Esta entrada no es mas que un aporte que hicie en le foro de Undercode y me gustaría compartir contigo ya que he hablado muchas veces de como hacer Forenses en Linux y en Windows pero nunca he tocado Mac OS X.
Pac4Mac es una herramienta para extraer y analizar información de un MAC OS X (vamos para hacerle un forense en condiciones) Ademas, esta bajo una Apache License 2.0.
Os dejo con las features de Pac4Mac :
• Developed in Python 2.x (natively supported)
• Framework usage
• Support of OS X 10.6, 10.7, 10.8 and 10.9 (not tested)
Data extraction through:
• User or Root access
• Single Mode access
• Target Mode access (Storage media by Firewire or Thunderbolt)
It use 3 dumping modes : Quick, Forensics, Advanced:
• Dumping Users / User Admin
• Dumping Mac's Identity (os version, owner)
• Dumping Miscellaneous files (Address book, Trash, Bash history, stickies, LSQuarantine, AddressBook, Safari Webpage Preview, Office Auto Recovery, WiFI access history, …)
• Dumping content of current Keychain (security cmd + securityd process)
• Dumping Users Keychains
• Dumping System Keychains
• Dumping password Hashes
• Live Cracking hashes password
s
• Dumping Browser Cookies (Safari, Chrome, Firefox, Opera)
• Dumping Browser Places (Safari, Chrome, Firefox, Opera)
• Dumping Browser Downloads history (Safari, Chrome, Firefox, Opera)
• Dumping printed files
• Dumping iOS files backups
• Dumping Calendar and Reminders / Displaying secrets
• Dumping Skype messages / Displaying secrets on demand
• Dumping iChat, Messages(.app), Adium messages
• Dumping Emails content (only text)
• Dumping Emails content of all or special Mail Boxes
• Adding root user
• Dumping RAM
• Cloning local Disk
• Dumping system logs, install, audit, firewall
DMA access features (exploitation of Firewire and Thunderbolt interfaces)
• Unlock or bypass in writring into RAM
• Dumping RAM content
• Exploit extracted data (see Analysis module)
Analysis module in order to easily exploit extracted data by one of dumping modes
• Exploit Browser History
x 4 (Displaying recordings, Local copy for usurpation)
• Exploit Browser Cookies
x 4 (Displaying recordings, Local copy for usurpation)
• Display Browser Downloads
x 4 (Displaying recordings)
• Exploit Skype Messages
(Displaying/Recording all recorded messages, with secret information or containing a special keyword)
• Exploit iChat, Messages(.app), Adium messages (in the next version)
• Exploit Calendar Cache
(Display/Recording all recorded entries, with secret information or containing a special keyword)
• Exploit Email Messages (Displaying/Recording all recorded messages, with secret information or containing a special keyword / )
• Exploit RAM memory Dump
(Searching Apple system/applications/Web Passwords)
• Exploit Keychains
(Display content Keychain
, Crack Keychain files)
• Crack Hashes passwords
• Exploit iOS files
(Accessing to iPhone without passcode, reading secrets through iTunes backups)
• Display Stickies Widgets
• Display Printed Documents
• Display prospective passwords
(displaying all found passwords during dump and analysis phases)
Etc.
Más Información:
Código fuente:
Y un pequeño regalo para los que hayáis llegado a leer todo el post, aqui teneis todos los TIPS que se han utilizado para extraer y analizar la información para esta herramienta:
