A DFIR Blog
Section 1: Common Filetypes
Section 2: Tools
Application Bundles (.app)
Apple Disk Image (.dmg)
Mach-O (binary executable)
Package Files (.pkg)
typical structure --> to view, right-click and select "Show Package Contents", or use find
Dashboard.app/
Dashboard.app/Contents
Dashboard.app/Contents/Info.plist --> Configuration Info (required; shows versions, bundle ID, owner, creator, etc.)
Dashboard.app/Contents/MacOS/ --> Directory where you typically store an executable
Dashboard.app/Contents/MacOS/Dashboard --> Executable (required; this could be a Mach-O or a shell script)
Dashboard.app/Contents/PkgInfo
Dashboard.app/Contents/Resources/ --> Supporting Files
Dashboard.app/Contents/Resources/Dashboard.icns (icon files)
Dashboard.app/Contents/_CodeSignature --> Apple Dev Signing
Dashboard.app/Contents/_CodeSignature/CodeResources
Dashboard.app/Contents/version.plist
Note: Replace MacKeeper with the name of your Mach-O; it's here as a placeholder/example.
1. hdiutil attach MacKeeper.dmg
2. find the Info.plist
3. plutil -p Info.plist | grep "CFBundleExecutable"
4. Identify the bin that will be executed; in this case it's MacKeeper
5. cd /Volumes/MacKeeper/MacKeeper.app/Contents/MacOS/
6. file MacKeeper
7. lipo -info MacKeeper
8. lipo -detailed_info MacKeeper
Note: If there is more than one architecture listed, proceed to the next step if needed. VirusTotal analyzes both i386 and x86_64, so you could also get the information needed for analysis that way.
9. lipo -extract x86_64 -output MacKeeper_x86_64 MacKeeper
Note: This extracts the x64 version
10. file MacKeeper_x86_64
Mach-O: the executable format of the Mac world
File Signatures (magic #) [open with a hex editor]:
0xCAFEBABE - FAT binary
0xFEEDFACE - 32-bit
0xFEEDFACF - 64-bit
0xCEFAEDFE - 32-bit, Little Endian
0xCFFAEDFE - 64-bit, Little Endian
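The magic table above and the `file` / `lipo -info` / `lipo -extract` steps earlier can be reproduced directly from the header bytes. This is an added example, not code from the blog: it reads the first word big-endian (the hex-editor view), walks the FAT arch table, and slices out one architecture. The sample FAT binary is constructed inline; the cputype constants are the values from `<mach/machine.h>`.

```python
import struct

# Magics as seen when the first four bytes are read big-endian (the hex-editor view).
MAGICS = {
    0xCAFEBABE: ("FAT binary", "big"),
    0xFEEDFACE: ("Mach-O 32-bit", "big"),
    0xFEEDFACF: ("Mach-O 64-bit", "big"),
    0xCEFAEDFE: ("Mach-O 32-bit, little-endian", "little"),
    0xCFFAEDFE: ("Mach-O 64-bit, little-endian", "little"),
}
# cputype values from <mach/machine.h>; 0x01000000 is the CPU_ARCH_ABI64 flag.
CPU_TYPES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64"}

def identify(data: bytes) -> dict:
    """Classify a buffer by its Mach-O/FAT magic and list its architectures (cf. lipo -info)."""
    if len(data) < 8:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in MAGICS:
        return {"kind": "not Mach-O", "magic": f"0x{magic:08X}", "archs": []}
    kind, endian = MAGICS[magic]
    archs = []
    if magic == 0xCAFEBABE:
        # fat_header {magic, nfat_arch} then fat_arch {cputype, cpusubtype, offset, size, align};
        # the FAT wrapper is always big-endian regardless of host.
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + i * 20)
            archs.append({"arch": CPU_TYPES.get(cputype, hex(cputype)), "offset": offset, "size": size})
    else:
        # Thin Mach-O: mach_header fields follow the file's own byte order.
        cputype = struct.unpack(("<" if endian == "little" else ">") + "I", data[4:8])[0]
        archs.append({"arch": CPU_TYPES.get(cputype, hex(cputype)), "offset": 0, "size": len(data)})
    return {"kind": kind, "magic": f"0x{magic:08X}", "archs": archs}

def extract_slice(fat: bytes, arch: str) -> bytes:
    """Pull one architecture out of a FAT binary, as `lipo -extract <arch>` does."""
    for a in identify(fat)["archs"]:
        if a["arch"] == arch:
            return fat[a["offset"]:a["offset"] + a["size"]]
    raise KeyError(f"{arch} not present in FAT binary")

# Constructed sample (not a real binary): a FAT wrapper holding a 32-byte i386 slice at
# offset 48 and a 32-byte x86_64 slice at offset 80, each just a header plus padding.
_I386 = struct.pack("<II", 0xFEEDFACE, 0x7) + b"\0" * 24
_X64 = struct.pack("<II", 0xFEEDFACF, 0x01000007) + b"\0" * 24
SAMPLE_FAT = (struct.pack(">II", 0xCAFEBABE, 2)
              + struct.pack(">5I", 0x7, 3, 48, 32, 2)
              + struct.pack(">5I", 0x01000007, 3, 80, 32, 2)
              + _I386 + _X64)
```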
property list files, or .plist files
- either a plain text .xml file, or a binary file
- view by copying to desktop, clicking on the file, and pressing the spacebar
- use three possible formats: XML, JSON, or a proprietary binary format called bplist
- use utility named plutil in macOS to convert between formats, or simply pretty-print a plist file regardless of its format
- The most notable key in the Info.plist file is the CFBundleExecutable key
<string> </string> - String tags contain alphanumeric character strings.
<real> </real> - Real tags contain a floating-point value.
<integer> </integer> - Integer tags contain an integer value.
<date> </date> - Date tags may contain an absolute date measured in seconds relative to Jan 1 2001 00:00:00 GMT. A positive value represents a date and time after Jan 1, 2001, and a negative value represents a date and time before Jan 1, 2001. A date and time value may be pulled from the local system clock.
<true /> or <false /> - True or false tags represent a YES value or a NO value respectively. These tags do not have end tags as they simply indicate YES or NO; they do not contain element data. A true or false tag is usually associated with <key></key> tags.
<data> </data> - Data tags store raw data such as a .jpg picture file, human-readable text, or another binary-encoded .plist file.
<array> </array> - .plist elements in an array container are structured as an ordered collection that can be randomly accessed. One array container may have one or many elements stored within. Any element value type may be stored in an array.
<dict> </dict> - A dictionary container usually includes several keys, each paired with a single .plist element. Element values in a dictionary may be a string, number, boolean value, date, data, array, or another dictionary.
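The CFBundleExecutable lookup from the triage steps above, and the `plutil -p ... | grep` one-liners in the tools section, work the same way whether the plist is XML or bplist. This is an added example, not the blog's code: it detects the on-disk format, pulls the triage keys, and converts a `<date>` / CFAbsoluteTime value from the 2001 epoch. The Info.plist content is constructed for the example (Dashboard / com.example.dashboard are placeholders).

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed Info.plist (not from any real bundle) in the XML format; the binary
# (bplist00) form is generated from it so both on-disk formats are exercised.
XML_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key><string>Dashboard</string>
    <key>CFBundleIdentifier</key><string>com.example.dashboard</string>
    <key>NSMainNibFile</key><string>MainMenu</string>
    <key>CFBundleVersion</key><string>1.0</string>
</dict>
</plist>
"""
BINARY_INFO_PLIST = plistlib.dumps(plistlib.loads(XML_INFO_PLIST), fmt=plistlib.FMT_BINARY)

def plist_format(data: bytes) -> str:
    """Tell the two on-disk formats apart by their leading bytes (bplist00 vs XML)."""
    if data.startswith(b"bplist"):
        return "binary"
    if b"<plist" in data[:512]:
        return "xml"
    raise ValueError("not a recognised plist")

def bundle_summary(data: bytes) -> dict:
    """Pull the triage keys an analyst greps for, whatever the plist's format."""
    info = plistlib.loads(data)  # plistlib detects XML vs binary on its own
    return {
        "format": plist_format(data),
        "executable": info.get("CFBundleExecutable"),  # the binary under Contents/MacOS/
        "identifier": info.get("CFBundleIdentifier"),
        "main_nib": info.get("NSMainNibFile"),
    }

# <date> values and CFAbsoluteTime count seconds from this epoch, not the Unix one.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_absolute_time(seconds: float) -> datetime:
    """Convert an Apple absolute time to UTC; negative values fall before 2001-01-01."""
    return APPLE_EPOCH + timedelta(seconds=seconds)
```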
eXtensible ARchiver (XAR) Archive
need to list & extract the binary (malware) with xar & unar
likely contains multiple layers of compression
Ex:
1. Attach the .dmg, but don't execute anything: hdiutil attach *.dmg
2. List the contents of the .pkg: xar -t -v -f file.pkg
3. Create a temp dir: mkdir temp
4. Unpack the .pkg into temp: unar file.pkg -o temp
.pkg files typically include the following:
| Name | Required | Description |
|---|---|---|
| PackageInfo | Yes | An XML document that contains information about the package behavior and requirements. |
| Bom | Yes | The Bill of Materials for the files contained in the Payload archive. See mkbom(8). |
| Payload | Yes | An archive of the hierarchy of files to be installed. The hierarchy is saved as a cpio archive compressed with gzip (or, recently, compressed as a concatenation of LZMA chunks). See cpio(1), ditto(1), gzip(1). |
| Scripts | Optional | An archive of scripts and additional resources. The hierarchy is saved as a cpio archive compressed with gzip. See cpio(1), ditto(1), gzip(1). |
| RunAtStartup | Optional | A shell script that will supposedly be invoked on the next Mac OS X startup. |
See http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html for further descriptions of each.
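The `xar -t` listing step above can be reproduced from the format itself: a .pkg is a XAR whose header is followed by a zlib-compressed XML table of contents naming every member. This is an added example, not the blog's code: it validates the `xar!` header, inflates the TOC, lists the members, and checks for the mandatory flat-package files from the table. The archive is constructed inline (header plus TOC only, no heap data), so it is a minimal stand-in for a real .pkg.

```python
import struct
import xml.etree.ElementTree as ET
import zlib

# XAR header, all big-endian: magic "xar!", header size, version, compressed TOC length,
# uncompressed TOC length, TOC checksum algorithm (0 none, 1 SHA-1, 2 MD5).
XAR_HEADER = struct.Struct(">4sHHQQI")
REQUIRED_MEMBERS = {"PackageInfo", "Bom", "Payload"}  # per the table above

def build_sample_xar(names) -> bytes:
    """Constructed minimal archive: header plus zlib-compressed TOC, no heap (file data)."""
    toc = "<xar><toc>" + "".join(
        f'<file id="{i}"><name>{n}</name><type>file</type></file>'
        for i, n in enumerate(names, 1)) + "</toc></xar>"
    toc_bytes = toc.encode()
    ztoc = zlib.compress(toc_bytes)
    header = XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(ztoc), len(toc_bytes), 1)
    return header + ztoc

def list_xar(data: bytes) -> list:
    """What `xar -t -f file.pkg` prints: validate the header, inflate the TOC, list names."""
    magic, hdr_size, _version, ztoc_len, toc_len, _cksum = XAR_HEADER.unpack_from(data, 0)
    if magic != b"xar!":
        raise ValueError("not a XAR archive (missing 'xar!' magic)")
    toc_bytes = zlib.decompress(data[hdr_size:hdr_size + ztoc_len])
    if len(toc_bytes) != toc_len:
        raise ValueError("inflated TOC length disagrees with the header")
    return [f.findtext("name") for f in ET.fromstring(toc_bytes).iter("file")]

def missing_required(data: bytes) -> set:
    """Which mandatory flat-package members the TOC does not list."""
    return REQUIRED_MEMBERS - set(list_xar(data))

SAMPLE_PKG = build_sample_xar(["PackageInfo", "Bom", "Payload", "Scripts"])
SAMPLE_INCOMPLETE = build_sample_xar(["Payload", "Scripts"])
```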
I set up my Mac Analysis VM with all these tools. Below is a bit about their installation & usage.
macOS package manager. Install clamav, strings, tree, etc.
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install strings
brew install tree
brew install clamav
brew install unar
brew install volatility
brew install openssl
brew install exiftool
determine type of FILES.
file *.dmg
lipo -info file
lipo -detailed_info file
lipo -extract i386 -output newfile oldfile
calculate md5 hash sum
md5 *.dmg
calculate sha1 hash sum
shasum *.dmg
display code signature, including apple developer id
codesign -dvvv *.dmg
list symbol table from object files (requires Xcode developer tools); shows variable & function names
nm *.dmg
mount .dmg to browse its directory structure
hdiutil attach *.dmg
list a directory's structure
find .
eXtensible ARchiver
xar -t -v -f file.pkg
extract archive file contents
unar file.pkg -o somedir/
show what's inside a zip without opening it
zipinfo file.zip
doesn't do Unicode strings!
strings -a file
Big Endian, Unicode strings, from The Sleuth Kit.
srch_strings -V
srch_strings -a -t file
tree /Volumes/Application/
remove the Apple quarantine extended attribute (the @ shown by ls -l) to avoid XProtect (macOS AV) in the analysis VM; list the attributes first, then delete the quarantine one by name
xattr -l file
xattr -d com.apple.quarantine file
Analyze Mach-o binaries
Display a hexdump of the data section: otool -v -d <mach-o exec>
Display Fat headers: otool -f <mach-o exec>
Display Mach-o headers: otool -h <mach-o exec>
Display shared libraries: otool -L <mach-o exec>
Display load commands: otool -l <mach-o exec>
Disassemble primary code section: otool -V -t <mach-o exec>
Display specified segment: otool -V -s <seg:sec> <mach-o exec>
Analyze .plist files
Print pretty (human readable): plutil -p Info.plist
Specify alternate extension for converted files: plutil -e extension
If writing JSON, output in human-readable form: plutil -r
Find the exe that will be executed: plutil -p Info.plist | grep "CFBundleExecutable"
Find the code signing identifier: plutil -p Info.plist | grep "CFBundleIdentifier"
Find the main nib: plutil -p Info.plist | grep "NSMainNibFile"
cd /usr/local/etc/clamav/
nano freshclam.conf.sample
# Add "#" to comment out "Example". Enable Logging. Change DB mirror to "US". Save As "freshclam.conf"
freshclam
clamscan file OR clamscan -r /
To check all files on the computer, displaying the name of each file:
clamscan -r /
To check all files on the computer, but only display infected files and ring a bell when found:
clamscan -ir --bell /
To scan all files on the computer but only display infected files when found and have this run in the background (Note - Display background process’s status by running the jobs command):
clamscan -ir / &
To check files in the all users home directories:
clamscan -r /home
To check files in the USER home directory and remove infected files (WARNING: Files are gone.):
clamscan -r --remove /home/USER
To see more options:
clamscan --help
To create a log (no logging by default):
clamscan -l clamav.log
Most used combo:
clamscan -ir file -l clamscan.log OR clamscan -ir /directory -l clamscan.log
Memory Forensics
cd /usr/local/Cellar/volatility/2.6_1/bin/
./vol.py
MachOView --> Static, GUI version of file & lipo
monitor.app --> Dynamic, kext logging tool for network, filesystem, and process execution (procmon)
DB Browser for SQLite --> Dynamic/Static
Kextviewer
Hopper --> Disassembler, decompiler, debugger
Synalyzeit
KnockKnock
Wireshark
The Unarchiver --> gui version of unar
Sublime --> take notes with it
Fiddler2
MonoFramework -> required for Fiddler2
Rhino -> JS Debugger
Simulator -> iOS/iPad Emulator
download it
install it
on the desktop, double-click "GetBrowserDBs.command"; this copies the needed DBs to your desktop
launch DB Browser and open the DB on your desktop
hit the Browse Data tab and look for URLs of things that were downloaded
Download, install, view binaries
Web Debugging, Manipulation, & Security Testing
download from https://www.telerik.com/download/fiddler/fiddler-osx-beta
download and install Mono from www.mono-project.com/download/stable
note: Use directions from https://www.telerik.com/download/fiddler/fiddler-osx-beta
To run:
cd ~/Desktop/Tools/fiddler-mac
mono --arch=32 Fiddler.exe (wait a hot minute and it will launch from the dock... icon=green diamond)
Javascript Engine written in Java
Install:
brew install rhino
rhino
click Download on the pop-up to download Java from Oracle
accept the EULA and download the .dmg from Oracle
install .dmg
Ref: http://macappstore.org/rhino/
To disable Gatekeeper see Ref 5.