A false digital alibi on mac os x

A false digital alibi on Mac OS X
Dario Di Nucci
Fabio Palomba
Stefano Ricchiuti
University of Salerno
Challange and solutions
domenica 15 luglio 12

Focusing on Mac OS X
Mac OS X & Forensic:how and what?
Evaluation of the work
A case study
- Developing the false digital alibi
- A post-mortem digital forensic
Is realistic a false digital alibi on a Mac OS X?

Focusing on Mac OS X
Chapter 3
in the thesis

Use of BTree
Journaling
Max File Dim 263
Max Folder Dim 231
Hierarchical File System+

Disk utility
Manager of all ﬁle systems in
your Mac
Complete information
retrieving on all disks
Improve stability and
performance
Runnable from live
boot
Fix the ﬁle system errors
Prevent errors
First AID
Disk Utility

....What is right,
what is wrong...
Mac apps

File Vault
User Password: Crypt and Decrypt
Disk
Master Password: For System
recovering
XTS - AES 128 bit Cryptography

Time Machine
All action on ﬁles (deleted,
modiﬁed, moved) are recorded on
external disk
The actions are revertable!
Huge impact on Digital
Forensic

Why analyze these?
Create false digital evidences is possible!
How?
Construct a false digital alibi using
built-in software

A false digital alibi: how to...

“AppleScript is a scripting language that
makes possible direct control of scriptable
applications and of many parts of the Mac
OS. With scriptable applications, users can
write scripts to automate operations.”
[https://developer.apple.com]
AppleScript

tell application "Finder" to quit
display dialog "Mostra Files nascosti..." buttons {"Si", "No", "Annulla"}
default button 3
copy the result as list to {buttonpressed}
try
if the buttonpressed is "No" then do shell script ¬
"defaults write com.apple.finder AppleShowAllFiles OFF"
if the buttonpressed is "Si" then do shell script ¬
"defaults write com.apple.finder AppleShowAllFiles ON"
end try
tell application "Finder" to launch
Example...

“Automator is your personal automation
assistant, making it easy for you to do more,
and with less hassle.With Automator, you use
a simple drag-and-drop process to create and
run “automation recipes” that perform simple
or complex tasks for you, when and where you
need them.”
[http://support.apple.com]
Automator

V
S
Automator or AppleScript?
Actions via Drag & Drop
Simple to learn and use
What about translation?
Direct control on Mac OS X
REJECT
ACCEPT

A case study
Chapter 4
in the thesis

Developing the
false digital alibi
Paragraph 4.A - 4.B
in the thesis

Automatism setup
Best practices
Software built-in is better!
Automatism habits-based
Needs to clean all traces!
No stupid error!

The false digital alibi maker
Automatism setup - Structural Decomposition
The automatism activator
Manager of the actions of
delection of traces and
scheduling

Automatism setup - Structural Decomposition
How to develop these modules?
Bottom-up
Develop the Simulator before
the others modules allows us to
understand which are the traces
to cover

The Simulator module

AppleScript at work
at
9.00
am
at
10.00
am
at 12.00 am
at 15.00 pm

AppleScript at work

AppleScript as app
this is the simulator
module!

The Wiper/Scheduler module

How retrieve traces of the automation?

Double execution
Manual execution -> State t1
Launch automatism -> State t2
Find of the accessed and modiﬁed ﬁles in t1 e t2
Retrieve differences between t1 and t2

/System/Library/Components/AppleScript.component
/System/Library/Components/AppleScript.component/Contents
/System/Library/Components/AppleScript.component/Contents/Resources
/System/Library/Components/AppleScript.component/Contents/Resources/
Italian.lproj
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/Applications/Utilities/AppleScript Editor.app/Contents/Resources/
ScriptEditor.help/Contents/Resources
/Applications/Utilities/AppleScript Editor.app/Contents/Resources/
ScriptEditor.help/Contents/Resources/Italian.lproj
Anomalies in accessed ﬁles
find / -amin -3 > accessedFiles.txt

Anomalies in modiﬁed ﬁles
/private/var/log/asl/AUX.2012.06.04
/private/var/log/asl/AUX.2012.06.04/3793
/private/var/log/DiagnosticMessages/2012.06.04.asl
/private/var/log/DiagnosticMessages/StoreData
/private/var/log/opendirectoryd.log
/private/var/log/secure.log/private/var/log/system.log
find / -mmin -3 > modifiedFiles.txt

How remove this traces?

Via software
Removing traces
The software must delete itself!
Interpreted language!

Removing traces
Python
Interpreted language!
Very simple for complex jobs!

Removing traces
Retrieve the last access dates of a
resource before running the automation
os.path.getatime(%PATH)
touch -c -t -%TIME -%PATH
Roll-back last access time after the
execution of the script
Run automation (Simulator module)

Removing traces
Compiling Python ﬁles...why?
Introduction of indirect traces!
Cannot clean its own traces!
A stand-alone app doesn’t leave traces,
AT ALL!

Removing traces
Compiling Python ﬁles...how?
curl -O http://peak.telecommunity.com/dist/ez_setup.py
sudo python ez_setup.py -U setuptools
sudo easy_install -U py2app
py2applet --make-setup MyApplication.py
python setup.py py2app -A
this is the WIPER/
SCHEDULER module!

And what about the direct traces?

Names of legal apps for the modules
e.g.Wiper/Scheduler = Caffeine.app
Secure deletion of modules and
rename legal apps
Obfuscating direct traces

Names of the apps are not suspect
The apps used in the process are apps really installed
on the laptop!
All references to these apps are legal!
Obfuscating direct traces

The Launcher module

Problem: How launch the procedure?
Solution
A launcher module is needed
Wiper/Scheduler module needs
administrator privileges

Terminal???
Launcher module
It’s not a good idea because
some resources would be touch!
Bash History
Shell resources
Other resources

Launcher module
AppleScript can leave traces!
AppleScript???
Who cleans these traces???

Python, again!
Launcher module
Compiled Python app, again!
os.system("echo password|sudo -S /Volumes/MYPEN/Anonimus_e-
Mail.app/Contents/MacOS/Anonimus_e-Mail")
this is the launcher
module!

Problem
Launcher can’t be deleted while
running!
Launcher
callWiperScheduler()
callSimulator()
Wiper/Scheduler Simulator
When the Simulator ends its execution,Wiper/
Scheduler does not delete the Launcher
module because is the Launcher that keep alive
the Wiper/Scheduler!

Solution
Use of threads
ppid=os.getppid()
pid=os.fork()
if pid==0 :
os.kill(pid, signal.SIGKILL)
Launcher
callWiperScheduler()
callSimulator()
Wiper/Scheduler Simulator
os.fork()
Wiper/Scheduler
kill()
Using a thread we create a “good brother” of
Wiper/Scheduler.This allows the “bad brother”
to kill the Launcher module, keeping alive the
good brother and the whole work of the
Wiper/Scheduler module

But this operation leave
undesiderable traces in the log ﬁles
wifipers3128 sudo[1357]:password : TTY=unknown ; PWD=/Volumes/
MYPEN/Caffeine.app/Contents/Resources ; USER=root ; COMMAND=/
Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail
host-001 [0x0-0x71071].org.pythonmac.unspecified.Caffeine[1406]:
1410 Killed: 9 | sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/
Contents/MacOS/Anonimus_e-Mail
.log

Copy the log ﬁles before the automatism
Replace the log ﬁles containing
traces, with the previous one
Solving the problem...
AUTOMATION

How bring the ﬁles on a laptop?

curl -O http://remote_resources
More possibilities
Get a remote resource - curl command
Use a resource of Dropbox

Occam’s razor
“When things being equivalent,
a simpler explanation
is better than a more complex one”
Put ﬁles on a pendrive with
non-journaled ﬁle system

Summarizing...

...The structure of the process
Wiper/Scheduler
Simulator
Sniffomucca.app
Caffeine.app
anonimous_e-
mail.app
Launcher

MYPEN Contents - Before
Caffeine_p.app
SniffoMucca_p.app
Anonimous_e-mail_p.app
Caffeine.app + Caffeine.py
SniffoMucca.app
Anonimous_e-mail.app + Anonimous_e-mail.py
Automatism apps Legal apps

MYPEN Contents - After
Caffeine.app
SniffoMucca.app
Anonimous_e-mail.app
Legal apps

Where can we test the procedure?
Where can we test the whole process?

Enviroment setup
Virtual Machine:Why?
Come back to another state of disk is
simple
Needed to build and test the false
alibi procedure

Virtual Machine:The choise
VIRTUALBOX
PARALLELS
DESKTOP
VMWARE
FUSION
Creation
Management
License

Virtual Machine:The choise
VIRTUALBOX
PARALLELS
DESKTOP
VMWARE
FUSION
Creation
Management
License
ACCEPT

Enviroment setup
goal
Generate an exact duplicate of the
source media under investigation
The destination media MUST BE
erased!
Some tools could be used: dd,
dcﬂdd, dc3dd

Enviroment setup
First step
HD 1 HD 2
dd if=/dev/zero of=dev/disk bs=512 conv=notrunc

Second step
Enviroment setup
HD 1

Enviroment setup
Third step
HD 1
HD 2
dd if=/dev/sda of=dev/sdb bs=512 conv=notrunc

A post-mortem
digital forensic
Paragraph 4.C
in the thesis

The only way for being sure about
the construction on the false
digital alibi is to do a digital
forensic analysis on the hard disk,
on the pendrive and in the log
files!
Digital forensic
“The use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence
derived from digital sources for the purpose of facilitating of
furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized action shown to be disruptive to
planned operations.”
[Digital Forensics ResearchWorkshop I - 2001]

Digital forensic - How
secure.log
system.log
.bash_history
Safari resources
We have to search in the log files of Mac OS X
“Mac OS X, iPod, and iPhone Forensic Analysis Toolkit”

About log files
We have already talk about the log files
The copy on the pendrive before the
automatism does not allow to have surprises!
Anyways, we used a grep command on the
log filed
grep iAmTheAutomatism7777 /private/var/log/secure.log
grep iAmTheAutomatism7777 /private/var/log/system.log

Bash History
.bash_history is an hidden ﬁle located in the user home

About Bash History
The bash history ﬁle is never
directly open in the process
All the comands are runned
by Python!
.bash_history is empty!

Safari Resources - Cache.db

About Cache.db
"#“
! _
_CFURLStringType_CFURLString
_
http://www.google.it/s?hl=it&gs_nf=1&cp=20&gs_id=14&xhr=t&q=Extract%20class
%20Fowler&pf=p&output=search&sclient=psy-ab&oq=&aq=&aqi=&aql=&gs_l=&pbx=1&bav=on.
2,or.r_gc.r_pw.r_qf.,cf.osb&fp=b58bcc71a4fb82fa&biw=1024&bih=674&tch=1&ech=2&psi=hCjgT6eFA
s3usgb5oOTACA.1340090487838.1#Aµê`a¡◊
⁄
!VServerContent-Type_
Transfer-EncodingTDate_
X-Frame-Options_
Content-Encoding_
X-XSS-Protection_
Content-Disposition]Cache-ControlWExpiresSgws_
application/json; charset=UTF-8XIdentity_
Tue, 19 Jun 2012 07:21:52 GMTZSAMEORIGINTgzip]1; mode=blockZattachment_
private, max-age=0R-1
n_
__CFURLResponseNullTokenString__
≠≤ƒ◊Í
Safari stores in the cache.db
all sites visited by users
We cannot use Safari for
dangerous operations
Cache.db does not contains relevant infos

Safari Resources - History
Safari History contains only the sites visited by
AppleScript

Are there traces in the hard disk or
on the pendrive?

How search traces of the automatism?
In the automatism ﬁles we have insert a “signature” of
the automatism...

grep -ros iAmTheAutomatism7777 ./
How search traces of the automatism?
...and we used a grep command on the hard disk and on
the pendrive
grep command does not retrieve any ﬁle with this
string

Problem
Launcher,Wiper/Scheduler and
Simulator modules could create some
temporary ﬁles!
Solution
We have to analyze deleted ﬁles!

Deleted ﬁles analysis - How
Photorec is a data recovery software designed to recover
lost ﬁles from hard disks, pendrive and so on

Deleted ﬁles analysis
We launched Photorec on the hard disk and on the
pendrive and we used the grep command
grep -ros iAmTheAutomatism7777 ./
grep command does not retrieve any ﬁle with this
string, again!

conclusions
future works
Chapter 5
in the thesis

Is realistic a false digital alibi on Mac OS X 10.7.3?
Create a false digital alibi is possible!
Remove the traces is possible if you use proper
features of Mac OS X!
Conclusions...

...and future works...
Can we create a false digital alibi using
Automator?
Test the automatism on a real enviroment!
Test the automatism on a different
versions of Mac OS X

Thank you!
Questions and/or comments
Dario Di Nucci d.dinucci@studenti.unisa.it
Fabio Palomba f.palomba3@studenti.unisa.it
Stefano Ricchiuti s.ricchiuti@studenti.unisa.it
Remind the link:
https:// www.dropbox.com/sh/8cfw9b0aembhzd5/mbVMwXBCBR

A false digital alibi on mac os x

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (8)

Similar to A false digital alibi on mac os x

Similar to A false digital alibi on mac os x (20)

Recently uploaded

Recently uploaded (20)

A false digital alibi on mac os x