Macintosh OS X Boot Process and Forensic Software


Chapter 1

Macintosh OS X Boot Process and Forensic Software

Solutions in this chapter:

The Boot Process

The Macintosh Boot Process

Macintosh Forensic Software

Summary

0000779308.INDD 1 4/4/2008 12:53:59 PM

www.syngress.com

2 Chapter 1 • Macintosh OS X Boot Process and Forensic Software

Introduction

“The computer for the rest of us” was never considered much of a hacker’s platform. The original Mac didn’t even have arrow keys (or a control key, for that matter), forcing the user to stop what he was doing, take his hands off the keyboard, and use the mouse. The Mac’s case was sealed so tight, a special tool known as the “Mac cracker” was made to break it open. It was a closed machine, an information appliance. The expansionless design and sealed case of the Mac stood in stark contrast to the Apple II that came before it.

With its rich graphical interface and ease of use, the Mac became the standard for graphic artists and other creative types. Custom icons and desktop patterns soon abounded. The users that embraced the Macintosh for its simplicity began using ResEdit (Resource Editor) to modify system files and to personalize their machines. The Mac developed a fanatical following, and you could rest assured that each fanatic’s system was unique, with the icons, menus, program launchers, windows, sounds, and keyboard shortcuts all scrutinized and perfected to meet his personal needs. My Color Classic even played Porky Pig’s “That’s all folks” each time it shut down (although the novelty wore off on that one pretty quick…).

Mac OS X was met with some trepidation. It broke every program and system modification, it didn’t have a proper Apple menu, and what on earth was this “dock”? Jef Raskin, who gave the Mac its name, wrote of Mac OS X, “Apple has ignored for years all that has been learned about developing UIs. It’s unprofessional, incompetent, and it’s hurting users.” Bruce Tognazzini, founder of the Apple Human Interface Group, even penned an article titled “Top 10 Reasons the Apple Dock Sucks.”

Mac OS X was an entirely different operating system. Most classic Mac OS applications were compatible, but only when operating inside a special run-time environment. All system extensions and user interface modifications were permanently lost. For many users, these changes were what made the computer “theirs,” and they relied heavily upon their customizations to efficiently get work done. The loss was tremendous. And it was worth it.

Preemptive multitasking, symmetric multiprocessing, multithreading, and protected memory... Protected memory was the one I wanted most.

At a 1998 keynote, Steve Jobs showed off a mere dialog box, to great applause. The dialog read: “The application Bomb has unexpectedly quit. You do not need to restart your computer.” I take it for granted on Mac OS X, but as I write this, I’m recalling occasions when Internet Explorer brought my entire system down multiple times in a single day.


Protected memory doesn’t do much good when all your apps are running in the Classic Environment, and the user interface did indeed leave a lot to be desired. But with each revision, Mac OS X has improved dramatically. The Macintosh has become “the computer for everybody.” For novices, it remains the easiest computer there is. For enthusiasts, as in the old days, there is a vast array of third-party applications, utilities, and customizations to tweak and improve the way the OS works. For hackers and programmers, there’s the command line and the BSD Unix compatibility layer.

All the power, all the tools, and all the geekery of Linux are present in Mac OS X. Shell scripts, X11 apps, processes, kernel extensions… it’s a UNIX platform. It’s even possible to forgo Apple’s GUI altogether and run KDE. Why you’d want to is another matter. While its UNIX core is what has made Mac OS X a viable platform for hackers and programmers, it’s the user interface that has made it popular.

Apple’s Terminal application is perpetually running on my PowerBook, but so is iTunes, iCal, and a slew of Dashboard Widgets.

The Boot Process

In this section we will look at the startup process that most computers go through and how the fundamental operating systems get loaded and started. You will see that computers start with tiny steps that build on each other, getting larger until the entire system is loaded and running. Only then can you, the end user, issue commands that the computer interprets and understands.

One of the most popular analogies for how a computer starts up is the amnesia scenario. For a moment look around you at the things you use everyday: telephones, pencils, coffee cups, and so on. Now imagine that you closed your eyes and when you opened them you didn’t recognize any of those things, and didn’t know how they worked. That is what happens inside a computer when you press the reset or the power button.

At the most fundamental level, computers understand only two things: true and false. The process of getting the computer from being a completely blank state to a fully running operating system is one of the fundamental items that every investigator should understand.

After looking at how a Macintosh boots, we will look at some of the tools that are available for analyzing Macintosh systems using both the Macintosh and Windows operating systems.

The term “boot,” depending on whom you talk to, came either from the old phrase, “Pulling one’s self up by the bootstraps,” or just from the word “bootstrap,” meaning the leather tabs you use to pull on your boots. Either way, it is a part of computer history and lore and is commonly used as the computer term for the initial startup of the system. All systems that are able to run Microsoft or Linux operating systems use the same boot-up process. Once the computer completes this initial startup, the specific operating system will load what it needs to continue. First we will look at the boot process in detail.

The Macintosh Boot Process

In this section, we will briefly examine the way an Apple Macintosh computer boots. The information here is for the Mac OS X version of their operating system using Intel-based microprocessors. Older Motorola chipset Macintosh computers use a much different boot process.

OS X uses Open Firmware, which is very much like the BIOS noted earlier. The Open Firmware that Apple uses in the Macintosh is based on the IEEE-1275 standard.

EFI and BIOS: Similar but Different

Just like any other computer on the market, when the power switch is activated on a Macintosh, the system goes through a Power On Self Test (POST), resets the microprocessor, and starts the execution of initialization code, which is the Open Firmware instead of BIOS.

Like the BIOS, Extensible Firmware Interface (EFI) checks the configuration of the machine and loads any device ROMs that it finds into memory. It then looks for a default boot device… and here is where it gets interesting. There are numerous optional startup functions that EFI can perform based on user input. Single keys, known as “snag keys,” can be pressed that will allow the system to boot from specific devices.

Pressing the C key will attempt to boot from the CD/DVD-ROM drive.

Pressing the D key will attempt to boot from the first hard disk drive.

Pressing the N key will attempt to boot from the Network Interface Controller (NIC).

Pressing the Z key will attempt to boot from the ZIP drive.


It is also possible to enter the EFI interactive console mode by pressing the cmd-opt-O-F key combination during power up. (Note: If you are like me and just tried this before reading on, typing mac-boot at the prompt will let the Macintosh finish booting.) You should read a good source of Open Firmware/EFI commands before trying the console mode. An excellent mirror of the Open Firmware Working Group is at http://bananjr6000.apple.com/1275/ .

The EFI program is located in the BOOT.efi file. This is the portion of the boot loading process that loads the OS X kernel and starts the user interface.

DARWIN

To many die-hard Macintosh users the move to OS X wasn’t immediately seen as a move to the open source UNIX environment. It wasn’t long before they realized their beloved Mac was now a UNIX machine. When you look at the roots of OS X, a large number of open source modules and programs were obtained from other groups including Carnegie Mellon, FreeBSD, GNU, Mach, Xfree86, NEXTSTEP, and OPENSTEP.

The OS X Kernel

In a nutshell, the real OS X is the combination of several components coming together. XNU is the actual OS X kernel name on the boot drive. It comprises the following modules:

Mach: Provides the service layer to the kernel

BSD: Provides the primary system program interface

I/O Toolkit: Provides driver support

LIBSA & LIBKERN: Kernel libraries

The Platform Expert: A motherboard-specific hardware abstraction layer

Apple I/O components: The unique Mac interfaces

Apple uses proprietary components to invoke the Macintosh look and feel to the open source products listed. Carbon, Cocoa, Quartz, OpenGL, QuickTime, and the Aqua interfaces are just a few of the unique interfaces that make the Macintosh so special.


Macintosh Forensic Software

Only recently has the Macintosh begun to be accepted in the forensic community. Listed next are just a few of the tools that can make forensics of OS X systems easier.

As with all forensic tools, the examiner should have a solid understanding of how tools work and should be able to prove by demonstration that each finding produced by the tool can be duplicated in a court of law.

BlackBag Forensic Suite

BlackBag Technologies, Inc. is one of the few providers of forensic software for the Macintosh platform. Its Macintosh Forensic Suite is a collection of 26 modules that can be launched individually or from the Forensic Suite Toolbar (see Figure 1.1).

Notes from the Underground…

Bad Guy Won’t Give You The Password? No Problem!

If you need to investigate a Macintosh that is running OS X and you need to access a program on a booted forensic copy of the subject’s drive, and he won’t give you his login password, don’t worry. If you have any version of the Macintosh OS X boot CD or DVD, place that in the examination system and hold down the C key to boot from the CD/DVD drive.

When the system asks if you want to install/reinstall OS X, choose the Password Reset Utility from the drop-down menus at the top of the screen. You will be shown a list of users and you can pick one or all of them and change the password of the accounts to something you know. Problem solved!


Directory Scan

The Directory Scan utility allows you to view all the files and folders on a Macintosh volume (see Figure 1.2). A volume can be any mounted storage device, including USB or FireWire devices. All files, including invisible files, can be examined, including Data Fork/Resource Fork data sizes, Creator and Type codes, and all important date/time stamps.

Figure 1.1 The Forensic Suite Toolbar Is a Fast Way to Launch Programs in the Suite


You can select individual files and folders for export to a new directory for further examination, as well as printing a comprehensive report on all the files viewed or selected in the main window.

FileSpy

When you need to take a quick look inside of a file that has forks, FileSpy is a good tool (see Figure 1.3). This utility allows you to view either fork in a file, see the relative sizes of each fork, and move to any sector of a file directly. The utility even includes an ASCII filter to aid in file viewing.

Notes from the Underground…

Data and Resource Forks

The Macintosh file system is unique in that every file contains two parts known as Forks. The Resource Fork typically contains program components like preferences for the file, special menus or icons, special controls or buttons, and the last window position.

The Data Fork typically contains the data that the user supplied or created as part of the file. It is not uncommon to find that one fork is empty. Knowing how these two forks interact can be of great benefit during tough investigations of Macintosh computers.

More information can be found at the Apple Developer Connection: The Data Fork and the Resource Fork: http://developer.apple.com/documentation/mac/MoreToolbox/MoreToolbox-11.html.
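The Directory Scan listing described above (every file on a volume, invisible ones included, with fork sizes and timestamps) is easy to reproduce in a script, and doing so shows where the data fork and resource fork actually live on Mac OS X. The block below is an added example written for this chapter, not BlackBag's code: the function names are hypothetical, the sample "volume" is constructed in a temporary directory, and the resource fork is read through the `..namedfork/rsrc` pseudo-path that Mac OS X exposes for HFS+ files (on other platforms, or when the fork is empty, the size is reported as 0).

```python
import os
import sys
import tempfile
from datetime import datetime, timezone

# Hypothetical helper names (scan_volume, resource_fork_size, ...): this is
# not BlackBag's Directory Scan, only an illustration of what it reports.


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def resource_fork_size(path):
    """Size of the resource fork in bytes.

    On Mac OS X the resource fork of a file is exposed as the pseudo-path
    <file>/..namedfork/rsrc.  Other platforms have no such fork, and an HFS+
    file whose resource fork is empty has no such entry either, so both
    cases report 0.
    """
    if sys.platform != "darwin":
        return 0
    try:
        return os.stat(os.path.join(path, "..namedfork", "rsrc")).st_size
    except OSError:
        return 0


def scan_volume(root):
    """Walk everything below root, invisible files included, and collect the
    fields an examiner wants per file: data-fork size, resource-fork size and
    the three timestamps (UTC).  Returns a list of dicts in a stable order."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)              # lstat: never follow symlinks
            entries.append({
                "path": os.path.relpath(full, root),
                # UNIX dot-file convention; the HFS+ Finder "invisible" flag
                # lives in catalog metadata and is not checked here.
                "invisible": name.startswith("."),
                "data_fork": st.st_size,
                "resource_fork": resource_fork_size(full),
                "atime": _utc(st.st_atime),
                "mtime": _utc(st.st_mtime),
                "ctime": _utc(st.st_ctime),
            })
    return entries


def report(entries):
    """Plain-text listing; an asterisk marks invisible files."""
    lines = ["%-30s %8s %8s  %s" % ("path", "data", "rsrc", "mtime (UTC)")]
    for e in entries:
        mark = "*" if e["invisible"] else " "
        lines.append("%s%-29s %8d %8d  %s" % (
            mark, e["path"], e["data_fork"], e["resource_fork"], e["mtime"]))
    return "\n".join(lines)


def build_sample_volume(base):
    """Constructed sample data: one visible document in a folder and one
    invisible dot-file at the top level."""
    os.makedirs(os.path.join(base, "Documents"))
    with open(os.path.join(base, "Documents", "report.txt"), "wb") as f:
        f.write(b"quarterly numbers\n")
    with open(os.path.join(base, ".DS_Store"), "wb") as f:
        f.write(b"\x00" * 64)


def scan_sample_volume():
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return scan_volume(tmp)


if __name__ == "__main__":
    print(report(scan_sample_volume()))
```

Point `scan_volume()` at a read-only mounted evidence volume to get the same kind of table; `os.lstat` is used deliberately so that symbolic links are recorded as links rather than followed, and the "ctime" column is the inode change time, not the HFS+ creation date, which a Mac-specific tool such as Directory Scan can additionally show.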

Figure 1.2 A Fully Expanded Directory Scan Window Can Be Quite Large


HeaderBuilder

Because the header is a calculated portion of Macintosh files, changing the header or repairing one can be time- and math-intensive using a traditional hex editor. HeaderBuilder makes this an easy task by allowing you to make the changes and then generate the CRC32 checksum and the MD5 hash of the file immediately (see Figure 1.4).

Figure 1.3 FileSpy Allows You to See the Raw EXIF Data in a JPG File


Other Tools

Other utilities in the Forensic Suite include:

Breakup: Splits large folders or files into more manageable sizes.

Comment Hunter: Looks in the Comment fields of Mac files for keywords.

DCFLDDassistant: Launches the Macintosh version of DCFLDD.

File Searcher: Looks for specific filenames or Type/Creator codes.

GraphicView: Uses the QuickTime engine to view files or movies.

HFS Extractor: Converts image file formats (SafeBack, Linux, DD, FWB).

ImageBuster: Searches image files for keywords.

ListBuilder: Allows you to create keyword lists in native languages (Spanish, Russian, etc.).

LockMaster: Allows you to quickly lock or unlock a large number of files/folders.

MacCarver: Lets you carve image files from within a container.

PhantomSearch: Allows you to capture all the invisible files of a volume.

Figure 1.4 HeaderBuilder Makes Changing Headers Easy and Shows MD5 Hashes Quickly


Typer: A very fast little utility that shows/changes the Type/Creator for a given file.

VolumeExplorer: HFS partition analyzer.

Carbon Copy Cloner

Mike Bombich has created a handy utility called Carbon Copy Cloner (CCC) for making backups or copies of important data on your Macintosh. It is a front-end for several less-than-intuitive utilities that are part of OS X.

As the name implies, CCC can clone one hard disk to another when you use its default options. This copy can also be made to an image file on another drive, but it should be noted that this is not a forensic copy of the original (see Figure 1.5).

Documentation is available at the Bombich Software site: www.bombich.com/software/ccc.html .
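Two points above come down to the same operation: HeaderBuilder shows the CRC32 and MD5 of a file the moment a header byte changes, and a CCC clone is "not a forensic copy" because nothing guarantees it is bit-for-bit identical to the source. The block below is an added example, not HeaderBuilder or CCC code: it computes both digests in one streamed pass, shows that a four-byte header edit changes both values, and checks an image against its source the way an examiner would before relying on it. The sample "JPEG" and the function names are constructed for the example.

```python
import hashlib
import os
import tempfile
import zlib

# Hypothetical function names; this is not HeaderBuilder's or CCC's code.


def digests(data):
    """Return (CRC32, MD5) of a byte string as lowercase hex, the two values
    HeaderBuilder displays after an edit."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return "%08x" % crc, hashlib.md5(data).hexdigest()


def file_digests(path, chunk_size=1 << 20):
    """Streaming version of digests() for on-disk files, so an image larger
    than RAM is hashed one megabyte at a time."""
    crc = 0
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            crc = zlib.crc32(block, crc)   # running CRC across chunks
            md5.update(block)
    return "%08x" % (crc & 0xFFFFFFFF), md5.hexdigest()


def patch_header(data, offset, new_bytes):
    """Overwrite a header field and return the edited buffer (bytes are
    immutable, so the original is untouched)."""
    if offset + len(new_bytes) > len(data):
        raise ValueError("patch runs past end of data")
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]


def verify_copy(original_path, copy_path):
    """A copy is a forensic duplicate only if it is byte-for-byte identical:
    equal size and equal digests.  Returns (ok, original_digests, copy_digests)
    so the values can go straight into the examiner's notes."""
    same_size = os.path.getsize(original_path) == os.path.getsize(copy_path)
    d_orig, d_copy = file_digests(original_path), file_digests(copy_path)
    return same_size and d_orig == d_copy, d_orig, d_copy


# Constructed sample "file": a minimal JFIF header followed by filler.
SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 48 + b"\xff\xd9"


def demo():
    """Write the sample plus two copies (one exact, one with the 'JFIF' tag
    at offset 6 rewritten) and return whether each copy verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = os.path.join(tmp, "evidence.jpg")
        exact = os.path.join(tmp, "image.dd")
        edited = os.path.join(tmp, "edited.jpg")
        for path, content in ((orig, SAMPLE), (exact, SAMPLE),
                              (edited, patch_header(SAMPLE, 6, b"Exif"))):
            with open(path, "wb") as f:
                f.write(content)
        return verify_copy(orig, exact)[0], verify_copy(orig, edited)[0]


if __name__ == "__main__":
    print("CRC32/MD5 of sample:", digests(SAMPLE))
    print("after header edit:   ", digests(patch_header(SAMPLE, 6, b"Exif")))
    print("exact copy verifies:  %s\nedited copy verifies: %s" % demo())
```

CRC32 is kept because the suite reports it, but it is a checksum against accidental corruption, not a tamper-evident hash; the MD5 (or a stronger digest) is the value to record alongside the image.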

Figure 1.5 Selecting the Source and Destination Drive Is a Simple Matter


Only Macintosh formatted volumes can be “cloned” using CCC; any other DOS or UNIX formats are not recognized in the drop-down menus. If you do not have psync installed, you can install it from the Preferences menu (see Figure 1.6 ).

Note the list of files that are not copied in the Advance Settings Dialog (see Figure 1.7).

Figure 1.6 The Preferences Menu


The CCC documentation goes into more detail on the list of files that are not copied during the clone process. One reason is that copying from a PowerMac to an Intel Macintosh can cause problems. When in doubt, check the reference material or the online forum.

MacDrive6/7

Technically, Mediafour MacDrive 6 or 7 is not Macintosh software; it is really a Windows program that lets you mount and read Macintosh formatted volumes. MacDrive 6 is for Windows 2000 and 98SE; MacDrive 7 is for Windows XP (see Figure 1.8), Vista, and Server 2003.

If you have a Windows-based workstation and need to quickly view some files on a Macintosh volume, this utility can be very helpful.

Figure 1.7 The Advance Settings Dialog


From the main menu you have the quick choices of Exploring a Macintosh volume, burning a Macintosh formatted CD or DVD, and formatting or repairing a Macintosh formatted volume. Mounted Macintosh volumes are shown with a small red Apple logo (see Figure 1.9 ).

Figure 1.8 The Main MacDrive7 Screen (Windows XP version)


Figure 1.9 Macintosh Options


Summary

Now you can see how the computer progresses through the steps of booting up. The power supply generates the Power-Good signal that resets the microprocessor and starts the loading of the BIOS from the Boot ROMs. Then the computer checks all its basic functions during the Power On Self Test (POST). If the POST is successful, the computer then progresses through the different phases of loading the necessary drivers and initialization code that eventually leads to the computer finding the Boot Loader for a given operating system, which it then loads and runs. Finally the kernel of the operating system is loaded, and the computer completes the boot process when the login prompt or command prompt is displayed and the computer is waiting for input.

You should also be familiar with the Master Boot Record (MBR) and how it is used in the boot process. The LILO and GRUB boot loaders for the Linux operating systems should be familiar now along with the Extensible Firmware Interface for the Macintosh OS.
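The Master Boot Record the summary refers to is the hand-off point between the firmware and the boot loader: the BIOS reads the first 512-byte sector, checks for the 0x55AA signature, and jumps into the boot code, which normally chains to the partition flagged active. The block below is an added example for this chapter, not from the book: it decodes the four-entry partition table of a constructed MBR sector so you can see which partition the boot code would hand off to. The partition type names and the sample layout are constructed for the example; the offsets and entry format are the standard MBR layout.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # four 16-byte entries follow the boot code
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511; the BIOS refuses to boot without it

# Well-known partition type IDs; only the ones used by the sample are listed.
TYPE_NAMES = {0x07: "NTFS/HPFS", 0x83: "Linux", 0xaf: "HFS/HFS+", 0xee: "GPT protective"}


def has_boot_signature(sector):
    return len(sector) >= SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector):
    """Decode the partition table of a 512-byte MBR sector.

    Returns a list of dicts, one per non-empty entry.  The BIOS loads this
    sector at 0x7C00 and jumps into the boot code at offset 0; the boot code
    then normally loads the boot sector of the partition flagged 0x80.
    """
    if not has_boot_signature(sector):
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                   # unused slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE / (1024 * 1024),
        })
    return parts


def active_partition(parts):
    """The entry the boot code would hand off to; None unless exactly one
    slot carries the 0x80 flag (two active flags is a malformed table)."""
    bootable = [p for p in parts if p["bootable"]]
    return bootable[0] if len(bootable) == 1 else None


def build_sample_mbr():
    """Constructed sample sector: zeroed boot code, a bootable 100 MiB NTFS
    partition at LBA 63, a 200 MiB HFS+ partition right after it, and the
    signature.  The CHS fields are filler; modern firmware uses the LBA values."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800),
        struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", 0xaf, b"\xfe\xff\xff", 204863, 409600),
    ]
    for i, e in enumerate(entries):
        sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = e
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for p in table:
        print("slot %d %s type 0x%02x %-14s LBA %8d  %8d sectors  %.0f MiB" % (
            p["slot"], "*" if p["bootable"] else " ", p["type"], p["type_name"],
            p["lba_start"], p["sectors"], p["size_mib"]))
    print("boot code would chain to:", active_partition(table)["type_name"])
```

To run it against real evidence, read the first 512 bytes of a disk image with `open(path, "rb").read(512)` and pass them to `parse_mbr()`; an Intel Macintosh disk will usually show a single 0xEE "GPT protective" entry, which is the MBR's way of saying the real partition table is the GUID Partition Table that EFI reads.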
