Showing posts with label Forensic Analyzer.

Tuesday, 18 February 2014

[Pac4Mac] Forensics Framework for Mac OS X


Pac4Mac (Plug And Check for Mac OS X) is a portable forensics framework (launched from USB storage) that extracts and analyses session information, highlighting the real risks in terms of information leakage (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check the security of your Mac OS X system or to assist you during a forensic investigation.

Mindmap Pac4Mac features (PDF format)

Features

[*] Developed in Python 2.x (natively supported)
[*] Framework usage
[*] Support of OS X 10.6, 10.7, 10.8 and 10.9 (not tested)

[*] Data extraction through:

  • User or Root access
  • Single Mode access
  • Target Mode access (Storage media by Firewire or Thunderbolt)

[*] 3 dumping modes: Quick, Forensics, Advanced:
  • Dumping users / admin users
  • Dumping the Mac's identity (OS version, owner)
  • Dumping miscellaneous files
    (Address book, Trash, Bash history, Stickies, LSQuarantine, AddressBook,
    Safari Webpage Preview, Office Auto Recovery, WiFi access history, …)
  • Dumping content of the current Keychain (security cmd + securityd process)
  • Dumping user Keychains
  • Dumping System Keychains
  • Dumping password hashes
  • Live cracking of password hashes
  • Dumping browser cookies (Safari, Chrome, Firefox, Opera)
  • Dumping browser places (Safari, Chrome, Firefox, Opera)
  • Dumping browser download history (Safari, Chrome, Firefox, Opera)
  • Dumping printed files
  • Dumping iOS file backups
  • Dumping Calendar and Reminders / displaying secrets
  • Dumping Skype messages / displaying secrets on demand
  • Dumping iChat, Messages(.app), Adium messages
  • Dumping email content (text only)
  • Dumping email content of all or selected mailboxes
  • Adding a root user
  • Dumping RAM
  • Cloning the local disk
  • Dumping system, install, audit and firewall logs

[*] DMA access features (exploitation of Firewire and Thunderbolt interfaces)
  • Unlock or bypass by writing into RAM
  • Dumping RAM content
  • Exploit extracted data (see Analysis module)

[*] Analysis module to easily exploit the data extracted by one of the dumping modes:
  • Exploit browser history[*] x 4 (displaying records, local copy for impersonation)
  • Exploit browser cookies[*] x 4 (displaying records, local copy for impersonation)
  • Display browser downloads[*] x 4 (displaying records)
  • Exploit Skype messages[*] (displaying/recording all recorded messages, those with secret information or those containing a given keyword)
  • Exploit iChat, Messages(.app), Adium messages (in the next version)
  • Exploit Calendar cache[*] (displaying/recording all recorded entries, those with secret information or those containing a given keyword)
  • Exploit email messages (displaying/recording all recorded messages, those with secret information or those containing a given keyword)
  • Exploit RAM memory dump[*] (searching for Apple system/application/Web passwords)
  • Exploit Keychains[*] (display Keychain content, crack Keychain files)
  • Crack password hashes
  • Exploit iOS files[*] (accessing an iPhone without passcode, reading secrets through iTunes backups)
  • Display Stickies widgets
  • Display printed documents
  • Display prospective passwords (displaying all passwords found during the dump and analysis phases)

[*] Integration of post-intrusion features
  • Hard disk/RAM image
  • System dump to help analyse a compromise
    • System logs: syslog, install, firewall, audit
    • System usernames
    • Names and creation dates of launched agents, daemons, applications
    • Scheduled tasks
    • Plists of known Mac OS X malware
    • Loaded drivers
    • Network connections
    • Active processes
    • Used resources (files, libraries, …)
    • Strange files (SUID, large size, …)
    • Last dates of WiFi connections
  • Integration of CheckOut4Mac to quickly detect recent malicious activity, or whether someone attempted or managed to get access to the Mac you left in your hotel room during dinner or a party (based on USB connections, added users, attempts to unlock the session, access to emails, modification of files, etc.).
    • Source: http://sud0man.blogspot.fr/2013/07/checkout4mac-v01.html
    • Startup activities (startup dates, shutdown dates, hibernation dates, wake-from-hibernation dates)
    • Session activities (locked-session dates, failed attempts to unlock the session, successful session unlocks)
    • Physical activities (USB connections, USB plugged devices, file system events, Firewire connections with another machine or storage media, Firewire connections used to dump RAM)
    • Privilege escalation activities (opened/closed TTY terminals, root commands executed successfully, failed attempts to execute commands with sudo, user and password modification and creation)
    • Application activities (opened applications)
    • File activities (modified files such as autorun apps, LaunchAgents or LaunchDaemons; added files such as trojan or malware apps; accessed files such as your secret files; last access dates of mails)
    • Network activities (Ethernet/WiFi connections, WiFi access points (last connection dates))
[*] Each launched action is logged and can be easily reviewed
[*] Easy to add a new target (file, user directory, command, …) to extract (via db files and functions)
[*] All passwords found during dump or analysis are displayed
[*] All passwords found during dump or analysis are stored in a common database (human-readable format) and used for the next steps
[*] Multi-user extraction (from root session, single mode and Target Mode)
[*] Support for 4 browsers (Safari, Chrome, Firefox, Opera)
[*] Multi-profile extraction (e.g. Firefox, Skype)
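As an added example (not Pac4Mac or CheckOut4Mac code) of the "was my Mac touched while I was at dinner?" triage the CheckOut4Mac integration describes: the script classifies syslog-style lines into the activity categories listed above and reports what happened inside an unattended time window. The log lines and their message texts are constructed for this example and are not the real OS X log formats.

```python
# Added example (not Pac4Mac/CheckOut4Mac code): classify constructed syslog-style
# lines into CheckOut4Mac's activity categories and list what happened while the
# machine was supposedly unattended. Message texts are constructed assumptions,
# not the real OS X log strings.
import re
from datetime import datetime

RULES = [  # category -> pattern over the message part of a line
    ("session",   re.compile(r"screen unlock (failed|succeeded)")),
    ("physical",  re.compile(r"USB device (attached|detached)")),
    ("privilege", re.compile(r"sudo: .*(incorrect password|COMMAND=)")),
    ("account",   re.compile(r"user account (created|modified)")),
]
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def classify(msg):
    """First matching category name, or None for uninteresting lines."""
    return next((cat for cat, rx in RULES if rx.search(msg)), None)

def unattended_events(lines, start, end):
    """(timestamp, category, message) for classified events with start <= ts < end."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    found = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the triage
        cat = classify(m["msg"])
        if cat and t0 <= datetime.fromisoformat(m["ts"]) < t1:
            found.append((m["ts"], cat, m["msg"]))
    return found

def summarize(events):
    """Count events per category, e.g. {'session': 2, 'physical': 1}."""
    counts = {}
    for _, cat, _ in events:
        counts[cat] = counts.get(cat, 0) + 1
    return counts

# Constructed log excerpt: the owner leaves at 19:30 and returns at 22:00.
LOG = [
    "2014-02-18 18:55:02 mac sudo: alice : TTY=ttys000 ; COMMAND=/usr/bin/id",
    "2014-02-18 19:31:40 mac loginwindow: screen unlock failed for alice",
    "2014-02-18 19:31:55 mac loginwindow: screen unlock failed for alice",
    "2014-02-18 19:33:10 mac kernel: USB device attached: SanDisk Cruzer",
    "2014-02-18 19:34:02 mac sudo: alice : 3 incorrect password attempts",
    "2014-02-18 19:40:00 mac mDNSResponder: cache refreshed",
    "2014-02-18 22:05:12 mac loginwindow: screen unlock succeeded for alice",
]
```

Running `summarize(unattended_events(LOG, "2014-02-18 19:30:00", "2014-02-18 22:00:00"))` on the constructed excerpt yields two failed unlocks, one USB attach and one sudo failure inside the window, while the owner's own sudo command before dinner is left out.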


Monday, 13 January 2014

[Xplico 1.1.0] Open Source Network Forensic Analysis Tool (NFAT)


The goal of Xplico is to extract the application data contained in an Internet traffic capture.

For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Xplico is released under the GNU General Public License and with some scripts under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License. For more details see License.

Features

  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information to an SQLite database or MySQL database and/or files;
  • Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flow and the pcap containing the reassembled data;
  • Real-time processing (depends on the number of flows, the types of protocols and the performance of the computer: RAM, CPU, HD access time, …);
  • TCP reassembly with ACK verification for every packet, or soft ACK verification;
  • Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
  • No size limit on input data or the number of input files (the only limit is HD size);
  • IPv4 and IPv6 support;
  • Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcher) are all modules;
  • The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you;
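To make the "TCP reassembly with ACK verification or soft ACK verification" bullet concrete, here is an added example (my own code, not Xplico's) that rebuilds one direction of a TCP stream from captured segments. The strict mode keeps only bytes the peer acknowledged, the soft mode keeps every captured byte; that reading of the two policies is an assumption, not Xplico's exact algorithm, and the capture is constructed inline.

```python
# Added example (not Xplico code): reassemble one direction of a TCP stream from
# captured segments, keeping only peer-acknowledged bytes ("ACK verification")
# or every captured byte ("soft ACK verification"). The policy semantics are my
# reading of the feature list, not Xplico's algorithm.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # TCP payload carried by this segment

def reassemble(isn, segments, peer_acks, strict=True):
    """Return (stream, holes) for the bytes sent by one side of a connection.
    isn: that side's initial sequence number (data starts at isn + 1);
    segments: captured data segments in any order, retransmissions allowed;
    peer_acks: ACK numbers seen in the other side's packets;
    holes: [start, end) ranges never captured, zero-filled in the stream."""
    first = isn + 1
    limit = max(peer_acks) if peer_acks else first   # highest byte the peer confirmed
    buf = {}
    for seg in segments:
        for i, b in enumerate(seg.payload):
            off = seg.seq + i
            if off < first or (strict and off >= limit):
                continue                 # before stream start, or not acknowledged
            buf.setdefault(off, b)       # a retransmitted copy never overwrites
    if not buf:
        return b"", []
    end = limit if strict else max(buf) + 1
    stream, holes, gap = bytearray(), [], None
    for off in range(first, end):
        if off in buf:
            if gap is not None:
                holes.append((gap, off)); gap = None
            stream.append(buf[off])
        else:
            gap = off if gap is None else gap
            stream.append(0)
    if gap is not None:
        holes.append((gap, end))
    return bytes(stream), holes

# Constructed capture: an HTTP request in three segments seen out of order, the
# first one retransmitted, and the final CRLF never acknowledged by the server.
ISN = 1000
SEGS = [Segment(1017, b"Host: a\r\n"), Segment(1001, b"GET / HTTP/1.1\r\n"),
        Segment(1001, b"GET / HTTP/1.1\r\n"), Segment(1026, b"\r\n")]
ACKS = [1001, 1017, 1026]
```

With the constructed capture, strict mode drops the unacknowledged trailing CRLF, soft mode keeps it, and removing the middle segment from the input reports a hole at bytes 1017 to 1025 instead of silently concatenating the remainder.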

Saturday, 23 November 2013

[DEFT] Linux distribution for forensic analysis


DEFT is a well-regarded distribution that collects forensic analysis tools and has now reached version 8.

It does not focus solely on the typical forensic analysis of hard drives; it also lets us carry out network forensics and even mobile-device forensics. DEFT v8 is based on Ubuntu 12.10 and ships kernel version 3.5.0-30. Like any current live CD, it offers the option of installing the distribution to our hard drive.

In the distribution's main menu we find the following categories of included tools:
DEFT 8 tools menu
  • Analysis - Tools for analysing files of different types
  • Antimalware - Search for rootkits, viruses, malware, as well as PDFs with malicious code.
  • Data recovery - Software for file recovery
  • Hashing - Scripts for computing hashes in certain processes (SHA1, SHA256, MD5...)
  • Imaging - Applications we can use to clone and acquire images of hard drives or other sources.
  • Mobile Forensics - Analysis of Blackberry, Android and iPhone, as well as information about the typical SQLite databases used by applications on mobile devices.
  • Network Forensics - Tools for processing information stored in network captures
  • OSINT - Applications that make it easier to obtain information associated with users and their activity.
  • Password recovery - Recovery of BIOS passwords, passwords of compressed and office files, brute force, etc.
  • Reporting tools - Finally, in this section we find tools that make it easier to generate reports and obtain evidence to document the forensic analysis: screen capture, note collection, desktop activity recording, etc.

Within these sections you will find a great many tools, saving you from having to collect them yourself. The full package list is available at this link. There is no manual yet for this latest version 8, but you can take a look at the manual for version 7; in any case its use is fairly simple and each tool comes with its own man page.

Finally, worth highlighting in this version 8 is the inclusion of DART 2, a suite for incident management and response from Windows operating systems, which includes an application launcher for tools for that operating system.

Running DART on Windows

You can download the distribution in several formats (ISO image, virtual machine and USB pendrive version, among others), with several mirrors available. Without doubt a live CD that should also be in our arsenal of CDs/USB sticks to always carry with us.

Monday, 21 October 2013

[Ghiro v0.1] Digital Image Forensic Analyzer

Sometimes forensic investigators need to process digital images as evidence. There are some tools around, but it is still difficult to deal with forensic analysis when a lot of images are involved. Images contain tons of information; Ghiro extracts this information from the provided images and displays it in a nicely formatted report.

Dealing with tons of images is pretty easy; Ghiro is designed to scale to gigabytes of images.

All tasks are fully automated: you just have to upload your images and let Ghiro do the work.

Understandable reports and great search capabilities allow you to find a needle in a haystack.

Ghiro is a multi-user environment; different permissions can be assigned to each user. Cases allow you to group image analyses by topic, and you can choose which users are allowed to see your case through a permission schema.

Ghiro can be used in many scenarios: forensic investigators could use it on a daily basis in their analysis lab, but people interested in uncovering secrets hidden in images could also benefit. Some example use cases are the following:
  • If you need to extract all data and metadata hidden in an image in a fully automated way
  • If you need to analyze a lot of images and do not have much time to read the report for all of them
  • If you need to search a bunch of images for some metadata
  • If you need to geolocate a bunch of images and see them on a map
  • If you have a hash list of “special” images and you want to search for them