Vulnerability Assessment and Macintosh Forensics

Laboratory forensics has traditionally been a look at the hard drive of a suspect Macintosh. The examination is a thorough look into the active and unallocated areas of the hard drive(s) of the system, with a report generated at the end reconstructing the usage of the Macintosh. This traditional approach to digital forensics has quickly become a part of the overall process, rather than the process itself. With the adoption of encryption, network communications, “hacking”, file sharing, etc., a need arises for a more complete story of what the Macintosh “is” doing, rather than just what it “was” doing. This approach to digital forensics can be looked at as Live Digital Forensics because you, the examiner, are looking at a Macintosh that is still functioning.

As part of creating this Live Digital Forensics report, a company called Tenable Network Security has developed a product called Nessus. Nessus is a well-developed, mature vulnerability scanner that is available on the Macintosh, Windows and Linux platforms. Simply put, Nessus scans a target for known vulnerabilities. Tenable maintains a database of all known security flaws for a huge number of operating systems as well as the applications that run on them. Although Nessus was developed for system administrators to secure their systems and networks, we as digital forensic examiners can use this same functionality to report on a potentially compromised system, documenting how it could have been compromised and how it could not.

A word of caution: When a system has been compromised, many times a “hacker” will patch flaws after the compromise has occurred. Be careful using a Nessus report in saying that a system is not vulnerable. The Nessus results show how a system is CURRENTLY vulnerable.



Getting Tenable Nessus (http://www.nessus.org/nessus) is very easy. It is available free for home use with “HomeFeeds” and you will get its full functionality to try on your home system. When you decide that Tenable Nessus is right for your business or agency, you will need to step up to “ProfessionalFeeds”. It is a small price to pay for such a useful product.

Once you have downloaded Nessus, you will have a DMG containing an installer. Run the installer; it is straightforward and easy to use. After completion, you will have a folder in your Applications folder called “Nessus”.

[Figure: Nessus Application Window]

The most important first step is to run the “Nessus Server Manager”. This is where you will apply your registration key and update your plugins. If you have not registered, you will not be able to download the latest plugins, which makes your scan and subsequent report useless. Register your product!

Here is a look at the Nessus Server Manager interface. It is very simple and easy to use. Exactly what we like in applications.

[Figure: Nessus Server Configuration Window]

As you can see, there is not much to the server. Starting the server at boot time is a personal preference. If you are not going to be using Nessus often, then there is no need to start the server at boot time of your Macintosh. You will need to manually start the server when you are ready to perform a scan. Performing a daily plugin update is, in my opinion, a great feature to have turned on. Your vulnerability scan is only as good as your last update. Lastly, allowing remote users to connect to your server is a personal preference. It might be a moot point if you are behind a firewall, or have not configured any other user accounts besides your own. I typically have this unchecked until I explicitly need it.

Now let’s get to the real power, yet the real simplicity of Tenable Nessus. Launch the “Nessus Client” and you will see an interface similar to this one.

[Figure: Nessus Client First Run Window]

Nessus comes configured with two scans ready to go. I have already connected to my Nessus server so the “Scan Now” button is available. Let’s take a look at the “Default scan policy” before scanning, to make certain it will be useful when scanning a Macintosh computer.

[Figure: Nessus Client Default Scan Policy (Mac OS X details)]

As you can see from the window, the Mac OS X security checks are quite comprehensive. If I had scrolled the window lower, you would see that the plugins are checking for Mac OS X 10.5.6 for instance. I suggest you look inside to see the long list of patches that Nessus will be checking for during its scan of the target Macintosh.

Note to users: As you will see when you open the list of plugins, Nessus is a very capable vulnerability scanner that looks at many different operating systems. In this example, we are looking at a Macintosh and doing a basic analysis of the results only. Tenable Nessus is a much more comprehensive program than this short document will discuss.



After you have looked at the “Default scan policy”, let’s add a target to scan. A target for our example is a single Macintosh computer.

[Figure: Nessus Client Configuration of Target to Scan]

After adding a Target, click on ‘Save’ and your scan window should now look like this:

[Figure: Nessus Client with Target Configured Window]

The setup of Nessus is that easy. You can now scan your Target for vulnerabilities by clicking on the ‘Scan Now’ button.

Nessus is a truly straightforward application to use, and the results in the generated report are just as clear to understand, as the next capture shows.

[Figure: Nessus Client Report]

Nessus has found in this particular scan a number of potential vulnerabilities based upon open ports. This Macintosh is my own iMac G4 and I have fully patched it with all available downloads from Apple. If I had neglected a particular update, it would have been noted here.

How does this apply to Digital Forensics?
As you can see from everything we just went through, Tenable Nessus is designed for the System Administrator or Network Administrator to lock down systems (hardening). As examiners, our job is to reconstruct a “story” of what happened for presentation in a court or to the corporate bosses. Telling the “story” of what happened on a Macintosh just became easier when you know how a person can gain access to it. When you can determine from a solid analysis that a Macintosh did not have a known access point or vulnerability, your story becomes clearer for presentation. In an environment where you are responding to servers that must remain live, this tool is just one of many that can be used for your Live Digital Forensic examination and analysis.

Along with all things good, there has to be a downside. Nessus can make your examination difficult if you don’t understand what you are doing!

This is the one part of Nessus that is difficult. If you don’t understand what is being presented in the Report, you can make mistakes, false claims, or illogical conclusions. Let’s take a message from the scan we just ran:

[Figure: Nessus Client Report Details]

The iMac G4 I scanned is being reported as having a Kerberos ticket server running on port 88. Is this a vulnerability? Did someone hack my iMac and set this up? Is it a normal service from Apple as a part of Mac OS X? Well, the answer is yes to all of those if someone did actually hack my iMac, but otherwise, Kerberos single sign-on is normal as long as the service is supposed to be running on the Macintosh that was scanned. On this Mac, I expected it. The reason it is being reported is the open port. So what am I trying to say with this example? Understand your results! When something is listed in the Nessus report, it means you have some research to do to complete your examination. The results in the report do not speak for themselves, you must do that part.
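As an added illustration of that research step (an example written for this page, not code from the original article or from Tenable): the script below reads a report in the `.nessus` XML export layout, which is assumed here to be what the Nessus client produces, and compares each host's open ports against a baseline of services the examiner already expects on that machine. Ports in the baseline (like Kerberos on 88) are confirmed as expected; anything else is queued for research rather than called a vulnerability. The host address, service names and baseline are constructed sample data.

```python
"""Triage open ports from a Nessus report against a per-host baseline of expected services."""
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) XML layout; assumed to
# match the client's export format. Host, ports and plugin names are made up.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="imac-g4-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="88" svc_name="kerberos" protocol="tcp" severity="0"
               pluginName="port scanner (constructed)"/>
   <ReportItem port="548" svc_name="afp" protocol="tcp" severity="0"
               pluginName="port scanner (constructed)"/>
   <ReportItem port="6667" svc_name="irc" protocol="tcp" severity="0"
               pluginName="port scanner (constructed)"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginName="host information (constructed)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Services the examiner expects on this particular Mac (constructed baseline):
# Kerberos single sign-on on 88/tcp and AFP file sharing on 548/tcp.
BASELINE = {"192.0.2.10": {(88, "tcp"), (548, "tcp")}}


def load_open_ports(nessus_xml):
    """Return {host: {(port, protocol): svc_name}} for every listener in the report."""
    hosts = {}
    for rh in ET.fromstring(nessus_xml).iter("ReportHost"):
        found = hosts.setdefault(rh.get("name"), {})
        for item in rh.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port == 0:  # port 0 carries host-level findings, not a listening service
                continue
            found[(port, item.get("protocol", "tcp"))] = item.get("svc_name", "?")
    return hosts


def triage(nessus_xml, baseline):
    """Split each host's open ports into expected (in baseline) and needing research."""
    result = {}
    for host, ports in load_open_ports(nessus_xml).items():
        expected = baseline.get(host, set())
        result[host] = {"expected": sorted(p for p in ports if p in expected),
                        "research": sorted(p for p in ports if p not in expected)}
    return result


if __name__ == "__main__":
    for host, r in triage(SAMPLE_NESSUS, BASELINE).items():
        print(host, "expected:", r["expected"], "needs research:", r["research"])
```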

For more information about Nessus, here are some valuable links that have been provided by Tenable Network Security for this article: