Mac Forensics (Mac Forensic)
While there is a fair number of established tools in our country for examining the popular Windows, there are not many options for the Mac, and the different file system clearly brings its own difficulties. This section covers Mac OS X from a digital forensics angle: type the commands below into Terminal (the command console) on a system booted in a virtual machine and you get output that explains itself and makes the examination considerably easier. The queries below use 8 July (Jul 8) as the example date; change it by using the abbreviated month name (Jan, May, Dec, and so on).
MAC FORENSIC
Mac owner identity (name, address, phone, etc.)
/Users/<USERNAME>/Library/Preferences/AddressBookMe.plist
User password hashes
[10.6] /var/db/shadow/hash/
[10.7] /private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist
[10.8] /private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist
User keychain (holds many saved passwords)
/Users/<USERNAME>/Library/Keychains/login.keychain
System keychains
/Library/Keychains/FileVaultMaster.keychain => contains the FileVaultRecoveryKey used with the master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
Trash
/Users/<USERNAME>/.Trash
/.Trashes
EVERYDAY APPLICATION DATA
Address list (recent mail recipients)
/Users/<USERNAME>/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr
Calendar (via Spotlight search)
/Users/<USERNAME>/Library/Calendars/Calendar\ Cache
User e-mails, as text (via Spotlight search)
/Users/<USERNAME>/Library/Mail/V2/MailData/Envelope\ Index
User e-mails, complete (mbox files)
/Users/<USERNAME>/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Office files kept by the AutoRecovery service
/Users/<USERNAME>/Library/Application\ Support/Microsoft/Office/Office\ 2011\ AutoRecovery
Last printed documents (print spool)
/var/spool/cups/ (see http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html)
Notes created with the Stickies widget
/Users/<USERNAME>/Library/Preferences/widget-com.apple.widget.stickies.plist
Evernote notes
/Users/<USERNAME>/Library/Application\ Support/Evernote/accounts/Evernote/xxxxxxxx/content/
CHAT
Skype message archive (chat logs)
/Users/<USERNAME>/Library/Application\Support/Skype/xxxxxxxx/main.db
Messages / iChat archive (chat logs)
/Users/<USERNAME>/Library/Messages/
iChat archive (chat logs)
/Users/<USERNAME>/Documents/iChats/
Adium archive (chat logs)
/Users/<USERNAME>/Library/Application\Support/Adium\2.0/Users/Default/Logs/
iDEVICES
iDevice SMS (from iTunes backup archives)
/Users/<USERNAME>/Library/Application\Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28
iDevice calendar (from iTunes backup archives)
/Users/<USERNAME>/Library/Application\Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
iDevice call history (from iTunes backup archives)
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
iDevice address book (from iTunes backup archives)
/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442
WEB BROWSERS
Safari cookies and other archives
[HISTORY] /Users/<USERNAME>/Library/Safari/History.plist
[COOKIES] /Users/<USERNAME>/Library/Cookies/Cookies.plist
[COOKIES] /Users/<USERNAME>/Library/Cookies/Cookies.binarycookies
[DOWNLOADS] /Users/<USERNAME>/Library/Safari/Downloads.plist
Safari previews (web page snapshots):
/Users/<USERNAME>/Library/Caches/com.apple.Safari/WebpagePreviews/
Firefox
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite
Chrome
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History
Opera
[HISTORY] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY] /Users/<USERNAME>/Library/Opera/global_history.dat
[COOKIES] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES] /Users/<USERNAME>/Library/Opera/cookies4.dat
[DOWNLOADS] /Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS] /Users/<USERNAME>/Library/Opera/download.dat
QuarantineEventsV (may contain browser or iChat download records)
/Users/<USERNAME>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*
EVENT ANALYSIS
How can recent activity on a Mac OS X system be identified quickly? The system logs can be analysed with the bash commands below.
Boot times:
[On Lion and Mountain Lion]
$ sudo grep -i 'BOOT_TIME' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'BOOT_TIME' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'

Shutdown times:
[On Lion and Mountain Lion]
$ sudo grep -i 'SHUTDOWN_TIME' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'SHUTDOWN_TIME' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'

Sleep (hibernate) events:
[On Mountain Lion]
$ sudo grep -i 'hibernate_setup(0) took' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'hibernate_setup(0) took' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[On Lion]
$ sudo grep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'

Wake events:
[On Mountain Lion]
$ sudo grep -i 'Wake reason' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'Wake reason' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[On Lion]
$ sudo syslog -T utc+2 -F raw -f /var/log/asl/2013.07.08.* | grep 'Message Wake' | grep -i 'Jul 8' | cut -d ']' -f 2 | sed -e 's/\ \[Time//g'

Login window sessions (user logins):
[On Mountain Lion]
$ sudo grep -i 'Application App:"loginwindow"' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'Application App:"loginwindow"' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3}'
[On Lion]
$ sudo grep -i 'loginwindow' /var/log/windowserver.log | grep -i 'Jul 8' | awk '{print $1,$2,$3}'

Failed password attempts (the 'Got user' line preceding the error names the account):
[On Mountain Lion]
$ sudo grep -i -B 9 'The authtok is incorrect.' /var/log/system.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
$ sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/system.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[On Lion]
$ sudo grep -i -B 9 'The authtok is incorrect.' /var/log/secure.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
$ sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/secure.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'

Successful authentications (the 'Got user' line following 'Establishing credentials'):
[On Mountain Lion]
$ sudo grep -i -A 1 'Establishing credentials' /var/log/system.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
$ sudo bzgrep -i -A 1 'Establishing credentials' /var/log/system.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
[On Lion]
$ sudo grep -i -A 1 'Establishing credentials' /var/log/secure.log | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'
$ sudo bzgrep -i -A 1 'Establishing credentials' /var/log/secure.log.* | grep -i 'Jul 8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'

USB device use (last access time of the USB kexts):
[On Mountain Lion and Lion]
$ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'
$ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'IOUSBFamily.kext|IOUSBMassStorageClass.kext' | awk '{print $7,$6,$8,$9}'

Newly plugged USB mass-storage devices (fields $10 and $11 of the USBMSC line are the vendor and product IDs; look them up at http://www.linux-usb.org/usb.ids):
[On Mountain Lion]
$ sudo grep -i 'USBMSC' /var/log/system.log | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$ sudo bzgrep -i 'USBMSC' /var/log/system.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
[On Lion]
$ sudo grep -i 'USBMSC' /var/log/kernel.log | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$ sudo bzgrep -i 'USBMSC' /var/log/kernel.log.* | grep -i 'Jul 8' | awk '{print $1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'

fsevents messages (file system event notifications):
[On Lion and Mountain Lion]
$ sudo grep -i 'fsevents' /var/log/system.log | grep -i 'Jul 8'
$ sudo bzgrep -i 'fsevents' /var/log/system.log.* | grep -i 'Jul 8'
FireWire connections from another computer or storage device (last connection dates, from the FireWire kexts' access time):
[On Lion and Mountain Lion]
$ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'IOFireWireFamily.kext|IOFireWireIP.kext'
$ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'IOFireWireFamily.kext|IOFireWireIP.kext' | awk '{print $7,$6,$8,$9}'

FireWire network interface changes:
[On Lion and Mountain Lion]
$ sudo grep -i 'fw' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'fw' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'

iPod and FireWire (SBP-2) disk connections:
[On Lion and Mountain Lion]
$ sudo stat -f '%Sa %N' /System/Library/Extensions/* | external_bin/grep_gnu_lion -i 'Jul 8' | external_bin/grep_gnu_lion 2013 | egrep -i 'iPodDriver.kext|IOFireWireSBP2.kext'
$ sudo ls -lu /System/Library/Extensions/ | grep -i '8 Jul' | egrep 'iPodDriver.kext|IOFireWireSBP2.kext' | awk '{print $7,$6,$8,$9}'

Terminal sessions opened and closed:
[On Lion and Mountain Lion]
$ sudo grep -i 'ttys' /var/log/system.log | grep -i 'Jul 8' | egrep 'USER_PROCESS|DEAD_PROCESS' | sed -e 's/USER_PROCESS/OPENING TERMINAL/g' | sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g' | awk '{print $1,$2,$3,$6,$7,$9}'
$ sudo bzgrep -i 'ttys' /var/log/system.log.* | grep -i 'Jul 8' | egrep 'USER_PROCESS|DEAD_PROCESS' | sed -e 's/USER_PROCESS/OPENING TERMINAL/g' | sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g' | awk '{print $1,$2,$3,$6,$7,$9}'

sudo usage:
[On Mountain Lion]
$ sudo grep -i 'sudo\[' /var/log/system.log | grep -i 'Jul 8'
$ sudo bzgrep -i 'sudo\[' /var/log/system.log.* | grep -i 'Jul 8'
[On Lion]
$ sudo grep -i 'sudo\[' /var/log/secure.log | grep -i 'Jul 8'
$ sudo bzgrep -i 'sudo\[' /var/log/secure.log.* | grep -i 'Jul 8'

Repeated wrong-password messages:
[On Mountain Lion]
$ sudo grep -i 'incorrect password attempts' /var/log/system.log | grep -i 'Jul 8'
$ sudo bzgrep -i 'incorrect password attempts' /var/log/system.log.* | grep -i 'Jul 8'
[On Lion]
$ sudo grep -i 'incorrect password attempts' /var/log/secure.log | grep -i 'Jul 8'
$ sudo bzgrep -i 'incorrect password attempts' /var/log/secure.log.* | grep -i 'Jul 8'

User accounts created, passwords changed and users deleted (from the audit trail):
[On Lion and Mountain Lion]
$ sudo praudit -xn /var/audit/current | egrep 'create user|modify password|delete user' -A 3 | grep -i 'Jul 8' -A 3 | sed 's/\&apos\;/"/g'

Applications launched (access time of their Info.plist):
[On Lion and Mountain Lion]
$ sudo find /Applications -maxdepth 3 -type f -exec ls -lu {} \; | grep Info.plist | grep -i '8 Jul' | grep -v root | awk '{$7=""}1'
$ sudo stat -f '%Sa %N' /Applications/*/*/* | external_bin/grep_gnu_lion -i 'Jul 8'
$ sudo find /Applications/ -name "Info.plist" -type f -exec stat -f '%Sa %N' {} \; | grep 'Jul 8'
Files modified on the date (modification time, %Sm), for example launch agents and daemons:
[On Lion and Mountain Lion]
$ sudo find /path_to_file -type f -exec stat -f '%Sm %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_file = "/System/Library/XPCServices/", "/System/Library/LaunchAgents/", "/Library/LaunchAgents/", "/Users/<USERNAME>/Library/LaunchAgents/", "/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/"

Files created on the date (birth time, %SB):
[On Lion and Mountain Lion]
$ sudo find /path_to_directory -type f -exec stat -f '%SB %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_directory = "/Users/<USERNAME>/Library/Preferences/com.apple.loginitems.plist", "/etc/passwd"

Files accessed on the date (access time, %Sa):
[On Lion and Mountain Lion]
$ sudo find /path_to_directory -type f -exec stat -f '%Sa %N' '{}' + | grep -i 'Jul 8' | grep 2013
for example, path_to_directory = "/Users/<USERNAME>", "/Volume/Supersecret"

E-mails read on the date (access time of the .emlx messages):
[On Lion and Mountain Lion]
$ find /Users/<USERNAME>/Library/Mail/V2/IMAP-YYYY\@mail.XXXX.fr/INBOX.mbox/ -type f -name '*.emlx' -exec stat -f '%Sa %N' '{}' + | grep -i 'Jul 8' | grep 2013

Network connections (DNS servers added):
[On Mountain Lion]
$ sudo grep -i 'DNS+' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'DNS+' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'

Network disconnections (DNS servers removed):
[On Mountain Lion]
$ sudo grep -i 'DNS-' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'DNS-' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'

Network interface (en*) changes:
[On Mountain Lion]
$ sudo grep -i 'en' /var/log/system.log | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
$ sudo bzgrep -i 'en' /var/log/system.log.* | grep -i 'Jul 8' | grep 'network changed' | awk '{print $1,$2,$3}'
[On Lion]
$ sudo egrep -i 'frequent transitions|network configuration changed' /var/log/system.log | grep -i 'Jul 8'
$ sudo bzegrep -i 'frequent transitions|network configuration changed' /var/log/system.log.* | grep -i 'Jul 8'

Wi-Fi networks last connected on the date:
[On Lion and Mountain Lion]
$ sudo defaults read /Volumes/Macintosh\ HD/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist | sed 's|\./|`pwd`/|g' | sed 's|.plist||g' | grep 'LastConnected' -A 3 | grep -A 3 2013-07-08
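As an added example (not part of the original page or of the mac-security-tips wiki), the shell helper below packages the page's recurring pattern (keyword filter, date filter, print the timestamp fields) so it reads the live system.log with grep and bzip2-rotated copies with bzgrep, and runs the boot, shutdown and USBMSC queries over constructed sample lines; the date match tolerates the space-padded day ("Jul  8") that syslog writes for days 1 to 9. The sample log, host names and USB serial are constructed values.

```shell
#!/bin/sh
# Constructed sample lines in the system.log layout (syslog pads single-digit days: "Jul  8").
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul  7 23:58:10 mymac shutdown[412]: SHUTDOWN_TIME 1373234290 0
Jul  8 09:12:01 localhost bootlog[0]: BOOT_TIME 1373267521 0
Jul  8 09:15:44 mymac kernel[0]: USBMSC Identifier (non-unique): 4C530001200715102505 0x781 0x5567 0x100
Jul  8 18:30:02 mymac shutdown[910]: SHUTDOWN_TIME 1373301002 0
Jul  9 08:01:15 localhost bootlog[0]: BOOT_TIME 1373349675 0
EOF

# log_lines LOGFILE KEYWORD MON DAY
# Lines of LOGFILE containing KEYWORD (case-insensitive) on the given day.
# Rotated logs (system.log.0.bz2, ...) are read with bzgrep, as the page does.
log_lines() {
    case "$1" in
        *.bz2) bzgrep -i -- "$2" "$1" ;;
        *)     grep   -i -- "$2" "$1" ;;
    esac | grep -E "^$3 +$4 "
}

# Boot and shutdown times: the page's awk '{print $1,$2,$3}' step (month, day, time).
boot_events()     { log_lines "$1" BOOT_TIME     "$2" "$3" | awk '{print $1, $2, $3}'; }
shutdown_events() { log_lines "$1" SHUTDOWN_TIME "$2" "$3" | awk '{print $1, $2, $3}'; }

# Newly plugged USB mass-storage devices: fields $10/$11 of the USBMSC line are the
# vendor and product IDs, to be looked up in http://www.linux-usb.org/usb.ids.
usb_events() {
    log_lines "$1" USBMSC "$2" "$3" |
        awk '{print $1, $2, $3, "vendor=" $10, "product=" $11}'
}

# Stand-alone run: the three queries for 8 July.
boot_events     "$SAMPLE_LOG" Jul 8
shutdown_events "$SAMPLE_LOG" Jul 8
usb_events      "$SAMPLE_LOG" Jul 8
```

Point the functions at /var/log/system.log or /var/log/system.log.0.bz2 (with sudo) instead of the sample file to run them on a real system.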
How to list the Wi-Fi networks currently in range:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s
SSID                 BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
FreeWifi_secure      16:10:18:47:f2:4d -83  5       Y  -- WPA(802.1x/AES/AES)
Livebox-eaXX         00:1d:6a:45:06:eb -79  6       Y  FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
Freebox-4862XX       f4:ca:e5:e1:ec:ac -88  8       Y  -- WPA(PSK/AES/AES)
FreeWifi             22:48:94:aa:8d:e2 -84  11      Y  -- NONE
FreeWifi             f4:ca:e5:8b:46:91 -85  11      Y  -- NONE
Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85  60,+1   Y  FR WPA2(PSK/AES/AES)
Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66  11      Y  FR WPA2(PSK/AES/AES)
FreeWifi             f4:ca:e5:e1:ec:ad -86  8       Y  -- NONE
FreeWifi_secure      00:24:d4:ca:02:5e -85  7       Y  -- WPA2(802.1x/AES,TKIP/TKIP)
2 IBSS networks found:
SSID                 BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
HP01C65B             f6:3f:43:f9:3f:92 -85  1       N  EU NONE
HP0142F9             02:2d:8d:e6:9f:e0 -65  10      N  EU NONE
Joining wireless networks (testing with a known/unknown password):
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888"
==> good pre-shared key (no error message)
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345"
Failed to join network yellowstay.
==> bad pre-shared key (error message)
Wi-Fi connection: disassociate from the current network:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
Showing the Wi-Fi history (last connection, date, SSID, etc.):
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | sed 's|\./|`pwd`/|g' | sed 's|.plist||g' | grep 'LastConnected' -A 3
Taking a screenshot every second and storing them (130 seconds in total):
$ for i in $(seq 130); do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png; done >/dev/null 2>&1
SOURCE:
A translation of the article at https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS.