tel. 22 813 10 29 email:
pon-pt w godz. 8-16

Gravsoft informatyka śledcza

Home Informatyka śledcza - ForensicInformatyka śledcza › MacLockPick 3.0

MacLockPick 3.0

The need for timely identification, interpretation and meaningful analysis of electronic media has never been more critical. The ever-changing threat environment presented by cyber criminals and technological advances has required modern investigative processes to include on scene forensic triage. Introligatorstw are faced with the challenges of capturing volatile data, preserving potential evidence and maintaining the integrity of the electronic crime scene while ensuring the data remains viable and accessible for further investigative efforts. The success of these operations is measured in minutes not days.

Winner of the 2007 Computer Forensics Innovation award from Law Enforcement Technology Magazine.

MacLockPick 3.0 represents a new generation of forensic triage aimed at providing IT professionals, eDiscovery experts, and law enforcement officers a single tool that transcends the concerns of a particular operating systems. Whether the suspect (or the investigator) uses Microsoft Windows, Mac OS X or Linux, you can perform your field triage in the same way using the same tool.

Cross platform forensic field triage
for Microsoft Windows
and Apple OS X

MacLockPick 3.0 for Microsoft Windows, Apple Mac OS X, and Linux is a fully cross platform tool that allows digital forensics professionals and eDiscovery experts to perform field triage on live computers running a wide variety of operating systems. Similarly, once completed, the results of the field triage operation can analyzed on a wide variety of computers.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment wrought with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally difference between life and death for the victim.

MacLockPick 3.0™ is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB Flash drive that is inserted into a suspect's computer that is running (or sleeping). Once the MacLockPick 3.0 software is run, it will extract the requisite data providing the examiner fast access to the suspect's critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick 3.0 is minimally evasive, providing results that can hold up in a court of law.

What's new in MacLockPick 3.0

• Extract iPhoto information based on camera type with filters for meta data and file filters
• Upgraded iPhone, iPad, iOS, and Mac OS X Lion support
• Upgraded plugin application support
• Increased speed in processing suspect machines
• Additional focus on Apple technologies
• User selectable order of plugin execution

What data is captured from the suspect's computer

MacLockPick 3.0 is designed to capture information that might be considered valuable to an IT manager, an E-Discovery professional, or a digital forensics law enforcement officer. Such information includes details about the system, activities of the user of that system, and the online history of that user.

Through the use of a plugin architecture MacLockPick 3.0 can be configured to collect almost any kind of information depending on the needs of the investigator. This information might include files of a specific type, chat logs, phone records, browser history, passwords, accounts, and system state data.

Plugins and plugins types

MacLockPick 3.0 is built on a plugin architecture in order to allow the investigator greater control over which processes are run in the field. These plugins are broken into 5 different categories;

  1. Built-in Plugins - pre-configured digital investigative tools. Inc. has included many built-in plugins that are shipped with MacLockPick 3.0. These plugins gather data from the suspect's system and deliver that information to the logs.
  2. Copy Files or Folders - logical acquisition with hashing in MD5, SHA1, and SHA256.
    Investigators can pre-configure MacLockPick 3.0 to make copies of specified files and folders on a suspect's system. Target data can be specified relative to the root of the system or relative to the user's home folder. Filters can also be included so that only files of a specified type or name are copied.
  3. Terminal Commands - captured output from the command-line on the suspect's computer.
    Many investigations require the execution of command-line tools on a system. MacLockPick 3.0 can be configured to transparently open a shell environment, execute the specified command (with or without parameters), and then record the output to the logs.
  4. External Commands - execution of third party command-line tools programs.
    The open source community, as well as digital forensics developers, have created a wide variety of tools that are useful to field investigators. MacLockPick 3.0 allows the investigator to configure these tools to be included in the triage process and for the output from these tools to be captured in the MacLockPick 3.0 logs.

Built-in plugins

The following is a partial list of the plugins currently being shipped with MacLockPick 3.0. This list is far from complete and is here as an example of the inherent product capabilities.

a) Law Enforcement Only
The following two plugins are only available to law enforcement customers.

NTLM and Lan Man Password Grabber - This plugin utilizes pwdump6 (unmodified) from fizzgig. pwdump is the name of various Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM). The hashes extracted can be used to extract the passwords using brute force, dictionary, or rainbow table attacks once the MacLockPick 3.0 logs have been returned to the lab for further analysis.

Apple Keychain Extractor - The keychain extractor takes advantage of the default state of the central password repository on Apple Mac OS X. All passwords stored in the keychain are extracted and detailed in the log files.

b) IT/eDiscovery and Law Enforcement
The following plugins are shipped with all MacLockPick 3.0 units.

Apple iPhone - Gather information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers. Information captured includes (but is not limited to) the following;

  • Incoming and outgoing phone calls including phone number, duration, date, and time.
  • Incoming and outgoing SMS messages including the phone number or name of the third party, the message content, and the date and time of the message.
  • IMEI - The International Mobile Equipment Identity is a number unique to every GSM and UMTS mobile phone as well as some satellite phones. It is usually found printed on the phone underneath the battery. The IMEI number is used by the GSM network to identify valid devices.
  • TMSI - The "Temporary Mobile Subscriber Identity" is the identity that is most commonly sent between the mobile phone and the network. TMSI is randomly assigned by the VLR to every mobile in the area, the moment it is switched on. The number is local to a location area, and so it has to be updated, each time the mobile moves to a new geographical area.
  • IMSI - An International Mobile Subscriber Identity is a unique number associated with all GSM and UMTS network mobile phone users. It is stored in the SIM inside the phone and is sent by the phone to the network. It is also used to acquire other details of the mobile in the Home Location Register (HLR) or as locally copied in the Visitor Location Register. In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead.
  • International Roaming Edge Status - Whether the phone is currently set to roam status.
  • Favorites - Speed dial entries including the name and phone number.
  • Safari State Documents - Pages currently open in the browser.
  • Safari History - Pages viewed in the browser.
  • Safari Bookmarks - All pages book marked.
  • Notes recorded in the notes program.
  • Address Book contacts, including all recorded details for each contact.
  • Mail Accounts setup for synchronization.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone's functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second and third generations use UMTS and HSDPA.

Clipboard - Capture any text contents or graphics found in the clipboard. Any text that is found will be stored in the logs. Any graphics will be converted to jpeg form and saved to the output log folder.

Valuable information is often accidentally left in the clipboard by the suspect.

Firefox - Create a summary of online activity of the suspect when/if they use Firefox version 2 and/or 3. Information captured includes (but is not limited to) the following;

  • Bookmarks - All pages that have been marked as a favorite or shortcut.
  • History - Details on all pages visited.
  • Cookies - Data items stored by web servers for future reference.
  • Downloads - URL and file name of files that have been downloaded.
  • Auto fill - Data strings used to auto complete forms, this includes addresses and often purchasing information used for online purchases.

Mozilla Firefox is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation. Firefox has achieved recorded usage share of web browsers as of late, making it the second-most popular browser in current use worldwide, after Internet Explorer.

Internet Explorer - Create a summary of online activity of the suspect when/if they use Internet Explorer. Information captured includes (but is not limited to) the following;

  • Bookmarks - All pages that have been marked as a favorite or shortcut.
  • History - Details on all pages visited.
  • Cookies - Data items stored by web servers for future reference.
  • Downloads - URL and file name of files that have been downloaded.

Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since.

Network - An analysis of the network activity on the suspect's computer. This information includes ARP tables, interfaces, and netstat activity.

ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model. From a forensics point of view the ARP table shows what computers were connected to the suspect's machine on their local area network at the time of analysis.

Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number.

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Processes - Use the OS to list all active applications running on the suspect's computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.

Note: This will not show background and system processes. OS specific plugins are included for this purpose.

Apple Safari - Create a summary of online activity of the suspect when/if they use Safari. Information captured includes (but is not limited to) the following;

  • Bookmarks - All pages that have been marked as a favorite or shortcut.
  • History - Details on all pages visited.
  • Cookies - Data items stored by web servers for future reference.
  • Downloads - URL and file name of files that have been downloaded.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP, Windows Vista and Windows 7 are supported.

Screen shot - Capture and save a screen shot of the main screen on the suspect's system. The plugin will temporarily hide MacLockPick 3.0 during the process and save the file to your output folder along side the captured logs database.

Skype - Create transcripts of communications the suspect has made using Skype. Information captured includes (but is not limited to) the following;

  • VoIP calls, including the name or phone number.
  • Instant messages including the name of the third party, content of the message, and the date and time of the message.
  • SMS messages, including the phone number of the third party, and content of the message.
  • File Transfers.
  • Buddy list and details including addresses imported from other systems by Skype.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to land lines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information - Create a profile of the hardware in use by the suspect. Information captured includes (but is not limited to) the following;

  • User Name
  • Computer Name
  • Operating System
  • System Serial number (where available)
  • Processor
  • RAM
  • Model
  • UUID
  • Time Zone
  • Country Code

USB Flash Drive History - USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They're small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at are the entries where devices have been attached, especially USB devices, and grab the information regarding the device manufacturer and serial number if it has one.

Windows Registry - This module will extract all settings from the registry on Microsoft Windows systems.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

  • Brak komentarzy
Podobne w tej kategorii