Welcome to the newest issue of eForensics! This month we would like to devote our magazine to MacOS. This type of software is used by a huge number of people in the United States (at least half of American households contain one Apple device) and all over the world, so we assume that not only digital forensics specialists and enthusiasts might be interested in this topic, but also the community of Apple lovers.
We’re proud to present an article by Howard Oakley entitled “MacOS unified log as a help and hindrance to forensic examination”, that is the first full description of the unified log published anywhere. Also, Brock Bell has prepared a paper for you about his tool Darwin-Collector.sh, that he developed to automate the collection of key files for MacOS investigations. Another surprise is Cecilia Pohlar’s article about the importance of knowledge in Mac Forensics.
But of course that’s not all! We also raised the issues not related to the Bitten Apple. Adam Karim, whom you probably remember from Metadata Forensics, prepared an article which gives a clear understanding how forensic investigators can attack and recover passwords for EFS, and gain information about Windows logon passwords using FTK and PRTK, whereas Claudia Chepkor copes with the topic of Skype Forensics on Android phone.
However, this issue contains not only technical articles. Amanda Lee Mahan is the author of the “The Analyst’s Perspective: Examining Child Exploitation Material”. This article can be difficult to read for more sensitive readers but it’s definitely worth a look. Like one of our betatesters said – it’s a real eye-opener. Check it out yourself.
We would like to thank all authors, reviewers and proofreaders for participating in this project. We’re extremely excited about this edition! If so are you, let’s dive in!
Hope you’ll have a great read,
and the eForensics Mag
TABLE OF CONTENTS
MacOS Unified Log as a Help and Hindrance to Forensic Examination
by Howard Oakley
This paper gives an overview of the macOS unified log, its tools, and approaches that can be valuable for forensic purposes. The unified log has also been part of Apple’s other operating systems since iOS 10, tvOS 10, and watchOS 3; although much of this is relevant to their logs, the focus here is on macOS.
Journaling on the Fourth Extended File System – Part 1
by Divya Lakshmanan
How many of us write in a journal every day? Formulating our idea of an enriched life, transcribing our dreams and documenting those that have already manifested into existence. A journal is beheld as an archetype of a person’s subconscious chatter. A peek into a person’s journal warrants insight into the minutes of his life – of past events and future dreams.
Darwin-Collector.sh – Community Scripts and Tools: A Debugged Thought Process
by Brock Bell
While the forensics and incident response community are fantastic and innovative, the uptick in utilization of tools is not without risk. Further building onto the risk, there has been a global push to get more professionals into these service lines to meet an exploding demand. Combining the surge in new information and supporting tools with the more sizable and less experienced work force creates an interesting risk.
Defeating Encrypting File System (EFS) using FTK and PRTK – Step by Step
by Adam Karim
Anti-forensics professionals, or criminals, use encryption technology to make it difficult or impossible for forensic examiners to decrypt files, folders and hard drives. Even if the forensic examiners have access to the computer, it will be difficult to gain access evidence that is encrypted without the user’s password. This article gives digital investigators a clearer understanding how forensic investigators can attack and recover passwords for Encrypting File System (EFS) and gaining information about Windows logon passwords using both FTK (Forensic Toolkit) and PRTK (Password Recovery Toolkit).
The Importance of Knowledge in Mac Forensics
by Cecilia Pohlar
Apple file systems can be an enigma in the forensics field. The traditional focus on training forensic investigators for Windows machines rather than Apple machines is related to the limited amount of software available to run on Apple machines and the number of Windows users compared to Apple users. That said, the growing number of Apple users illustrates how investigators should have working proficiency in both Windows and Mac operating systems in order to be an effective investigator.
The Analyst’s Perspective: Examining Child Exploitation Material
by Amanda Lee Mahan
I must say that writing this article made me panic a little. I thought about the day that I would no longer be able to do my job. I can’t see doing something else at this point. Also, I purposely left out how we do our job. Why would I give the enemy a hand-up?
Using DTMF (Dual Tone Multi Frequency) decoder to get intelligence about the mobile number of SOC/NOC operators while doing APT attack against security centers
by Amitay Dan
Launching an APT (Advanced persistent threat) attack against CERT SOC, or other emergency enters, can be started by one simple phone call. In this article, I will explain how this might be done, and why it’s important to secure IVR (Interactive voice response) systems from leaking tones, and how to use it for starting an attack.
Skype Forensics Forensic Investigations of Skype Application on Android Device
by Claudia Jematia Chepkor
The Skype application enables users to communicate regardless of their geographical location. Apart from its standard usage, cyber criminals use them to commit cyber related crimes that sometimes go unnoticed. As such, Skype forensics artefacts may play an important role in correlating evidence as part of a larger investigations.
Drones forensics at NIST
Interview with Steve Watson
Why did I choose Oxygen Forensic Detective
by Alen Gojak
Mobile device forensics is quite different from other branches of digital forensics; it is more complex, it takes more investments and continuous training. The reason is a great diversity of hardware and operational systems, great number of available apps that are not supported from forensics software, and strong encryption, which can postpone or permanently disable the forensic investigation.