Timemachine 4n6

Posted: February 12, 2015 in Forensics, Timemachine

Time Machine Forensics

Timemachine uses hard links to create its backups in a full/incremental pattern, creating snapshots on a specified backup volume.

Forensics on these types of volumes can be handled multiple ways. You can create an EWF image using many tools (EnCase Imager, FTK Imager, DD, etc.) and then open the image under EnCase, FTK, Autopsy, X-Ways, or whatever forensic analysis tool you want. The downfall is that the filesystem will show up as a blob of Unallocated space, because the tools do not recognize it as a known filesystem. The other problem, if the tool does show you the directory/file structure, is the needle-in-a-haystack view: every snapshot appears as a full backup with all of its files listed, which makes it difficult to navigate and locate evidence for a case.

[Insert EnCase view of Timemachine]

To view the Timemachine drive in its native structure, I used Blacklight by BlackBag Tech. It has a classroom version to evaluate and learn it, and once purchased it uses a USB dongle. The interface shows the Timemachine backups in a nice GUI view.

[insert Blacklight screen cap]

Another tactic I have used (before having Blacklight) was to restore the drive from the EWF image and attach it to a stripped and clean Mac Mini, let it inherit the Timemachine backup set from the restored volume, and then use the Timemachine GUI and the tmutil command line tools to analyze and hunt for specific files on the backup set. This is not forensically sound; it WILL change timestamps and the backup volume. It is vitally important that you do not use the primary evidence drive in this process. Always use a secondary disposable copy if you have to go this route. Another thing to do here is to keep a camera handy and snap screen shots if you find pertinent evidence on the suspect's desktop or within the directory hierarchy. You can then restore the files found to the analysis host to open and analyze as needed. Again, this will change the file MAC times, so document in writing and screen cap any steps you take using this process.


Using command line tools native on OsX

XATTR for Timemachine extended attributes
I learned about extended attributes from Sarah Edwards (@iameviltwin) in an awesome Mac forensics class offered by SANS.

xattr will show extended attributes for Timemachine backups. The snapshot directory names themselves carry the date and time of each backup, which you can see with a simple ls command.

xattr paired with the com.apple.backupd.SnapshotType attribute will show what type of backup each snapshot is: Monthly (1), Weekly (2), or Daily (3).

ls
2014-04-23-105142 2014-09-18-100058 2015-02-03-005258
2014-05-21-173044 2014-10-06-132320 2015-02-11-090802

xattr -xlp com.apple.backupd.SnapshotType *
2014-10-28-124450: com.apple.backupd.SnapshotType:
00000000 33 00 |3.|
00000002
2014-11-10-142032: com.apple.backupd.SnapshotType:
00000000 31 00 |1.|
00000002
2015-02-11-131131: com.apple.backupd.SnapshotType:
00000000 32 00 |2.|
00000002

xattr on the Backup volume set (the per-host directory under Backups.backupdb) will show the MAC address of the host that was backed up, the host UUID, the backup volume UUID, the model of the host, whether the host is encrypted, and the last date/time it was backed up.

xattr -xl DarkAngel/
com.apple.backupd.BackupMachineAddress:
00000000 35 38 3A 62 30 3A 33 35 3A 66 62 00 00 00 00 00 |58:b0:00:00:00:1|
00000010 36 00 |6.|
00000012
com.apple.backupd.HasEncryptedRecoveryBits:
00000000 59 45 53 |YES|
00000003
com.apple.backupd.HasRecoverySet:
00000000 59 45 53 |YES|
00000003
com.apple.backupd.HostUUID:
00000000 30 38 32 33 34 38 32 35 2D 32 45 32 34 2D 35 46 |08234825-0000-5F|
00000010 46 39 2D 39 42 32 30 2D 43 00 00 00 38 46 39 41 |F9-0000-C9BF8F9A|
00000020 00 00 00 00 00 |A441.|
00000025
com.apple.backupd.ModelID:
00000000 4D 61 63 42 6F 6F 6B 50 72 6F 36 2C 31 |MacBookPro6,1|
0000000d
com.apple.backupd.RecoveryPartitionLastModificationDate:
00000000 33 35 30 35 33 39 34 37 37 32 |3505394772|
0000000a
com.apple.backupd.RecoveryPartitionVolumeUUID:
00000000 44 46 30 31 38 30 43 42 2D 44 43 31 37 2D 33 36 |DF0180CB-0000-36|
00000010 31 33 2D 38 43 00 00 00 00 34 44 46 30 41 37 32 |13-0000-34DF0A72|
00000020 45 42 32 34 |EB24|
00000024
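The xattr hex dumps above are easy to misread by eye, so here is a small parser for that output format, written for this post as an added example (it is not the author's code and not part of any Apple or forensic tool). It decodes com.apple.backupd.SnapshotType into the Monthly/Weekly/Daily labels described above and the RecoveryPartitionLastModificationDate value under the assumption that it is seconds since the HFS+ epoch (1904-01-01 UTC); that assumption is mine, chosen because it places the value on this page in late January 2015, consistent with the snapshot dates shown. The sample input is constructed from the dumps on this page.

```python
import datetime as dt
import re

# Constructed sample: lines adapted from the `xattr -xl` output on this page.
SAMPLE = """\
2014-10-28-124450: com.apple.backupd.SnapshotType:
00000000 33 00 |3.|
00000002
2014-11-10-142032: com.apple.backupd.SnapshotType:
00000000 31 00 |1.|
00000002
com.apple.backupd.ModelID:
00000000 4D 61 63 42 6F 6F 6B 50 72 6F 36 2C 31 |MacBookPro6,1|
0000000d
com.apple.backupd.RecoveryPartitionLastModificationDate:
00000000 33 35 30 35 33 39 34 37 37 32 |3505394772|
0000000a
"""

SNAPSHOT_TYPES = {"1": "Monthly", "2": "Weekly", "3": "Daily"}
# "file: attr:" (from `xattr -xlp attr *`) or just "attr:" (from `xattr -xl dir`)
HEADER_RE = re.compile(r"^(?:(?P<file>\S+): )?(?P<attr>[\w.]+):$")
# offset, then space-separated hex bytes, then the |ascii| column
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")
HFS_EPOCH = dt.datetime(1904, 1, 1, tzinfo=dt.timezone.utc)  # assumption, see lead-in


def parse_xattr_dump(text):
    """Return {(filename, attribute): raw bytes}; filename is '' when absent."""
    result, key = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            key = (header.group("file") or "", header.group("attr"))
            result[key] = b""
            continue
        data = HEX_RE.match(line)
        if data and key is not None:
            # rebuild the value from the hex column, not the (possibly redacted) ascii column
            result[key] += bytes.fromhex(data.group(1).replace(" ", ""))
        # trailer lines holding only the final offset (e.g. "00000002") carry no data
    return result


def decode_cstring(raw):
    """Values are NUL-terminated ASCII; drop the terminator and anything after it."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def snapshot_type(raw):
    return SNAPSHOT_TYPES.get(decode_cstring(raw), "Unknown")


def hfs_timestamp(raw):
    return HFS_EPOCH + dt.timedelta(seconds=int(decode_cstring(raw)))
```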

HDIUTIL for mounting a timemachine volume
Use hdiutil to mount the sparsebundle if it is a networked Timemachine volume, use hdiutil to mount the dmg image of the Timemachine volume from an external drive, and use that same command with the -nomount option if the Timemachine volume was encrypted. If it was encrypted you will need the password to go any further.

examples:
hdiutil attach timemachine.sparsebundle -readonly
hdiutil attach timemachine.dmg -readonly
hdiutil attach timemachine.dmg -nomount -readonly

Analysis of the mounted volumes
I suggest using a Mac host for the analysis, as OsX will follow the hard links and you will be able to see all the files in each snapshot. If you use Linux or Windows as your analysis host, all you will get out of a snapshot is the files that changed in that set.

You can now create an EWF or DD image from a snapshot for analysis under forensic software.
I use libewf to create images in E01 EnCase format; you can, and probably should, read more about libewf here.

examples:
dcfldd if=/Volumes/TM-drive/Backups.backupdb/DarkAngel/2014-04-23-105142/DarkAngel of=/mnt/cases/TM-snapshot-2014-04-23-105142.dd
ewfacquire /Volumes/TM-drive/Backups.backupdb/DarkAngel/2014-04-23-105142/DarkAngel -t /mnt/cases/TM-snapshot-2014-04-23-105142.img

You can then use ewfmount to mount the new forensic image for review.

ewfmount /mnt/cases/TM-snapshot-2014-04-23-105142.img /mnt/TM

How to know if a case should contain a Timemachine backup volume?
If the investigation is on a laptop then it should have an entry under /Volumes for MobileBackups. These snapshots are created on the local host for laptops when the Timemachine external volume is not attached, and they sync back up to the external volume when it is attached again. It is another location to look at, especially if you are presented with the image of a laptop but not the external Timemachine drive. If snapshots exist in the /Volumes/MobileBackups/ location then you can assume an external Timemachine volume also exists, and it should be requested as part of the evidence in the case.

example from my laptop:
ls -ltra /Volumes/MobileBackups/Backups.backupdb/DarkAngel/
total 13
lrwxrwxrwx 0 root wheel 0 Feb 12 13:33 Latest -> 2015-02-12-133315
drwxr-xr-x@ 3 root wheel 102 Feb 12 13:33 2015-02-12-133315
drwxr-xr-x@ 3 root wheel 102 Feb 12 13:33 2015-02-12-131556
drwxr-xr-x@ 3 root wheel 102 Feb 12 13:33 2015-02-12-121048
drwxr-xr-x@ 3 root wheel 102 Feb 12 13:33 2015-02-12-110921
drwxr-xr-x@ 3 root wheel 102 Feb 12 13:33 2015-02-12-110250

Other tools to install on your analysis Mac
I have MacPorts installed to bring in many other tools such as john, nmap, netcat, etc, that are not native to OsX.
I also recently installed Homebrew to facilitate installation of the community version of Metasploit. It was not the easiest install, but with the help of some useful top pages I got it working.

TIP: make sure the nokogiri ruby gem, libiconv and libxml all install correctly.
My command sequence was like this:
brew install libxml2 libxslt libiconv
NOKOGIRI_USE_SYSTEM_LIBRARIES=1 gem install nokogiri -- --use-system-libraries --with-iconv-dir="$(brew --prefix libiconv)" --with-xml2-config="$(brew --prefix libxml2)/bin/xml2-config" --with-xslt-config="$(brew --prefix libxslt)/bin/xslt-config"
