OS X forensic acquisition: a basic workflow
OS X is, in effect, a *nix-based system, so the forensic image acquisition process is very similar to the one used on Linux systems.
Today I'd like to share my personal acquisition workflow for Apple Mac systems, suitable for OS X before 10.11 (El Capitan) or any OS X version with SIP disabled.
'Light' evidence collection
A first assessment can be performed with a 'light' acquisition tool that gathers information from plists, SQLite databases and the file system.
A good tool is OSXCollector, from Yelp:
osxcollector.py is a single Python file that runs without any dependencies on a standard OSX machine. This makes it really easy to run collection on any machine - no fussing with brew, pip, config files, or environment variables. Just copy the single file onto the machine and run it:
$ sudo osxcollector.py
Wrote 35394 lines. Output in osxcollect-2014_12_21-08_49_39.tar.gz
The JSON output of the collector, along with some helpful files like system logs, is bundled into a .tar.gz, containing:
- version
- system_info
- kext
- startup
  - launch_agents
  - scripting_additions
  - startup_items
  - login_items
- applications
  - applications
  - install_history
- quarantines
- downloads
  - downloads
  - email_downloads
  - old_email_downloads
- chrome
  - history
  - archived_history
  - cookies
  - login_data
  - top_sites
  - web_data
  - databases
  - local_storage
  - preferences
- firefox
  - cookies
  - downloads
  - formhistory
  - history
  - signons
  - permissions
  - addons
  - extension
  - content_prefs
  - health_report
  - webapps_store
  - json_files
- safari
  - downloads
  - history
  - extensions
  - databases
  - localstorage
  - extension_files
- accounts
  - system_admins
  - system_users
  - social_accounts
  - recent_items
- mail
- full_hash
Full disk acquisition
On Unix systems, this step is really simple:
$ sudo dd if=/dev/[DISK] of=diskimage.dd bs=512
Memory acquisition
I suggest using MacPmem, from the Rekall project:
MacPmem enables read/write access to physical memory on OS X 10.8 through 10.11. It simultaneously exposes a wealth of useful information about the operating system and hardware it's running on through an informational device and sysctl interface.
https://github.com/google/rekall/tree/master/tools/osx/MacPmem
https://github.com/Velocidex/c-aff4/releases (Thanks to Phill Moore!)
MacPmem is an OS X kernel extension (kext, a dynamically loaded bundle of executable code that runs in kernel space) that, once loaded, exposes two new devices:
- /dev/pmem: allows physical memory read access, but can also be built with write support.
- /dev/pmem_info: exposes an informational dump.
Download the latest release (e.g. https://github.com/Velocidex/c-aff4/releases/download/3.2/osxpmem_3.2.zip) and unzip it.
Then load the kext and start the acquisition with dd:
$ sudo kextload MacPmem.kext
$ sudo dd if=/dev/pmem of=memory.raw