L9: OS X System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

1 Mac File System Structure

- Mac OS X
  - Darwin core
    - composed of code developed by Apple and code derived from the BSD UNIX variant
    - compatible with the Single UNIX Specification
  - Extended Format File System (HFS+)
    - Introduced with Mac OS 8.1
    - Supports much larger disks than HFS
  - File Manager utility
    - Reading, writing, and storing data to physical media
  - Finder
    - Keeps track of files and maintains users' desktops

2 Understanding HFS+ Volumes

- A volume is any storage medium used to store files
  - Can be all or part of a hard disk
- Allocation blocks
  - An allocation block is a group of consecutive bytes
  - Smallest unit of allocated space (typical value: 4KB)
  - Clusters in Windows and blocks in Linux
  - Identified by a 32-bit allocation block number
- Clumps
  - A fixed-size set of contiguous allocation blocks
  - Similar to a block group in Linux

3 Understanding HFS+ Volumes

- First 1024 bytes and last 512 bytes of volume are not used
- Volume Header
  - Contains metadata about the volume
  - E.g. location of other key structures in the volume
  - Located at 1024 bytes from the start of the volume
  - An alternate volume header is stored at 1024 bytes before the end of the volume (second to last sector)
4 HFS+ File Structure

- A file consists of at least two parts:
  - Data fork
    - Contains data that the user creates
  - Resource fork
    - Stores application information or supporting data for a file
    - E.g. icons, context menus, etc.
    - Similar to alternate data streams in NTFS
- Allocation blocks corresponding to a fork are tracked as extents
  - A set of contiguous allocation blocks (or clumps)
  - Extents are represented by a number pair: {start, length}
  - Similar to data runs in Windows

5 HFS+ Special Files

- HFS+ has five special files that store the file system structures required to access folders, files and attributes
  - Extents of these files are described in the Volume Header
- $AllocationFile
  - Bitmap that tracks which allocation blocks are in use
  - Is like any other file, so can be non-contiguous
- $StartupFile
  - Holds information to help boot systems that do not have knowledge of HFS+ file storage structures (B+-trees)
  - Location extracted from Volume Header

6 HFS+ Special Files

- $CatalogFile
  - Maintains information about the hierarchy of files and folders on a volume
  - Organized as a B-tree
  - Location of first extent of catalog file is in the Volume Header
- $ExtentsFile
  - Information on the first 8 extents of a file is part of the catalog record of a file; the rest are maintained in this file
  - Also stores which allocation blocks are bad
- $AttributesFile
  - Stores extended attributes for files, e.g. other named forks

7 HFS+ Structure

Byte offset                          | Name                    | Purpose
0                                    | Boot blocks             | Boot instructions
1024                                 | Volume Header           | HFS+ metadata
Not fixed                            | Allocation file         | Tracks available free blocks
Not fixed                            | Extents overflow file   | Tracks the extents of files that have more than eight extents
Not fixed                            | Catalog                 | Information on the location of files/folders
Not fixed                            | Attributes file         | Stores additional file attribute information
Not fixed                            | Startup file            | New in HFS+; file used to boot HFS+ unaware systems
Not fixed, but second to last sector | Alternate Volume Header | Backup of the Volume Header
                                     | Reserved (512 bytes)    | Last sector of the volume; used by Apple during manufacturing
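The volume header layout summarized on slides 3 through 7 can be parsed directly from a disk image. The following is an added example, not code from the slides or the course: it packs a constructed 512-byte HFS+ volume header (field order as in Apple's TN1150) into a small synthetic image at byte 1024 and again 1024 bytes before the end, parses it back, decodes each special file's extents as the {start, length} pairs the slides describe, and falls back to the alternate header when the primary copy has been wiped. The image contents, dates, counts and extent values are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# HFS+ volume header (Apple TN1150): big-endian, 512 bytes in total.
# 112 bytes of fixed fields, then five 80-byte HFSPlusForkData records describing
# the allocation, extents overflow, catalog, attributes and startup files.
FIXED_FMT = ">HH17IQ8I"       # signature, version, 17 UInt32 fields, encodingsBitmap, finderInfo[8]
FORK_FMT = ">QII16I"          # logicalSize, clumpSize, totalBlocks, 8 x {startBlock, blockCount}
FIXED_SIZE = struct.calcsize(FIXED_FMT)     # 112
FORK_SIZE = struct.calcsize(FORK_FMT)       # 80
HEADER_SIZE = FIXED_SIZE + 5 * FORK_SIZE    # 512
HEADER_OFFSET = 1024          # primary header sits 1024 bytes into the volume
SPECIAL_FILES = ("allocationFile", "extentsFile", "catalogFile", "attributesFile", "startupFile")
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates are seconds since 1904-01-01


def hfs_date(seconds):
    return HFS_EPOCH + timedelta(seconds=seconds)


def parse_fork(raw):
    fields = struct.unpack(FORK_FMT, raw)
    pairs = fields[3:]
    # keep only the extents in use; each one is a {start, length} pair in allocation blocks
    extents = [(pairs[i], pairs[i + 1]) for i in range(0, 16, 2) if pairs[i + 1]]
    return {"logicalSize": fields[0], "clumpSize": fields[1], "totalBlocks": fields[2], "extents": extents}


def parse_header(raw):
    if len(raw) < HEADER_SIZE:
        raise ValueError("header truncated")
    f = struct.unpack(FIXED_FMT, raw[:FIXED_SIZE])
    if f[0] not in (0x482B, 0x4858):          # 'H+' (HFS+) or 'HX' (case-sensitive HFSX)
        raise ValueError("bad signature 0x%04x" % f[0])
    hdr = {"signature": "H+" if f[0] == 0x482B else "HX", "version": f[1],
           "createDate": hfs_date(f[5]), "modifyDate": hfs_date(f[6]),
           "fileCount": f[9], "folderCount": f[10],
           "blockSize": f[11], "totalBlocks": f[12], "freeBlocks": f[13]}
    for i, name in enumerate(SPECIAL_FILES):
        off = FIXED_SIZE + i * FORK_SIZE
        hdr[name] = parse_fork(raw[off:off + FORK_SIZE])
    return hdr


def read_volume_header(image):
    """Parse the primary header; if it is damaged, fall back to the alternate copy."""
    candidates = (("primary", HEADER_OFFSET), ("alternate", len(image) - 1024))
    errors = []
    for label, offset in candidates:
        try:
            return parse_header(image[offset:offset + HEADER_SIZE]), label
        except ValueError as exc:
            errors.append("%s: %s" % (label, exc))
    raise ValueError("no usable volume header (%s)" % "; ".join(errors))


def extent_byte_ranges(hdr, name):
    """Translate a special file's extents into (byte offset, byte length) within the image."""
    bs = hdr["blockSize"]
    return [(start * bs, count * bs) for start, count in hdr[name]["extents"]]


def pack_fork(logical_size, clump, total_blocks, extents):
    pairs = list(extents) + [(0, 0)] * (8 - len(extents))
    return struct.pack(FORK_FMT, logical_size, clump, total_blocks, *[v for p in pairs for v in p])


def build_sample_image():
    """Constructed 64-block (256 KiB) volume; every value is illustrative, not from a real disk."""
    fixed = struct.pack(FIXED_FMT, 0x482B, 4,            # 'H+', version 4
                        0, 0x3130302E, 0,                # attributes, lastMountedVersion, journalInfoBlock
                        3500000000, 3500000100, 0, 0,    # create/modify/backup/checked dates
                        12, 3,                           # fileCount, folderCount
                        4096, 64, 40,                    # blockSize, totalBlocks, freeBlocks
                        24, 65536, 65536,                # nextAllocation, rsrc/data clump sizes
                        20, 1,                           # nextCatalogID, writeCount
                        1, *([0] * 8))                   # encodingsBitmap, finderInfo
    forks = (pack_fork(4096, 4096, 1, [(1, 1)]),         # allocation bitmap
             pack_fork(8192, 8192, 2, [(2, 2)]),         # extents overflow
             pack_fork(12288, 12288, 3, [(4, 2), (10, 1)]),  # catalog, deliberately non-contiguous
             pack_fork(0, 0, 0, []),                     # attributes (empty)
             pack_fork(0, 0, 0, []))                     # startup (empty)
    header = fixed + b"".join(forks)
    image = bytearray(4096 * 64)
    image[HEADER_OFFSET:HEADER_OFFSET + HEADER_SIZE] = header
    alt = len(image) - 1024                       # alternate copy: 1024 bytes before the end
    image[alt:alt + HEADER_SIZE] = header
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    hdr, src = read_volume_header(img)
    print(src, hdr["signature"], hdr["blockSize"], hdr["totalBlocks"], hdr["createDate"])
    print("catalog extents:", hdr["catalogFile"]["extents"], extent_byte_ranges(hdr, "catalogFile"))
    damaged = bytearray(img)
    damaged[HEADER_OFFSET:HEADER_OFFSET + 512] = bytes(512)   # wipe the primary header
    print("after damage, header read from:", read_volume_header(bytes(damaged))[1])
```

On a real image you would read the bytes at offset 1024 of the partition (not of the whole disk) and compare the primary and alternate copies; a mismatch between them is itself worth noting in the examination.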
8 OS X System Artifacts

- Like Linux, OS X places all volumes under the root directory "/"
- Beneath the root directory are
  - Applications: standard location for all installed OS X applications
  - Library: supporting data that may need to be modified during program execution
    - E.g. preferences and recent items
  - Network: items in the Network domain
  - System: operating system specific files
    - Like System32 in Windows

9 OS X System Artifacts

- Beneath the root directory are
  - Users: parent directory for user home directories
  - Volumes: parent directory for mounted volumes
    - Similar to /mnt or /media in Linux
  - bin and sbin: contain command-line utilities
  - private: contains OS X versions of /tmp, /var and /etc

10 OS X System Artifacts

- Property lists
  - Files with a .plist extension
  - Applications store configurations in them
  - Equivalent to registry files in Windows
  - Typical OS X installation has thousands of them
    - Knowing which will be relevant to your examination is key
  - Format: XML or binary (use plutil tool)
- Bundles
  - Directories whose contents are hidden from the end user's view
  - OS X applications are typically distributed as bundles

11 OS X System Artifacts

- System startup and services
  - The OS X kernel (core of the OS) is in /mach_kernel
  - System tasks that run in background are read from /System/Library/LaunchDaemons and /Library/LaunchDaemons
  - User-interactive launch tasks are read from /System/Library/LaunchAgents and /Library/LaunchAgents
- Kexts
  - Extensions to the OS X kernel
  - E.g. third party hardware device extensions
  - Located in /System/Library/Extensions
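As an added example not drawn from the slides, the script below tells XML and binary plists apart by their leading bytes (the distinction plutil converts between) and then triages the launchd job files in LaunchDaemons/LaunchAgents directories, reporting what each job runs and whether it starts automatically. The two job plists, their labels and program paths are constructed, the directories are created under a temporary location, and the list of "trusted" path prefixes is a coarse review heuristic of my own, not an Apple rule.

```python
import os
import plistlib
import tempfile

BINARY_MAGIC = b"bplist00"   # first 8 bytes of a binary plist; an XML plist starts with '<?xml'

# Heuristic only: auto-started jobs whose binary sits outside these OS-owned paths get reviewed first.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/sbin/", "/bin/")


def plist_format(path):
    """Classify a plist as binary or XML from its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(BINARY_MAGIC):
        return "binary"
    if head.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"


def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)      # plistlib detects the on-disk format itself


def summarize_launch_item(path):
    """Pull the fields that say what a launchd job runs and when (keys from launchd.plist(5))."""
    data = load_plist(path)
    args = list(data.get("ProgramArguments", []))
    program = data.get("Program") or (args[0] if args else None)
    return {
        "file": os.path.basename(path),
        "format": plist_format(path),
        "label": data.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),   # may be a bool or a dict of conditions
    }


def triage_launch_dirs(dirs):
    """Summarize every .plist in the given LaunchDaemons/LaunchAgents directories."""
    items = []
    for d in dirs:
        if not os.path.isdir(d):
            continue                 # a directory such as /Library/LaunchAgents may simply not exist
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                items.append(summarize_launch_item(os.path.join(d, name)))
    return items


def needs_review(item):
    """Coarse heuristic: an auto-started job whose binary lives outside OS-owned paths gets a closer look."""
    program = item["program"] or ""
    return item["run_at_load"] and not program.startswith(TRUSTED_PREFIXES)


def build_sample_dirs(root):
    """Constructed stand-in for /Library/LaunchDaemons: one XML job and one binary job."""
    daemons = os.path.join(root, "LaunchDaemons")
    os.makedirs(daemons)
    sync_job = {"Label": "com.example.sync", "Program": "/usr/libexec/example-sync",
                "RunAtLoad": True}
    helper_job = {"Label": "com.example.helper",
                  "ProgramArguments": ["/Users/Shared/.helper/agent", "--daemon"],
                  "RunAtLoad": True, "KeepAlive": True}
    with open(os.path.join(daemons, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump(sync_job, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(daemons, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump(helper_job, fh, fmt=plistlib.FMT_BINARY)
    return [daemons]


def run_sample():
    """Build the sample directories in a temporary location and triage them."""
    return triage_launch_dirs(build_sample_dirs(tempfile.mkdtemp(prefix="launchd-sample-")))


if __name__ == "__main__":
    for item in run_sample():
        flag = "REVIEW" if needs_review(item) else "ok"
        print("%-6s %-7s %-20s %s %s" % (flag, item["format"], item["label"],
                                         item["program"], " ".join(item["arguments"][1:])))
```

On a live system the same function would be pointed at the four directories named on slide 11; the output is a starting list for review, and a flagged entry only means the binary's origin should be checked, not that it is malicious.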
12 OS X System Artifacts

- Network configuration
  - Stored in various plist files under /Library/Preferences/SystemConfiguration
  - preferences.plist has the hostname of the computer
  - com.apple.network.identification.plist has a running list of previously assigned network addresses with time stamps
  - com.apple.Bluetooth.plist contains a list of Bluetooth devices ever paired with the system
- Installed applications
  - /Library/Receipts contains information about the applications installed via the OS X installer (see InstallHistory.plist)
  - Creation time of the .pkg files corresponds to application install time

13 OS X System Artifacts

- Swap files and hibernation data are stored under /private/var/vm
  - Swap files contain sections of memory
    - May persist on disk for some time
  - Hibernation files are "sleep images"
  - Any technique used for processing unstructured data is applicable to these files
- System logs
  - Location: /private/var/log
  - Software may store logs in /Library/Logs
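Since swap files and sleep images have no internal structure, the usual first pass is string carving. As an added example (not code from the slides), the block below carves printable ASCII and UTF-16LE runs from a byte blob, the way strings(1) does, and checks each run for URLs, e-mail addresses and OS X paths, reporting the byte offset of every hit. The blob is constructed inline; the URL, address and path inside it are placeholders, not recovered data.

```python
import re

MIN_LEN = 6   # shortest run worth keeping, like strings(1) with -n

# patterns an examiner typically searches recovered text for; applied to each carved string
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "path": re.compile(r"/(?:Users|Volumes|private)/[^\s\"'<>:]+"),
}


def carve_strings(blob, min_len=MIN_LEN):
    """Yield (offset, encoding, text) for every printable run; no file format knowledge needed."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # ASCII range as UTF-16LE
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_indicators(blob, min_len=MIN_LEN):
    """Run the indicator patterns over carved strings and report where in the blob each hit sits."""
    hits = []
    for offset, encoding, text in carve_strings(blob, min_len):
        width = 2 if encoding == "utf-16le" else 1   # UTF-16 text occupies two bytes per character
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                hits.append({"offset": offset + m.start() * width, "encoding": encoding,
                             "kind": kind, "value": m.group()})
    return sorted(hits, key=lambda h: h["offset"])


NOISE = b"\x00\xff\x01\x02" * 64     # 256 bytes with no printable characters

# Constructed stand-in for a fragment of a swap file or sleepimage; not taken from any real system.
SAMPLE_BLOB = (NOISE
               + b"Visited https://intranet.example.test/login?next=/home "
               + NOISE
               + "alice@example.test".encode("utf-16-le")
               + NOISE
               + b"ok"                                       # too short to be carved
               + NOISE
               + b"/Users/alice/Documents/report.docx"
               + NOISE)


def scan_sample():
    return find_indicators(SAMPLE_BLOB)


if __name__ == "__main__":
    for hit in scan_sample():
        print("0x%06x %-8s %-5s %s" % (hit["offset"], hit["encoding"], hit["kind"], hit["value"]))
```

For a multi-gigabyte sleepimage you would read the file in overlapping chunks rather than loading it whole, but the carving logic stays the same.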

14 OS X User Artifacts

- /Library/Preferences/com.apple.loginwindow.plist file contains information about the last user that logged into the system
- OS X is fairly "tidy"
  - A user's home directory is where most of the artifacts generated directly or indirectly by a user will be found
- User's Library (Library directory in home directory)
  - User specific artifacts such as log files, preference settings, application artifacts, etc.
  - Not a directory that users typically explore
  - Nearly all artifacts will persist unless manually purged

15 OS X User Artifacts

- Library/Preferences/ includes preference data for applications installed on the system
  - Includes items such as recently opened files, network locations and any configuration changes
  - com.apple.quicktimeplayer.plist contains a list of video files that were opened in QuickTime
  - com.apple.recentitems.plist contains recently opened files and applications
  - com.apple.DiskUtility.plist contains the full path for disk images opened in the system
16 OS X User Artifacts

- Library/Preferences/ includes preference data for applications installed on the system
  - com.apple.finder.plist has
    - FXConnectToLastURL key: tells you the last server the system connected to via Finder
    - FXDesktopVolumePositions key: gives an idea of the volumes ever mounted on the system
    - FXRecentFolder key: user's most recently viewed directories
  - com.apple.iPod.plist: list of Apple devices (iPod, iPhone, iPad) connected to the system
    - Includes a lot of information to identify the exact device (e.g. IMEI number of an iPhone)

17 OS X User Artifacts

- Library/Application Support/MobileSync/Backup contains one or more subdirectories with data synced from an iPod, iPhone or iPad
  - Again, lots of information about the device itself
- Library/Logs has user-specific application logs
  - Plain text log files
  - DiskUtility.log: user actions on a disk using Disk Utility
- .Trash hidden directory to store deleted files (like Recycle Bin)
  - .DS_Store file stores path to original file
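To show how the user-artifact locations on slides 14 through 17 get collected in practice, here is an added example (not from the slides) that walks one home directory with a small catalogue of the files and directories named above, reads the plists whatever their on-disk format, notes which expected keys are missing, and records modification times in UTC so the records can be placed on a timeline. The home directory it inspects is a constructed temporary one; the server URL, the disk-image key name, the log line and the device backup directory name are placeholders.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timezone

# Artifact catalogue from the slides, relative to the user's home directory.
# A tuple lists the keys to pull; None means "report every key in the file".
PREFERENCE_ARTIFACTS = {
    "Library/Preferences/com.apple.finder.plist": ("FXConnectToLastURL", "FXDesktopVolumePositions", "FXRecentFolder"),
    "Library/Preferences/com.apple.recentitems.plist": None,
    "Library/Preferences/com.apple.quicktimeplayer.plist": None,
    "Library/Preferences/com.apple.DiskUtility.plist": None,
    "Library/Preferences/com.apple.iPod.plist": None,
}
DIRECTORY_ARTIFACTS = {
    ".Trash": "deleted files",
    "Library/Application Support/MobileSync/Backup": "one subdirectory per synced iOS device",
    "Library/Logs": "user-specific application logs",
}


def mtime_utc(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def inventory_home(home):
    """Collect the catalogued artifacts that exist under one home directory, with timestamps."""
    records = []
    for rel, keys in PREFERENCE_ARTIFACTS.items():
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            records.append({"artifact": rel, "status": "absent"})
            continue
        with open(path, "rb") as fh:
            data = plistlib.load(fh)          # XML or binary, plistlib handles both
        wanted = keys if keys is not None else tuple(data)
        records.append({"artifact": rel, "status": "present", "modified": mtime_utc(path),
                        "values": {k: data[k] for k in wanted if k in data},
                        "missing_keys": [k for k in wanted if k not in data]})
    for rel, purpose in DIRECTORY_ARTIFACTS.items():
        path = os.path.join(home, rel)
        if not os.path.isdir(path):
            records.append({"artifact": rel, "status": "absent"})
            continue
        records.append({"artifact": rel, "status": "present", "modified": mtime_utc(path),
                        "purpose": purpose, "entries": sorted(os.listdir(path))})
    return records


def build_sample_home():
    """Constructed home directory with a few of the catalogued artifacts; no real user data."""
    home = tempfile.mkdtemp(prefix="home-sample-")
    prefs = os.path.join(home, "Library", "Preferences")
    logs = os.path.join(home, "Library", "Logs")
    backup = os.path.join(home, "Library", "Application Support", "MobileSync", "Backup",
                          "DEVICE-UDID-PLACEHOLDER")
    trash = os.path.join(home, ".Trash")
    for d in (prefs, logs, backup, trash):
        os.makedirs(d)
    with open(os.path.join(prefs, "com.apple.finder.plist"), "wb") as fh:
        # binary on disk, as on a real system; the server URL is a made-up value
        plistlib.dump({"FXConnectToLastURL": "smb://fileserver.example.test/share"}, fh,
                      fmt=plistlib.FMT_BINARY)
    with open(os.path.join(prefs, "com.apple.DiskUtility.plist"), "wb") as fh:
        # key name is a placeholder; the slide names only the file, not its keys
        plistlib.dump({"RecentDiskImages": ["/Users/alice/Downloads/tool.dmg"]}, fh)
    with open(os.path.join(logs, "DiskUtility.log"), "w") as fh:
        fh.write("constructed log line\n")
    with open(os.path.join(trash, "old-report.docx"), "wb") as fh:
        fh.write(b"placeholder")
    return home


if __name__ == "__main__":
    records = inventory_home(build_sample_home())
    for rec in sorted(records, key=lambda r: str(r.get("modified", ""))):
        print(rec["status"].upper().ljust(8), rec["artifact"],
              rec.get("values", rec.get("entries", "")))
```

Run against a mounted image rather than the live system, the same inventory should be taken from each home directory under /Users, since slide 14 notes that these artifacts persist until a user purges them.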

18 References

- Ch 8: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- HFS+ Volume Format: http://www.dubeyko.com/development/FileSystems/HFSPLUS/hexdumps/hfsplus_volume_header.html