I came up with a Plan A and Plan B. Not talking about the Plan B - One-Step here :-)

Before I jump into my procedures, let me note a few things:
  • I knew ahead of time that this Macbook Air did not have an Apple Super Drive (external CD/DVD drive). I do not have an external CD/DVD drive or Apple Super Drive in my forensic kit. Maybe I need to get one!! Furthermore it is reported  that not all USB CD/DVD drives are compatible.The Macbook Air only has one USB port. This USB port is buried in the shell so not all thumb drives will physically fit into it. Yes, I had this problem… What can I say, Dav Nads has a BIG USB thumb drive!! 
  • Similar to the external CD/DVD drive issue, it is reported that some USB hubs do not let you let you boot from them. The one I tried was a Belkin Desktop Hub (Model F4U016) which comes with an external power supply to power the USB ports.
  • The Macbook Air does not have a Firewire port. Therefore, you CANNOT acquire using Targeted Disk Mode.
  • There is no eSata port, ethernet port, or PCMCIA slot
Here’s what I tried:

A) Forensic Linux Boot Disk to Acquire:

We have an in-house Linux variant comparable to Helix, Knopix, Raptor that we use for boot acquisitions. Note that since I did not have an external CD/DVD drive it was a requirement that I load the Boot Disk into RAM since the laptop only has one USB port. I needed the one and only USB port free so I could plug in an external USB hard drive as a destination to save the image to. Our boot disk has a “Load to RAM” option which allowed me to do this. I believe others do as well.
  1. Boot to Forensic Linux from USB thumb drive.
  2. Load into RAM. Some boot disks have this option as noted above.
  3. Remove USB thumb drive and plug USB storage hard drive in.
  4. Image away.
Unfortunately, the specific chipset in the Macbook Air I was acquiring from was not compatible with my Linux boot disk. I found this interesting because it worked for a colleague a few months ago on an earlier MacBook Air model which was also Intel-based. Regardless, it was on to Plan B. I will note here that I have heard Raptor works well booting in Mac environments. However, I did not have time to try it in the field and I do not think it has the option to load into RAM.

Here is what I did:

B) Remove Hard Drive:

Before you get started note that for Rev A Macbook's I would expect you would find a PATA ZIF hard drive. For Rev B&C, you should find a SATA LIF hard drive.

Unfortunately, I have not found a adapter yet for LIF interfaces. So stop reading here if you know that is what your working with. The only place I have seen an adapter advertised for purchase is here, but it has always been out of stock. I recently told that LIF adapters could also be purchased here but I have not personally verified this. If you don't have a adapter to interface with LIF and now looking for a plan C, check back for my next post on FTK's CLI tool for OSX.

  1. There is an excellent tutorial, written by Lee Whitfield, on Forensic 4cast documenting how to remove the hard drive from a Macbook Air. This can be found here. Alternatively, there are a number of videos on YouTube. This is the one I watched.
  2. Whenever I take something a part, I like to draw a picture of where I extracted each piece/screw from. Something that may come in handy when putting it back together! It's also not a bad idea to tape the screws to the piece of paper. I actually had an experience were a person knocked the screws over once and I had to be real creative about putting the laptop back together. Live and learn LOL.
  3. If the laptop has a SSD hard drive you will need a ZIF adapter. I recommend the one that Tableau sells (now owned by Guidance Software). If you use this one, it must be connected this way: To image a Samsung 1.8" drive, connect the Tableau TC20-3-2 ZIF cable to the adapter label face-up. Then connect the cable to the Samsung 1.8" drive, positioning the drive label face-up
  4. Image the hard drive externally using hard drive duplicator or your tool of choice.
  5. Put it back together!!
I will note that it has been reported that some Linux boot disks may temporary disable or render the one USB Port inactive. To reset the USB port, make sure the Mac is turned off. Press and hold the following keys on the keyboard: Shift, Control, Option (all on the bottom left side of the keyboard) and Press and hold the Power button (top right of the keyboard). Hold for about 5 seconds and then release them all. You will not see indication of anything. Try to boot from the External Drive again.

I will document another collection option using FTK Imager CLI for OSX in my next post.

Tuesday, June 1, 2010

Incident Response Questions

The next time your network gets p'owned don't choke your suspects with USB cables, just ask the same questions Dav Nads would!

Understand the Nature of the Incident’s Background
1.     What is the nature of the problem(s), as it has been observed so far?
2.     How was the problem(s) detected initially?
3.     When was it detected and by whom (build time line and list stake holders)?
4.     Who is aware of the incident? What are their names and affiliation to the organization?
5.     What groups or people are internally affected or targeted by the incident?
6.     Were other security incidents observed in the affected environment or the organization recently?
7.     Is there any history of similar situations or patterns?
8.     Who is designated as the primary incident response coordinator?
9.     Who is authorized to make business decisions regarding the affected operations of the IT infrastructure?
10.  What theories exist for how the initial compromise occurred?
11.  Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
Review the Initial Incident Survey’s Results
1.     What analysis actions were taken during the initial survey when qualifying the incident?
2.     What commands or tools were executed on the affected systems as part of the initial survey?
3.     What measures were taken to contain the scope of the incident? (e.g. disconnected from the network)?
4.     What alerts were generated by the existing security infrastructure compromise (e.g. IDS , anti-virus, etc.)
5.     If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information, was observed?
Technical Assessment to Determine Scope
1.     The affected IT infrastructure components are physically located where?
2.     Request/ Review Network Topology diagram.
3.     Does an automated IT Asset Discovery tool exist? If not, account for all IT assets related to the compromise in the infrastructure
4.     Identify each Host by Name, network address (internal and external), O/S, and purpose, asset #, make, model, version, build, etc.)
5.     Understand how the network functions: Firewalls, Domains, VPN, DMZ, Gateways, Access Points, Intrusion Detection systems, Intrusion Prevention systems, Proxy, Anti-Virus, Domain Controllers, Data Storage, E-mail systems, ERP systems, and etc.
6.     Service provider, DNS, Internal IP Ranges, and external facing IP ranges.
1.     What assets have the ability to log? What is turned on and what is off?
a.     Network:
                                          i.     Firewall,
                                         ii.    Routers,
                                        iii.    Wireless Access Points,
                                        iv.    Domain Controller,
                                         v.    AV,
                                        vi.    ID and/or IP Systems (IDPS),
                                       vii.    Systems,
                                      viii.    Network appliances,
                                        ix.    File Servers,
                                         x.    Backups,
                                        xi.    etc.
b.    Physical:
                                          i.    Building entry / exit,
                                         ii.    Video surveillance, etc.
2.     Are logs backed up or written over?
1.     What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
2.     What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)
3.     How are the security components configured (Wireless, Firewall, DMZ, Segmentation, etc)?
4.     Do computers have standard images/builds?
a.     OS versions and service patches?
b.    Local and network policies?
5.     Do servers have standard images/builds?
a.     OS versions and service patches?
b.    Local and network policies?
6.     IDPS Systems Network and/or Host based?
a.     What kind? Version?
b.    Passive or Reactive?
7.     Anti-virus Network and/or Host based?
a.     What kind? Version?
b.    Definition updating policies?
8.     Password policies / account audits?
9.     Wireless Access Point Security type (i.e. Authentication, encryption, etc.)
10.  E-mail Server and Security (i.e. Attachments Scanned, dumpster, retention)?
11.  File Servers?
a.     Type?
b.    Share permissions?
c.     File System?
d.    Achieved/Backed up?
12.  Guest and Remote access?
13.  Backup Policies, routines, documentation, continuity plans, data storage?
1.     Active Directory or eDirectory Listing: Active or Departed?
Prepare for Next Incident Response Steps
1.     Does the affected group or organization have specific incident response instructions or guidelines?
2.     Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?
3.     What tools are available to us for monitoring network or host-based activities in the affected environment?
4.     What backup-restore capabilities are in place to assist in recovering from the incident?
5.     Who will be leading this effort from the Organization?
Communication Parameters
6.     Communication mechanisms will be defined to communicate when handling incident.
7.     What is your availability to schedule external regular progress updates? Who is responsible for leading them?