Katana Forensics has updated its FREE time converter application. This time it converts Mac Absolute Time and Unix Epoch Time. Most can’t distinguish which is which. This updated app already knows and converts the values on the fly. Just copy and paste. Visit http://www.katanaforensics.com and get the FREE application. Another tool for your war chest.
My good friend Shafik Punja asked, “Remember how you showed me to take a Lantern case file and bring it into Encase?” I responded that I did remember showing him how to do it. Shafik asked me to write this blog post so that others can benefit from it as well. So here it is, using a case folder from the new Lantern 2. This will also work with FTK. Unfortunately I do not have FTK running in my VM, but the method works the same way. For this demonstration I am using Parallels. I just like it better now, but again, if you have VMware Fusion, this will work also.
1. Acquire an iDevice using Lantern.
2. Start your Windows virtual machine.
3. Depending on your VM software, set up file sharing
4. Copy the Lantern case file (the icon that looks like a briefcase) and bring it into Windows. As you see in the following figure, the case file looks like a file folder. The Lantern case file in 2.0 is an Apple/Mac package. Basically a folder. Windows 7 sees this package as a folder.
5. Open your Windows-based forensic tool. In this demonstration, open Encase and create a case.
6. Then just drag and drop the Lantern folder into Encase, as seen below.
7. Then you can run whatever process you care to do at this time. It is just that simple!
For older Lantern version 1 case files: the case file is essentially a Zip file. Just unzip the files and bring them into Encase or FTK using the same method as described above. If you have any questions, drop me an email: firstname.lastname@example.org
Here is a short PDF on imaging the MacBook Air with WinFE + FTK Imager.
Just finished writing an article on Imaging the MacBook Air for Digital Forensics Magazine!! Hope it helps those that were pondering this issue.
The MacBook Air was introduced in 2008 and was the thinnest and lightest Mac ever made. It didn’t have much of a following until 2010, when the new MacBook Air was announced. Sales of this generation were a good sign for Apple and for the life cycle of this model.
Back in 2009 I developed methods to image the MacBook Air. The older Airs had both Serial ATA and SSD drives of 64GB and larger. Later generations were typically the same but had larger hard drives. The latest generation has SATA DIMM drives, a first of its kind.
There were 3 basic ways to image the Air.
1. Remove the drive from the Air and image using adapters and normal free imaging tools
2. Use a Linux boot disk like SPADA 4. This method was helpful because it removed the need for a USB hub. All that was needed was to load SPADA into RAM, connect an external drive, and image.
3. Install OS X 10.5 to an external hard disk, make sure disk arbitration is turned off, and then image using command line binaries like dcfldd or dc3dd. We can now use this method again, with OS X 10.6, on the new SATA DIMM drives in the new MacBook Airs.
I will later detail all of these methods so that all examiners will have the knowledge to image any Air they encounter using free methods. The external hard drive method will necessitate purchasing OS X.
Come back and see how to handle these devices!!!!
In OS X everyone should be concerned with File Vault passwords. Cracking File Vault isn’t that difficult.
1. There is an end-around that investigators need to try first.
a. In the /private/var/vm folder sit the sleep image and swap files. The sleep image is a system image similar to the Windows hiberfil. The difference is that there is a wealth of information that can be gleaned from the sleepimage. Since the subject matter is File Vault, we will limit the discussion to it. Passwords for File Vault can (and I emphasize can, not always) be found in the sleep image. Since everything is mostly plain text, a simple search can locate not only File Vault passwords, but a multitude of passwords.
b. So how do we find them? There are two ways. From the command line, create a grep expression that looks for text after “longname”. This will locate all user names and passwords in the sleepimage. Look at all the hits. The hits with the passwords will have the user name followed by “password” and the actual password in plain text. For example,
strings -8 /var/vm/sleepimage | grep -A 4 -i longname
c. For Windows examiners, Encase can be used to locate them as well. First, from the tree pane, navigate to and locate the sleepimage. Blue check the sleep image and create a keyword for “longname”. Run the keyword search and limit the search to the single blue-checked sleepimage. Look at all the hits. The hits with the passwords will have the user name followed by “password” and the actual password in plain text.
2. If the passwords can’t be located, then you’re going to have to use some tools that can crack File Vault. There are a couple of tools that can assist in this. One requires you to be LE; if you email me, I can get it to you free. George Starcher has also created crowbarDMG.
3. If passwords are not located in either the swapfile or sleep image, there are two other methods to crack file vault.
- Crack the user’s login passwords located at /private/var/db/shadow/hash
- Crack the KeyChains themselves. ( The keychains are unencrypted except for the passwords themselves. Many items of interest can be located just by using strings.)
- Attack File vault itself.
One possible command line fix, which I haven’t verified in use with OS X v10.5.8:
sudo pmset -a hibernatemode NUMBER
0 – no sleepimage is used, and RAM contents are kept alive.
1 – only sleepimage is used, and RAM contents are purged.
3 – RAM is kept alive and a sleepimage is used when power reaches critical levels.
5 – only sleepimage is used, but with secure virtual memory enabled.
7 – both live RAM and sleepimage are used, but with secure virtual memory enabled.
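As an added example (not code from the original post), the following POSIX shell script reads the hibernatemode value out of `pmset -g` style output, classifies it using the meanings listed above, and prints the `pmset` command that moves a mode writing an unencrypted sleepimage to its secure virtual memory counterpart. The `pmset -g` output embedded below is constructed, so the script runs anywhere without a Mac.

```shell
#!/bin/sh
# Audit helper for the hibernatemode setting discussed above.
# The sample pmset -g output below is constructed for demonstration.

# Extract the hibernatemode value from text shaped like `pmset -g` output.
# Usage: hibernate_mode_from_pmset "<output of pmset -g>"
hibernate_mode_from_pmset() {
    printf '%s\n' "$1" | awk '$1 == "hibernatemode" { print $2; exit }'
}

# Classify a mode using the list above:
# no-sleepimage, sleepimage-plain (sleepimage without secure virtual memory),
# sleepimage-secure (secure virtual memory enabled), or unknown.
classify_hibernate_mode() {
    case "$1" in
        0)   echo "no-sleepimage" ;;
        1|3) echo "sleepimage-plain" ;;
        5|7) echo "sleepimage-secure" ;;
        *)   echo "unknown" ;;
    esac
}

# Print the pmset command that keeps the same sleep behaviour but enables
# secure virtual memory (1 -> 5, 3 -> 7). Prints nothing when no change is needed.
recommended_pmset_command() {
    case "$1" in
        1) echo "sudo pmset -a hibernatemode 5" ;;
        3) echo "sudo pmset -a hibernatemode 7" ;;
        *) ;;
    esac
}

# Constructed sample mimicking the relevant lines of `pmset -g` on a laptop
# left at the default hibernatemode of 3.
SAMPLE_PMSET_OUTPUT='Active Profiles:
Battery Power		-1
AC Power		-1*
Currently in use:
 hibernatemode	3
 womp		1
 sleep		10
 disksleep	10'

mode=$(hibernate_mode_from_pmset "$SAMPLE_PMSET_OUTPUT")
echo "hibernatemode=$mode ($(classify_hibernate_mode "$mode"))"
recommended_pmset_command "$mode"
```

On a live system, replace the constructed sample with `"$(pmset -g)"` to audit the machine's actual setting.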
Apple can fix this and improve the security of OS X.
Credit goes to Johnny Long, who originally identified this vulnerability 4 years ago.
And to my mentor Thane Erickson, Thanks for your leadership and guidance.