Insights Blog

BlackBag White Paper – Mac Forensics, The Case for Native Analysis

Mac OS X and iOS Growth

iOS Adoption and OS X Maturation
Apple continues to innovate ahead of its competitors.  First the iPhone changed the smart phone game overnight with a unique touch interface and uniform body, breeding numerous copycat devices.  Now we see many market analysts claiming 2012 to be the year of the tablet, a much ballyhooed unicorn of a device which finally took shape with Apple’s game-changing iPad.  While consumer sales have proven tablet naysayers wrong, more surprising has been been the stellar rate of adoption by enterprise.  80% of the Fortune 100 are already deploying or piloting the iPad.  During the quarter ending June 25, 2011, Apple sold 20.34 million iPhones and 9.25 million iPads.
These numbers are bolstered by an even rosier outlook by market analysts.  A recent report by Gartner Group projected that despite huge gains by Google’s Android platform, iOS will remain the dominant tablet platform, with an estimated market share in excess of 47%.  Regardless of how accurate these projections become, it’s clear that the iOS platform will be a force in the enterprise and consumer markets. This logically will lead to a surge in forensic cases involving evidence created and stored on iOS devices along with paired laptop and desktop computers.
In addition to the startling success of iOS devices such as the iPhone and iPad, Mac OS X continues to make strong gains, and according to Gartner, recently cracked the 10% market share threshold amongst PC makers in North America.  Apple’s success within the consumer market is slowly penetrating the corporate space as more CTO’s accept and support the OS X platform within the enterprise.
Given recent momentum and the pace of innovation at Apple, iOS devices and OS X computers have become important tools in today’s computing culture.  The forensic community, both vendors and law enforcement, have historically focused on Windows analysis and the understandable volume associated with the dominance of the Windows platform.  While third party application providers have developed software to work across both Mac and Windows platforms, the operating systems and their underlying data structures and file systems are starkly different.  The truest and best forensic analysis will always occur in a native environment, and therefore it’s important that investigators understand the benefits of using native analysis.  The remaining portion of this paper will highlight several important examples supporting native analysis within the Mac environment (i.e., using a Mac running Mac OS X to analyze OS X and iOS suspect systems).

The Case for Native Mac Analysis

Viewing and understanding the data in the same way that the suspect created and used the data is an important step in any forensic investigation.  Regardless of the software used to analyze the data, this ‘native perspective’ ensures the best possible understanding for the analyst, and eventually the reviewer, of the forensic reports.  Performing a forensic investigation of Mac data while running Windows is inherently relying on the Windows operating system to interpret Mac data. While Windows may be able to read several common file types, there may be significant amounts of data that it completely misses or misinterprets. This creates significant opportunity for error in the investigation results.  Using native applications and the Mac operating system, the examiner is able to open and view the files exactly as the original user created and viewed them. This type of comprehensive analysis simply cannot be achieved using a platform other than Mac OS X.
Mac OS X creates and supports the use of several disk image formats including dmg, sparse image, and sparse bundle, as well as FileVaulted sparse bundle and Time Machine backup files.   All of these formats can be ‘mounted’ for analysis, offering the truest view as to how the user interacted with his or her data.  By locking these files, then mounting them to preserve the evidence, investigators have easy access to not only the suspect’s files, but also the suspect’s software applications.  This is especially important for viewing obscure software files which may require software that is not loaded on the analyst’s system.  Even the unallocated space for deleted files can be accessed from the mounted volume (assuming an entire physical disk was imaged and placed within a .dmg container).

When mounted, a disk image looks like any other mounted volume, except for the different icon.

Quick Look
There may be times when the investigator needs to quickly see the image contents without waiting for parsing or indexing of the entire disk image.  Mac OS X Quick Look is ideal for such instances, offering an instant content snapshot without having to actually open the file.  This feature can save significant time when there is a need to view files quickly (especially pictures) and traverse a file directory in search of a specific item of interest.  In the example below, an entire document is displayed via the Quick Look feature without starting the application or opening the document.  While of course intended for the average Mac user, this feature is uniquely valuable for forensic examiners.

Bundled Files
Mac bundle files can cause unnecessary frustration for investigators using Windows to perform their analysis.  Applications such as Apple’s Keynote (the PowerPoint equivalent for Macs) use  a bundled file format which is natively seen as a single file on a Mac (note: not all versions use this format).  However, Windows does not inherently recognize the format and will open the file as a number of files and folders instead of the single file that it is (hence the bundle term).  Keynote is only one example, but several third party Mac OS X applications utilize bundled file types. Without the use of Mac OS X for analysis, it can be extremely difficult to accurately see the suspect’s data as content instead of jumbled files. This may result in viewing inaccurate file counts because of the excessively interpreted files and folders.  The example below shows how a Windows system improperly views the Keynote file as several files and folders (left image), while the Mac properly identifies the file as one presentation (right image).

Resource and Data Forks
Mac OS X uses resource and data forks to store disparate pieces of information within the file system. While the Mac OS is designed to understand and view the relationship of the resource and data fork as one, Windows commonly separates the two forks into separate files, providing inaccurate information about the file in question and file counts. The data in the resource fork can provide very important information, including the file’s extended attributes such as color, locked, bundles, invisible, and alias information. In some instances, Windows computers have shown that both resource and data forks were equal in size when, in reality, the resource forks were zero KB in size. Such inaccurate information can not only mislead the investigator, but also cause confusion for attorneys and the court involved in the case.
Case-Sensitive File Systems
The iPhone and all other iOS devices use the regular Mac HFS+ file system, but additionally are set as case sensitive. This means that multiple files of the same name can exist in the same space as long as their names differ by case sensitivity. Only an OS that is set up to recognize such a file system can properly handle the file names without making changes to them. The Mac OS allows you to set up your computer with a case-sensitive file system or its built-in tools allow the user to create a case-sensitive disk image where files exported from an iOS device can be stored (left image below). Built-in tools allow creation of a disk image with a case-sensitive format. Case-sensitive file systems allow files spelled the same to co-exist in the same space as exemplified by the image on the right below.

These represent only a few examples of the dangers associated with non-native forensic analysis. Mac OS X is a starkly unique platform, and Apple used much of its architecture to design the iOS, which powers the proliferation of iPhones and iPads in the marketplace. Investigators will ultimately save time and money by utilizing the Mac OS X platform in their Mac and iOS forensic analysis to avoid any interpretations by another operating system such as Windows.

BlackBag Team
Latest posts by BlackBag Team (see all)