Daily Blog #449: Solution Saturday
Hello Reader,
Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.
The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed.
The Winning Answer:
The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution.
Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges), it is important to be broad in the areas you look, as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally, in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself.
Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled element; process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP, etc.)
WSL (if WSL is in use then this opens a whole other kettle of fish: .bash_history, evidence of tool installation, etc.)
Evidence of process artifacts in RAM
Command history in RAM
MacOSX
knowledgeC.db database (application usage data)
.bash_history (if tools used or executed from command line)
FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bash_history in RAM
Evidence of process artifacts in RAM
Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable "ZZZ" files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such tell-tale sign is recoverable files with random filenames and high-entropy content consistent with being overwritten with pseudo-random data; entropy analysis of recovered deleted files can highlight these.
Evidence of research/download/installation
Proving the intent of a user can also be useful, whether or not evidence of the use of anti-forensic tools is actually identified, by evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview, etc.). Additionally, evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.
Windows
Registry artifacts (installed applications, application specific entries, etc.)
OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents
Both
The disk… (look for executables for anti-forensics tools on disk, e.g. 'Program Files' directories, 'Applications' directories, 'Downloads' directories)
Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))
Proxy/web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)
Wildcard
You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be "undetectable". Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but the evidence of the existence of a now-deleted VM, coupled with the note, made compelling reading in court.
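The entropy check Adam mentions under "Evidence of Tool Use" (recovered files whose content looks like a pseudo-random overwrite) is easy to script. The block below is an example added to this post; it is not part of Adam Harrison's answer or of David Cowen's blog. The thresholds (HIGH_ENTROPY, MIN_SIZE) and the sample file contents are constructed assumptions for illustration, and a high-entropy hit still needs its original extension or magic bytes checked, since encrypted archives and compressed media score the same way.

```python
"""Entropy triage of carved/recovered files.

Flags content consistent with a pseudo-random overwrite (what a secure-delete
tool leaves behind) or a constant-byte wipe. Example added to this post; not
the author's or the challenge winner's code.
"""
import math
import random
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Thresholds are assumptions chosen for illustration; tune them on your own corpus.
HIGH_ENTROPY = 7.9   # bits/byte; uniformly random bytes approach the 8.0 maximum
MIN_SIZE = 512       # below this the entropy estimate is too noisy to act on


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label content by its byte distribution.

    constant-fill : a single repeated byte value (e.g. a zero-fill wipe)
    high-entropy  : near-uniform bytes, consistent with a pseudo-random
                    overwrite, but also with encryption or compression
    normal        : everything else (text, office documents, most executables)
    too-small     : not enough data for a meaningful estimate
    """
    if len(data) < MIN_SIZE:
        return "too-small"
    h = shannon_entropy(data)
    if h == 0.0:
        return "constant-fill"
    if h >= HIGH_ENTROPY:
        return "high-entropy"
    return "normal"


def scan_directory(root: Path) -> List[Tuple[str, float, str]]:
    """Walk a directory of recovered files and classify each one."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        results.append((str(path), round(shannon_entropy(data), 3), classify(data)))
    return results


def build_samples() -> Dict[str, bytes]:
    """Constructed sample contents standing in for carved files (not real evidence)."""
    rng = random.Random(1)  # seeded so the pseudo-random sample is reproducible
    return {
        "report.txt": b"Quarterly figures attached, please review before Friday.\n" * 40,
        "zeroed.bin": b"\x00" * 8192,
        "aF3kq9Zx.tmp": bytes(rng.getrandbits(8) for _ in range(8192)),
        "stub.dat": b"MZ\x90\x00",
    }


def classify_samples() -> Dict[str, str]:
    """Classify the constructed samples; used by the self-test below."""
    return {name: classify(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    # Run against the built-in samples; swap in scan_directory(Path("carved/"))
    # to triage a directory of files recovered from the suspect's disk.
    for name, data in build_samples().items():
        print(f"{name:14} {shannon_entropy(data):6.3f} bits/byte  {classify(data)}")
```

Pair the "high-entropy" hits with the filename pattern and the FSEvents or $UsnJrnl record for the same path: a document that changed to 8 bits/byte content moments before it was deleted is far stronger evidence of a wipe than the entropy figure alone.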
Reviewed by David Cowen on August 11, 2018