Issues and implementation of a process for creating a false digital alibi.
The aim is to produce a state of the personal computer that confirms a false digital alibi, following the execution of an automated procedure, without leaving any traces of the automation. The aim is to answer the questions:
1) How reliable is a digital alibi?
2) May it have been artificially created?
Within the project, the issues to consider while creating a false alibi on a machine running Mac OS X are discussed, and it is demonstrated that it is possible to produce artificially "human" traces of machine use.
1. A false digital alibi on Mac OS X
Dario Di Nucci
Fabio Palomba
Stefano Ricchiuti
University of Salerno
Challenge and solutions
Sunday 15 July 2012
2. Focusing on Mac OS X
Mac OS X & forensics: how and what?
Evaluation of the work
A case study
- Developing the false digital alibi
- A post-mortem digital forensic analysis
Is a false digital alibi on Mac OS X realistic?
3. Focusing on Mac OS X
Chapter 3
in the thesis
5. Disk Utility
Manager of all file systems in your Mac
Complete information retrieval on all disks
Improves stability and performance
Runnable from a live boot
Fixes file system errors
Prevents errors
First Aid
Disk Utility
7. FileVault
User password: encrypts and decrypts the disk
Master password: for system recovery
XTS-AES 128-bit encryption
8. Time Machine
All actions on files (deleted, modified, moved) are recorded on an external disk
The actions are revertible!
Huge impact on digital forensics
9. Why analyze these?
Creating false digital evidence is possible!
How?
Construct a false digital alibi using built-in software
11. A false digital alibi: how to...
AppleScript
“AppleScript is a scripting language that makes possible direct control of scriptable applications and of many parts of the Mac OS. With scriptable applications, users can write scripts to automate operations.”
[https://developer.apple.com]
12. A false digital alibi: how to...
Example...
tell application "Finder" to quit
display dialog "Mostra Files nascosti..." buttons {"Si", "No", "Annulla"} ¬
    default button 3
copy the result as list to {buttonpressed}
try
    if the buttonpressed is "No" then do shell script ¬
        "defaults write com.apple.finder AppleShowAllFiles OFF"
    if the buttonpressed is "Si" then do shell script ¬
        "defaults write com.apple.finder AppleShowAllFiles ON"
end try
tell application "Finder" to launch
13. A false digital alibi: how to...
Automator
“Automator is your personal automation assistant, making it easy for you to do more, and with less hassle. With Automator, you use a simple drag-and-drop process to create and run “automation recipes” that perform simple or complex tasks for you, when and where you need them.”
[http://support.apple.com]
15. Automator VS AppleScript?
Actions via Drag & Drop
Simple to learn and use
What about translation?
Direct control on Mac OS X
REJECT
ACCEPT
19. The false digital alibi maker
Automatism setup - Structural Decomposition
The automatism activator
Manager of the actions of deletion of traces and scheduling
20. Automatism setup - Structural Decomposition
How to develop these modules?
Bottom-up
Developing the Simulator before the other modules allows us to understand which traces have to be covered
27. Double execution
Manual execution -> State t1
Launch automatism -> State t2
Find the accessed and modified files in t1 and t2
Retrieve the differences between t1 and t2
33. Removing traces
Retrieve the last access date of a resource before running the automation
os.path.getatime(%PATH)
touch -c -t %TIME %PATH
Roll back the last access time after the execution of the script
Run the automation (Simulator module)
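The two operations above, seen from the examiner's side. This is an added example, not code from the thesis: it implements the state comparison of slide 27 (which files changed between t1 and t2) and then shows why the access-time rollback of slide 33 is detectable. touch and os.utime can set atime and mtime, but every write to a file's timestamps stamps its inode change time (ctime) with the real clock, and ctime cannot be set from user space; a file whose ctime is far newer than both its atime and mtime is therefore a candidate for timestamp manipulation (chmod, chown and rename also bump ctime, so it is a lead, not a proof). The function names, the 60-second tolerance and the temporary-directory scenario in demo() are my assumptions.

```python
"""Timeline diff of a file tree and detection of timestamp rollback (added example)."""
import os
import tempfile
import time

FIELDS = ("atime", "mtime", "ctime", "size")


def snapshot(root):
    """Map relative path -> (atime, mtime, ctime, size) for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            state[os.path.relpath(full, root)] = (st.st_atime, st.st_mtime, st.st_ctime, st.st_size)
    return state


def diff_snapshots(before, after):
    """Return {path: [changed fields]}; new files are 'created', missing ones 'deleted'."""
    changes = {}
    for path in set(before) | set(after):
        if path not in before:
            changes[path] = ["created"]
        elif path not in after:
            changes[path] = ["deleted"]
        else:
            changed = [f for f, a, b in zip(FIELDS, before[path], after[path]) if a != b]
            if changed:
                changes[path] = changed
    return changes


def find_ctime_anomalies(state, tolerance=60.0):
    """Files whose ctime is later than both atime and mtime by more than `tolerance` seconds."""
    return sorted(path for path, (atime, mtime, ctime, _size) in state.items()
                  if ctime - max(atime, mtime) > tolerance)


def demo():
    """Constructed scenario in a temporary directory; returns the analyses for checking."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "report.txt")
        with open(doc, "w") as fh:
            fh.write("original content\n")
        # Give the document week-old atime/mtime so the session stands out (constructed value).
        old = int(time.time()) - 7 * 24 * 3600
        os.utime(doc, (old, old))
        t1 = snapshot(root)

        # Simulated session: one file is edited, one file is created.
        with open(doc, "a") as fh:
            fh.write("appended during the session\n")
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("created during the session\n")
        t2 = snapshot(root)

        # Timestamp rollback of the edited file, as slide 33 does with touch.
        # atime and mtime go back to the old values; ctime is stamped with "now".
        os.utime(doc, (old, old))
        t3 = snapshot(root)

        return {
            "session_changes": diff_snapshots(t1, t2),
            "rollback_changes": diff_snapshots(t2, t3),
            "anomalies_after_rollback": find_ctime_anomalies(t3),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real image the examiner runs snapshot() against the mounted read-only copy and keeps the result next to the dd image; the ctime heuristic is then cross-checked against the file system journal (where present) and the log time line before anything is called manipulated.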
34. Removing traces
Compiling Python files...why?
Introduction of indirect traces!
It cannot clean its own traces!
A stand-alone app doesn't leave traces, AT ALL!
35. Removing traces
Compiling Python files...how?
curl -O http://peak.telecommunity.com/dist/ez_setup.py
sudo python ez_setup.py -U setuptools
sudo easy_install -U py2app
py2applet --make-setup MyApplication.py
python setup.py py2app -A
This is the WIPER/SCHEDULER module!
37. Names of legitimate apps for the modules
e.g. Wiper/Scheduler = Caffeine.app
Secure deletion of the modules and renaming of legitimate apps
Obfuscating direct traces
38. The names of the apps are not suspicious
The apps used in the process are apps really installed on the laptop!
All references to these apps are legitimate!
Obfuscating direct traces
40. Problem: how to launch the procedure?
Solution
A launcher module is needed
The Wiper/Scheduler module needs administrator privileges
41. Terminal???
Launcher module
It's not a good idea because some resources would be touched!
Bash history
Shell resources
Other resources
43. Python, again!
Launcher module
Compiled Python app, again!
os.system("echo password|sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail")
This is the launcher module!
44. Problem
The Launcher can't be deleted while running!
Launcher
callWiperScheduler()
callSimulator()
Wiper/Scheduler   Simulator
When the Simulator ends its execution, the Wiper/Scheduler does not delete the Launcher module, because it is the Launcher that keeps the Wiper/Scheduler alive!
45. Solution
Use of threads
import os
import signal

ppid = os.getppid()
pid = os.fork()
if pid == 0:
    # child process: terminate the parent Launcher (ppid) and carry on
    os.kill(ppid, signal.SIGKILL)
Launcher
callWiperScheduler()
callSimulator()
Wiper/Scheduler   Simulator
os.fork()
Wiper/Scheduler
kill()
Using a thread (in the code, a forked child process) we create a "good brother" of the Wiper/Scheduler. This allows the "bad brother" to kill the Launcher module, keeping alive the good brother and the whole work of the Wiper/Scheduler module.
46. But this operation leaves undesirable traces in the log files
wifipers3128 sudo[1357]: password : TTY=unknown ; PWD=/Volumes/MYPEN/Caffeine.app/Contents/Resources ; USER=root ; COMMAND=/Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail
host-001 [0x0-0x71071].org.pythonmac.unspecified.Caffeine[1406]: 1410 Killed: 9 | sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail
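An examiner's filter over entries of this kind, added here as an example; it is not code from the thesis. The sample lines are constructed after the two on the slide (timestamps, host name and user field are placeholders). Three conditions are flagged: a sudo record with TTY=unknown, which is what sudo writes when the password did not come from a terminal (the sudo -S launcher of slide 43); a COMMAND or PWD under /Volumes/, i.e. removable media; and a "Killed: 9" record, the SIGKILL of slide 45 as system.log records it. The rule names and the dictionary layout of the findings are my assumptions.

```python
"""Triage of sudo and kill records from secure.log / system.log (added example)."""
import re

# Constructed sample, modelled on the two lines shown on the slide; the third
# line is a normal interactive sudo that must not be flagged.
SAMPLE_LOG = """\
Jul 15 12:00:01 host-001 sudo[1357]: user : TTY=unknown ; PWD=/Volumes/MYPEN/Caffeine.app/Contents/Resources ; USER=root ; COMMAND=/Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail
Jul 15 12:00:02 host-001 [0x0-0x71071].org.pythonmac.unspecified.Caffeine[1406]: 1410 Killed: 9 | sudo -S /Volumes/MYPEN/Anonimus_e-Mail.app/Contents/MacOS/Anonimus_e-Mail
Jul 15 12:05:10 host-001 sudo[1500]: user : TTY=ttys000 ; PWD=/Users/user ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
"""

# sudo's standard log line: "<user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\]: (?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.*?) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# "<pid> Killed: 9 | <command line>" as written when a process dies by SIGKILL
KILLED_RE = re.compile(r"(?P<pid>\d+) Killed: 9 \| (?P<cmd>.*)$")


def triage(log_text):
    """Return a list of {line, rule, detail} findings for the suspicious records."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = SUDO_RE.search(line)
        if m:
            if m["tty"] == "unknown":
                # Password supplied on stdin or from a non-interactive context.
                findings.append({"line": number, "rule": "sudo_non_tty", "detail": m["cmd"]})
            if m["cmd"].startswith("/Volumes/") or m["pwd"].startswith("/Volumes/"):
                findings.append({"line": number, "rule": "removable_media", "detail": m["cmd"]})
            continue
        k = KILLED_RE.search(line)
        if k:
            findings.append({"line": number, "rule": "sigkill", "detail": k["cmd"]})
            if "/Volumes/" in k["cmd"]:
                findings.append({"line": number, "rule": "removable_media", "detail": k["cmd"]})
    return findings


def rules_by_line(findings):
    """Group finding rule names by log line number, for reporting."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["line"], set()).add(finding["rule"])
    return grouped


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Restoring a pre-session copy of secure.log and system.log (slide 47) removes such lines from those two files, but the copy changes the restored files' own ctime and size, and on 10.7 syslogd also writes messages to the ASL data store under /var/log/asl, so the filter is worth running over every copy of the log an examiner can find, not just the two files.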
47. Solving the problem...
Copy the log files before the automatism
Replace the log files containing traces with the previous ones
AUTOMATION
48. How to bring the files onto a laptop?
50. Occam's razor
“When things are equivalent, a simpler explanation is better than a more complex one”
Put the files on a pendrive with a non-journaled file system
61. Environment setup
Goal
Generate an exact duplicate of the source media under investigation
The destination media MUST BE erased!
Some tools could be used: dd, dcfldd, dc3dd
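What the dd/dcfldd/dc3dd step has to guarantee, written out as an added example in Python rather than the thesis' own procedure: a block-by-block copy that tolerates unreadable blocks the way dd's conv=noerror,sync does (zero-fill, record the offset, continue) and hashes what it writes, so the image can be verified against the source before any analysis starts. Paths and block size are parameters of my choosing, and demo() runs on a constructed file because there is no device to image here.

```python
"""Bit-for-bit imaging with read-error handling and SHA-256 verification (added example)."""
import hashlib
import os
import tempfile

DEFAULT_BLOCK = 4 * 1024 * 1024  # 4 MiB, the "bs=4m" a dd user would pick


def image_media(src_path, dst_path, block_size=DEFAULT_BLOCK):
    """Copy src to dst block by block; return (bytes_written, sha256_hex, bad_block_offsets)."""
    digest = hashlib.sha256()
    bad_blocks = []
    written = 0
    # buffering=0 gives the raw file object, so each read maps to one read() syscall.
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            pos = src.tell()
            try:
                block = src.read(block_size)
            except OSError:
                # Unreadable range: remember where it was, pad with zeros, skip past it.
                bad_blocks.append(pos)
                block = b"\0" * block_size
                src.seek(pos + block_size)
            if not block:
                break  # end of source
            dst.write(block)
            digest.update(block)
            written += len(block)
    return written, digest.hexdigest(), bad_blocks


def sha256_of(path, block_size=DEFAULT_BLOCK):
    """Independent hash of a file, used to verify the image after it is written."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(src_path, dst_path):
    """True when source and image hash identically (only expected when no block was bad)."""
    return sha256_of(src_path) == sha256_of(dst_path)


def demo():
    """Image a constructed 102410-byte file with a small block size and verify it."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "source.bin")
        dst = os.path.join(workdir, "image.dd")
        payload = bytes(range(256)) * 400 + b"0123456789"  # constructed, not a real device
        with open(src, "wb") as fh:
            fh.write(payload)
        written, image_hash, bad = image_media(src, dst, block_size=4096)
        return {
            "written": written,
            "bad_blocks": bad,
            "verified": verify_image(src, dst),
            "hash_matches_source": image_hash == sha256_of(src),
        }


if __name__ == "__main__":
    print(demo())
```

When bad_blocks is non-empty the two hashes will legitimately differ; the list of offsets is then part of the acquisition record, which is the behaviour dcfldd and dc3dd log for you.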
66. The only way to be sure about the construction of the false digital alibi is to do a digital forensic analysis on the hard disk, on the pendrive and in the log files!
Digital forensics
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations.”
[Digital Forensics Research Workshop I - 2001]
67. Digital forensics - how
secure.log
system.log
.bash_history
Safari resources
We have to search in the log files of Mac OS X
“Mac OS X, iPod, and iPhone Forensic Analysis Toolkit”
68. About log files
We have already talked about the log files
The copy made on the pendrive before the automatism leaves no room for surprises!
Anyway, we used a grep command on the log files:
grep iAmTheAutomatism7777 /private/var/log/secure.log
grep iAmTheAutomatism7777 /private/var/log/system.log
70. About Bash history
The bash history file is never directly opened in the process
All the commands are run by Python!
.bash_history is empty!
73. Safari resources - History
Safari History contains only the sites visited by AppleScript
74. Are there traces on the hard disk or on the pendrive?
75. How to search for traces of the automatism?
In the automatism files we have inserted a “signature” of the automatism...
76. How to search for traces of the automatism?
...and we used a grep command on the hard disk and on the pendrive
grep -ros iAmTheAutomatism7777 ./
The grep command does not retrieve any file with this string
78. Deleted files analysis - how
PhotoRec is data recovery software designed to recover lost files from hard disks, pendrives and so on
79. Deleted files analysis
We launched PhotoRec on the hard disk and on the pendrive, and we used the grep command on the recovered files:
grep -ros iAmTheAutomatism7777 ./
The grep command does not retrieve any file with this string, again!
81. Conclusions...
Is a false digital alibi on Mac OS X 10.7.3 realistic?
Creating a false digital alibi is possible!
Removing the traces is possible if you use the proper features of Mac OS X!
82. ...and future work...
Can we create a false digital alibi using Automator?
Test the automatism in a real environment!
Test the automatism on different versions of Mac OS X
83. Thank you!
Questions and/or comments
Dario Di Nucci d.dinucci@studenti.unisa.it
Fabio Palomba f.palomba3@studenti.unisa.it
Stefano Ricchiuti s.ricchiuti@studenti.unisa.it
Reminder, the link:
https://www.dropbox.com/sh/8cfw9b0aembhzd5/mbVMwXBCBR