File000128
Desmond Devendran
Technology
81 slides
1. Module XV – Mac Forensics
2. EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited
News: ProteMac Announces ProteMac Meter 1.1 for Mac OS X
Source: http://prmac.com/release-id-3023.htm
3. Module Objective
This module will familiarize you with:
• Mac OS and File System
• Partitioning Schemes
• Mac OS X Directory Structure
• Pre-requisites for Mac Forensics
• POSIX Permissions
• Mac OS X Log Files
• Vulnerable Features of Mac
• Imaging a Target Macintosh
• .Mac and Related Evidence
• Mac Forensics Tools
4. Module Flow
• Mac OS and File System
• Partitioning Schemes
• Mac OS X Directory Structure
• Pre-requisites for Mac Forensics
• POSIX Permissions
• Mac OS X Log Files
• Vulnerable Features of Mac
• Imaging a Target Macintosh
• .Mac and Related Evidence
• Mac Forensics Tools
5. Mac OS and File Systems
6. Mac OS X
Mac OS X is a Unix-based operating system built on the object-oriented NeXTSTEP operating system and development environment
It is a Mac platform with memory management and multitasking
The following are some of the Mac OS X versions:
• Mac OS X 10.0 “Cheetah” was the first major release of Mac OS X
• Mac OS X 10.1 “Puma” was released on September 25, 2001
• Mac OS X 10.2 “Jaguar” was the third major release of Mac OS X
• Mac OS X 10.3 “Panther”
• Mac OS X 10.4 “Tiger”
• Mac OS X 10.5 “Leopard”
7. Partitioning Schemes
The partitioning scheme is the basic definition of how a hard drive or other media is laid out for a file system to be applied
There are two types of Mac partitioning schemes:
• Apple Partition Map (PowerPC-based Macintosh)
• GUID Partition Table (Intel-based Macintosh)
8. Apple Partition Map (APM)
The Apple Partition Map is used to define the low-level organization of data on Mac-formatted disks
Apple disks are divided into blocks, with 512 bytes belonging to each block
The first block of an APM disk contains driver information
The number of entries in the partition map is not restricted; however, because the partition map must begin at block 1 and must be contiguous, it cannot easily be expanded once other partitions are created
The APM defines itself as one of the partitions on the disk
The fdisk and pdisk tools can be used to manipulate an APM
9. Apple Partition Map Entry Record
The partition map entry record is defined by the Partition data type
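Added example (Python), not part of the EC-Council slides: a parser that walks an Apple Partition Map in a raw disk image, checking the 'ER' driver-descriptor signature in block 0 and the 'PM' signature on each 512-byte map entry from block 1 onward, and using the first entry's map-block count to know how far the contiguous map extends. Field offsets follow Apple's published partition map entry record; the disk image, partition names and types below are constructed sample values.

```python
"""Parse an Apple Partition Map (APM) from a raw disk image.

Added example, not code from the EC-Council slides. Block 0 is the Driver
Descriptor Record (signature 'ER'); the map begins at block 1 as a contiguous
run of 512-byte entries (signature 'PM'), the first of which describes the map
itself. All fields are big-endian. The sample image is constructed.
"""
import struct
from typing import List, NamedTuple

BLOCK_SIZE = 512


class ApmEntry(NamedTuple):
    index: int
    start_block: int
    block_count: int
    name: str
    part_type: str
    map_block_count: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_apm(image: bytes) -> List[ApmEntry]:
    """Walk the partition map starting at block 1 and return its entries.

    Raises ValueError when a signature is missing, so a caller can tell an
    APM disk apart from a GPT/MBR disk before trusting any block offsets.
    """
    if len(image) < 2 * BLOCK_SIZE:
        raise ValueError("image too small to hold a driver descriptor and map")
    if image[0:2] != b"ER":
        raise ValueError("block 0 lacks the 'ER' Driver Descriptor signature")

    entries: List[ApmEntry] = []
    total = 1          # replaced by pmMapBlkCnt from entry 0
    index = 0
    while index < total:
        off = (1 + index) * BLOCK_SIZE
        rec = image[off:off + BLOCK_SIZE]
        if len(rec) < BLOCK_SIZE or rec[0:2] != b"PM":
            raise ValueError(f"map entry {index} lacks the 'PM' signature")
        # pmMapBlkCnt, pmPyPartStart, pmPartBlkCnt at offsets 4, 8, 12
        map_blk_cnt, py_start, blk_cnt = struct.unpack(">III", rec[4:16])
        name = _cstr(rec[16:48])        # pmPartName
        ptype = _cstr(rec[48:80])       # pmParType
        if index == 0:
            total = map_blk_cnt         # the map must be contiguous from block 1
        entries.append(ApmEntry(index, py_start, blk_cnt, name, ptype, map_blk_cnt))
        index += 1
    return entries


def _entry(map_count: int, start: int, count: int, name: str, ptype: str) -> bytes:
    """Build one 512-byte map entry (constructed test data)."""
    rec = bytearray(BLOCK_SIZE)
    rec[0:2] = b"PM"
    struct.pack_into(">III", rec, 4, map_count, start, count)
    rec[16:16 + len(name)] = name.encode("ascii")
    rec[48:48 + len(ptype)] = ptype.encode("ascii")
    return bytes(rec)


def build_sample_image() -> bytes:
    """Constructed 4-block disk: DDR, two map entries, one data block."""
    ddr = bytearray(BLOCK_SIZE)
    ddr[0:2] = b"ER"
    struct.pack_into(">HI", ddr, 2, BLOCK_SIZE, 4)   # sbBlkSize, sbBlkCount
    # entry 0 describes the map itself (blocks 1-2); entry 1 is an HFS volume
    return (bytes(ddr)
            + _entry(2, 1, 2, "Apple", "Apple_partition_map")
            + _entry(2, 3, 1, "Macintosh HD", "Apple_HFS")
            + bytes(BLOCK_SIZE))


if __name__ == "__main__":
    for e in parse_apm(build_sample_image()):
        print(f"{e.index}: {e.part_type:<22} start={e.start_block} "
              f"blocks={e.block_count} name={e.name}")
```

Because the first entry describes the map itself, a map whose first entry is not of type Apple_partition_map, or whose pmMapBlkCnt disagrees with the number of 'PM' blocks actually present, is worth noting in the examination record.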
10. GUID Partition Table
The GUID Partition Table (GPT) is a partitioning scheme introduced by Intel and adopted by Apple
The block layout used by GPT is as follows:
Block                    Description
0                        Protective MBR
1                        Partition Table Header (primary)
2 through 2+b-1          Partition Entry Array (primary)
2+b through n-2-b        Partition Data
n-2-b+1 through n-2      Partition Entry Array (backup)
n-1                      Partition Table Header (backup)
where n is the number of blocks on the disk and b is the number of blocks used to describe the partition entries
11. GUID Partition Table (cont’d)
Figure: GUID Partition Table
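Added example (Python), not from the EC-Council slides: the block layout from the table above turned into code, plus a decoder for the 92-byte GPT header found at block 1 and again at block n-1. The header format (signature 'EFI PART', little-endian fields, CRC32 computed over the header with its own CRC field zeroed) is the UEFI specification's; the disk image is constructed, and the `corrupt_primary` helper simulates damage so that the fallback to the backup header can be seen.

```python
"""Locate and validate GUID Partition Table (GPT) structures on a disk image.

Added example; not code from the EC-Council slides. Applies the slide's block
layout (block 0 protective MBR, block 1 primary header, blocks 2..2+b-1 primary
entry array, block n-1 backup header preceded by the backup entry array). The
header format follows the UEFI specification. The disk image is constructed.
"""
import struct
import zlib
from typing import Dict

BLOCK = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"          # GPT header fields, in order
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 92 bytes


def gpt_layout(n: int, b: int) -> Dict[str, range]:
    """Block ranges for a disk of n blocks whose entry array spans b blocks."""
    return {
        "protective_mbr": range(0, 1),
        "primary_header": range(1, 2),
        "primary_entries": range(2, 2 + b),
        "partition_data": range(2 + b, n - 1 - b),   # 2+b .. n-2-b inclusive
        "backup_entries": range(n - 1 - b, n - 1),   # n-2-b+1 .. n-2 inclusive
        "backup_header": range(n - 1, n),
    }


def is_protective_mbr(block0: bytes) -> bool:
    """A GPT disk's block 0 is an MBR whose first partition has type 0xEE."""
    return block0[510:512] == b"\x55\xaa" and block0[446 + 4] == 0xEE


def parse_header(block: bytes) -> Dict[str, object]:
    """Decode one header block and verify its CRC32.

    A CRC failure on the primary header is why tools fall back to the copy in
    block n-1; an examiner should decode and compare both.
    """
    fields = struct.unpack(HEADER_FMT, block[:HEADER_SIZE])
    (sig, _rev, hdr_size, hdr_crc, _res, cur, alt, first, last,
     _guid, entries_lba, n_entries, entry_size, _array_crc) = fields
    if sig != b"EFI PART":
        raise ValueError("block does not carry the 'EFI PART' signature")
    zeroed = block[:16] + b"\x00\x00\x00\x00" + block[20:hdr_size]
    crc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == hdr_crc
    return {"current_lba": cur, "alternate_lba": alt, "first_usable": first,
            "last_usable": last, "entries_lba": entries_lba,
            "num_entries": n_entries, "entry_size": entry_size, "crc_ok": crc_ok}


def _header(n: int, b: int, current: int, alternate: int, entries_lba: int) -> bytes:
    """Constructed header with a valid CRC, padded to one block."""
    hdr = bytearray(struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, HEADER_SIZE,
                                0, 0, current, alternate, 2 + b, n - 2 - b,
                                bytes(16), entries_lba, 128, 128, 0))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr) + bytes(BLOCK - HEADER_SIZE)


def build_sample_disk(n: int = 256, b: int = 32) -> bytes:
    """Constructed n-block disk: protective MBR plus primary and backup headers."""
    lay = gpt_layout(n, b)
    disk = bytearray(n * BLOCK)
    disk[446 + 4] = 0xEE
    disk[510:512] = b"\x55\xaa"
    disk[BLOCK:2 * BLOCK] = _header(n, b, 1, n - 1, 2)
    disk[(n - 1) * BLOCK:] = _header(n, b, n - 1, 1, lay["backup_entries"].start)
    return bytes(disk)


def corrupt_primary(disk: bytes) -> bytes:
    """Flip one byte inside the primary header's first-usable-LBA field."""
    damaged = bytearray(disk)
    damaged[BLOCK + 40] ^= 0xFF
    return bytes(damaged)


def validate_disk(disk: bytes) -> Dict[str, object]:
    """Report whether the MBR, primary header and backup header are sound."""
    n = len(disk) // BLOCK
    primary = parse_header(disk[BLOCK:2 * BLOCK])
    backup = parse_header(disk[(n - 1) * BLOCK:])
    return {"protective_mbr": is_protective_mbr(disk[:BLOCK]),
            "primary_ok": primary["crc_ok"] and primary["alternate_lba"] == n - 1,
            "backup_ok": backup["crc_ok"] and backup["alternate_lba"] == 1,
            "first_usable": primary["first_usable"],
            "last_usable": primary["last_usable"]}


if __name__ == "__main__":
    print(validate_disk(build_sample_disk()))
    print(validate_disk(corrupt_primary(build_sample_disk())))
```

With the default 128 entries of 128 bytes the entry array is 16384 bytes, i.e. b = 32 blocks of 512 bytes, which is why the first usable block of a 512-byte-sector GPT disk is normally 34.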
12. Mac OS X File System
Mac OS X supports a variety of file systems and volume formats, such as:
• HFS – Mac OS Standard file system. Standard Macintosh file system for older versions of Mac OS
• HFS Plus – Mac OS Extended file system. Standard Macintosh file system for Mac OS X
• UFS – Unix File System. A variant of the BSD “Fast File System”
• WebDAV – Used for directly accessing files on the web
• UDF – Universal Disk Format. The standard file system for all forms of DVD media and some writable CD formats
• FAT – The MS-DOS file system, with 16- and 32-bit variants
• SMB/CIFS – Used for sharing files with Microsoft Windows SMB file servers
• AFP – AppleTalk Filing Protocol. The primary network file system for all versions of Mac OS
• NFS – Network File System. A commonly used BSD file sharing standard. Mac OS X supports NFSv2 and NFSv3 over TCP and UDP
• FTP – A file system wrapper for the standard Internet File Transfer Protocol
13. HFS+ File System
The major components of the HFS+ file system are:
• Volume header – contains file system attributes, such as the version and the allocation block size, and information to locate the metadata files
• Allocation file – tracks the usage status of the allocation blocks
• Catalog file – contains the majority of file and folder metadata
• Extents overflow file – contains additional extents records for files composed of more fragments than can be recorded in the catalog file
• Attributes file – extensible metadata; it is used for features such as access control lists and Time Machine
• Journal file – allocated as a contiguous set of blocks on the file system
14. HFS+ File System (cont’d)
Figure: HFS+ File System volume layout (Reserved (1024 bytes), Volume Header, Allocation File, Extents Overflow File, Catalog File, Attributes File, Startup File, Alternate Volume Header, Reserved (512 bytes), File Data or Free Space)
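Added example (Python), not code from the EC-Council slides: a decoder for the HFS+ volume header that sits in the 512 bytes after the 1024 reserved bytes shown in the figure. It reads the attributes that matter to an examiner (journaled, cleanly unmounted, last mounting version), converts the 1904-epoch timestamps, and reads the fork descriptors of the allocation, extents overflow, catalog, attributes and startup files listed on the slide. Field order and the epoch follow Apple Technical Note TN1150; the volume image is constructed.

```python
"""Decode an HFS+ volume header from a raw volume image.

Added example; not code from the EC-Council slides. Field order follows Apple
Technical Note TN1150: the header is the 512 bytes after the 1024 reserved
bytes, fields are big-endian, and dates count seconds from 1904-01-01 00:00:00.
The volume image built by build_sample_volume() is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

VH_OFFSET = 1024
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
FIXED_FMT = ">HH" + "I" * 17 + "Q"     # signature .. encodingsBitmap (80 bytes)
FORK_NAMES = ("allocation", "extents_overflow", "catalog", "attributes", "startup")
ATTR_UNMOUNTED = 1 << 8      # kHFSVolumeUnmountedBit: set after a clean unmount
ATTR_JOURNALED = 1 << 13     # kHFSVolumeJournaledBit


def hfs_date(secs: int) -> Optional[datetime]:
    """HFS+ date (seconds since 1904) to datetime; 0 means 'never set'."""
    return HFS_EPOCH + timedelta(seconds=secs) if secs else None


def parse_fork(raw: bytes) -> Dict[str, object]:
    """HFSPlusForkData: logical size, clump size, block count, eight extents."""
    logical, _clump, blocks = struct.unpack(">QII", raw[:16])
    ext = struct.unpack(">16I", raw[16:80])
    extents: List[Tuple[int, int]] = [(ext[i], ext[i + 1])
                                      for i in range(0, 16, 2) if ext[i + 1]]
    return {"logical_size": logical, "total_blocks": blocks, "extents": extents}


def parse_volume_header(image: bytes) -> Dict[str, object]:
    """Return the forensically interesting header fields of an HFS+ volume."""
    vh = image[VH_OFFSET:VH_OFFSET + 512]
    if len(vh) < 512:
        raise ValueError("image too small to contain a volume header")
    sig = vh[:2]
    if sig not in (b"H+", b"HX"):          # HFS+ or case-sensitive HFSX
        raise ValueError(f"unexpected volume signature {sig!r}")
    f = struct.unpack(FIXED_FMT, vh[:80])
    attrs = f[2]
    info: Dict[str, object] = {
        "signature": sig.decode("ascii"),
        "version": f[1],
        "last_mounted_version": vh[8:12].decode("ascii", "replace"),
        "journaled": bool(attrs & ATTR_JOURNALED),
        "cleanly_unmounted": bool(attrs & ATTR_UNMOUNTED),
        # TN1150: createDate is stored in local time, the other dates in UTC
        "create_date_local": hfs_date(f[5]),
        "modify_date": hfs_date(f[6]),
        "backup_date": hfs_date(f[7]),
        "checked_date": hfs_date(f[8]),
        "file_count": f[9],
        "folder_count": f[10],
        "block_size": f[11],
        "total_blocks": f[12],
        "free_blocks": f[13],
        "capacity_bytes": f[11] * f[12],
    }
    for i, name in enumerate(FORK_NAMES):
        off = 112 + i * 80                 # forks follow the 32-byte finderInfo
        info[name + "_file"] = parse_fork(vh[off:off + 80])
    return info


def build_sample_volume() -> bytes:
    """Constructed image: 1024 reserved bytes, then a journaled HFS+ header."""
    create = int((datetime(2008, 3, 14, 9, 30, tzinfo=timezone.utc)
                  - HFS_EPOCH).total_seconds())
    modify = create + 10 * 86400
    vh = bytearray(512)
    struct.pack_into(FIXED_FMT, vh, 0,
                     0x482B, 4, ATTR_JOURNALED | ATTR_UNMOUNTED,
                     int.from_bytes(b"HFSJ", "big"), 0,
                     create, modify, 0, create,
                     1234, 56, 4096, 262144, 100000,
                     0, 65536, 65536, 2000, 7, 1)
    # catalog file fork: 8 MiB in one extent starting at allocation block 1024
    struct.pack_into(">QIIII", vh, 112 + 2 * 80, 8388608, 8388608, 2048, 1024, 2048)
    return bytes(VH_OFFSET) + bytes(vh)


if __name__ == "__main__":
    for key, value in parse_volume_header(build_sample_volume()).items():
        print(f"{key}: {value}")
```

The same decoder can be pointed at the alternate volume header near the end of the volume (the second-to-last 1024 bytes in the figure) to cross-check a primary header that looks damaged or altered.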
15. Mac OS X Directory Structure
The ls command is used to list the directories
The following are the directories in Mac OS X:
• /Applications – This is where your Mac’s applications are kept
• /System – System-related files, libraries, and preferences, critical for the proper function of Mac OS X
• /Library – Shared libraries and files necessary for the operating system to function properly, including settings, preferences, and other necessities
• /Network – Contains information about network-related devices, servers, libraries, etc.
• /Users – All user accounts on the machine and their accompanying unique files and settings
• /Volumes – Mounted devices and volumes, either virtual or real, such as hard disks, CDs, DVDs, and DMG mounts
16. Mac OS X Directory Structure (cont’d)
• /bin – Essential common binaries; holds files and programs needed to boot the operating system
• /etc – Machine-local system configuration; holds administrative, configuration, and other system files
• /usr – Second major hierarchy; includes subdirectories that contain information, configuration files, and other essentials used by the operating system
• /sbin – Essential system binaries; contains utilities for system administration
• /tmp – Temporary files, caches, etc.
• /var – Variable data; contains files whose contents change as the operating system runs
17. Mac Security Architecture Overview
Mac OS X security is built on the following two standards:
• Berkeley Software Distribution (BSD) – provides fundamental services, such as the basis for the Mac OS X file system, including file access permissions
• Common Data Security Architecture (CDSA) – provides a wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secured data storage
18. Screenshot: Mac Security Architecture
Figure: Mac Security Architecture (BSD: Berkeley Software Distribution; CDSA: Common Data Security Architecture; API: application programming interface)
19. Mac Forensics: Collecting Evidence
20. Pre-requisites for Mac Forensics
Pre-requisites for Mac forensics are:
• Macintosh OS X based laptop for mobile forensics
• Macintosh OS X based desktop for laboratory forensics
• Mac OS X with the Xcode tools installed
• FireWire cable with the appropriate adapters
• USB flash drive, minimum of 1 GB in size
• Examination Notes information sheet
21. Obtaining System Date and Time
Steps to obtain the date and time if the system is on and has no Open Firmware Password or has disabled single-user mode:
• Press the power button to start the computer
• Immediately press and hold the Command (Apple) key and the "s" key to go to single-user mode
• Type "date" at the prompt near the bottom of the screen and press Return
Steps to obtain the date and time if the system is running:
• Open Date & Time preferences
• Take a screenshot of the time and date setting
• Check the “time zone” selected and take a screenshot
22. Date and Time Preferences
23. Single User Mode
Single User Mode provides “root” user privilege
The following commands can be used for safe information gathering in Single User Mode:
• date – Returns the date with the current time zone applied
• date -u – Returns the date in UTC
• hdiutil partition /dev/disk0 – Returns the partition table of the boot drive
• hdiutil pmap2 /dev/disk0 – Returns additional partition table information for the boot drive
• ls /dev/disk? – Lists the current device files in use for installed disks
• system_profiler SPHardwareDataType – Returns Macintosh hardware info
• system_profiler SPSoftwareDataType – Returns operating system info
• system_profiler SPParallelATADataType – Returns info on ATA devices
• system_profiler SPHardwareRAIDDataType – Returns info on hardware RAID
• system_profiler SPMemoryDataType – Returns info on installed memory
• system_profiler SPParallelSCSIDataType – Returns info on SCSI devices
• system_profiler SPSASDataType – Returns info on SAS devices
• system_profiler SPSerialATADataType – Returns info on SATA devices
24. Determining and Resetting the Open Firmware Password
First determine if an Open Firmware Password is used:
• Press the Power button and immediately hold down the Option key
• A password dialog confirms the use of an Open Firmware Password
Resetting the password:
• The Open Firmware Password will be reset if a user changes the amount of physical memory in the machine and reboots
Note: Resetting the password will reset the system clock
25. Checking Plist Files
User settings are stored in plist (Property List) files
The Property List Editor utility reveals the data contained within plist files
The following are miscellaneous plist files:
• /System/Library/CoreServices/SystemVersion.plist – Contains the current version of the installed operating system
• /private/var/log/OSInstall.custom – Contains the date and time the operating system was first installed (completion time, not start time)
• /private/etc/hosts – Contains defined IP addresses and the associated names
26. Gathering Network Setting Information from Plist Files
• /Library/Preferences/com.apple.alf.plist – Firewall settings
• /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist – AirPort (wireless) settings
• /Library/Preferences/SystemConfiguration/com.apple.nat.plist – Internet Sharing settings
• /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist – Historical network TCP/IP assignments with timestamps
• /Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist – Onboard interfaces
• /Library/Preferences/SystemConfiguration/com.apple.preferences.plist – Network configuration for each interface
27. Collect User Home Directory Information
Each time a user is added to the computer, Mac OS X creates a new folder named after that user, called the "Home directory"
The Users folder on the Mac OS X disk stores the Home directories for all of the computer's users
Major folders in users’ Home directories:
• Desktop – Contains all of the items that are seen on the user's desktop
• Documents – Typically contains user data files such as Pages, Keynote, MS Word, and other types of files
• Limewire – Created by the Limewire application; by default, it stores shared files and downloaded files
• Incomplete – Created by Limewire and contains files that have not yet been successfully downloaded to this user's account
• Library – Contains logs, preferences, browser history, recent files, etc.
28. Collect User Home Directory Information (cont’d)
Major folders in users’ Home directories:
• Magazines – Used by the Zinio Reader application for electronic magazines
• Movies – Contains iDVD movie data, QuickTime files, and other digital video material
• Music – Contains a user's iTunes library and other digital music material such as MP3 files
• Pictures – Contains a user's digital photo collection such as the iPhoto library
• Public – This is a "drop box" where other users have permissions to place files and read files, but not delete files
• Sites – If a WWW server is active, such as the built-in Apache web server, users can host their website from this directory
Figure: User Home Directory
29. Forensic Information in the User’s Library Folder
The User Library folder contains information such as user-specific drivers, fonts, settings, and system add-ons
It also gives information about the browser’s history, webpage cache, email remnants, email attachments, and indexes
The following are some of the folders in the User Library folder:
• Application Support
• Automator
• Caches
• Cookies
• Favorites
• Logs
• Mail and Mail Downloads
• Phones
• Recent Servers
• Safari
30. Forensic Information in the User’s Library Folder (cont’d)
• Application Support – Includes information about applications installed, and may show usage information
• Automator – User-specific actions such as file copying, server connections, and other actions a user wants to automate will be stored here
• Caches – Include information on application usage, web sites visited, buddy lists, and downloaded files
• Cookies – Used by Safari and other web browsers for the cookies of various websites
• Favorites – Show other network resources that the user considered important enough to be able to easily return to
31. Forensic Information in the User’s Library Folder (cont’d)
• Logs – This folder contains log files for many applications and usage information
• Mail and Mail Downloads – These folders contain email and files that were attached to emails received under this account
• Phones – This folder contains cell phones that have been connected to this computer under this account
• Recent Servers – This folder contains information on servers that have been recently connected to, including AFP and FTP sites
• Safari – This folder contains the vital information on Safari’s usage, including bookmarks and history
32. Collect User Accounts Information
Check the non-admin and admin accounts to verify the additional user privileges or restrictions
The following table shows the access provided to user accounts:
• Guest (non-administrator) – Restricted user access (disabled by default)
• Standard (non-administrator) – Non-privileged user access
• Managed (non-administrator) – Restricted user access
• Administrator – Full computer configuration administration
• System administrator (root) – Unrestricted access to the computer
33. User IDs
Every user account has a User ID, which is a number that uniquely identifies a user
The user ID is a unique string of digits between 500 and 2,147,483,648
Use the user ID to track a user’s folder and file ownership
User ID 0 is reserved for the root user, and user IDs below 100 are reserved for the system’s use
34. Gathering User Information from Plist Files
• /Library/Preferences/com.apple.loginwindow.plist – Auto-login user and last login user
• /Users/username/Library/Preferences/loginwindow.plist – User auto-launch items
• /Library/Preferences/com.apple.preferences.accounts.plist – Deleted users
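Added example (Python), not code from the EC-Council slides, covering the plist files named on this slide and on the "Checking Plist Files" and network-settings slides: Python's standard plistlib reads both XML and binary property lists, so one loader serves the system, network and user plists, and the example extracts the last/auto-login user and the deleted-user records. The two plists below are constructed; the key names used (lastUserName, autoLoginUser, deletedUsers with name/uid/date) are assumptions about what com.apple.loginwindow.plist and com.apple.preferences.accounts.plist contain, not something the slides state.

```python
"""Read user-login evidence out of Mac OS X property list (plist) files.

Added example, not from the EC-Council slides. plistlib detects XML versus
binary plists, so the same code applies to every plist path on the slides.
The sample plists are constructed; the key names are assumptions.
"""
import plistlib
from datetime import datetime, timezone
from typing import Any, Dict, List

# constructed: what /Library/Preferences/com.apple.loginwindow.plist might hold
LOGINWINDOW_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>lastUserName</key><string>jdoe</string>
  <key>autoLoginUser</key><string>jdoe</string>
  <key>RetriesUntilHint</key><integer>3</integer>
</dict>
</plist>
"""

# constructed: what com.apple.preferences.accounts.plist might hold
ACCOUNTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>deletedUsers</key>
  <array>
    <dict>
      <key>name</key><string>tempuser</string>
      <key>uid</key><integer>503</integer>
      <key>date</key><date>2009-02-11T17:42:10Z</date>
    </dict>
  </array>
</dict>
</plist>
"""


def load_plist(data: bytes) -> Dict[str, Any]:
    """Parse XML or binary plist bytes; plistlib detects the format."""
    return plistlib.loads(data)


def login_summary(loginwindow: Dict[str, Any]) -> Dict[str, Any]:
    """Who logged in last, and whether the machine logs a user in automatically."""
    auto = loginwindow.get("autoLoginUser")
    return {
        "last_user": loginwindow.get("lastUserName"),
        "auto_login_enabled": auto is not None,
        "auto_login_user": auto,
    }


def deleted_users(accounts: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Deleted accounts with their UID and deletion time (plist dates are UTC)."""
    out = []
    for entry in accounts.get("deletedUsers", []):
        when = entry.get("date")
        if isinstance(when, datetime) and when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        out.append({"name": entry.get("name"), "uid": entry.get("uid"),
                    "deleted_at": when})
    return out


def to_binary(data: bytes) -> bytes:
    """Round-trip an XML plist to binary form, as many live plists are stored."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_BINARY)


def examine(loginwindow_bytes: bytes, accounts_bytes: bytes) -> Dict[str, Any]:
    """Combine both files into one evidence record."""
    report = login_summary(load_plist(loginwindow_bytes))
    report["deleted_users"] = deleted_users(load_plist(accounts_bytes))
    return report


if __name__ == "__main__":
    print(examine(LOGINWINDOW_XML, ACCOUNTS_XML))
    print(examine(to_binary(LOGINWINDOW_XML), ACCOUNTS_XML))
```

The binary round trip matters in practice: many of the plists on the slides are stored in binary form on the target, and the same loader handles them without a prior conversion step.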
35. Use Spotlight for Keyword Search
Mac OS X features the Spotlight search technology, which allows you to instantly find things on the Mac
Spotlight will index and search in the following locations:
• The Documents, Movies, Music, and Pictures folders
• The Trash of all users and each mounted volume
• ~/Library/Metadata/
• ~/Library/Caches/Metadata/
• ~/Library/Mail/
• ~/Library/Caches/com.apple.AddressBook/Metadata/
• ~/Library/PreferencePanes/
Spotlight also searches these non-Home folder locations by default:
• /Library/PreferencePanes/
• /System/Library/PreferencePanes/
• /Applications
36.
Collecting Information Regarding Parental Controls for a Local Account
Users are limited by using Parental Control preferences
Parental Control Preferences:
• Open System Preferences, then click Accounts, and collect the setting information
• Click the System tab and check the “Simple Finder” setting
• Click the Content tab and check the settings to:
  • Limit access to adult websites automatically
  • Always allow these sites
  • Never allow these sites
• Click the Mail & iChat tab and check the settings to:
  • Only allow emailing and instant messaging
  • Send permission request
• Click the Time Limits tab and check the setting
• Click the Logs tab and check the setting
37.
Parental Controls: Screenshot
38.
File Vault and Mac OS X Security
• FileVault is the security technology available in Mac OS X to secure a user's home directory
• It encrypts the user's home directory with 128-bit AES encryption into a sparse image DMG file
FileVault Preference Pane:
Figure: FileVault preference pane
39.
Cracking the File Vault
Crack the protection password to access the FileVault-encrypted Home directory
Cracking methods that can be used:
• Brute force
• Dictionary attack
• Hybrid attack (brute force with a dictionary attack)
Tools:
• John the Ripper
• THC Hydra
• crowbarDMG
• Mac Marshal
• MacLockPick II
40.
POSIX Permissions
Portable Operating System Interface (POSIX) permissions control access to files and folders
Check the types of standard POSIX permissions given to each user or group
POSIX provides four types of permission:
• Read & Write
• Read Only
• Write Only
• None
41.
Viewing POSIX Permissions
POSIX access permissions can be assigned to the following categories of users:
• Owner: the user who creates an item; has Read & Write permissions
• Group: users who need the same access to files and folders are collected into group accounts
• Everyone: any user who can log in to the file server
Steps to view the current permission settings:
• Open Terminal
• Run the ls command:
  $ ls -l
42.
Viewing ACL Permissions
An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user
Each ACE contains the following components:
• User: owner, group, and other
• Action: read, write, or execute
• Permission: allow or deny the action
Steps to view ACL permissions:
• Select an object in the Finder
• Select the menu item File > Get Info, or press Cmd+I
• Open the Ownership & Permissions section in the information panel
43.
Mac OS X Log Files
Log files maintain a record of user activity on the system, and the log entries themselves may show evidence of the crime
The Console utility, found in /Applications/Utilities, displays the stored logs
44.
Mac OS X Log Files (cont’d)
Some of the log files are as follows:
Log File                       Uses
/var/log/crashreporter.log     Application usage history; information is written here only when an application crashes
/var/log/cups/access_log       Printer connection information
/var/log/cups/error_log        Printer connection information
/var/log/daily.out             Network interface history
/var/log/samba/log.nmbd        Samba (Windows-based machine) connection information
~/Library/Logs                 Any logs in this area are specific to the user of this Home directory; application-specific logs are found here
45.
Mac OS X Log Files (cont’d)
Log File                                 Uses
~/Library/Logs/DiscRecording.log         Log of CD or DVD media burned using the Finder; specific to the user of this Home directory
~/Library/Logs/DiskUtility.log           Log of CD or DVD media burned using Disk Utility, mount and unmount history of ISO or DMG image files, Permission Repair history, and hard disk partition information
~/Library/Logs/iChatConnectionErrors     Log files here contain information on past iChat connection attempts: data such as username, IP address, and date & time of the attempt
~/Library/Logs/Sync                      Log files here contain information on .Mac syncing, mobile devices such as iPods and cell phones, and the date & time of the activities
46.
Locating the iChat Configuration File
iChat configuration settings are stored in the configuration files
iChat components and their corresponding configuration file locations are as follows:
Component                                   Location
jabberd2 (startup script)                   /etc/jabberd/jabberd.cfg
router (inter-module message routing)       /etc/jabberd/router.xml
resolver (domain resolution)                /etc/jabberd/resolver.xml
sm (session manager)                        /etc/jabberd/sm.xml
C2S (client-to-server communications)       /etc/jabberd/c2s.xml
S2S (server-to-server communications)       /etc/jabberd/s2s.xml
47.
Checking Instant Messaging Configuration Plist Files
Check the following Plist files for the configuration settings of the various instant messaging services:
• /Library/Preferences/com.apple.iChat.AIM.plist
• /Library/Preferences/com.apple.iChat.plist
• /Library/Preferences/com.apple.iChat.SubNet.plist
• /Users/username/Library/Preferences/com.aol.aim.plist
• /Users/username/Library/Preferences/com.adiumX.adiumX.plist
• /Users/username/Library/Preferences/com.apple.iChat.AIM.plist
• /Users/username/Library/Preferences/com.apple.iChat.plist
• /Users/username/Library/Preferences/com.apple.SubNet.plist
• /Users/username/Library/Preferences/com.skype.skype.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.plist
• /Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist
48.
Viewing iChat Logs
iChat logs are located in the following locations:
• The iChat service log is located in /var/log/system.log
• The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log
• The iChat multiuser conference log is located in /var/jabberd/log/jcr.log
Steps to view iChat logs:
• Open Server Admin and connect to the server
• Click the triangle to the left of the server
• Click iChat
• Click Logs and then choose a log from the View pop-up menu
49.
Gathering Safari Information
The following files provide important forensic information on browsing activities:
Files                                                 Information
/Users/username/Library/Safari/Bookmarks.plist        User's bookmarks
/Users/username/Library/Safari/Downloads.plist        Contents of the user's Downloads window in Safari
/Users/username/Library/Safari/History.plist          Safari browser history
/Users/username/Library/Safari/LastSession.plist      Defines the last browsing session (window and tabs that were open)
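An added example (not from the course) that turns History.plist into a timeline. The record layout used here is an assumption about the older XML History.plist: a WebHistoryDates array whose entries keep the URL under an empty-string key and lastVisitedDate as a decimal string of Mac absolute time, which counts seconds from 2001-01-01 UTC rather than the Unix epoch; the visits themselves are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time (Core Foundation time) starts on 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed History.plist. Layout assumed: URL under the empty key "",
# lastVisitedDate as a string of seconds since COCOA_EPOCH.
HISTORY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>WebHistoryFileVersion</key><integer>1</integer>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://example.com/</string>
      <key>title</key><string>Example Domain</string>
      <key>lastVisitedDate</key><string>284000000.5</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
    <dict>
      <key></key><string>http://example.net/login</string>
      <key>lastVisitedDate</key><string>283990000</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
  </array>
</dict></plist>"""


def mac_absolute_to_utc(value) -> datetime:
    """Convert a Mac absolute time (float or numeric string) to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=float(value))


def safari_history(data: bytes) -> list:
    """Parse History.plist (XML or binary) into records sorted newest first."""
    root = plistlib.loads(data)
    rows = []
    for rec in root.get("WebHistoryDates", []):
        rows.append({
            "url": rec.get(""),
            "title": rec.get("title", ""),
            "last_visited": mac_absolute_to_utc(rec.get("lastVisitedDate", 0)),
            "visits": int(rec.get("visitCount", 0)),
        })
    rows.sort(key=lambda r: r["last_visited"], reverse=True)
    return rows


def as_timeline(rows) -> list:
    """One printable line per visit: UTC timestamp, visit count, URL."""
    return [f"{r['last_visited']:%Y-%m-%d %H:%M:%S} UTC  {r['visits']:>3}  {r['url']}"
            for r in rows]


if __name__ == "__main__":
    for line in as_timeline(safari_history(HISTORY_XML)):
        print(line)
```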
50.
Checking Wi-Fi Support
To check the Wi-Fi support setting, open the /System/Library/Extensions folder
This information helps establish whether the system had wireless access
Check the following files:
• AppleAirPort.kext
• AppleAirPort2.kext
• AppleAirPortFW.kext
51.
Checking Bluetooth Support
To check whether the system has Bluetooth support enabled, open the /System/Library/Extensions folder
This information provides clues about a Bluetooth attack on the system
Check the following files:
• IOBluetoothFamily.kext
• IOBluetoothHIDDriver.kext
Check the /Library/Preferences/com.apple.Bluetooth.plist file to obtain the Bluetooth history
52.
Gathering Information from Printer Spool (CUPS)
Browse to the web page http://localhost:631/
53.
Vulnerable Features of Mac
Hidden Extensions
• File extensions are kept hidden from the user
• A Trojan can exploit this to hide its true nature
Bundle Architecture
• A bundle is a special folder that allows multiple resources to be contained in one single folder
• It makes the process of creating a virus easier, since it greatly assists the process of installing multiple executables into one program
Unprotected Application Folder
• The programs that a user relies upon are stored unprotected inside a folder called /Applications
• The common applications running on the system can be modified or replaced with viruses
Centralized Open Address Book
• Mac OS X provides an Address Book which contains instant messaging addresses, email addresses, phone numbers, and physical addresses
• The addresses in the Address Book can be used for spreading a virus
• For example, “ILOVEYOU”, the “Love Bug worm”, spread by interrogating users’ contacts and emailing copies of itself
54.
Mac Forensics: Imaging
55.
Imaging a Target Macintosh
Mac system imaging techniques are as follows:
• Target Disk Mode
• LiveCD method
• Drive Removal
56.
Target Disk Mode
In target disk mode, the target computer acts as an external FireWire hard drive
Steps for a Target Disk Mode acquisition:
• Turn off Disk Arbitration on your forensic Macintosh
• Shut down your forensic Macintosh
• Start the target Macintosh in Target Disk Mode
• Connect the target Macintosh to your forensic Macintosh through a FireWire cable
• Boot your forensic Macintosh either to your forensic partition or with Disk Arbitration turned off
• Enter the Terminal and check for your attached Target Disk Mode Macintosh
57.
Target Disk Mode (cont’d)
Determine which disk to acquire and create a digital fingerprint of the target device by running an MD5 hash
Use the MD5 command:
• md5 /dev/disk0 > /Evidence/targetMacintosh.md5_start
Use dd to make the acquisition of the raw disk as follows:
• dd if=/dev/rdisk1 conv=noerror,sync of=/Evidence/targetMacintosh.dd
Create a second digital fingerprint of the target device to show nothing has been altered by the dd process:
• md5 /dev/disk0 > /Evidence/targetMacintosh.md5_end
Power down your forensic Macintosh
Power down the target Macintosh
Disconnect the FireWire cable
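The hash-image-hash procedure above, carried out on a constructed file so it can be run without a FireWire target. This is an added example, not course material: it takes a single device path (the start and end fingerprints and the dd command must all refer to the same device), reproduces what conv=noerror,sync does to an unreadable sector, and shows why the image hash stops matching the source hash once a sector has been padded even though the source itself is unchanged.

```python
import hashlib
import os
import tempfile

SECTOR = 512


def digest(path: str, algo: str = "md5") -> str:
    """Hash a file or device in chunks (same role as the md5 command on the slide)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def raw_copy(src: str, dst: str, bad_sectors=frozenset()) -> dict:
    """Sector-by-sector copy with the semantics of dd conv=noerror,sync:
    an unreadable sector is written as zeros instead of being dropped, so
    every byte of the image keeps its source offset. bad_sectors is a
    constructed stand-in for read errors (real media raises OSError)."""
    total = (os.path.getsize(src) + SECTOR - 1) // SECTOR
    padded = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for n in range(total):
            fin.seek(n * SECTOR)
            if n in bad_sectors:
                block, padded = b"\0" * SECTOR, padded + 1
            else:
                block = fin.read(SECTOR)
                block += b"\0" * (SECTOR - len(block))   # sync pads a short final block
            fout.write(block)
    return {"sectors": total, "padded": padded}


def acquire(src: str, dst: str, bad_sectors=frozenset()) -> dict:
    """Fingerprint the source before and after imaging (the slide's md5_start
    and md5_end) and record the hash of the image produced."""
    before = digest(src)
    stats = raw_copy(src, dst, bad_sectors)
    after = digest(src)
    return {**stats, "src_md5_start": before, "src_md5_end": after,
            "image_md5": digest(dst), "source_unchanged": before == after}


def demo(bad_sectors=frozenset()) -> dict:
    """Constructed 8-sector 'disk' in a temporary directory, not real media."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "disk"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(b"".join(bytes([i]) * SECTOR for i in range(8)))
        return acquire(src, dst, bad_sectors)


if __name__ == "__main__":
    print(demo())                    # clean read: image hash equals source hash
    print(demo(bad_sectors={3}))     # one padded sector: source unchanged, image differs
```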
58.
LiveCD Method
The LiveCD method involves booting the target Macintosh with a known, forensically sound CD
It can include a custom-tailored Linux distribution such as Helix, SMART, or a Knoppix variant
A LiveCD method for acquisition of a Macintosh is sometimes the preferred method
59.
Drive Removal
Physical drive removal is the complicated part of a Macintosh examination
Use a physical write-blocking device for the acquisition
Once the disk drive is physically write-blocked, the imaging process can begin with any tool
Possible failures of this method:
• Bad cable between the drive and the physical write-blocking device
• Bad cable from the physical write-blocking device to the forensic computer
• Imaging tool that does not recognize the file system of the target Macintosh
60.
Acquiring the Encrypted User Home Directory
While copying the Encrypted User Home Directory file, set the "Locked" property in the window
• This will prevent the file from any further changes
Steps to successfully acquire the Encrypted User Home Directory:
• Open a shell in the terminal with root privileges
  • Example: "sudo sh"
• Copy the file from its present location to your Evidence Collection directory
  • Example: "cp /Users/dogcow/dogcow.sparseimage /Evidence"
• Take ownership of the file
  • Example: "chown yourusername /Evidence/dogcow.sparseimage"
• Set the Locked flag to prevent any changes to this file
  • Example: "chflags uchg /Evidence/dogcow.sparseimage"
61.
.Mac and Related Evidence
.Mac is an Internet resource; its features include email, web site hosting, and iDisk storage of files
A user may store files here, including Backup files, Address Book entries, Safari bookmarks, and Quicken data
Figure: .Mac plist window
62.
Quick View Plus
The Quick View Plus tool supports information created in Windows, Macintosh, Internet, and DOS formats
It helps to access information from sources such as e-mail attachments, the Web, and legacy document stores
Features:
• It maintains the formatting of the original documents
• It integrates with the latest browser and e-mail applications
• All or a portion of any viewed file can be copied and then pasted into an application
• It is possible to transfer data between Windows, Macintosh, and DOS word processing and presentation programs
63.
Cover Flow
Cover Flow is a three-dimensional graphical user interface which allows users to visually browse through files and a digital media library
Figure: Cover Flow
64.
Customizing Cover Flow: Screenshot
Figure: Customizing Cover Flow
65.
Mac Forensic Tools
66.
gpart
gpart ignores the primary partition table and scans the disk (or a disk image file) for several file system and partition types
This is done by comparing sequences of sectors with the way each known file system or partition type begins
67.
gpart (cont’d)
File systems known to gpart:
File system    Description
beos           BeOS filesystem type
bsddl          FreeBSD/NetBSD/386BSD disklabel sub-partitioning scheme used on Intel platforms
ext2           Linux second extended filesystem
fat            MS-DOS FAT12/16/32 "filesystems"
hpfs           IBM OS/2 High Performance filesystem
hmlvm          Linux LVM physical volumes
lswap          Linux swap partitions
minix          The Minix operating system filesystem type
ntfs           MS Windows NT filesystem
qnx4           QNX 4.x filesystem
rfs            The Reiser filesystem (version 3.5.X, X > 11)
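A small illustration of gpart's guessing pass, added here and not taken from gpart's own source: it walks a raw image sector by sector, ignores any partition table, and reports where three of the file systems in the table (fat, ntfs, ext2) appear to begin. The magic values are taken from the on-disk format specifications; the image it scans is constructed.

```python
import struct

SECTOR = 512


def guess_at(img: bytes, sector: int):
    """Return the file-system type that seems to start at `sector`, or None.
    Signatures used (from the format specs, assumed correct for this demo):
      ntfs: OEM id 'NTFS    ' at byte 3 of the boot sector
      fat : 0x55AA boot signature plus 'FAT' in the type field at 54 (FAT12/16)
            or 'FAT32' at 82 (FAT32)
      ext2: superblock magic 0xEF53 at byte 1024 + 56 of the partition"""
    off = sector * SECTOR
    bs = img[off:off + SECTOR]
    if len(bs) < SECTOR:
        return None
    if bs[3:11] == b"NTFS    ":
        return "ntfs"
    if bs[510:512] == b"\x55\xaa" and (bs[54:57] == b"FAT" or bs[82:87] == b"FAT32"):
        return "fat"
    sb = img[off + 1024:off + 1024 + 64]        # ext2 superblock is the 3rd sector
    if len(sb) == 64 and struct.unpack_from("<H", sb, 56)[0] == 0xEF53:
        return "ext2"
    return None


def scan(img: bytes) -> list:
    """Candidate (start_sector, type) pairs for every sector of the image,
    which is what gpart does instead of trusting the partition table."""
    hits = []
    for s in range(len(img) // SECTOR):
        fs = guess_at(img, s)
        if fs:
            hits.append((s, fs))
    return hits


def build_demo_image() -> bytes:
    """Constructed 64-sector image: a FAT16-style boot sector at sector 4,
    an NTFS boot sector at sector 16 and an ext2 superblock for a partition
    starting at sector 32. No partition table is written on purpose."""
    img = bytearray(64 * SECTOR)
    fat = 4 * SECTOR
    img[fat + 54:fat + 59] = b"FAT16"
    img[fat + 510:fat + 512] = b"\x55\xaa"
    ntfs = 16 * SECTOR
    img[ntfs + 3:ntfs + 11] = b"NTFS    "
    ext2 = 32 * SECTOR + 1024
    struct.pack_into("<H", img, ext2 + 56, 0xEF53)
    return bytes(img)


if __name__ == "__main__":
    for start, fs in scan(build_demo_image()):
        print(f"sector {start:>4}: {fs}")
```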
68.
MacLockPick
MacLockPick uses the settings files to keep track of contacts, activities, and history
It extracts the data and saves it to its own flash drive
It can be used to extract:
• Internet login passwords, WiFi, AppleShare
• File and folder details such as creation, modification, and most recently accessed dates
• Instant Messaging details
• Email account details
• Web history and preferences
• Hardware preferences
69.
File Juicer
File Juicer finds and extracts images, video, audio, or text from files
It saves the images in their original format
It finds and extracts the following file types:
• JPEG
• PNG
• GIF
• PDF
• BMP
• WMF
• EMF
• PICT
• MOV
• MP4
• MP3
70.
File Juicer: Screenshot
Source: http://www.macupdate.com/images/screens/uploaded/16101_scr.png
71.
MacAnalysis
MacAnalysis is a security auditing/cracker prevention application
It can perform the following functions:
• Reverse IP
• Port Scan
• Services Scan
• Name Scan
• OS Fingerprinting
• POP3/SMTP/FTP Brute Force
• Network Info
• IP Monitoring
• DUP Broadcast Scanning
• Telnet client
• Buffer Overflows
72.
MacAnalysis: Screenshot
73.
MacQuisition
MacQuisition is a forensic acquisition tool used to safely and easily image Mac source drives using the source system
Features:
• Easily identify the source device
• Configure the destination location
• Image directly over the network
• Use the command line
• Log case, exhibit, and evidence tracking numbers and notes
• Automatically generate MD5, SHA1, and SHA256 hashes
74.
MacQuisition Steps
Step 1: Source Identification
Step 3: Case Information
75.
MacQuisition Steps (cont’d)
Step 5: Imaging / Status Information
76.
FTK Imager
FTK Imager is used for:
• Making an exact copy of a drive or folder
• Taking an MD5 or SHA-1 digital signature of a drive or file
• Determining the properties of drives, folders, or files
• Viewing files
77.
Mac Forensic Tools
dd_rescue images the drives or files from the attacked system and also copes with bad sectors or other read errors while imaging the drives
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files
78.
Mac Forensic Tools (cont’d)
Foremost is used to recover files based on their headers, footers, and internal data structures; it can work on image files, such as those generated by dd or EnCase, or directly on a drive
Mac Forensic Lab acquires a bit-by-bit replica of the original media while maximizing data recovery, even with corrupted media; forensic images are created with integrated segmenting and granular hashing
The LinkMASSter tool with the ‘Forensic Mac Acquisition’ option allows data to be acquired from an unopened Mac computer through 1394B or USB ports
79.
Summary
Mac OS consists of unique file systems and applications
HFS+ and HFS are the two file systems found on Macintosh
The Open Firmware Password helps to physically secure the computer
Disk Arbitration needs to be enabled for Disk Utility to function
The home directory is the area in which to find most of the evidence for any case, barring system-wide log and settings files