Q&A: Mac OS X security and forensics

Sean Morrissey is currently employed by Paradigm Solutions as a Computer Forensic Analyst at the U.S. Department of State and was previously employed by CSC as a Developer/Instructor at the Defense Cyber Investigations Training Academy. He is the lead author of “Mac OS X iPod and iPhone Forensic Analysis”, and author of an upcoming book on iPhone forensic analysis. In this interview he discusses Mac OS X security in general as well as Mac forensics.

In your opinion, generally how mature is Mac OS X when it comes to security?
Mac security at this time is in its infancy. Apple has been operating under the false illusion that the Mac platform is invulnerable to attack, because historically most intrusions have targeted other operating systems.

Why? The prevalence of those operating systems on a vastly larger array of systems worldwide. Corporate and government systems use Microsoft Windows, many financial institutions have used OS2, ISPs use Linux and Windows, and the majority of home computers have Windows. So as a criminal organization, developing hacker, or state sponsored intruder, which OS, will get the most attention? Windows, the number one OS on the market, and the number one system that gets attacked.

Due to Apple’s inability to take security seriously enough, their systems are easy targets for the criminal element. First of all, the Keychain—the Mac OS password management system–is too easy to crack, and with this you have the keys to the kingdom. File Vault, advertised as a secure volume because of its encryption, is not that hard to crack. There are commercial and free tools that can defeat both the Keychain and File Vault.

Mobile Me, I can also foresee bad things from. If able to get your username and password, from either phishing, social engineering, or cracking the Keychain, I can use Mobile Me to remote connect to your Mac, locate and wipe your iPhone, and get the data from information synced.

Apple is getting better about securing its Operating System. It is also getting familiar with producing more updates in a timely fashion. In the past we would see updates only when Apple took a beating on any given vulnerability. Now the updates are coming out sooner, though still a bit slow, so it will be awhile before Apple security can be considered mature.

Based on your experience, what are the biggest misconceptions regarding Mac OS X security? Why?
The biggest misconception, as noted above, is that the Mac is more secure than Windows. This is because most of the malware, including viruses, were designed for Windows. However as of late, Apple has been getting the hacking community’s attention with the introduction of the iPhone. For example, the iPhone ties its verification process to Apple’s servers via iTunes, but hackers have easily redirected those to their own sites. This is partly because Apple has not policed its developer network. Everyone has access to the iPhone’s technologies, so the hacking community has used this against Apple. Hackers have used the SDK, the firmware, and now iTunes to create hacks. When you have groups like the iPhone and Chronic Dev teams pouring out hacks with hours of the release of an updated iPhone OS, it shows that Apple isn’t taking securing the OS seriously. Apple is trying, but its fixes are minor and sometimes futile.

The second misconception is that the iPhone is ready for the enterprise market. There have been many reports that corporate America is buying the device. The heralded hardware encryption was the answer to the iPhone’s past security failures. However, this again has been easily defeated by using the OS and the encryption scheme against itself.

This is a cat and mouse game that Apple is losing. When Apple looks at their operating systems with security in mind, then it will be ready for enterprise and government entities.

How did you get started with Mac and iPhone forensics in the first place?
Not only have I used Macs since the late 1980s, I also worked as an instructor and developer of forensic courses for the Department of Defense. With the direction of a great mentor, Thane Erickson–who pushed me to learn the Mac–I spent more than two years, 7 days a week, 12-16 hours a day studying the Mac and its operating system, OS X.

Now I own Macs, MacBooks, Mac Mini, Apple TV, numerous iPods, and every evolution of the iPhone. As with any system, if you know the Mac, you can understand it and be more effective as a forensic examiner of that system.

History also keeps me interested in Mac forensics. I have studied Apple from the beginning to present day. If you look over time and study how Apple develops products, it takes time, and they plan long term, not for short term gains. In fact, they give us glimpses of future products in present day products. We don’t notice them, but they are there.

Over time, Apple has gained a greater market share in its computer sales. User frustrations with Microsoft Vista and Apple’s own great marketing campaign have contributed to that increase. Furthermore, leading indicators show that within the next two years, the iPhone will explode with increases in sales and thus market share.

All of this will lead to more examinations that involve both Macs and iPhones. Mac forensics is my passion, I take it very seriously and look constantly for methods, tools, and policies that adhere to forensic science — not the concept of “get the data now, and forget the foundations of forensics.”

Is there a substantial difference when it comes to Mac forensics in comparison to forensic work on other operating systems?

Fundamentally as the science goes, no. There are the same basic kind of artifacts to be found as on any other operating system: email, Web related data, compound documents, images, etc. The difference is in how do you do the exam. Examiners’ first compunction is to use a Windows-based forensic tool for a couple of reasons: their lab doesn’t have a Mac, or examiners have a comfort zone established around EnCase and/or FTK.

But to do a proper exam of a Mac, the best is to use a Mac. Encase and FTK are getting better, but the Mac can properly interpret the artifacts better than a Windows forensic tool can. For this reason, more and more labs are purchasing Mac Pros. Maybe more importantly, on a Mac you can concurrently do an exam in both Apple and Windows environments. Also, the tools for the Mac are getting better. For instance, MacMarshall is a new and excellent tool that has tremendous capabilities. It does a lot of processes better and faster than Encase and FTK, which in turn reduces the time spent on Mac examinations. Blackbag and SubRosaSoft have made great strides in their tools, which use the power of the Mac and OS X to conduct exams.

How would you outline a typical forensic investigation that targets a Mac desktop machine?
The fundamentals of forensics apply. Since most Macs are used for personal reasons, not in corporate or government environments, crimes run a gamut. Also, as Macs take hold in the market, the bad guys will then target OS X as they have Windows and other OSs.

However, there are challenges with “typical” Mac forensic exams. First, the typical investigation for an organization starts with incident response. There isn’t a tool that can effectively gather volatile data without stomping all over hundreds of libraries and frameworks that get touched. Just using the terminal can have catastrophic effects.

Second, while responding to a Windows system places more and more emphasis on acquiring the RAM image, OS X will not allow access to memory, which makes getting RAM images impossible. Instead, the golden nuggets that we can get post response are the swap file and sleep image.

On the examination side of a Mac, imaging is no different than imaging any other system, so normal imaging methods can be utilized. In addition, dc3dd has been developed with a GUI interface to assist non-command-line users. However, most examiners don’t understand HFS+ file system and the OS X operating system enough to effectively locate and report artifacts on a Mac. The major forensic tools can see the data, but can’t parse them effectively.

So, while a JPEG is a JPEG and a Word document is still a Word document, things like binary property lists can only be analyzed on a Mac. Knowing where the artifacts are and how they are stored is important because there are differences in the evolutions of the OS X operating system and applications.

What tools and reading material would you recommend for those interested in Mac forensics?
Tools

• The Mac (and all incorporated tools). The Mac has native tools that can parse all the Data on a Mac image.
• Subrosasoft’s MacForensicsLab and MacLockPick. Both are Mac based. MacLockPick can be used to gather data from the Mac upon response. MacForensicsLab uses the power of the operating system to parse the file system and has an excellent carving tool.
• BlackBag Tech Tools. Black Bag is also a Mac based tool that has several modules which can effectively parse Mac Data.
• MacMarshal. The best Mac tool I’ve seen so far, it is right now the number 1 Mac tool. MacMarshall can parse user account information , Address Book, Safari, iChat, and can even crack File Vault. This is free to Law Enforcement.
• Cellebrite. Good tool for iPhone logical data extraction; it even features a ruggedized battery powered model.
• XRY. Another good tool that can gather logical data from the iPhone
• Device Seizure. Can gather logical data from the iPhone, and also can grab all the data from a suspect’s jailbroken phone.

Books

• OS X Internals – A great book that has a wealth of information about the OS X operating system
• Mac OS X, iPod, and iPhone Forensic Analysis – the only book that covers Mac forensics.
• The Mac Hackers Handbook – A great book on the Mac Hacker and his methods
• iPhone Forensic Analysis – (Due 2010)
• Defense Against the Black Arts: How Hackers do What They Do and How to Protect Against Them” – (Due 2010).

Papers

• Apple Tech Notes. This comes straight from Apple, so it has a lot of information on the HFS File System.