Tuesday, 3 September 2013

Pac4Mac - Forensics Framework for Mac OS X and more ...

Update: http://sud0man.blogspot.fr/2014/02/new-version-of-mac-os-x-forensics.html


Pac4Mac (Plug And Check for Mac OS X) is a portable forensics framework (meant to be launched from USB storage) that extracts and analyses session information, highlighting the real risks in terms of information leakage (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check the security of your own Mac OS X system or to assist during a forensics investigation.

Main interface


Pac4Mac is based on the information leaks that I detailed in the section mac-security-tips and also on my work detailed in my paper and presentation.

Mindmap Pac4Mac features (PDF format)

Mindmap

Pac4Mac tutorials to understand how it works: Tutorials x5 (strongly recommended before launching Pac4Mac)

Pac4Mac source code: https://code.google.com/p/pac4mac/ and README (recommended before launching Pac4Mac)


Pac4Mac features:

 Developed in Python 2.x (shipped natively with OS X, nothing to install)
 Framework usage
 Support of OS X 10.6, 10.7, 10.8 and 10.9 (not tested)

 Data extraction through:
  • User or root access
  • Single-user mode access
  • Target Disk Mode access (storage media mounted over FireWire or Thunderbolt)

3 dumping modes: Quick, Forensics, Advanced (sample here):
  • Dumping users / admin users
  • Dumping the Mac's identity (OS version, owner)
  • Dumping miscellaneous files (Address Book, Trash, bash history, Stickies, LSQuarantine, Safari webpage previews, Office AutoRecovery, Wi-Fi access history, ...)
  • Dumping the content of the currently unlocked keychain (via the security command and the securityd process)
  • Dumping user keychains
  • Dumping system keychains
  • Dumping password hashes
  • Live cracking of password hashes
  • Dumping browser cookies (Safari, Chrome, Firefox, Opera)
  • Dumping browser places/history (Safari, Chrome, Firefox, Opera)
  • Dumping browser download history (Safari, Chrome, Firefox, Opera)
  • Dumping printed files
  • Dumping iOS device backups
  • Dumping Calendar and Reminders / displaying secrets
  • Dumping Skype messages / displaying secrets on demand
  • Dumping iChat, Messages(.app) and Adium messages
  • Dumping email content (text only)
  • Dumping email content of all or selected mailboxes
  • Adding a root user
  • Dumping RAM
  • Cloning the local disk
  • Dumping system, install, audit and firewall logs
See the mindmap for the differences between Quick mode, Forensics mode and Advanced mode. The last is my favourite.
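As an added example (not Pac4Mac's own code), here is what the "dumping password hashes" and "live cracking" steps above come down to. The records are constructed inside the block rather than read from a system: on a real Mac the SALTED-SHA512-PBKDF2 entry is the ShadowHashData key of /var/db/dslocal/nodes/Default/users/<user>.plist (OS X 10.8 and later) and the 10.6 format is the file /var/db/shadow/hash/<GeneratedUID> (a 4-byte salt followed by SHA-1 of salt and password), both readable only as root, from single-user mode or from a Target Disk Mode image. The salts, the wordlist and the password "Winter2013" are assumptions; the output line shapes are the ones hashcat modes 7100 and 122 read.

```python
import binascii
import hashlib
import os


def hexlify(data):
    """Hex string from bytes, working on both Python 2.x and 3.x."""
    return binascii.hexlify(data).decode("ascii")


def make_pbkdf2_record(password, iterations=24000, salt=None):
    """Build a record shaped like the SALTED-SHA512-PBKDF2 entry of
    ShadowHashData (OS X 10.8+): 32-byte salt, iteration count and
    128 bytes of 'entropy' = PBKDF2-HMAC-SHA512(password, salt).
    Constructed for the demo; on a real system it is parsed from the
    user's plist, never generated."""
    if salt is None:
        salt = os.urandom(32)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, 128)
    return {"iterations": iterations, "salt": salt, "entropy": entropy}


def make_sha1_record(password, salt=None):
    """Build an OS X 10.6 style shadow hash: hex(salt) + hex(SHA1(salt || pw)),
    48 hex characters in total (hashcat mode 122). Constructed for the demo."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hexlify(salt) + hexlify(digest)


def to_hashcat_7100(record):
    """Render a PBKDF2 record as the $ml$<iter>$<salt>$<entropy> line that
    hashcat mode 7100 expects, for offline cracking after the dump."""
    return "$ml${0}${1}${2}".format(record["iterations"],
                                    hexlify(record["salt"]),
                                    hexlify(record["entropy"]))


def crack_pbkdf2(record, candidates):
    """Live cracking: recompute PBKDF2 for each wordlist entry and compare.
    Returns the matching password or None. Each candidate costs
    2 * iterations HMAC-SHA512 calls (128-byte output means two blocks),
    which is why the wordlist should be the short 'prospective passwords'
    list rather than a generic dictionary."""
    for candidate in candidates:
        guess = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                    record["salt"], record["iterations"], 128)
        if guess == record["entropy"]:
            return candidate
    return None


def crack_sha1(hexrecord, candidates):
    """Live cracking of a 10.6 salted SHA-1 record (cheap: one SHA-1 each)."""
    salt = binascii.unhexlify(hexrecord[:8])
    target = hexrecord[8:]
    for candidate in candidates:
        if hashlib.sha1(salt + candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


# Constructed wordlist standing in for the "prospective passwords" database
# (passwords already recovered from keychains, browsers, RAM ...).
PROSPECTIVE_PASSWORDS = ["password", "Winter2013", "letmein"]


if __name__ == "__main__":
    rec = make_pbkdf2_record("Winter2013", iterations=2000, salt=b"\x01" * 32)
    print(to_hashcat_7100(rec))
    print("PBKDF2 record cracked as:", crack_pbkdf2(rec, PROSPECTIVE_PASSWORDS))
    old = make_sha1_record("Winter2013", salt=b"\xde\xad\xbe\xef")
    print(old)
    print("10.6 record cracked as:", crack_sha1(old, PROSPECTIVE_PASSWORDS))
```

The iteration count is whatever the plist says (it varies per machine and per user), so the cost of live cracking is set by the target, not by the tool; when the count is high, write the $ml$ line out and leave the cracking to hashcat on another box.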

DMA access features (exploitation of the FireWire and Thunderbolt interfaces)
  • Unlocking or bypassing the session lock by writing into RAM
  • Dumping RAM content
  • Exploiting the extracted data (see Analysis module)

Analysis module, to easily exploit the data extracted by one of the dumping modes:
  • Exploit browser history, x4 browsers (displaying records, local copy for impersonation)
  • Exploit browser cookies, x4 browsers (displaying records, local copy for session impersonation)
  • Display browser downloads, x4 browsers (displaying records)
  • Exploit Skype messages (displaying/recording all stored messages, those containing secret information or a given keyword)
  • Exploit iChat, Messages(.app) and Adium messages (in the next version)
  • Exploit Calendar cache (displaying/recording all stored entries, those containing secret information or a given keyword)
  • Exploit email messages (displaying/recording all stored messages, those containing secret information or a given keyword)
  • Exploit RAM memory dump (searching for Apple system/application/web passwords)
  • Exploit keychains (display keychain content, crack keychain files)
  • Crack password hashes
  • Exploit iOS files (accessing an iPhone without its passcode, reading secrets through iTunes backups)
  • Display Stickies widgets
  • Display printed documents
  • Display prospective passwords (all passwords found during the dump and analysis phases)
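As an added example (not Pac4Mac's own code), the browser places/history dump and the keyword search of the analysis module reduce to SQLite queries plus one timestamp conversion per browser, which is where most tools go wrong: Chrome stores microseconds since 1601-01-01, Firefox microseconds since 1970-01-01 and Safari's History.plist seconds since 2001-01-01. The databases below are built in memory with only the columns the queries use, and the URLs, titles and visit times are constructed; the file paths in the comments are the standard locations under ~/Library.

```python
import os
import shutil
import sqlite3
import tempfile

CHROME_EPOCH_OFFSET = 11644473600   # seconds from 1601-01-01 to 1970-01-01
COCOA_EPOCH_OFFSET = 978307200      # seconds from 1970-01-01 to 2001-01-01


def chrome_to_epoch(webkit_us):
    """Chrome's History db stores microseconds since 1601-01-01 UTC."""
    return webkit_us // 1000000 - CHROME_EPOCH_OFFSET


def firefox_to_epoch(prtime_us):
    """Firefox places.sqlite stores PRTime: microseconds since 1970-01-01 UTC."""
    return prtime_us // 1000000


def safari_to_epoch(cocoa_seconds):
    """Safari History.plist stores Cocoa dates: seconds since 2001-01-01 UTC."""
    return int(cocoa_seconds) + COCOA_EPOCH_OFFSET


def open_history_copy(path):
    """Copy the database before opening it: a running browser keeps the file
    locked and may have a pending journal, and working on a copy leaves the
    evidence untouched. Returns a connection to the copy."""
    workdir = tempfile.mkdtemp()
    copy = os.path.join(workdir, os.path.basename(path))
    shutil.copy2(path, copy)
    return sqlite3.connect(copy)


def build_sample_chrome_history():
    """Constructed stand-in for ~/Library/Application Support/Google/Chrome/
    Default/History, keeping only the 'urls' columns we query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [("https://mail.example.com/", "Mail", 42, 12999999000000000),
         ("https://intranet.example.com/wiki/Passwords", "Team passwords", 7, 13000000000000000)])
    conn.commit()
    return conn


def build_sample_firefox_places():
    """Constructed stand-in for ~/Library/Application Support/Firefox/Profiles/
    <profile>/places.sqlite, keeping only the 'moz_places' columns we query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_date INTEGER)")
    conn.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)",
        [("https://vpn.example.com/login", "VPN portal", 3, 1355526400000000),
         ("https://example.com/", "Example", 1, 1355440000000000),
         ("place:type=6&sort=14", None, 0, None)])   # bookmark folder query, no visit
    conn.commit()
    return conn


def dump_chrome_history(conn):
    """Most recent first, timestamps normalised to Unix epoch seconds."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                        "ORDER BY last_visit_time DESC")
    return [{"browser": "chrome", "url": u, "title": t, "visits": v,
             "last_visit": chrome_to_epoch(ts)} for u, t, v, ts in rows]


def dump_firefox_history(conn):
    """Same shape as the Chrome dump; skips places never visited."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places "
                        "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date DESC")
    return [{"browser": "firefox", "url": u, "title": t, "visits": v,
             "last_visit": firefox_to_epoch(ts)} for u, t, v, ts in rows]


def search_history(entries, keywords):
    """Keyword pass over the merged history, like the 'given keyword' option
    of the analysis module: case-insensitive match on URL or title."""
    lowered = [k.lower() for k in keywords]
    return [e for e in entries
            if any(k in (e["url"] + " " + (e["title"] or "")).lower() for k in lowered)]


if __name__ == "__main__":
    merged = dump_chrome_history(build_sample_chrome_history()) + \
        dump_firefox_history(build_sample_firefox_places())
    for hit in search_history(merged, ["password", "vpn"]):
        print(hit["browser"], hit["last_visit"], hit["url"], hit["title"])
```

On a live system replace the two build_sample_* calls with open_history_copy() on the real files; the Chrome schema has more columns than shown here, but the four queried ones have been stable.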

Integration of post-intrusion features
  • Hard disk/RAM image
  • System dump to help analyse a compromise
    • System logs: syslog, install, firewall, audit
    • System usernames
    • Names and creation dates of launched agents, daemons and applications
    • Scheduled tasks
    • Plists of known Mac OS X malware
    • Loaded drivers
    • Network connections
    • Active processes
    • Used resources (files, libraries, ...)
    • Suspicious files (SUID, unusually large, ...)
    • Dates of the last Wi-Fi connections
  • Integration of CheckOut4Mac in order to quickly detect recent malicious activity, or whether someone attempted or succeeded in getting access to the Mac left in your hotel room during your dinner or party (based on USB connections, added users, attempts to unlock the session, access to emails, modified files, etc.).
    • Source: http://sud0man.blogspot.fr/2013/07/checkout4mac-v01.html
    • Startup activities (startup, shutdown, hibernation and wake-from-hibernation dates)
    • Session activities (session lock dates, failed attempts to unlock the session, successful unlocks)
    • Physical activities (USB connections, plugged USB devices, file system events, FireWire connections with another machine or storage media, FireWire connections used to dump RAM)
    • Privilege escalation activities (opened/closed TTY terminals, root commands executed successfully, failed attempts to execute commands with sudo, user creation and password modification)
    • Application activities (opened applications)
    • File activities (modified files such as autorun apps, LaunchAgents or LaunchDaemons; added files such as trojan or malware apps; accessed files such as your secret files; last access dates of mails)
    • Network activities (Ethernet/Wi-Fi connections, Wi-Fi access points with last connection dates)
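To show what the CheckOut4Mac-style checks in the list above look like in code, here is an added example (neither CheckOut4Mac's nor Pac4Mac's own code) that scans syslog-format lines for three of the listed activities: USB mass-storage connections, failed and successful sudo commands, and account creation or password changes done through dscl. The log lines are constructed for the example in the layout OS X's syslogd, the kernel and sudo use; the host name, user names and the "backup" account are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/system.log lines (not captured from a real
# machine): a USB stick, a non-sudoer reading the hash file, three failed
# password attempts, then a successful uid-0 account creation and password set.
SAMPLE_SYSLOG = """\
Sep  3 20:58:11 mbp kernel[0]: USBMSC Identifier (non-unique): 4C530001230309107455 0x781 0x5567 0x100, 2
Sep  3 21:02:45 mbp sudo[1743]:    guest : user NOT in sudoers ; TTY=ttys000 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/cat /etc/master.passwd
Sep  3 21:03:10 mbp sudo[1750]:      bob : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/backup
Sep  3 21:05:02 mbp sudo[1762]:      bob : TTY=ttys000 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/backup UniqueID 0
Sep  3 21:05:30 mbp sudo[1770]:      bob : TTY=ttys000 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/dscl . -passwd /Users/backup
Sep  3 21:06:00 mbp sudo[1775]:    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
"""

# "Mon DD HH:MM:SS host rest": the classic BSD syslog prefix.
PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Kernel message logged when a USB mass-storage device enumerates.
USB_RE = re.compile(r"USBMSC Identifier \(non-unique\): (?P<serial>\S+) "
                    r"(?P<vid>0x[0-9a-fA-F]+) (?P<pid>0x[0-9a-fA-F]+)")
# sudo's syslog line; the optional group before TTY= carries the failure
# reason ("3 incorrect password attempts", "user NOT in sudoers", ...).
SUDO_RE = re.compile(r"sudo\[\d+\]:\s+(?P<user>\S+) : (?:(?P<fail>[^;]*?) ; )?"
                     r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
                     r"COMMAND=(?P<cmd>.*)$")
# Directory Service edits that create a user or set a password.
ACCOUNT_RE = re.compile(r"\bdscl\b.*\s-(create|passwd|append)\s+/Users/")


def parse_line(line):
    """Classify one syslog line; returns an event dict or None when the line
    is not one of the activities we track."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    ts, rest = m.group("ts"), m.group("rest")
    u = USB_RE.search(rest)
    if u:
        return {"ts": ts, "category": "usb_storage",
                "detail": "USB mass storage vid={0} pid={1} serial={2}".format(
                    u.group("vid"), u.group("pid"), u.group("serial"))}
    s = SUDO_RE.search(rest)
    if s:
        if s.group("fail"):
            category = "sudo_failure"
        elif ACCOUNT_RE.search(s.group("cmd")):
            category = "account_change"
        else:
            category = "sudo_success"
        reason = " [{0}]".format(s.group("fail")) if s.group("fail") else ""
        return {"ts": ts, "category": category,
                "detail": "{0} -> {1}: {2}{3}".format(
                    s.group("user"), s.group("target"), s.group("cmd"), reason)}
    return None


def scan(lines):
    """Events in log order, one per matching line."""
    return [e for e in (parse_line(l) for l in lines) if e]


def summarize(events):
    """Counts per category, the one-glance view of 'did anything happen'."""
    return Counter(e["category"] for e in events)


if __name__ == "__main__":
    found = scan(SAMPLE_SYSLOG.splitlines())
    for e in found:
        print(e["ts"], e["category"], e["detail"])
    print(dict(summarize(found)))
```

On OS X 10.6 to 10.9 these lines come from /var/log/system.log (and its rotated .bz2 archives) and /var/log/secure.log for sudo; the sudo line format is the same on any system that logs sudo through syslog, so the regex is not Mac-specific, whereas the USBMSC message is.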

 Each launched action is logged and can easily be reviewed
 Easy to add new targets (file, directory, user, command, ...) to extract (via db files and functions)
 All passwords found during dump or analysis are displayed
 All passwords found during dump or analysis are stored in a common database (human-readable format) and reused in the next steps
 Multi-user extraction (from a root session, single-user mode and Target Disk Mode)
 Support for 4 browsers (Safari, Chrome, Firefox, Opera)
 Multi-profile extraction (e.g. Firefox, Skype)

Pac4Mac screenshots (and here):
Dumping Modes

Analysis Module

Exploit Keychain

Scenario Example (Keychain)

More screenshots here

1 comment:

  1. The mind maps are diagrams containing a central concept with branches for related topics. So if you need to solve a complex problem or plan the next step, one of these Mind Mapping Apps may be just what you need.

    Thanks
    Silvester Norman

    Change MAC Address
