Mac Forensics
MAC FORENSIC
User's own contact card (the Address Book "Me" card: name, e-mail addresses, phone numbers)
/Users/<USERNAME>/Library/Preferences/AddressBookMe.plist
User password hashes (readable only as root)
[10.6] /var/db/shadow/hash/
[10.7] /private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist
[10.8] /private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist
On 10.7 and later the hash sits in the ShadowHashData key of the user's plist (salted SHA-512 on 10.7, PBKDF2 on 10.8).
User keychain (holds most of the user's saved passwords)
/Users/<USERNAME>/Library/Keychains/login.keychain
System keychains
/Library/Keychains/FileVaultMaster.keychain => holds the FileVault recovery key that the master password unlocks
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
Trash
/Users/<USERNAME>/.Trash
/.Trashes (per-volume trash at the root of every mounted volume, e.g. /Volumes/<VOLUME>/.Trashes)
DAILY-USE APPLICATIONS
Address Book / recent mail recipients
/Users/<USERNAME>/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr
Calendar (searchable via Spotlight)
/Users/<USERNAME>/Library/Calendars/Calendar\ Cache
Mail (message index and the per-account mailboxes)
/Users/<USERNAME>/Library/Mail/V2/MailData/Envelope\ Index
/Users/<USERNAME>/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Microsoft Office 2011 auto-recovery copies of open documents
/Users/<USERNAME>/Library/Application\ Support/Microsoft/Office/Office\ 2011\ AutoRecovery
Print spool (CUPS; see http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html)
/var/spool/cups/
Stickies widget notes
/Users/<USERNAME>/Library/Preferences/widget-com.apple.widget.stickies.plist
Evernote note content
/Users/<USERNAME>/Library/Application\ Support/Evernote/accounts/Evernote/xxxxxxxx/content/
CHAT
Skype (contacts, calls and message history in one SQLite database)
/Users/<USERNAME>/Library/Application\ Support/Skype/xxxxxxxx/main.db
Messages (iMessage database and archived transcripts)
/Users/<USERNAME>/Library/Messages/
iChat transcripts
/Users/<USERNAME>/Documents/iChats/
Adium logs
/Users/<USERNAME>/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/
iDEVICES
iTunes (MobileSync) backups of synced iPhones/iPads. In the pre-iOS 10 layout each file is named by the SHA-1 of "<Domain>-<path on the device>", so the names below are the same on every device; Manifest.mbdb in the same folder maps every name back to its path.
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28 (SMS/iMessage database, HomeDomain-Library/SMS/sms.db)
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442 (contacts, HomeDomain-Library/AddressBook/AddressBook.sqlitedb)
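The opaque backup file names above can be checked rather than memorised. The following Python script is an added example, not code from the original page: it computes SHA-1("<Domain>-<relative path>") for a table of candidate device paths and resolves the four names listed above against it. The candidate table is this example's assumption; a name is only "resolved" when the digest actually matches, and anything else is reported as unknown rather than guessed. When the backup's own Manifest.mbdb (iOS 4 to 9) or Manifest.db (iOS 10 and later) is available, use that instead, since it is authoritative.

```python
"""Map MobileSync backup file names back to iOS domain paths (added example)."""
import hashlib

# Candidate domain-relative paths. This table is an assumption of the example:
# an entry only applies to a name if the SHA-1 really matches.
CANDIDATE_PATHS = [
    "HomeDomain-Library/SMS/sms.db",
    "HomeDomain-Library/AddressBook/AddressBook.sqlitedb",
    "HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb",
    "HomeDomain-Library/Calendar/Calendar.sqlitedb",
    "HomeDomain-Library/Notes/notes.sqlite",
    "HomeDomain-Library/Notes/notes.db",
    "WirelessDomain-Library/CallHistory/call_history.db",
    "HomeDomain-Library/Safari/History.plist",
    "HomeDomain-Library/Safari/Bookmarks.db",
    "HomeDomain-Library/Voicemail/voicemail.db",
]

# The four file names listed on the page.
PAGE_FILE_NAMES = [
    "3d0d7e5fb2ce288813306e4d4636395e047a3d28",
    "2041457d5fe04d39d0ab481178355df6781e6858",
    "ff1324e6b949111b2fb449ecddb50c89c3699a78",
    "31bb7ba8914766d4ba40d6dfb6113c8b614be442",
]


def backup_file_name(domain_path: str) -> str:
    """Return the name iTunes gives a file: hex SHA-1 of '<Domain>-<relative path>'."""
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()


def build_index(candidates=CANDIDATE_PATHS) -> dict:
    """Precompute backup name -> domain path for every candidate."""
    return {backup_file_name(p): p for p in candidates}


def resolve(names, index=None) -> dict:
    """Resolve backup file names; names absent from the table are reported, not guessed."""
    index = build_index() if index is None else index
    return {n: index.get(n.lower(), "unknown (not in candidate table)") for n in names}


if __name__ == "__main__":
    for name, path in resolve(PAGE_FILE_NAMES).items():
        print(f"{name}  {path}")
```

Extend CANDIDATE_PATHS with whatever app paths matter to the case; because the name is a plain SHA-1 of the string, a wrong guess simply fails to match.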
WEB BROWSERS
Safari
[HISTORY] /Users/<USERNAME>/Library/Safari/History.plist
[COOKIES] /Users/<USERNAME>/Library/Cookies/Cookies.plist (older Safari)
[COOKIES] /Users/<USERNAME>/Library/Cookies/Cookies.binarycookies (Safari 5.1 and later)
[DOWNLOADS] /Users/<USERNAME>/Library/Safari/Downloads.plist
[PREVIEWS] /Users/<USERNAME>/Library/Caches/com.apple.Safari/WebpagePreviews/ (thumbnails of visited pages)
Firefox
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite (older Firefox; newer versions record downloads in places.sqlite)
Chrome
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History (downloads table of the same database)
Opera (Chromium-based, version 15 and later)
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/Cookies
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
Opera (Presto, up to version 12)
[HISTORY] /Users/<USERNAME>/Library/Opera/global_history.dat
[COOKIES] /Users/<USERNAME>/Library/Opera/cookies4.dat
[DOWNLOADS] /Users/<USERNAME>/Library/Opera/download.dat
Quarantine events (one row per file downloaded by a quarantine-aware application, with source URL, downloading application and timestamp; the row survives deletion of the file itself)
/Users/<USERNAME>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*
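Every one of the databases above keeps its own clock, and lining them up against system.log is where timelines go wrong. The Python script below is an added example, not code from the original page: it decodes the three epochs in play (Chrome/Chromium and Opera 15+ store microseconds since 1601-01-01 UTC, Firefox microseconds since 1970-01-01 UTC, Safari's plists and the LaunchServices quarantine database seconds since 2001-01-01 UTC) and runs the queries a practitioner would run against the Chrome History file and QuarantineEventsV2. Both databases are constructed in memory with a subset of the real columns; the URLs, paths and identifier are invented.

```python
"""Decode browser and quarantine timestamps from the artifacts above (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/Chromium, Opera 15+ (microseconds)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox places.sqlite (microseconds)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Safari plists, QuarantineEventsV2 (seconds)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def firefox_to_datetime(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


def cocoa_to_datetime(secs: float) -> datetime:
    return COCOA_EPOCH + timedelta(seconds=secs)


def make_sample_chrome_history() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History file (urls/downloads column subset)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, received_bytes INTEGER);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    db.execute("INSERT INTO urls VALUES (1, 'http://example.test/login', 'Login', 3, ?)",
               (13017751200000000,))  # 2013-07-08 10:00:00 UTC in WebKit time
    db.execute("INSERT INTO downloads VALUES (1, '/Users/alice/Downloads/tool.dmg', ?, 4096)",
               (13017754800000000,))  # 2013-07-08 11:00:00 UTC in WebKit time
    db.execute("INSERT INTO downloads_url_chains VALUES (1, 0, 'http://example.test/tool.dmg')")
    return db


def make_sample_quarantine_db() -> sqlite3.Connection:
    """Constructed stand-in for com.apple.LaunchServices.QuarantineEventsV2."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE LSQuarantineEvent(
        LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    db.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)",
               ("9B6C0E3A-0000-4000-8000-000000000001", 394974000.0,  # 2013-07-08 11:00:00 UTC
                "Safari", "http://example.test/tool.dmg", "http://example.test/"))
    return db


def chrome_history(db):
    """(time, url, title) for every visited URL, oldest first."""
    rows = db.execute("SELECT last_visit_time, url, title FROM urls ORDER BY last_visit_time")
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def chrome_downloads(db):
    """(start time, local path, source URL) for every download."""
    q = """SELECT d.start_time, d.target_path, c.url FROM downloads d
           JOIN downloads_url_chains c ON c.id = d.id ORDER BY d.start_time"""
    return [(webkit_to_datetime(t), path, url) for t, path, url in db.execute(q)]


def quarantine_events(db):
    """(time, downloading application, source URL) for every quarantined download."""
    q = """SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                  LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY 1"""
    return [(cocoa_to_datetime(t), agent, url) for t, agent, url in db.execute(q)]


if __name__ == "__main__":
    for when, url, title in chrome_history(make_sample_chrome_history()):
        print(when.isoformat(), "visit", url, title)
    for when, path, url in chrome_downloads(make_sample_chrome_history()):
        print(when.isoformat(), "download", path, "from", url)
    for when, agent, url in quarantine_events(make_sample_quarantine_db()):
        print(when.isoformat(), "quarantine", agent, url)
```

Against a real profile, copy the database first (browsers hold a lock on the live file) and open the copy; the queries are the same. All three converters return UTC, so convert to the machine's local zone before comparing with system.log, whose timestamps are local.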
EVENT INVESTIGATION
All of the commands below are filtered on a single day (8 July 2013): change 'Jul 8', '2013', '2013-07-08' and the ASL file name to the day under investigation. Rotated logs (system.log.0.bz2 and so on) are searched with bzgrep. Note that syslog pads single-digit days with a second space ("Jul  8 09:41:39"), so use grep -E 'Jul +8' if a plain 'Jul 8' pattern returns nothing.
Boot
[OnLionandMountainLion] $ sudo grep -i 'BOOT_TIME' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLionandMountainLion] $ sudo bzgrep -i 'BOOT_TIME' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
Shutdown
[OnLionandMountainLion] $ sudo grep -i 'SHUTDOWN_TIME' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLionandMountainLion] $ sudo bzgrep -i 'SHUTDOWN_TIME' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
Sleep / hibernation
[OnMountainLion] $ sudo grep -i 'hibernate_setup(0) took' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'hibernate_setup(0) took' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLion] $ sudo grep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLion] $ sudo bzgrep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
Wake
[OnMountainLion] $ sudo grep -i 'Wake reason' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'Wake reason' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLion] $ sudo syslog -T utc+2 -F raw -f /var/log/asl/2013.07.08.* | grep 'Message Wake' | grep -i 'Jul 8' | cut -d ']' -f 2 | sed -e 's/ \[Time//g'
Login window activity
[OnMountainLion] $ sudo grep -i 'Application App:"loginwindow"' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'Application App:"loginwindow"' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[OnLion] $ sudo grep -i 'loginwindow' /var/log/windowserver.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
Failed logins (wrong password; the user name is on the "Got user" line a few lines earlier, hence -B 9)
[OnMountainLion] $ sudo grep -i -B 9 'The authtok is incorrect.' /var/log/system.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnMountainLion] $ sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/system.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnLion] $ sudo grep -i -B 9 'The authtok is incorrect.' /var/log/secure.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnLion] $ sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/secure.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
Successful logins (credentials established; the "Got user" line follows, hence -A 1)
[OnMountainLion] $ sudo grep -i -A 1 'Establishing credentials' /var/log/system.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnMountainLion] $ sudo bzgrep -i -A 1 'Establishing credentials' /var/log/system.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnLion] $ sudo grep -i -A 1 'Establishing credentials' /var/log/secure.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[OnLion] $ sudo bzgrep -i -A 1 'Establishing credentials' /var/log/secure.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
USB storage drivers loaded (access time of the USB kexts). external_bin/grep_gnu_lion is the author's own GNU grep build; the stock grep works as well. '8 Jul' matches the author's day-first locale; in the C/English locale ls prints 'Jul  8'. Access times are only a hint: they are useless on a volume mounted noatime and are overwritten by Spotlight, backups or the examiner's own tools.
[OnMountainLionandLion] $ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'
[OnMountainLionandLion] $ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'IOUSBFamily.kext|IOUSBMassStorageClass.kext' | awk '{print $7,$6,$8,$9}'
USB mass-storage device plugged in (kernel USBMSC line: field 10 is the vendor ID, field 11 the product ID; look them up in http://www.linux-usb.org/usb.ids)
[OnMountainLion] $ sudo grep -i 'USBMSC' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
[OnMountainLion] $ sudo bzgrep -i 'USBMSC' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
[OnLion] $ sudo grep -i 'USBMSC' /var/log/kernel.log | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
[OnLion] $ sudo bzgrep -i 'USBMSC' /var/log/kernel.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
FSEvents (file system event daemon) messages
[OnLionandMountainLion] $ sudo grep -i 'fsevents' /var/log/system.log | grep -i 'Jul 8'
[OnLionandMountainLion] $ sudo bzgrep -i 'fsevents' /var/log/system.log.* | grep -i 'Jul 8'
FireWire drivers loaded
[OnLionandMountainLion] $ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'IOFireWireFamily.kext|IOFireWireIP.kext'
[OnLionandMountainLion] $ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'IOFireWireFamily.kext|IOFireWireIP.kext' | awk '{print $7,$6,$8,$9}'
FireWire network change
[OnLionandMountainLion] $ sudo grep -i 'fw' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnLionandMountainLion] $ sudo bzgrep -i 'fw' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
iPod / FireWire disk (SBP-2) drivers loaded
[OnLionandMountainLion] $ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'iPodDriver.kext|IOFireWireSBP2.kext'
[OnLionandMountainLion] $ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'iPodDriver.kext|IOFireWireSBP2.kext' | awk '{print $7,$6,$8,$9}'
Terminal sessions opened and closed (utmpx USER_PROCESS / DEAD_PROCESS records)
[OnLionandMountainLion] $ sudo grep -i 'ttys' /var/log/system.log | grep -i 'Jul 8' | egrep 'USER_PROCESS|DEAD_PROCESS' | sed -e 's/USER_PROCESS/OPENING TERMINAL/g' | sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g' | awk '{print $1,$2,$3,$6,$7,$9}'
[OnLionandMountainLion] $ sudo bzgrep -i 'ttys' /var/log/system.log.* | grep -i 'Jul 8' | egrep 'USER_PROCESS|DEAD_PROCESS' | sed -e 's/USER_PROCESS/OPENING TERMINAL/g' | sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g' | awk '{print $1,$2,$3,$6,$7,$9}'
sudo usage (who ran what as root)
[OnMountainLion] $ sudo grep -i 'sudo\[' /var/log/system.log | grep -i 'Jul 8'
[OnMountainLion] $ sudo bzgrep -i 'sudo\[' /var/log/system.log.* | grep -i 'Jul 8'
[OnLion] $ sudo grep -i 'sudo\[' /var/log/secure.log | grep -i 'Jul 8'
[OnLion] $ sudo bzgrep -i 'sudo\[' /var/log/secure.log.* | grep -i 'Jul 8'
Failed sudo attempts
[OnMountainLion] $ sudo grep -i 'incorrect password attempts' /var/log/system.log | grep -i 'Jul 8'
[OnMountainLion] $ sudo bzgrep -i 'incorrect password attempts' /var/log/system.log.* | grep -i 'Jul 8'
[OnLion] $ sudo grep -i 'incorrect password attempts' /var/log/secure.log | grep -i 'Jul 8'
[OnLion] $ sudo bzgrep -i 'incorrect password attempts' /var/log/secure.log.* | grep -i 'Jul 8'
User accounts created or deleted and passwords changed (BSM audit trail)
[OnLionandMountainLion] $ sudo praudit -xn /var/audit/current | egrep 'create user|modify password|delete user' -A 3 | grep -i 'Jul 8' -A 3 | sed 's/\&apos\;/"/g'
Applications installed or launched that day (access time of each bundle's Info.plist; -v root drops Apple-installed bundles)
[OnLionandMountainLion] $ sudo find /Applications -maxdepth 3 -type f -exec ls -lu {} \; | grep Info.plist | grep -i '8 Jul' | grep -v root | awk '{$7=""}1'
[OnLionandMountainLion] $ sudo stat -f '%Sa %N' /Applications/*/*/* | external_bin/grep_gnu_lion -i 'Jul 8'
[OnLionandMountainLion] $ sudo find /Applications/ -name "Info.plist" -type f -exec stat -f '%Sa %N' {} \; | grep 'Jul 8'
Persistence locations modified that day (modification time, %Sm)
[OnLionandMountainLion] $ sudo find /path_to_file -type f -exec stat -f '%Sm %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_file = "/System/Library/XPCServices/", "/System/Library/LaunchAgents/", "/Library/LaunchAgents/", "/Users/<USERNAME>/Library/LaunchAgents/", "/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/"
Files created that day (birth time, %SB)
[OnLionandMountainLion] $ sudo find /path_to_directory -type f -exec stat -f '%SB %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_directory = "/Users/<USERNAME>/Library/Preferences/com.apple.loginitems.plist", "/etc/passwd"
Files accessed that day (access time, %Sa)
[OnLionandMountainLion] $ sudo find /path_to_directory -type f -exec stat -f '%Sa %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_directory = "/Users/<USERNAME>", "/Volumes/Supersecret"
Mail messages read that day (access time of the .emlx files)
[OnLionandMountainLion] $ find /Users/<USERNAME>/Library/Mail/V2/IMAP-YYYY\@mail.XXXX.fr/INBOX.mbox/ -type f -name '*.emlx' -exec stat -f '%Sa %N' '{}' + | grep -i 'Jul 8' | grep 2013
DNS server added (DNS+) or removed (DNS-) by a network change
[OnMountainLion] $ sudo grep -i 'DNS+' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'DNS+' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo grep -i 'DNS-' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'DNS-' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
Network interface change (en0, en1, ...)
[OnMountainLion] $ sudo grep -i 'en' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnMountainLion] $ sudo bzgrep -i 'en' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[OnLion] $ sudo egrep -i 'frequent transitions|network configuration changed' /var/log/system.log | grep -i 'Jul 8'
[OnLion] $ sudo bzegrep -i 'frequent transitions|network configuration changed' /var/log/system.log.* | grep -i 'Jul 8'
Wi-Fi networks joined that day (LastConnected per known network, read from the preferences of a mounted evidence volume)
[OnLionandMountainLion] $ sudo defaults read /Volumes/Macintosh\ HD/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist | sed 's|\./|`pwd`/|g' | sed 's|.plist||g' | grep 'LastConnected' -A 3 | grep -A 3 2013-07-08
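The one-liners above each answer one question; on a real case they end up merged into a single ordered list for the day. The Python script below is an added example, not code from the original page, that consolidates the system.log searches above (boot, shutdown, login window, failed and successful logins, USBMSC, terminal sessions, sudo and failed sudo) into one timeline. The log excerpt is constructed to mimic Mountain Lion's system.log: Apple's exact wording varies between releases, so the match strings are the page's own search terms, and the hostname, PIDs, user, serial number and device are invented. Two details the one-liners depend on are made explicit: the date is parsed rather than grepped, because syslog pads single-digit days ("Jul  8"), and the failed/successful login lines carry no user name, so it is taken from the neighbouring "Got user:" line exactly as the page's grep -B 9 / -A 1 do.

```python
"""One-day timeline from system.log, consolidating the page's grep one-liners (added example)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "time kind detail")

# Constructed excerpt in Mountain Lion's system.log format; all names and numbers are invented.
SAMPLE_LOG = """\
Jul  7 23:58:01 mac sudo[410]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/last
Jul  8 08:59:58 localhost bootlog[0]: BOOT_TIME 1373266798 0
Jul  8 09:00:10 mac WindowServer[95]: Application App:"loginwindow" [ 0x1/0x1001]  @ 1.28 is now Active
Jul  8 09:00:25 mac authorizationhost[220]: in pam_sm_authenticate(): Got user: alice
Jul  8 09:00:25 mac authorizationhost[220]: in pam_sm_authenticate(): The authtok is incorrect.
Jul  8 09:00:31 mac authorizationhost[220]: in pam_sm_authenticate(): Establishing credentials
Jul  8 09:00:31 mac authorizationhost[220]: in pam_sm_authenticate(): Got user: alice
Jul  8 10:21:33 mac kernel[0]: USBMSC Identifier (non-unique): 0019E06B0A0F 0x951 0x1666 0x110
Jul  8 10:28:00 mac login[550]: USER_PROCESS: 550 ttys000
Jul  8 10:29:40 mac sudo[554]:    alice : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/bash
Jul  8 10:30:00 mac sudo[555]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/svc_backup
Jul  8 10:41:12 mac login[550]: DEAD_PROCESS: 550 ttys000
Jul  8 23:10:02 mac shutdown[980]: SHUTDOWN_TIME: 1373317802 0
"""

# Two vendor IDs copied from http://www.linux-usb.org/usb.ids; load the whole file in practice.
USB_VENDORS = {"0x951": "Kingston Technology", "0x781": "SanDisk Corp."}

# Syslog header: month, day (1 or 2 digits, space padded), time, host, "process[pid]:", message.
HEADER = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+(?P<proc>[^:]+):\s*(?P<msg>.*)$")
GOT_USER = re.compile(r"Got user: (\S+)")

# (kind, pattern applied to the message part); the first matching rule wins.
RULES = [
    ("boot",        re.compile(r"BOOT_TIME")),
    ("shutdown",    re.compile(r"SHUTDOWN_TIME")),
    ("loginwindow", re.compile(r'Application App:"loginwindow"')),
    ("auth_fail",   re.compile(r"The authtok is incorrect")),
    ("auth_ok",     re.compile(r"Establishing credentials")),
    ("usb",         re.compile(r"USBMSC Identifier \(non-unique\): (\S+) (0x[0-9a-fA-F]+) (0x[0-9a-fA-F]+)")),
    ("tty_open",    re.compile(r"USER_PROCESS: \d+ (ttys\d+)")),
    ("tty_close",   re.compile(r"DEAD_PROCESS: \d+ (ttys\d+)")),
    ("sudo_fail",   re.compile(r"^(\S+) : (\d+) incorrect password attempts.*COMMAND=(.*)$")),
    ("sudo",        re.compile(r"^(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")),
]


def user_near(msgs, i, offsets):
    """User name from the closest 'Got user:' line at the given offsets from msgs[i], else None."""
    for off in offsets:
        if 0 <= i + off < len(msgs):
            hit = GOT_USER.search(msgs[i + off][1])
            if hit:
                return hit.group(1)
    return None


def timeline(log_text, month, day):
    """Events of one day in log order, each with the detail the page's awk/sed would print."""
    msgs = []  # (time, message) of the requested day only
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m and m["mon"] == month and int(m["day"]) == day:
            msgs.append((m["time"], m["msg"]))
    events = []
    for i, (when, msg) in enumerate(msgs):
        for kind, pat in RULES:
            hit = pat.search(msg)
            if not hit:
                continue
            if kind == "usb":
                serial, vendor, product = hit.groups()
                detail = f"serial={serial} vendor={vendor} ({USB_VENDORS.get(vendor, 'unknown vendor')}) product={product}"
            elif kind == "auth_fail":   # page: grep -B 9 ... | grep 'Got user'
                detail = f"user={user_near(msgs, i, range(-1, -10, -1))}"
            elif kind == "auth_ok":     # page: grep -A 1 ... | grep 'Got user'
                detail = f"user={user_near(msgs, i, [1])}"
            elif kind == "sudo_fail":
                detail = f"user={hit.group(1)} attempts={hit.group(2)} command={hit.group(3)}"
            elif kind == "sudo":
                detail = f"user={hit.group(1)} as={hit.group(2)} command={hit.group(3)}"
            elif hit.groups():
                detail = hit.group(1)
            else:
                detail = msg
            events.append(Event(when, kind, detail))
            break
    return events


if __name__ == "__main__":
    for ev in timeline(SAMPLE_LOG, "Jul", 8):
        print(f"Jul 8 {ev.time}  {ev.kind:12s} {ev.detail}")
```

Feed it the concatenation of system.log and the decompressed rotated files (bzcat /var/log/system.log.*.bz2) to cover the whole retention window; since syslog lines carry no year, keep the files from one year apart, or pass the year in from the file's modification date.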
LIVE WI-FI CHECKS
Scan the networks in range (output from the original page; the header of the first table is restored):
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s
SSID                  BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
FreeWifi_secure       16:10:18:47:f2:4d -83  5       Y  -- WPA(802.1x/AES/AES)
Livebox-eaXX          00:1d:6a:45:06:eb -79  6       Y  FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
Freebox-4862XX        f4:ca:e5:e1:ec:ac -88  8       Y  -- WPA(PSK/AES/AES)
FreeWifi              22:48:94:aa:8d:e2 -84  11      Y  -- NONE
FreeWifi              f4:ca:e5:8b:46:91 -85  11      Y  -- NONE
Réseau Wi-Fi de toto  5c:96:9d:69:36:92 -85  60,+1   Y  FR WPA2(PSK/AES/AES)
Réseau Wi-Fi de toto  5c:96:9d:69:36:91 -66  11      Y  FR WPA2(PSK/AES/AES)
FreeWifi              f4:ca:e5:e1:ec:ad -86  8       Y  -- NONE
FreeWifi_secure       00:24:d4:ca:02:5e -85  7       Y  -- WPA2(802.1x/AES,TKIP/TKIP)
2 IBSS networks found:
SSID                  BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
HP01C65B              f6:3f:43:f9:3f:92 -85  1       N  EU NONE
HP0142F9              02:2d:8d:e6:9f:e0 -65  10      N  EU NONE
Test a candidate pre-shared key against a network in range: a successful join prints nothing, a bad key prints an error. Do this from an analysis machine, never from the evidence Mac, because a successful join is written to its preferences and keychain and so alters the evidence.
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888"
==> good pre-shared key (no error message)
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345"
Failed to join network yellowstay.
==> bad pre-shared key (error message)
Disassociate from the current network
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
Networks the live system last joined (LastConnected per known network)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | sed 's|\./|`pwd`/|g' | sed 's|.plist||g' | grep 'LastConnected' -A 3
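The grep -A 3 around LastConnected works, but it prints the plist fragments in file order and leaves the per-day filtering to the eye. The Python script below is an added example, not code from the original page: it reads com.apple.airport.preferences.plist, lists the known networks newest first and answers the page's "which networks were joined on 2013-07-08" question directly. The plist is constructed for the example, and its layout (a KnownNetworks dictionary whose entries carry SSIDString, SecurityType and a LastConnected date) is an assumption modelled on the Lion/Mountain Lion file; compare the key names with the real file before relying on them.

```python
"""Known Wi-Fi networks and their last-connected dates from the airport preferences (added example)."""
import plistlib
from datetime import datetime

# Constructed sample plist. The key layout is this example's assumption; the real
# file additionally carries channel, BSSID history and more per network.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>KnownNetworks</key><dict>
    <key>wifi.ssid.&lt;79656c6c6f7773746179&gt;</key><dict>
      <key>SSIDString</key><string>yellowstay</string>
      <key>SecurityType</key><string>WPA2 Personal</string>
      <key>LastConnected</key><date>2013-07-08T18:22:11Z</date>
    </dict>
    <key>wifi.ssid.&lt;4672656557696669&gt;</key><dict>
      <key>SSIDString</key><string>FreeWifi</string>
      <key>SecurityType</key><string>Open</string>
      <key>LastConnected</key><date>2013-07-02T07:05:40Z</date>
    </dict>
    <key>wifi.ssid.&lt;4c697665626f782d65615858&gt;</key><dict>
      <key>SSIDString</key><string>Livebox-eaXX</string>
      <key>SecurityType</key><string>WPA/WPA2 Personal</string>
    </dict>
  </dict>
</dict></plist>
"""


def known_networks(plist_bytes: bytes) -> list:
    """One record per known network, most recently connected first."""
    prefs = plistlib.loads(plist_bytes)
    records = []
    for key, entry in prefs.get("KnownNetworks", {}).items():
        records.append({
            "ssid": entry.get("SSIDString", key),
            "security": entry.get("SecurityType", "unknown"),
            # plistlib returns <date> values as naive UTC datetimes; None if the
            # network is remembered but has no recorded connection.
            "last_connected": entry.get("LastConnected"),
        })
    # Networks without a LastConnected date sort last.
    return sorted(records, key=lambda r: r["last_connected"] or datetime.min, reverse=True)


def connected_on(records: list, day: str) -> list:
    """Networks last joined on the given UTC day ('YYYY-MM-DD'), the page's grep -A 3 2013-07-08 filter."""
    return [r for r in records
            if r["last_connected"] and r["last_connected"].date().isoformat() == day]


if __name__ == "__main__":
    nets = known_networks(SAMPLE_PLIST)
    for r in nets:
        print(r["last_connected"], r["security"], r["ssid"])
    print("joined on 2013-07-08:", [r["ssid"] for r in connected_on(nets, "2013-07-08")])
```

Read the real file with open(path, "rb").read(); plistlib.loads handles both the XML and the binary form. LastConnected is stored in UTC while system.log is in local time, so shift one of them before lining the two up.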
Capture the screen once a second for 130 seconds (live monitoring of the desktop)
$ for i in $(seq 130); do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png; done > /dev/null 2>&1