Interview: Examining the seedy world of Mac OS X Forensics - Macenstein

We all know that good guys use Macs, and the bad guys use PCs, right? Well, so do law enforcement agencies, which is why nearly 100% of the training given to law enforcement’s digital forensic specialists has traditionally dealt with how to handle a Windows machine at a crime scene. But what about the one or two “bad Apples” (pun intended) out there? What if you are a first responder to a crime scene and you find a MacBook sitting there amidst all the piles of “Mary Jane” and illegally pirated copies of Beethoven’s Big Break? What do you do? Or worse yet, what if YOU are the Bad Apple, and you want to try to protect your MacBook from the Feds during your next raid? How should you go about it?

Well, luckily for both good and evil Mac users alike, Ryan R. Kubasiak, Dave Melvin, and Reggy Chapman, three Certified Forensic Computer Examiners (and Apple Certified Support Professionals) with some pretty impressive (yet top-secret) law enforcement forensic credentials, have started an online resource dedicated to Macintosh digital forensics, and it’s free to the internet community. Mac OS X Forensics aims to arm all of you would-be CSI officers with an overview of the various Mac OS system and security features, and how best to poke around in a system you feel may contain data you need.

“The field of digital forensics is still growing by leaps and bounds,” says Kubasiak, “but the Macintosh side is still quite small. It is very difficult to find qualified and interested individuals when it comes to the Macintosh operating system.”

Technologies such as FileVault, Boot Camp, Back to My Mac, and even something as simple as “Spaces” might throw off a newbie to the Mac platform looking to check out your data. As a seasoned Mac user, you may think you know how to protect your data in case of laptop theft or seizure, but odds are you’re wrong. Ryan’s site provides the info and links to various tools and steps needed to gain access to most areas of your system, even encrypted ones. Do you know what the terms “sparseimage” and “hdiutil” refer to? Ryan does, and a quick look at the “Files” section of his page makes for a very interesting read, as it provides links to a slew of goodies you can use to crack a Mac’s security. Knowing how these tools work can help you build better passwords and employ better security techniques that can increase the security of your Mac, AND make Ryan’s job harder when he is called in to take you down. 🙂

We took a moment to sit down with Ryan Kubasiak of Mac OS X Forensics and go over some of the basics of the Mac forensics game, and how you can go about protecting your data.

Macenstein: Obviously, how secure a Mac is against a forensic search depends almost entirely on how savvy the user is, but in general, how secure is the Mac as an operating system compared to Windows?
Ryan: Getting to the data is “typically” a matter of getting to the hard drive. How is the computer physically secured? That is not a matter of the OS. Once we are beyond that, we need to see if the hard drive has security such as encryption native to its mechanics. Once we are beyond that, we can then look at the OS X and Windows approach. OS X uses FileVault to secure data to a user’s Home folder. Windows XP uses Encrypted File System to allow a user to secure any folder, but it is atypical to find it in use and it is easily defeated. Windows Vista Ultimate uses BitLocker and whole disk encryption.

Which one is better from a forensic standpoint? Neither or both! On the Mac, if FileVault is used properly, it is nearly impossible to decrypt and gain access to the secure data. On Windows Vista, the same is true. So, in that sense, they are equally great and almost impossible to defeat. With both, there are ways that each allows the user to be sloppy with passwords and security keys. In that sense, they each are weak and allow forensic examiners to gain access. Neither has flaws where we gain backdoor access.

Macenstein: So, any perceived difficulty in searching a Mac over a Windows machine is due more to the forensic specialist’s unfamiliarity with the Mac OS than any real edge in security technologies the Mac may employ natively?
Ryan: Yes! Because many examiners are not properly trained in Macintosh data, it is difficult to interpret what is being seen. It is not possible to fully examine a Macintosh computer from a Windows-based examination tool. Yet, that is what many examiners are familiar with and will attempt such a feat. The “bundles” and “packages” on a Mac will look distinctly different inside a Windows examination tool, as an example.

Macenstein: What types of information are authorities most often looking to uncover on a Mac?
Ryan: Although every case is different, many cases have common threads. Timeline information is important for user activity. It is important to be able to state not only “who”, but also “when” and “how”. The operating system and file system employ time stamps generously throughout the system. Applications use time stamps generously and so do internet browsers.

Macenstein: What are your favorite tools for pulling information off a Mac?
Ryan: SubRosaSoft’s MacForensicsLab and BlackBag Mac Forensic Suite are the premier tools on the Mac for forensics. Along with these tools, I also use third-party tools like File Juicer, MacFUSE/NTFS-3g, MacLockPick II, VLC, QuickTime Pro and Emailchemy. With all cases, having the native application that the suspect was using is imperative, so a full complement of applications to match the Mac being analyzed is a must.

Macenstein: Is there ever information/encryption on the Mac that cannot be cracked by investigators?
Ryan: Absolutely. FileVault cannot be cracked. It doesn’t have a weakness where we can get in within minutes. An analysis takes advantage of the user in gaining access to encrypted data. If a user has chosen to use FileVault, I can still analyze the remainder of the data. The analysis will include making a “dictionary” of the Macintosh and then attempting a brute force attack against the FileVault encrypted Home folder.

Macenstein: So, what’s the most interesting Mac-related case you’ve worked on to recover data?
Ryan: The most interesting would have to be the one that survived an arsonist. The iMac was intentionally set ablaze yet the hard drive survived and the data was recoverable. The cases get more interesting by the year. Just when I thought I had seen the most disgusting person on the planet, there is a new person to take that honor. Probably the more interesting is when a person’s “secret” is uncovered during an examination and it comes out during testimony.

Macenstein: What are 3 tips for paranoid users wishing to hide sensitive information from a forensics specialist like yourself?
Ryan: #1 Don’t brag about what you just did. #2 Stop watching TV as a digital forensic educational tool. #3 Secure erase your computer after every use.

Macenstein: Seems practical. So, speaking of TV forensics, how annoyed are you by the depiction in TV and Movies of how easy it is for hackers to decrypt top secret government information and other data? Usually it is a disheveled 20-something slacker who just types about 6 keys and says “I’m in”. That has GOT to annoy you.
Ryan: A movie has to be done in 2 hours somehow! It’s not a big deal. 🙂

Macenstein: You’re a bigger man than me. Thanks Ryan.

Check out Mac OS X Forensics here.
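Ryan’s answer about timelines is the most practical takeaway for anyone curious how an examiner actually reads a Mac: every file carries several timestamps (last modification, last access, last metadata change, and on HFS+ a creation or “birth” time), and a timeline is just those events gathered from many files and sorted. The script below is an added illustration written for this page, not code from Mac OS X Forensics or any of the tools Ryan names. It builds such a timeline from a constructed sample directory; the file names and the 2008 base timestamp are made up for the demo, and `st_birthtime` is only reported on platforms (such as macOS) whose file systems record it.

```python
"""Build a simple file-system timeline from stat() timestamps.

Illustration for the interview's point that examiners reconstruct "when"
from the timestamps the OS and file system keep on every file. Example code
written for this page, not a tool from Mac OS X Forensics; the directory it
scans is a constructed sample.
"""
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple

# One timeline entry: (epoch seconds, event name, path)
Event = Tuple[float, str, str]


def file_events(path: str) -> List[Event]:
    """Return one event per timestamp that stat() reports for *path*."""
    st = os.stat(path)
    events = [
        (st.st_mtime, "modified", path),   # content last written
        (st.st_atime, "accessed", path),   # content last read, if the FS records it
        (st.st_ctime, "changed", path),    # inode/metadata last changed (POSIX ctime)
    ]
    # HFS+/APFS on macOS expose the creation time as st_birthtime; many
    # other platforms do not, so add the event only when it is present.
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        events.append((birth, "created", path))
    return events


def build_timeline(root: str) -> List[Event]:
    """Walk *root* and return every file event, oldest first."""
    events: List[Event] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            events.extend(file_events(os.path.join(dirpath, name)))
    # Sort by time, then path and event, so the order is deterministic
    events.sort(key=lambda e: (e[0], e[2], e[1]))
    return events


def format_timeline(events: List[Event]) -> List[str]:
    """Render events as 'ISO-8601 UTC  event  path' lines."""
    return [
        f"{datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}  {ev:<9}  {p}"
        for ts, ev, p in events
    ]


def make_sample_tree() -> str:
    """Create a constructed sample directory with back-dated timestamps."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    base = 1_200_000_000  # constructed epoch base (January 2008), not a case value
    for name, offset in (("notes.txt", 0), ("photo.jpg", 3600), ("ledger.csv", 7200)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("sample\n")
        # os.utime sets atime and mtime only. ctime cannot be set from user
        # space and will show "now": a back-dated mtime next to a fresh ctime
        # is exactly the kind of inconsistency an examiner looks for.
        os.utime(p, (base + offset, base + offset))
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for line in format_timeline(build_timeline(sample)):
        print(line)
```

Run it and the three “modified”/“accessed” events line up in 2008 while every “changed” (and, on a Mac, “created”) event lands at the moment the script ran, which is the gap between what a file claims about itself and what the file system recorded that Ryan’s “when” and “how” depend on.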

6 Responses to “Interview: Examining the seedy world of Mac OS X Forensics”
  1. jonro says:

    Great interview! Please do more of these in the future. Anyway, I’ve got to go put a couple of things in a FileVault partition…

  2. iShervin says:


  3. Javier says:

    Wow, Doc? How much you RULE?

    Nice interview, I agree with jonro, you should do more of these in the future. And Man, you are hilarious. I linked a few days ago to your post about the App Store Milestone on my blog, and I stated that reading you is as clever, funny and hilarious as reading Truman Capote doing a nerd column in Wired. I feel reassured by your interview closing.

  4. imajoebob says:

    I’m a bit concerned with what is, by superficial appearance, a web site explaining more effective ways to get inside someone’s computer. Training law enforcement is fine (with limitations heretofore ignored), but should be done in a more discreet fashion.

    Sure, I’m probably paranoid, but a little paranoia is a healthy thing. Especially with recent history.

  5. imajoebob says:

    Oh. As one born in the “Land Of Steady Habits,” a very nice new look.

  6. aranhamo says:

    I loved the interview and agree that you should do more like this. I work in forensics software, and the website is great. The resources there will do a lot to help us improve our software to help investigators examine Macs.
