The need for timely identification, interpretation and meaningful analysis of electronic media has never been more critical. The ever-changing threat environment presented by cyber criminals and technological advances has required modern investigative processes to include on-scene forensic triage. Investigators are faced with the challenges of capturing volatile data, preserving potential evidence and maintaining the integrity of the electronic crime scene while ensuring the data remains viable and accessible for further investigative efforts. The success of these operations is measured in minutes, not days.
MacLockPick 3.0 represents a new generation of forensic triage aimed at providing IT professionals, eDiscovery experts, and law enforcement officers a single tool that transcends the concerns of a particular operating system. Whether the suspect (or the investigator) uses Microsoft Windows, Mac OS X or Linux, you can perform your field triage in the same way using the same tool.
MacLockPick 3.0 for Microsoft Windows, Apple Mac OS X, and Linux is a fully cross-platform tool that allows digital forensics professionals and eDiscovery experts to perform field triage on live computers running a wide variety of operating systems. Similarly, once completed, the results of the field triage operation can be analyzed on a wide variety of computers.
Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abduction, child exploitation, or missing or exploited persons, time is critical. In these cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.
MacLockPick 3.0™ is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect's computer that is running (or sleeping). Once the MacLockPick 3.0 software is run, it extracts the requisite data, giving the examiner fast access to the suspect's critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick 3.0 is minimally invasive, providing results that can hold up in a court of law.
• Extract iPhoto information based on camera type, with filters for metadata and file filters
• Upgraded iPhone, iPad, iOS, and Mac OS X Lion support
• Upgraded plugin application support
• Increased speed in processing suspect machines
• Additional focus on Apple technologies
• User selectable order of plugin execution
MacLockPick 3.0 is designed to capture information that might be considered valuable to an IT manager, an E-Discovery professional, or a digital forensics law enforcement officer. Such information includes details about the system, activities of the user of that system, and the online history of that user.
Through the use of a plugin architecture MacLockPick 3.0 can be configured to collect almost any kind of information depending on the needs of the investigator. This information might include files of a specific type, chat logs, phone records, browser history, passwords, accounts, and system state data.
MacLockPick 3.0 is built on a plugin architecture in order to allow the investigator greater control over which processes are run in the field. These plugins are broken into 5 different categories:
The following is a partial list of the plugins currently being shipped with MacLockPick 3.0. This list is far from complete and is here as an example of the inherent product capabilities.
a) Law Enforcement Only
The following two plugins are only available to law enforcement customers.
NTLM and Lan Man Password Grabber - This plugin utilizes pwdump6 (unmodified) from fizzgig. pwdump is the name of various Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM). The hashes extracted can be used to extract the passwords using brute force, dictionary, or rainbow table attacks once the MacLockPick 3.0 logs have been returned to the lab for further analysis.
Apple Keychain Extractor - The keychain extractor takes advantage of the default state of the central password repository on Apple Mac OS X. All passwords stored in the keychain are extracted and detailed in the log files.
Apple iPhone - Gather information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers. Information captured includes (but is not limited to) the following:
The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone's functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second and third generations use UMTS and HSDPA.
Clipboard - Capture any text contents or graphics found in the clipboard.
Any text that is found will be stored in the logs. Any graphics will be converted to jpeg form and saved to the output log folder.
Valuable information is often accidentally left in the clipboard by the suspect.
Firefox - Create a summary of the suspect's online activity when/if they use Firefox version 2 and/or 3. Information captured includes (but is not limited to) the following:
Mozilla Firefox is a web browser descended from the Mozilla Application Suite and managed by the Mozilla Corporation. Firefox has recently gained a recorded share of browser usage large enough to make it the second-most popular browser in current use worldwide, after Internet Explorer.
Internet Explorer - Create a summary of the suspect's online activity when/if they use Internet Explorer. Information captured includes (but is not limited to) the following:
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since.
Network - An analysis of the network activity on the suspect's computer. This information includes ARP tables, interfaces, and netstat activity.
ARP (the Address Resolution Protocol) maps an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model. From a forensics point of view, the ARP table shows which hosts on the local area network the suspect's machine had recently exchanged traffic with at the time of analysis; entries age out after a short time, so the table is a snapshot of recent activity rather than a full history.
Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number.
Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used for finding problems in the network and for measuring the amount of traffic on the network as a performance metric.
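As an added illustration of what the network plugin's three views amount to on a live host, the following script (example code, not part of MacLockPick or MacForensicsLab) collects the ARP cache, interface list and netstat output with the OS's own tools, and wraps each output with a UTC timestamp and SHA-256 digest so the log can be shown to be unchanged since collection. The per-OS commands are assumed equivalents chosen for this example; the product's own command choices are not documented on this page.

```python
import hashlib
import json
import platform
import shutil
import subprocess
from datetime import datetime, timezone

# Assumed per-OS commands for the three views: ARP cache, interfaces, netstat.
NETWORK_COMMANDS = {
    "Windows": {"arp": ["arp", "-a"], "interfaces": ["ipconfig", "/all"], "netstat": ["netstat", "-ano"]},
    "Darwin": {"arp": ["arp", "-a"], "interfaces": ["ifconfig"], "netstat": ["netstat", "-an"]},
    "Linux": {"arp": ["ip", "neigh"], "interfaces": ["ip", "addr"], "netstat": ["ss", "-tunap"]},
}

def make_record(name: str, argv: list, output: bytes) -> dict:
    """Wrap one command's raw output with a UTC timestamp and a SHA-256
    digest, so the log can later be shown to be unchanged since collection."""
    return {
        "artifact": name,
        "command": " ".join(argv),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(output).hexdigest(),
        "output": output.decode("utf-8", "replace"),
    }

def collect_network_state(system: str = platform.system()) -> list:
    """Run each command for this OS. Missing tools and timeouts are recorded
    rather than aborting the run: a partial triage log is still evidence."""
    records = []
    for name, argv in NETWORK_COMMANDS.get(system, {}).items():
        if shutil.which(argv[0]) is None:
            records.append({"artifact": name, "command": " ".join(argv), "error": "tool not found"})
            continue
        try:
            out = subprocess.run(argv, capture_output=True, timeout=30).stdout
        except subprocess.TimeoutExpired:
            records.append({"artifact": name, "command": " ".join(argv), "error": "timeout"})
            continue
        records.append(make_record(name, argv, out))
    return records

def write_log(path: str, records: list) -> None:
    # The written file should itself be hashed and noted once collection ends.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)

if __name__ == "__main__":
    write_log("network_triage.json", collect_network_state())
```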
Processes - Use the OS to list all active applications running on the suspect's computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.
Note: This will not show background and system processes. OS specific plugins are included for this purpose.
Apple Safari - Create a summary of the suspect's online activity when/if they use Safari. Information captured includes (but is not limited to) the following:
Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP, Windows Vista and Windows 7 are supported.
Screen shot - Capture and save a screen shot of the main screen on the suspect's system. The plugin will temporarily hide MacLockPick 3.0 during the process and save the file to your output folder alongside the captured logs database.
Skype - Create transcripts of communications the suspect has made using Skype. Information captured includes (but is not limited to) the following:
Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to land lines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.
System Information - Create a profile of the hardware in use by the suspect. Information captured includes (but is not limited to) the following:
USB Flash Drive History - USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They're small, portable, and often contain evidence that can be helpful to an investigation.
When examining the Windows registry, one of the interesting things to look at is the set of entries recording which devices have been attached, especially USB devices; from these, the investigator can recover the device manufacturer and the serial number, if the device has one.
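The registry entries referred to above live under `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR`, where each key name encodes the device class, vendor, product and revision, and its subkey name carries the USB serial number. The following parser is an added example (not MacLockPick's own code) that splits those key names into fields and flags the case a practitioner must watch for: when a device reports no serial, Windows generates an instance id whose second character is `&`, and that value cannot tie the entry to one physical stick. The sample key paths are constructed for this example.

```python
import re
import sys

# Constructed sample key paths in the form found under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
SAMPLE_KEYS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230812345678&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\6&2a1b3c4d&0&_&0",
    r"USBSTOR\CdRom&Ven_Generic&Prod_USB_CDROM&Rev_1.00\7&1f2e3d4c&0&000000&0",
]

DEVICE_RE = re.compile(
    r"USBSTOR\\(?P<kind>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$"
)

def parse_usbstor_key(key_path: str):
    """Split one USBSTOR key path into vendor, product, revision and serial.
    The instance id is the USB serial followed by "&<n>"; when the device
    reports no serial, Windows generates an id whose second char is "&"."""
    m = DEVICE_RE.match(key_path)
    if not m:
        return None
    instance = m.group("instance")
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "kind": m.group("kind"),
        "vendor": m.group("vendor"),
        "product": m.group("product").replace("_", " "),
        "revision": m.group("rev"),
        "serial": None if generated else instance.rsplit("&", 1)[0],
        "serial_is_generated": generated,
    }

def usb_history(key_paths) -> list:
    # Parse every path, dropping anything that is not a USBSTOR device entry.
    return [d for d in map(parse_usbstor_key, key_paths) if d is not None]

def live_usbstor_keys() -> list:
    """Enumerate USBSTOR key paths from the live registry (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    base = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
    paths = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as usbstor:
        for i in range(winreg.QueryInfoKey(usbstor)[0]):
            device = winreg.EnumKey(usbstor, i)
            with winreg.OpenKey(usbstor, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    paths.append("USBSTOR\\" + device + "\\" + winreg.EnumKey(dev_key, j))
    return paths
```

On a live Windows host, `usb_history(live_usbstor_keys())` yields one record per device ever enumerated, with the generated-serial entries marked so they are not mistaken for unique identifiers.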
Windows Registry - This module will extract all settings from the registry on Microsoft Windows systems.
The Windows registry is a hierarchical database that stores settings and options for 32-bit and 64-bit versions of Microsoft Windows and for Windows Mobile. It contains information and settings for all the hardware, the operating system software, most non-operating-system software, users, and preferences of the PC. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of the registry is conceptually similar to the way that sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.
Copyright © 2006 - 2017 MacForensicsLab, a Division of SubRosaSoft.com Inc.
Phone +1 (510) 870-7883 - Fax +1 (510) 868 3407
Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.