FORENSIC MEMORY ANALYSIS FOR APPLE OS X

THESIS

Andrew F. Hay

AFIT/GCO/ENG/12-17

DEPARTMENT OF THE AIR FORCE
AIR UNIVERSITY
AIR FORCE INSTITUTE OF TECHNOLOGY
Wright-Patterson Air Force Base, Ohio

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED

The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the United States Government and is not subject to copyright protection in the United States.

FORENSIC MEMORY ANALYSIS FOR APPLE OS X

THESIS

Presented to the Faculty
Department of Electrical and Computer Engineering
Graduate School of Engineering and Management
Air Force Institute of Technology
Air University
Air Education and Training Command
In Partial Fulfillment of the Requirements for the Degree of Master of Science

Andrew F. Hay, BS

June 2012

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED

Approved:

Abstract

Analysis of raw memory dumps has become a critical capability in digital forensics because it gives insight into the state of a system that cannot be fully represented through traditional disk analysis. Interest in memory forensics has grown steadily in recent years, with a focus on the Microsoft Windows operating systems. However, similar capabilities for Linux and Apple OS X have lagged by comparison. The volafox open source project has begun work on structured memory analysis for OS X. The tool currently supports a limited set of kernel structures to parse hardware information, system build number, process listing, loaded kernel modules, syscall table, and socket connections. This research addresses one memory analysis deficiency on OS X by introducing a new volafox module for parsing file handles.

When open files are mapped to a process, an examiner can learn which resources the process is accessing on disk. This listing is useful for determining what information may have been the target for exfiltration or modification on a compromised system. Comparing output of the developed module and the UNIX lsof (list open files) command on two versions of OS X and two kernel architectures validates the methodology used to extract file handle information.

Acknowledgments

I would like to thank my research advisor, Dr. Gilbert Peterson, for sharing his extensive knowledge throughout this process and always freely offering advice when I needed it most. Without his support for my eccentric research interests this work would not have been possible.

Andrew F. Hay

Table of Contents

Abstract ... iv
Acknowledgments ... v
List of Figures ... viii
List of Tables ... ix
I. Introduction ... 1
1.1 Research Objectives and Assumptions ... 3
1.2 Methodological Approach ... 4
1.3 Research Implications ... 5
II. Literature Review ... 7
2.1 Digital Forensics ... 7
2.2 Incident Response ... 9
2.3 Memory Forensics ... 13
2.4 Mac Memory Acquisition ... 18
2.5 Structured Memory Analysis ... 21
2.6 Summary ... 30
III. Methodology ... 31
3.1 System Design ... 32
3.2 Key Kernel Structures ... 36
3.3 Project Volafox ... 44
3.4 File Handle Module Implementation ... 48
3.5 Open Issues ... 64
3.6 Summary ... 71
IV. Results and Analysis ... 72
4.1 Module Evaluation Methodology ... 72
4.2 Results ... 83
4.3 Summary ... 95
V. Conclusions and Recommendations ... 96
5.1 Research Conclusions ... 96
5.2 Significance of Research ... 99
5.3 Recommendations for Future Research ... 100
5.4 Summary ... 102
Appendix A. Regular Builds OS X 10.4.4 – 10.7.3 ... 103
Appendix B. Full Structure Diagram ... 105
Appendix C. Python struct Library ... 106
Appendix D. Full UML Diagram ... 108
Appendix E. Full Test Results ... 109
Appendix F. Hardware Capture Summary ... 123
Appendix G. Complete Source Code: lsof.py ... 124
Bibliography ... 150

List of Figures

Figure 1. mach_kernel executable. ... 27
Figure 2. Volatility linux_list_open_files output (Cohen & Collett, 2008). ... 32
Figure 3. UNIX list open files (lsof) command. ... 33
Figure 4. C struct relationship overview. ... 36
Figure 5. Symbol table and process list. ... 37
Figure 6. Memory-mapped files (txt). ... 38
Figure 7. File descriptor table. ... 39
Figure 8. Virtual node (vnode). ... 41
Figure 9. struct proc. ... 43
Figure 10. Abstraction crossover. ... 44
Figure 11. volafox package diagram. ... 45
Figure 12. UML 1 – process list and file descriptors. ... 50
Figure 13. UML 2 – vnode interface and memory-mapped files. ... 51
Figure 14. struct proc template, 10.6 x86. ... 53
Figure 15. Simplified abstract class Struct (no error handling). ... 54
Figure 16. Concrete class Devnode. ... 55
Figure 17. Template generation function. ... 56
Figure 18. 10.7 x64 template for struct ubc_info. ... 58
Figure 19. Manual offset calculation for 64-bit struct ubc_info (annotated). ... 58
Figure 20. Template output from printstructs.py. ... 60
Figure 21. Template testing. ... 61
Figure 22. volafox usage statement. ... 62
Figure 23. volafox lsof command branch. ... 63
Figure 24. lsof method stub added to class volafox. ... 63
Figure 25. volafox user output. ... 64
Figure 26. lsof user output. ... 64
Figure 27. volafox proc_info output. ... 65
Figure 28. Suiche process list output (2010). ... 66
Figure 29. ps name keywords. ... 67
Figure 30. launchd name keywords. ... 67
Figure 31. ps session keywords. ... 68
Figure 32. class Session testing modification. ... 68
Figure 33. struct session address. ... 68
Figure 34. /dev directory size. ... 70
Figure 35. volafox open files listing. ... 71
Figure 36. lsof handle duplication. ... 81
Figure 37. Simplified lsof.py unpacktype() function. ... 106

List of Tables

Table 1. volafox modules and their Volatility equivalents. ... 25
Table 2. volafox commands with associated symbols and kernel structures. ... 29
Table 3. UNIX lsof output fields. ... 34
Table 4. Open file data locations. ... 42
Table 5. Template interface fields. ... 53
Table 6. Manual hex sizing. ... 59
Table 7. Field differences versus file type. ... 79
Table 8. OS X 10.6.8 x86 test case summary. ... 86
Table 9. OS X 10.6.0 Server x64 test case summary. ... 87
Table 10. OS X 10.7.3 x86 test case summary. ... 88
Table 11. OS X 10.7.0 x64 test case summary. ... 89
Table 12. OS X 10.6.8 combined real-world results (8 samples). ... 91
Table 13. OS X 10.7.x combined real-world results (2 samples). ... 93
Table 14. struct.unpack format characters. ... 107
Table 15. OS X 10.6.8 x86 controlled test case results (1 sample). ... 109
Table 16. OS X 10.6.0 Server x64 controlled test case results (1 sample). ... 110
Table 17. OS X 10.7.3 x86 controlled test case results (1 sample). ... 111
Table 18. OS X 10.7.0 x64 controlled test case results (1 sample). ... 112
Table 19. OS X 10.6.8, model X6A real-world results (1 sample). ... 113
Table 20. OS X 10.6.8, model DR2 real-world results (1 sample). ... 114
Table 21. OS X 10.6.8, model VUW real-world results (1 sample). ... 115
Table 22. OS X 10.6.8, model AGU real-world results (1 sample). ... 116
Table 23. OS X 10.6.8, model U35 real-world results (1 sample). ... 117
Table 24. OS X 10.6.8, model X8A real-world results (1 sample). ... 118
Table 25. OS X 10.6.8, model DB5 real-world results (1 sample). ... 119
Table 26. OS X 10.6.8, model ATM real-world results (1 sample). ... 120
Table 27. OS X 10.7.0, model 0P2 real-world results (1 sample). ... 121
Table 28. OS X 10.7.2, model 18X real-world results (1 sample). ... 122