Live Forensics Mac OS X (I)


When dealing with expert or forensic reports, the reports must be objective, testable and reproducible. This last requirement, although desirable, is not always achievable, for example in medical forensics or, in the IT world, when a first acquisition of volatile data is made. But this needn’t be a problem if the process followed is correctly documented.

Even so, a forensic analyst will not always be able to carry out an “online” analysis before creating the binary image, perhaps because the system is switched off or destroyed, or simply because the case load does not allow for it at that particular moment. For this reason, once the corresponding copies have been taken, it is possible to start the system up in a virtual environment. Although this does not exactly reproduce the conditions before the acquisition, it can serve as an aid and a complement to “offline” analysis, and it can be reproduced afterwards.

This method is typically used for the analysis of Windows and *nix systems, but is perhaps less widely used for Apple desktop operating systems. For that reason, we will show the steps needed to create and start up a virtual machine from a physical disk image of the system under analysis. We will look first at VirtualBox and continue in a second post with VMware.

The whole process was carried out on an Ubuntu 10.04 Linux distribution, but it could be done in the same way from Windows or even from Mac OS X. In any case we need the following:

  • Qemu
  • VirtualBox 3.2.6 or later.
  • A processor with virtualization technology

The first step is to convert the RAW image obtained beforehand from the physical machine into a virtual disk compatible with VirtualBox. Qemu can be used for this as follows:

 $ sudo qemu-img convert -f raw imagen.dd -O vdi imagen.vdi

This could also be done via VirtualBox itself:

 $ VBoxManage convertfromraw <filename> <outputfile>

Depending on the size of the disk, this can take anywhere from a few minutes to several hours. The conversion only reads the RAW image: it is the new .vdi that the virtual machine will write to when it is started, so the original image and its hash remain untouched.

Next, a new virtual machine is created and configured. This can be done from the command line as follows:

 $ VBoxManage createvm --name MacOSX --ostype MacOS_64 --register --basefolder /VirtualMachines
 $ VBoxManage modifyvm MacOSX --memory 1024
 $ VBoxManage modifyvm MacOSX --accelerate3d on --vram 32
 $ VBoxManage storagectl MacOSX --add sata --controller IntelAHCI --name SATAController
 $ VBoxManage storagectl MacOSX --add ide --controller PIIX4 --name IDEController
 $ VBoxManage storagectl MacOSX --name SATAController --hostiocache on
 $ VBoxManage storagectl MacOSX --name IDEController --hostiocache on
 $ VBoxManage modifyvm MacOSX --usb on --keyboard usb --mouse usb
 $ VBoxManage storageattach MacOSX --storagectl SATAController --type hdd --port 0 --device 0 --medium /VirtualMachines/HDDs/imagen.vdi
 $ VBoxManage modifyvm MacOSX --firmware efi64
 $ VBoxManage setextradata MacOSX VBoxInternal2/EfiGopMode 4
 $ VBoxManage setextradata MacOSX VBoxInternal2/SmcDeviceKey "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"

and the machine is started up as follows:

 $ VBoxManage startvm MacOSX

(*) Where MacOSX is the name given to the virtual machine and /VirtualMachines is the directory where it will be stored.

Of course, it is also possible to create the virtual machine through the VirtualBox graphical assistant, selecting Mac OS X Server as the operating system and then modifying the configuration as follows:

  • System/Motherboard: Uncheck “Floppy Disk”
  • System/Acceleration: Disable “Nested Paging”
  • Display/Video: Set to more than 32 MB of memory and select “Enable 3D acceleration”
  • Storage/IDE Controller & SATA Controller: Select “Use host I/O cache”
  • USB: Enable the USB controller

After this setup, close the interface completely, along with any other related process (otherwise VirtualBox will overwrite the edit when it next saves its settings), and open the configuration file .vbox (formerly .xml) in /VirtualMachines/MacOSX with a text editor, adding the following in the <ExtraData> section:

 <ExtraDataItem name="VBoxInternal2/EfiGopMode" value="4"/>
 <ExtraDataItem name="VBoxInternal2/SmcDeviceKey" value="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"/>

Finally, start the machine to proceed with the “online” analysis and obtain data such as active processes, network traffic captures, etc.
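The .vbox edit described above can also be scripted, which makes the step easier to document and repeat. The following Python script is an added example, not code from the original post or from VirtualBox; it assumes the .vbox file declares the default XML namespace http://www.virtualbox.org/ and keeps <ExtraData> inside <Machine> (the sample file inside it is constructed), and it updates an existing entry instead of adding a duplicate.

```python
import xml.etree.ElementTree as ET
# Assumption: the .vbox file uses this default namespace and keeps <ExtraData> inside <Machine>.
VBOX_NS = "http://www.virtualbox.org/"
ET.register_namespace("", VBOX_NS)  # serialise with the default namespace, not ns0: prefixes

# The two settings the post adds by hand to the <ExtraData> section.
MAC_EXTRA_DATA = {
    "VBoxInternal2/EfiGopMode": "4",
    "VBoxInternal2/SmcDeviceKey": "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc",
}

def _tag(name):
    return "{%s}%s" % (VBOX_NS, name)
def set_extra_data(root, items):
    """Add or update <ExtraDataItem> elements under <Machine>; returns how many changed."""
    machine = root.find(_tag("Machine"))
    if machine is None:
        raise ValueError("no <Machine> element: not a .vbox file?")
    extra = machine.find(_tag("ExtraData"))
    if extra is None:  # the assistant may not have written an ExtraData section yet
        extra = ET.Element(_tag("ExtraData"))
        machine.insert(0, extra)
    existing = {el.get("name"): el for el in extra.findall(_tag("ExtraDataItem"))}
    changed = 0
    for name, value in items.items():
        el = existing.get(name)
        if el is None:
            ET.SubElement(extra, _tag("ExtraDataItem"), name=name, value=value)
            changed += 1
        elif el.get("value") != value:  # update in place instead of adding a duplicate
            el.set("value", value)
            changed += 1
    return changed

def patch_vbox_xml(xml_bytes, items=MAC_EXTRA_DATA):
    """Return the .vbox XML with the items applied; a second run changes nothing."""
    root = ET.fromstring(xml_bytes)
    set_extra_data(root, items)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def get_extra_data(xml_bytes):
    """name -> value for every ExtraDataItem, to verify the edit before starting the VM."""
    root = ET.fromstring(xml_bytes)
    return {el.get("name"): el.get("value") for el in root.iter(_tag("ExtraDataItem"))}

# Constructed sample .vbox (not a real file), as the GUI assistant might have written it.
SAMPLE_VBOX = (b'<?xml version="1.0"?><VirtualBox xmlns="http://www.virtualbox.org/" version="1.10-linux">'
               b'<Machine uuid="{00000000-0000-0000-0000-000000000000}" name="MacOSX" OSType="MacOS_64">'
               b'<ExtraData><ExtraDataItem name="GUI/LastGuestSizeHint" value="1024,768"/></ExtraData>'
               b'<Hardware/></Machine></VirtualBox>')
```

Read the file’s bytes, pass them through patch_vbox_xml and write the result back, with VirtualBox closed as described above; get_extra_data on the written file confirms both entries are present before the machine is started.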

Santiago Vicente
S21sec e-crime
