
Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit

Jesse Varsalone, Technical Editor
Ryan R. Kubasiak and Sean Morrissey, Lead Authors
Walter Barr, James "Kelly" Brown, Max Caceres, Mike Chasman, James Cornell

Contents

About the Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit DVD    xix

Chapter 1  Tiger and Leopard Mac OS X Operating Systems    1
    Introduction    2
    First Responders and Specialized Examiners    2
    Digital Examination    3
    Techniques for Examination    4
        Live Examination    4
        Single User Mode    4
        Boot CD/DVD Methods    5
        Target Disk Mode    5
    Macintosh History    5
    Macintosh Aspects    6
    Is It a Mac?    7
    Overview    8
    Operating Systems    10
    Data Files    12
    Macintosh Technologies    17
        The Desktop    17
        Back to My Mac    19
        Guest Account    20
        Time Machine    21
        FileVault    22
        UNIX and the FreeBSD System    22
        BootCamp, Windows on a Mac?    22
        Target Disk Mode    22
    Disk Structure    23
        23
        GUID Partition Table    25
    Summary    28
    Solutions Fast Track    28
    Frequently Asked Questions    30

Chapter 2  Getting a Handle on Mac Hardware    31
    Introduction    32
    MacBooks and Desktop Computers    34
        MacBook Air    36
        MacBook Pro    37
        Mac Mini    38
        iMac    38
        Mac Pro and PowerMac    39
    iPods    41
        iPod Classic    41
        iPod Nano    42
        iPod Shuffle    45
        iPod Touch    45
    iPhones    46
    Other Hardware    48
        AirPort Express and AirPort Extreme    48
        Apple TV    49
        Time Capsule    50
    Summary    52
    Solutions Fast Track    52
    Frequently Asked Questions    54

Chapter 3  Mac Disks and Partitioning    55
    Introduction    56
    56
    Disk Info    57
    Mounting    59
    DMG Files    59
    Info    60
    Locking    61
    Un-mounting    61
    Ejecting    61
    First Aid    62
        Repairing Disk Permissions    63
        Verifying Disk Permissions    63
    Erasing a Disk    63
        Security Options    64
            Don't Erase Data    65
            Zero Out Data    65
            7-Pass Erase    66
            35-Pass Erase    67

    Volume Format Options    67
        Mac OS Extended    67
        Mac OS Extended (Journaled)    67
        Mac OS Extended (Case-Sensitive)    68
        Mac OS Extended (Case-Sensitive, Journaled)    68
        MS-DOS File System    68
        68
    Partitioning    69
        Volume Schemes    70
        Volume Labels    71
        Splitting a Partition    71
        Locked for Editing Setting    71
        Reverting to a Previous Volume Scheme    72
    RAID    72
        RAID Sets    72
            Mirrored RAID Set    75
            Striped RAID Set    76
            Concatenated RAID Set    76
        RAID Options    77
            RAID Mirror AutoRebuild    77
            RAID Block Size    77
    Restore    77
        Creating a    77
        Converting an Image    78
        Verifying a Disk Image    80
        Restoring an Image File to a Disk    81
        Restoring a Disk from a Web Server    82
    Changing the Startup Disk    82
    Target Disk Mode    84
    Terminal Window - Apple Partition Map    86
    Summary    87
    Solutions Fast Track    88
    Frequently Asked Questions    90

Chapter 4  HFS Plus File System    93
    Introduction    94
    HFS Plus Volumes    94
        Specifications    94
        Structures    95
        Size Limitations    97

    Forks    98
        Data    98
        98
        Additional Forks    98
    Permissions    99
    HFS Wrapper    100
    HFSJ    106
    HFSX    107
    Boot Blocks    107
    Startup File    107
    Volume Header    107
    Alternate Volume Header    112
    Allocation File    113
    B*-trees    113
    Catalog File    116
    Extents Overflow File    121
    Attributes File    121
    Summary    124
    Solutions Fast Track    124
    Frequently Asked Questions    126

Chapter 5  FileVault    127
    Introduction    128
    FileVault Overview    128
    Acquiring an Unlocked FileVault    136
    Decrypting a Locked FileVault    141
    Summary    143
    Solutions Fast Track    143
    Frequently Asked Questions    145

Chapter 6  Time Machine    147
    Introduction    148
    Configuring and Using Time Machine    149
    Customizing Time Machine    150
    Issues of Importance to Investigators    154
    Restoring Files from Time Machine    155
    Restoring System Settings    157
    Forensic Implications    158
    Time Machine Volumes    161
    Time Machine with FileVault Enabled    165
    Summary    167

    Solutions Fast Track    167
    Frequently Asked Questions    168

Chapter 7  Acquiring Forensic Images    169
    Introduction    170
    Setting Up an Analysis Mac    170
        The Setup Process, Step by Step    171
    Imaging a Mac with a Mac    174
        Physical Disks and Slices    175
        The DiskArbitration Daemon    178
        Connecting the Mac to Be Acquired    179
        Acquisition Process, Step by Step    181
        Pitfalls and Benefits of Imaging Using the dd Utility    183
    Imaging a Mac with a Live CD    184
    Summary    187
    Solutions Fast Track    187
    Frequently Asked Questions    189

Chapter 8  Recovering Browser History    191
    Introduction    192
    Recovering Items from Web Cache    192
        ~/Library/Caches/    192
        ~/Library/Safari    196
    Recovering Items from plist Files    196
        Bookmarks.plist    196
        Downloads.plist    200
        History.plist    201
        LastSession.plist    206
        WebpageIcons.db    206
        Cookies.plist    208
    Summary    210
    Solutions Fast Track    210
    Frequently Asked Questions    211

Chapter 9  Recovery of E-mail Artifacts, iChat, and Other Chat Logs    213
    Introduction    214
    Popular E-mail Applications    214
    MobileMe (.Mac) and Web-Based E-mail    215
    Recovery of E-mail Data    217
    Address Book    230

    Popular Chat Applications    234
    Recovery of Chat Data    234
    Summary    238
    Solutions Fast Track    238
    Frequently Asked Questions    240

Chapter 10  Locating and Recovering Photos    241
    Introduction    242
    Defining a Photo on a Macintosh    242
    iPhoto    244
    Recovering Images    252
    and Shadow Files    256
    Summary    259
    Solutions Fast Track    259
    Frequently Asked Questions    261

Chapter 11  Finding and Recovering QuickTime Movies and Other Video    263
    Introduction    264
    Defining a Movie on a Macintosh    264
    iMovie    267
    Recovering Video    274
    Summary    280
    Solutions Fast Track    280
    Frequently Asked Questions    282

Chapter 12  Recovering PDFs, Word Files, and Other Documents    283
    Introduction    284
    Microsoft Office    284
        Office 2004    284
        Office 2008    289
        Object-Oriented XML Format    289
    OpenOffice for Mac    292
    Portable Document Format (PDF)    292
    Text Documents    293
    Recovering Office Files, PDFs, and Other Documents    294
        Default Locations of Office Artifacts    295
        Entourage    295
    Summary    311
    Solutions Fast Track    311
    Frequently Asked Questions    312

Chapter 13  Forensic Acquisition of an iPod    313
    Introduction    314
    Documenting the Seizure of an iPod    314
    Apple iPods    315
    Using Open Source Acquisition Tools    319
        Disabling the Disk Arbitration Daemon (Tiger)    320
        Reenabling the Disk Arbitration Daemon (Tiger)    320
        Disabling the Disk Arbitration Daemon (Leopard)    321
        Reenabling the Disk Arbitration Daemon (Leopard)    322
        Creating an Image    322
        Live CDs    322
        Verifying the Integrity of the Raw Data    322
        Imaging the iPod Device with dc3dd    323
    Using Proprietary Acquisition Tools    324
        Imaging the iPod Device within FTK Imager    324
        Imaging the iPod Device Using EnCase    329
        Imaging the iPod Device Using BlackBag's BBTImagerLite    330
    Summary    332
    Solutions Fast Track    332
    Frequently Asked Questions    333

Chapter 14  iPod Forensics    335
    Introduction    336
    Analyzing iPod Partitioning    336
    Analyzing the iPod Image File on a Mac    339
        Mounting an iPod Image File on a Mac    339
        Viewing Hidden Folders and Files    340
    Examining iPod Files and Folders    343
        Calendars    344
        346
        Desktop Files    346
        iPod Control    347
        iTunes    348
        349
        Photos    349
        Recordings    350
    as External Storage Devices    351
    Viewing iPod Artifacts from a Corresponding Mac    351
    Summary    353
    Solutions Fast Track    353
    Frequently Asked Questions    354

Chapter 15  Forensic Acquisition of an iPhone    355
    Introduction    356
    iPhone & iPod Touch Forensic Concerns    358
    Methods to Acquire Data from an iPhone    359
        iTunes Sync    359
        Hacking the iPhone    360
        Disassembly    360
    iPhone & iPod Touch Logical Acquisitions    360
        a Logical Copy of the iTunes Sync Folder    361
    Acquiring a Physical Image of an iPhone    363
        /dev/rdisk0 (Disk)    364
        /dev/rdisk0s1 (Slice 1)    364
        /dev/rdisk0s2 (Slice 2)    365
        Step 1 - Jailbreak the iPhone    366
        Step 2 - Disabling the Power and Screen Lock Feature    372
        Step 3 - Install UNIX Utilities on the iPhone (Choose the Cydia Installer)    372
        Step 4 - Install the SSH Daemon on the iPhone    374
        Step 5 - Install netcat on the iPhone    374
        Step 6 - Set Up a Peer-to-Peer Wireless Network between an iPhone and iMac    376
        Step 7 - Establish a Secure Shell or SSH Connection to an iPod    380
        Step 8 - Ping Your Listener System    381
        Step 9 - Set Up the Listener    382
        Step 10 - Start the Imaging Process    382
    Analysis of the iPhone Image    383
    iPhone 2.1    385
    Terminology    389
        Baseband    389
        Unlocking    390
        Jailbreaking    390
        SIM Card    390
    Summary    391
    Solutions Fast Track    391
    Frequently Asked Questions    393

Chapter 16  iPhone Forensics    395
    Introduction    396
    iPhone Functions    396
    iPhone Partitioning    398

    First Partition    398
    First Partition Folder Structure    400
    The Second Partition or Data Partition    408
    Library    420
    Address Book    421
    Boss Prefs    424
    Caches    425
    Mobile    426
    Call History    426
    Cookies    427
    Keyboard    428
    Background/Wallpaper Image    429
    Logs    429
    Mobile Mail    429
    Mobile Maps    436
    Notes    437
    Preferences    439
    Mobile Safari    441
    SMS (Short Message Service)    443
    Voicemail    443
    YouTube    445
    Media Folder    446
    iTunes_Control    451
    iPhotos    452
    Bash History    452
    Root    453
    Address Book    454
    Caches    454
    Calendar    454
    Lockdown    454
    Preferences    455
    Run    455
    Stash    455
    Tmp    455
    Carving    456
        SubRosaSoft's MacForensicsLab    456
        AccessData's Forensic Toolkit    457
    Non-Jailbreaking Method of iPhone Analysis    458
        Property Lists From the Suspect's Mac    470

    Other Non-Jailbreak Methods of iPhone Forensics    472
        iPhone SIM Card    473
        Nmap the iPhone    473
    Summary    474
    Solutions Fast Track    474
    Frequently Asked Questions    475

Appendix A  Using , Parallels, and VMware Fusion in a Mac Environment    477
    Introduction    478
    Boot Camp    479
        Dual-Booting Mac and Windows    480
        Dual-Booting Mac and    489
    Parallels    490
        Configuring Parallels    490
        Installing an    491
            Windows    491
            Linux    494
            OS X 10.5.x Server    505
        Boot Camp in Parallels    515
        Coherence    517
    VMware Fusion    518
    VirtualBox    518
    Summary    520
    Solutions Fast Track    520
    Frequently Asked Questions    521

Appendix B  Capturing Volatile Data on a Mac    523
    Introduction    524
    Volatile Data Collection    524
        Volatile Data Collection on an Unlocked System    524
        Volatile Data Collection on a Locked System    527
            The FireWire "Attack"    528
            Msramdmp    528
    Summary    538
    Solutions Fast Track    538
    Frequently Asked Questions    539

Index    541