OS X Exploits and Defense
By Kevin Finisterre, Larry H., David Harley, Gareth Porteous
Syngress Publishing, Inc. Copyright © 2008 Elsevier, Inc.
All rights reserved.
Chapter One: Macintosh OS X Boot Process and Forensic Software
Solutions in this chapter:
* The Boot Process
* The Macintosh Boot Process
* Macintosh Forensic Software
"The computer for the rest of us" was never considered much of a hacker's platform. The original Mac didn't even have arrow keys (or a control key, for that matter), forcing the user to stop what he was doing, take his hands off the keyboard, and use the mouse. The Mac's case was sealed so tight, a special tool known as the "Mac cracker" was made to break it open. It was a closed machine, an information appliance. The expansionless design and sealed case of the Mac stood in stark contrast to the Apple II that came before it.
With its rich graphical interface and ease of use, the Mac became the standard for graphic artists and other creative types. Custom icons and desktop patterns soon abounded. The users that embraced the Macintosh for its simplicity began using ResEdit (Resource Editor) to modify system files and to personalize their machines. The Mac developed a fanatical following, and you could rest assured that each fanatic's system was unique, with the icons, menus, program launchers, windows, sounds, and keyboard shortcuts all scrutinized and perfected to meet his personal needs. My Color Classic even played Porky Pig's "That's all folks" each time it shut down (although the novelty wore off on that one pretty quick ...).
Mac OS X was met with some trepidation. It broke every program and system modification, it didn't have a proper Apple menu — and what on earth was this "dock"? Jef Raskin, who gave the Mac its name, wrote of Mac OS X, "Apple has ignored for years all that has been learned about developing UIs. It's unprofessional, incompetent, and it's hurting users." Bruce Tognazzini, founder of the Apple Human Interface Group, even penned an article titled "Top 10 Reasons the Apple Dock Sucks."
Mac OS X was an entirely different operating system. Most classic Mac OS applications were compatible, but only when operating inside a special run-time environment. All system extensions and user interface modifications were permanently lost. For many users, these changes are what made the computer "theirs," and they relied heavily upon their customizations to efficiently get work done. The loss was tremendous. And it was worth it.
Preemptive multitasking, symmetric multiprocessing, multithreading, and protected memory ... Protected memory was the one I wanted most.
At a 1998 keynote, Steve Jobs showed off a mere dialog box, to great applause. The dialog read: "The application Bomb has unexpectedly quit. You do not need to restart your computer." I take it for granted on Mac OS X, but as I write this, I'm recalling occasions when Internet Explorer brought my entire system down multiple times in a single day.
Protected memory doesn't do much good when all your apps are running in the Classic Environment and the user interface did indeed leave a lot to be desired. But with each revision, Mac OS X has improved dramatically. The Macintosh has become "the computer for everybody." For novices, it remains the easiest computer there is. For enthusiasts, as in the old days, there is a vast array of third party applications, utilities, and customizations, to tweak and improve the way the OS works. For hackers and programmers, there's the command line and the BSD Unix compatibility layer.
All the power, all the tools, and all the geekery of Linux are present in Mac OS X. Shell scripts, X11 apps, processes, kernel extensions ... it's a UNIX platform. It's even possible to forgo Apple's GUI altogether and run KDE. Why you'd want to is another matter. While its UNIX core is what has made Mac OS X a viable platform for hackers and programmers, it's the user interface that has made it popular.
Apple's Terminal application is perpetually running on my PowerBook, but so are iTunes, iCal, and a slew of Dashboard Widgets.
The Boot Process
In this section we will look at the startup process that most computers go through and how the fundamental operating systems get loaded and started. You will see that computers start with tiny steps that build on each other, getting larger until the entire system is loaded and running. Only then can you, the end user, issue commands that the computer interprets and understands.
One of the most popular analogies for how a computer starts up is the amnesia scenario. For a moment look around you at the things you use everyday: telephones, pencils, coffee cups, and so on. Now imagine that you closed your eyes and when you opened them you didn't recognize any of those things, and didn't know how they worked. That is what happens inside a computer when you press the reset or the power button.
At the most fundamental level, computers understand only two things: true and false. The process of getting the computer from being a completely blank state to a fully running operating system is one of the fundamental items that every investigator should understand.
After looking at how a Macintosh boots, we will look at some of the tools that are available for analyzing Macintosh systems using both the Macintosh and Windows operating systems.
The term "boot," depending on whom you talk to, came either from the old phrase "pulling one's self up by the bootstraps," or just from the word "bootstrap," meaning the leather tabs you use to pull on your boots. Either way it is a part of computer history and lore and is commonly used as the computer term for the initial startup of the system. All systems that are able to run Microsoft or Linux operating systems use the same boot-up process. Once the computer completes this initial startup, the specific operating system will load what it needs to continue. First we will look at the boot process in detail.
The Macintosh Boot Process
In this section, we will briefly examine the way an Apple Macintosh computer boots. The information here is for the Mac OS X version of Apple's operating system running on Intel-based microprocessors. Older Motorola-chipset Macintosh computers use a much different boot process.
OS X uses Open Firmware that is very much like the BIOS noted earlier. The Open Firmware that Apple uses in the Macintosh is based on the IEEE-1275 standard.
EFI and BIOS: Similar but Different
Just like any other computer on the market, when the power switch is activated on a Macintosh, the system goes through a Power On Self Test (POST), resets the microprocessor, and starts the execution of initialization code, which is the Open Firmware instead of BIOS.
Like the BIOS, Extensible Firmware Interface (EFI) checks the configuration of the machine and loads any device ROMs that it finds into memory. It then looks for a default boot device ... and here is where it gets interesting. There are numerous optional startup functions that EFI can perform based on user input. Single keys, known as "snag keys," can be pressed that will allow the system to boot from specific devices.
* Pressing the C key will attempt to boot from the CD/DVD-ROM drive.
* Pressing the D key will attempt to boot from the first hard disk drive.
* Pressing the N key will attempt to boot from the Network Interface Controller (NIC).
* Pressing the Z key will attempt to boot from the ZIP drive.
It is also possible to enter the EFI interactive console mode by pressing the cmd-opt-O-F key combination during power up. (Note: If you are like me and just tried this before reading on, typing mac-boot at the prompt will let the Macintosh finish booting.) You should read a good source of Open Firmware/EFI commands before trying the console mode. An excellent mirror of the Open Firmware Working Group is at http://bananjr6000.Apple.com/1275/.
The EFI program is located in the BOOT.efi file. This is the portion of the boot loading process that loads the OSX kernel and starts the user interface.
To many die-hard Macintosh users the move to OS X wasn't immediately seen as a move to the open source UNIX environment. It wasn't long before they realized their beloved Mac was now a UNIX machine. When you look at the roots of OS X, a large number of open source modules and programs were obtained from other groups, including Carnegie Mellon, FreeBSD, GNU, Mach, XFree86, NEXTSTEP, and OPENSTEP.
The OS X Kernel
In a nutshell, the real OS X is what you get when several components come together. XNU is the name of the actual OS X kernel on the boot drive. It is comprised of the following modules:
* Mach: Provides the service layer to the kernel
* BSD: Provides the primary system program interface
* I/O Toolkit: Provides driver support
* LIBSA & LIBKERN: Kernel libraries
* The Platform Expert: A motherboard-specific hardware abstraction layer
* Apple I/O components: The unique Mac interfaces
Apple uses proprietary components to give the Macintosh look and feel to the open source products listed. Carbon, Cocoa, Quartz, OpenGL, QuickTime, and the Aqua interfaces are just a few of the unique interfaces that make the Macintosh so special.
Macintosh Forensic Software
Only recently has the Macintosh begun to be accepted in the forensic community. Listed next are just a few of the tools that can make forensics of OS X systems easier.
As with all forensic tools, the examiner should have a solid understanding of how tools work and should be able to prove by demonstration that each finding produced by the tool can be duplicated in a court of law.
BlackBag Forensic Suite
BlackBag Technologies, Inc. is one of the few providers of forensic software for the Macintosh platform. Its Macintosh Forensic Suite is a collection of 26 modules that can be launched individually or from the Forensic Suite Toolbar (see Figure 1.1).
The Directory Scan utility allows you to view all the files and folders on a Macintosh volume (see Figure 1.2). A volume can be any mounted storage device, including USB or FireWire devices. All files, including invisible files, can be examined, including Data Fork/Resource Fork data sizes, Creator and Type codes, and all important date/time stamps.
You can select individual files and folders for export to a new directory for further examination as well as printing a comprehensive report on all the files viewed or selected in the main window.
When you need to take a quick look inside of a file that has forks, FileSpy is a good tool (see Figure 1.3). This utility allows you to view either fork in a file, see the relative sizes of each fork, and move to any sector of a file directly. The utility even includes an ASCII filter to aid in file viewing.
Because the header is a calculated portion of Macintosh files, changing the header or repairing one can be time- and math-intensive using a traditional hex editor. HeaderBuilder makes this an easy task by allowing you to make the changes and then generate the CRC32 checksum and the MD5 hash of the file immediately (see Figure 1.4).
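An added example, not from the book or from BlackBag: a small Python routine that re-derives the two values HeaderBuilder reports, the CRC32 checksum and the MD5 hash, separately for a file's data fork and resource fork, so that an examiner can independently confirm a tool's figures as the section above asks. It assumes the HFS+ `..namedfork/rsrc` pseudo-path for the resource fork; on a non-HFS volume that path is absent and the resource fork is reported as None.

```python
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass


@dataclass
class ForkDigest:
    size: int
    crc32: str  # 8 hex digits, the way HeaderBuilder-style tools show it
    md5: str    # 32 hex digits


def digest_stream(path: str, chunk_size: int = 1 << 20) -> ForkDigest:
    """Stream one fork through CRC32 and MD5 without reading it whole."""
    crc, md5, size = 0, hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            size += len(chunk)
    return ForkDigest(size, f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest())


def hash_forks(path: str) -> dict:
    """Digest the data fork and, if present, the resource fork of a file."""
    # Assumption: HFS+ exposes the resource fork at <file>/..namedfork/rsrc.
    # On other filesystems that path is absent and the fork is reported None.
    rsrc_path = os.path.join(path, "..namedfork", "rsrc")
    result = {"data_fork": digest_stream(path), "resource_fork": None}
    try:
        if os.path.getsize(rsrc_path) > 0:
            result["resource_fork"] = digest_stream(rsrc_path)
    except OSError:
        pass  # no resource fork, or not an HFS+ volume
    return result


def matches_report(path: str, reported_crc32: str, reported_md5: str) -> bool:
    """Independently re-derive a tool's data-fork CRC32/MD5 and compare."""
    d = hash_forks(path)["data_fork"]
    return d.crc32 == reported_crc32.lower() and d.md5 == reported_md5.lower()


def write_sample(data: bytes) -> str:
    """Constructed sample file for the demo; a real run targets the evidence copy."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    return tmp.name


if __name__ == "__main__":
    sample = write_sample(b"abc")
    print(hash_forks(sample))
    os.unlink(sample)
```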
Other utilities in the Forensic Suite include:
* Breakup Splits large folders or files into more manageable sizes.
* Comment Hunter Looks in the Comment fields of Mac files for keywords.
* DCFLDDassistant Launches the Macintosh version of DCFLDD.
* File Searcher Looks for specific filenames or Type/Creator codes.
* GraphicView Uses the QuickTime engine to view files or movies.
* HFS Extractor Converts image file formats (SafeBack, Linux, DD, FWB).
* ImageBuster Searches image files for keywords.
* ListBuilder Allows you to create keyword lists in native languages (Spanish, Russian, etc.).
* LockMaster Allows you to quickly lock or unlock a large number of files/folders.
* MacCarver Lets you carve image files from within a container.
* PhantomSearch Allows you to capture all the invisible files of a volume.
* Typer A very fast little utility that shows/changes the Type/Creator for a given file.
* VolumeExplorer HFS partition analyzer.
Carbon Copy Cloner
Mike Bombich has created a handy utility called Carbon Copy Cloner (CCC) for making backups or copies of important data on your Macintosh. It is a front-end for several less-than-intuitive utilities that are part of OS X.
As the name implies CCC can clone one hard disk to another when you use its default options. This copy can also be made to an image file on another drive, but it should be noted that this is not a forensic copy of the original (see Figure 1.5).
Documentation is available at the Bombich Software site: www.bombich.com/software/ccc.html.
Only Macintosh formatted volumes can be "cloned" using CCC; any other DOS or UNIX formats are not recognized in the drop-down menus. If you do not have psync installed, you can install it from the Preferences menu (see Figure 1.6).
Excerpted from OS X Exploits and Defense by Kevin Finisterre, Larry H., David Harley, Gareth Porteous. Copyright © 2008 by Elsevier, Inc. Excerpted by permission of Syngress Publishing, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.