- Pac 4 Mac Forensics Framework For Mac Download
- Pac4mac Forensics Framework For Mac Os
- Pac 4 Mac Forensics Framework For Mac
Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system. This is by no means an extensive list and may not cover everything you need for your investigation. You might also need additional utilities such a file viewers, hash generators, and text editors – checkout for some of these. My articles on, and might also come in handy since they contain a bunch of tools that can be used for Digital Forensic Investigations (e.g.
BackTrack and the SysInternals Suite or the NirSoft Suite of tools). Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats.
SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more. When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window. CrowdResponse is a lightweight console application that can be used as part of an incident response scenario to gather contextual information such as a process list, scheduled tasks, or Shim Cache.
Using embedded YARA signatures you can also scan your host for malware and report if there are any indicators of compromise. To run CrowdsResponse, extract the ZIP file and launch a Command Prompt with Administrative Privileges. Navigate to the folder where the CrowdResponse.exe process resides and enter your command parameters. At minimum, you must include the output path and the ‘tool’ you wish to use to collect data.
For a full list of ‘tools’, enter CrowdResponse64.exe in the command prompt and it will bring up a list of supported tool names and example parameters. Once you’ve exported the data you need, you can use CRconvert.exe to convert the data from XML to another file format like CSV or HTML. Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more. If you are using the standalone Windows executable version of Volatility, simply place volatility-2.x.standalone.exe into a folder and open a command prompt window.
From the command prompt, navigate to the location of the executable file and type “volatility-2.x.standalone.exe –f –profile= ” without quotes – FILENAME would be the name of the memory dump file you wish to analyse, PROFILENAME would be the machine the memory dump was taken on and PLUGINNAME would be the name of the plugin you wish to use to extract information. Note: In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information. The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.
Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running a Windows box. When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer. Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.
When you launch FTK Imager, go to ‘File Add Evidence Item’ to load a piece of evidence for review. To create a forensic image, go to ‘File Create Disk Image’ and choose which source you wish to forensically image. 06 Linux ‘dd’ dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora).
This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive. Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world. Tip: A modified version of dd is available from – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks. To use dd, simply open a terminal window and type dd followed by a set of command parameters (which command parameters will obviously depend on what you want to do). The basic dd syntax for forensically wiping a drive is: dd if=/dev/zero of=/dev/sdb1 bs=1024 where if = input file, of = output file, bs = byte size Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024 with the size of the byte blocks you want to write out.
The basic dd syntax for creating a forensic image of a drive is: dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync where if = input file (or in this case drive), of = output file, bs = byte size, conv = conversion options Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command. CAINE (Computer Aided INvestigative Environment) is Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more. When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar. ExifTool is a command-line application used to read, write or edit file metadata information.
It is fast, powerful and supports a large range of file formats (although image file types are its speciality). ExifTool can be used for analysing the static properties of suspicious files in a host-based forensic investigation, for example. To use ExifTool, simply drag and drop the file you want to extract metadata from onto the exiftool(-k).exe application and it will open a command prompt window with the information displayed. Alternatively, rename exiftool(-k).exe to exiftool.exe and run from the command prompt.
Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. Database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.
Use ‘File Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search. Bulkextractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts). Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk where the entry was found (i.e.
If you were analysing the disk manually using a hex editor for example, you would jump to this hexadecimal value to view the data). Bulkextractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BEOutput”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above. DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available.
It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.
When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic).
Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others. Once you’ve installed Xplico, access the web interface by navigating to and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.
I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t. When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on.
Sort by action time or use the search button to start investigating what actions were taken on the machine. DSi USB Write Blocker is a software based write blocker that prevents write access to USB devices. This is important in an investigation to prevent modifying the metadata or timestamps and invalidating the evidence.
When you run DSi USB Write Blocker, it brings up a window that allows you to enable or disable the USB Write Blocker. Once you make changes and exit the application, you can keep an eye on the status from the padlock icon in the taskbar. When performing an analysis of a USB drive, enable the USB Write Blocker first and then plug the USB drive in. If you are looking for a command line alternative, check out ‘USB Write Blocker for ALL Windows’. This tool works by updating a registry entry to prevent USB drives from being written to. To run the tool, you simply execute the batch file and select Option 1 to put the USB ports into read-only mode. RedLine offers the ability to perform memory and file analysis of a specific host.
It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile. When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion.
Once you have a memory dump file to hand you can begin your analysis. PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more. When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.
HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more. From the HxD interface start your analysis by opening a file from ‘File Open’, loading a disk from ‘Extras Open disk’ or loading a RAM process from ‘Extras Open RAM’ HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more. Note: The HELIX3 version you need is 2009R1.
This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit. When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.
Paladin Forensic Suite is a Live CD based on Ubuntu that is packed with wealth of open source forensic tools. The 80+ tools found on this Live CD are organized into over 25 categories including Imaging Tools, Malware Analysis, Social Media Analysis, Hashing Tools, etc. After you boot Paladin Forensic Suite, navigate to the App Menu or click on one of the icons in the taskbar to get started. Note: A handy Quick Start Guide for Paladin Forensic Suite is available to view or download from the Paladin website as well as the taskbar within Paladin itself. USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USB drives that were plugged into the machine.
It displays information such as the name of the USB drive, the serial number, when it was mounted and by which user account. This information can be very useful when you’re dealing with an investigation whereby you need to understand if data was stolen, moved or accessed. When you launch USB Historian, click the ‘+’ icon on the top menu to launch the data parse wizard.
Select which method you want to parse data from (Drive Letter, Windows and Users Folder, or Individual Hives/Files) and then select the respective data to parse. Once complete you will see information similar to that shown in the above image. Andrew Zammit Tabona January 15, 2014 at 8:42 pm David Williams – Thank you. I am not aware of any of these tools being used specifically to fix a user profile that cannot be loaded. In this situation, you’re probably better off creating a new user profile and copying the data (e.g. NTUSER.DAT, NTUSER.DAT.LOG, NTUSER.INI) from the old profile to the new profile. Alternatively you could login to the machine using safe mode and try fixing the profile using regedit.exe.
Bilal Bokhari – Many thanks for your feedback. Much appreciated! Glad you found the article useful. Vijay – Other than using FTK Imager (for example) to create a logical image of a remote folder, I’m afraid I cannot think of any open source / freeware forensic tools for remote data capture that I’ve come across. You are more likely to find such a feature in a a commercial product.
Masoud Al Tawqi – Thanks for the suggestion. We’ll definitely consider such an article but unfortunately there aren’t many open source / freeware forensic tools specifically for mobile devices. One that comes to mind is iPhone Analyzer (available from: ) or you could look at the list available in the DEFT Linux Live CD. One thing to note is that most software-based commercial mobile forensics tools have evaluation editions available for you to try and these tend to be more feature-rich than the open source / freeware alternatives. Kalimuthu – Thanks. Glad you found it useful! To answer your question, it really depends how the user accessed these applications.
It won’t show that the internet history was cleared or that the MRU list was deleted but it might show that the user logged on, and that regedit.exe and iexplore.exe were executed for example. Quoting from the LastActivityView website, “the following actions and events are currently supported by LastActivityView: Run.EXE file:.EXE file run directly by the user, or by another software/service running in the background. Select file in open/save dialog-box: The user selected the specified filename from the standard Save/Open dialog-box of Windows. Open file or folder: The user opened the specified filename from Windows Explorer or from another software. View Folder in Explorer: The user viewed the specified folder in Windows Explorer.
Software Installation: The specified software has been installed or updated. System Started: The computer has been started. System Shutdown: The system has been shut down, directly by the user, or by a software that initiated a reboot. Resumed from sleep: The computer has been resumed from sleep mode.
Network Connected: Network connected, after previously disconnected. Network Disconnected: Network has been disconnected Software Crash: The specified software has been crashed. Software stopped responding (hang): The specified software stopped responding. Blue Screen: Blue screen event has been occurred on the system.
User Logon: The user logged on to the system. User Logoff: The user logged off from the system. This even might caused by a software that initiated a reboot. Restore Point Created: Restore point has been created by Windows operating system. Windows Installer Started Windows Installer Ended”. Andrew Zammit Tabona February 16, 2014 at 1:23 pm Jerri Corbett – Thanks for your comment. As I mentioned in a previous reply to Masoud Al Tawqi, unfortunately there aren’t many open source / freeware forensic tools specifically for mobile devices.
One that comes to mind is iPhone Analyzer (available from: ) or you could look at the list available in the DEFT Linux Live CD. One thing to note is that most software-based commercial mobile forensics tools have evaluation editions available for you to try and these tend to be more feature-rich than the open source / freeware alternatives. Dee Brown – Thanks for your feedback! I am not aware of any forensic software that specifically allows you to find concealed data in BIOS chips. If you wanted to analyze a BIOS chip for hidden data you could use a tool to dump the contents of the BIOS to disk/USB and then use a Hex Editor to view the data (some BIOS flash tools allow you to take a backup of the BIOS to RAM/disk before updating). It would be pretty difficult to determine what data is actually ‘hidden’ but a good method of analysis would be to do a side-by-side comparison of a chip you think has hidden data with one of the same type that you know doesn’t have hidden data. Jane Messil July 16, 2016 at 1:26 am If I load an image file (in my case a PNG photocopy of a document which contains some personal details) into Gimp, and I ‘fill’ with black (i.e.
As if to redact) the areas of the image that contain sensitive information, and I then overwrite the original file, is there any way that the original untouched image can be recovered or gleamed? Such as low level bit analysis or? In this case I’m only concerned with once I’ve redacted specific parts of the photocopy image and overwritten the original untouched version of the file that once I send via email this edited PNG to somebody, they will not be able to use any tools to “guesstimate” what was blanked out. If so what tools and techniques are behind that, and how can I mitigate this?
Leave a Reply Your email address will not be published. Required fields are marked. Comment Name. Email.
Website Notify me of follow-up comments by email. Notify me of new posts by email. GDPR. By using this form you agree with the storage and handling of your data by this website (please check to indicate agreement) If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email from the email address you used when submitting this form.
Rapid growth of the usage of OS X has inspired forensic researchers to analyze devices such as the iPad, iPhone and Mac deeply. Therefore, OS X forensics, starting from Jonathan Zdziarski in 2008, became a very hot topic. However, most of the research and trainings are focused on file system analysis.
Pac 4 Mac Forensics Framework For Mac Download
Although there are some methods: eg Volatility, Volafox, Memoryze for Mac, Mac Memory Reader, MacLockPick and Rekall, able to analyze mac memory, mac memory analysis is relatively strange. This paper is to demonstrate a fast track of mac memory forensics via studying the evidence of a very popular social networking application ‘WeChat’. INTRODUCTION ‘ Memory Forensics is the art of analyzing computer memory (RAM) to solve digital crimes ’ defined by Michael Hale Ligh, Andrew Case and, Jamie Levy. Computer forensics science is not only a science but an art.
With the wide use of smart phones and the internet, most people communicate with their friends using mobile social networking applications ‘Facebook and Whatsapp’. Meanwhile, WeChat is the most famous chatting platform in China and the areas nearby, especially Hong Kong. These applications provide not only the smart phone version but also the desktop version. Therefore, we could not ignore any possibility of evidence (either file system or memory) from a desktop machine. As memory analysis would be an important intersection, this paper will perform this ‘Art’of science to examine the memory dump from a Mac machine, by acquisition, process analysis and data collection through an example of running WeChat on OS X. ENVIRONMENT According to the research of Desktop Operation System from Net Application as of April 2014, the market share of Mac OS X is around 8% which is followed by the latest operation system Windows 8.
With the effect from the ‘end-of-life’ of Windows XP, Mac OS X might occupy more market share afterwards. Now, it is a good time to study much more of the OS X attributes. In this paper, a Mac machine with MountainLion OS X 10.8.3 installed was selected as a testing platform. The application ‘WeChat’ was downloaded from the official website of ‘Weixin’.
ACQUISITION Two acquisition methods are suggested and preformed in this research. One is MacLockPick 3.0 from MacForensicsLab and the other is OSXPmem from Rekall Memory Forensics Framework. MacLockPick 3.0 MacLockPick is a cross-platform forensics triage which could capture the live data such as system information and process in the field.
It also supports gathering information from iPhone and iPad using Apple Mobile Sync application. LE version includes Apple Keychain Extractor. Usage The MacLockPick 3.0 is come with a USB Flash Drive with many of built-in Plugins. It could be configured in the MacLockPick Manager depended on the examiner ’ s preference. A process of ‘WeChat’ was identified by the MacLockPick. It executed under the path /Application/WeChat.app/Contents/MacOS/WeChat on 2014-05-19.
OSXPmem Memory is volatile. All the data were gone if the machine is powered off. Although there is an alternative to recover the lost memory, for example ‘hibfil.sys’ in Windows OS, the best way is to acquire the memory dump as soon as possible.
The latest version of OSXPmem is RC3, developed by Rekall Memory Forensics Framework. It is an open source memory acquisition tool for Mac OS X which supports up to OS version 10.9. The default format is ELF Usage Super user privilege is required while dumping the memory. $sudo su./osxpmem mac-memory.dump ANALYSIS Volatility Forensics Framework Once the process is identified, analysis progress is required. Volatility 2.3.1 is fully supporting the analysis on mac memory. It requires corresponding OS profiles while performing the process.
The archive of the pre-built profiles up to version Mountain Lion 10.8.3 could be downloaded from its official website. Usage $ vol.py –f –profile= Volatility is a powerful memory forensics tool and delivers both Linux and Windows versions. It supports Windows, Linux and Mac memory. However, it builds in only 20 Windows operation system profiles. The user should know and select the correct profile when processing. Of course, a custom-profile for Linux or Mac OS might be created, if necessary.
Rekall Memory Forensics Framework Another analysis tool is Rekall Memory Forensics Analysis Framework. The project is officially launched at the end of year 2013. The distribution is available from Internet. Likes Volatility, it processes with corresponding OS profile, but it could detect automatically. For OS X, it supports up to version 10.9.x. The profile repository contains over 300 different OS profiles. You could also create your favor profile for your own use.
Pac4mac Forensics Framework For Mac Os
WeChat application has been identified by the MacLockPick at a live system as shown in Figure 4. It was executed from the path /Applcication/WeChat.app/Contents/MacOS/WeChat on 2014-05-19 as shown in Figure 4 & 9. Rekall then parses the relevant information from the memory directly.
Pslist shown that the PID of WeChat is 267 which connected to the IP Address 203.205.143.143:8080 as shown in Figure 9, 10 & 11. Usage $ rekall — help $ rekall – f WeChat Analysis User Account WeChat account has its Weixin ID, starting from “wxid”(n25y16.). The user nickname (The Poker Geek), registered email address (@live.hk) and phone number (+8526974) are now recovered from the memory. The interesting point is that the password of the user is a hashed MD5 plaintext followed by the login name. Contact List The contact list contains the Weixin ID (wxid), Nickname, the source of the buddy logo. The logo of the user “Dark Knight”is located at the server.
Message Upon searching, the conversation between the buddy (wxid32v314) and the user (wxidn25y26y) are recovered. File Transfer When a buddy wants to send out a file, eg video clip to the user, the file will be uploaded to the server. The user’s device will be notified by a message ‘ sent you a video’, together with a ‘cdnvidoeurl’(later known as a FileID). File (2.mp4) downloaded by the user The user clicked on the icon and downloaded it from the server.
The file will be eventually saved at the path /User/xxxxx/Library/Containers/com. Tencent.xin/WeChat/Data/././video/2.mp4, as a mpeg 4 format with a file name starting from a number, ie the second file is 2.mp4. Therefore, the file could be recovered from the physical Mac machine. The file based on the “FileID”was downloaded by the user at 22:04:07 hrs +8 on 2014-05-19. CONCLUSION This demonstration showed you how to tackle the mac memory. Other than the above mentioned mac memory forensics tools, Volafox, Memorize for Mac and Mac Memory Reader are used for the mac memory acquisition and analysis. Volatility and Rekall might not be the best memory forensics tools in the market but they provide the related effective and efficient solution to the forensics examiners or investigators.
Pac 4 Mac Forensics Framework For Mac
During the examination, we could understand much on the mac memory also reveal the security issue of the ‘WeChat’. Kelvin, the author of this paper (also known as Forensics Ninja), has over 10 years experience in computer forensics and investigation for Law Enforcement. He has delivered speeches and workshops in DFRWS EU, DefCon, APWG and HTCIA (APAC). References 1, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, 2014 2 Johannes S.