F-Response TACTICAL and OS X Lion

F-Response TACTICAL has long been a valuable tool for live acquisition and analysis of running Mac, Windows or Linux based devices, for a variety of reasons. With the release of Apple’s latest operating system for the Macintosh, 10.7 Lion, F-Response TACTICAL is showing us once again how important live response can be.

OS X 10.7 comes with FileVault2, Apple’s encrypted partition technology, very similar to BitLocker on Windows Vista or Windows 7. Once FileVault2 has been enabled, the entire OS X 10.7 partition becomes encrypted at shutdown. This is quite different from the original FileVault, where only the user’s Home folder was encrypted.

In this article, we will look at the huge value of using F-Response TACTICAL when approaching a running, Lion based Macintosh to gather data while leaving a minimal and known footprint. Recall our first article, F-Response TACTICAL, which discussed the usage of the Subject/Examiner dongles and how to view data on a running Macintosh. Here, we will focus on the encrypted drive and the successful gathering of data from it.

First, on the running Macintosh, plug in the Subject dongle and start the executable. If you have done this successfully, you should have a Terminal window reporting the physical drives, similar to this one:
Figure: Terminal Window - F-Response TACTICAL Subject running on OS X

For more information on what each of the physical disks is, you can launch a second Terminal window and use the ‘diskutil list’ command, as seen in this window capture.
Figure: Terminal Window - Listing all disks and partitions

This Terminal window shows us very interesting data. First, pay attention to the size of disk0 and disk2. They refer to the same drive, but in different states. When a FileVault2 encrypted drive is first booted, the user must enter a password immediately. That password unlocks the encrypted contents: the physical drive appears as disk0, and the decrypted (unlocked) volume is presented, in this case, as disk2. We will see this later in the article. Also, we can see that the user of this Macintosh has a disk4 mounted with the name “Flash Player”. This could be interesting data depending on your case type.
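As an added illustration (not part of the original article or of F-Response's tooling), the following shell helper applies the size heuristic described above to ‘diskutil list’ output: it separates the encrypted CoreStorage physical volume from the unlocked HFS+ volume that backs it, so a responder knows which identifier holds the decrypted data. The sample output is constructed, and the column layout and the Apple_CoreStorage / Apple_HFS type labels are assumed from diskutil's 10.7 format.

```shell
#!/bin/sh
# Constructed sample of `diskutil list` output from a Lion machine with FileVault2
# on (not a capture from the article). Column layout assumed from diskutil's format.
SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         249.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *248.9 GB   disk2
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     Apple_partition_scheme                        *13.1 MB    disk4
   1:                  Apple_HFS Flash Player            12.9 MB    disk4s1'

# classify_disks: reads diskutil output on stdin and prints, one per line:
#   CORESTORAGE_PV <id> <size>      encrypted physical volume (all an offline image sees)
#   UNLOCKED_LV <id> backs <pv-id>  whole-disk HFS+ volume whose size is within 5% of a
#                                   CoreStorage PV, i.e. the decrypted volume to acquire live
#   OTHER_VOLUME <id>               any other HFS+ volume (e.g. a mounted disk image)
classify_disks() {
  awk '
    function to_mb(n, unit) { sub(/^\*/, "", n); return unit == "GB" ? n * 1000 : (unit == "TB" ? n * 1000000 : n + 0) }
    /^\/dev\// || $1 == "#:" || NF == 0 { next }
    $2 == "Apple_CoreStorage" { pv[$NF] = to_mb($(NF-2), $(NF-1)); print "CORESTORAGE_PV", $NF, $(NF-2), $(NF-1); next }
    $1 == "0:" && $2 == "Apple_HFS" { lv[$NF] = to_mb($(NF-2), $(NF-1)); next }
    $2 == "Apple_HFS" { other[$NF] = 1 }
    END {
      for (id in lv) {
        m = ""
        for (p in pv) if (lv[id] <= pv[p] && lv[id] >= pv[p] * 0.95) m = p
        if (m != "") print "UNLOCKED_LV", id, "backs", m; else print "OTHER_VOLUME", id
      }
      for (id in other) print "OTHER_VOLUME", id
    }'
}

# On the live Subject machine you would pipe the real command: diskutil list | classify_disks
printf '%s\n' "$SAMPLE_DISKUTIL" | classify_disks
```

The helper only reads the command's text and changes nothing on the Subject, so it adds nothing to the footprint beyond the Terminal history the article already notes.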

Now, on the same network, launch your Examiner. If Auto Discover is able to locate the running Subject, you will have each of the physical drives populated in your Examiner window, ready for you to make a connection. In this window, I have connected to each of the physical disks and added them to my Windows 7 analysis machine.
Figure: F-Response TACTICAL Examiner Window - Physical Drives connected to Windows

I connected all of the drives out of habit, but for this article, it was truly only necessary to connect to disk0 and disk2.

My tool of choice to examine the attached drives is FTK Imager. It is free, able to recognize the HFS+ file system, and can immediately acquire the disk or individual files/folders if I need them. Let’s add disk0 and disk2 to FTK Imager. I could also have chosen any other tool, such as FTK v3 or BlackLight for Windows, as TACTICAL has simply made a conduit to the physical drives.

We must note the mapping from the Examiner window to do this correctly: disk0 mapped to PhysicalDrive2 and disk2 mapped to PhysicalDrive4. With these mappings in mind, we can successfully add both Physical Disks to FTK Imager and see a window that looks similar to this:
Figure: FTK Imager - disk0 (PhysicalDrive2) and disk2 (PhysicalDrive4) added

Notice disk0 (PhysicalDrive2) and its appearance. It has the layout of a GPT (GUID Partition Table) initialized drive with 3 meaningful partitions. Yet the only partition with any discernible data is the EFI system partition. This is how your analysis would look if you imaged this Macintosh while it was turned off, and your report would be rather short.

Fortunately, we have the Lion based Macintosh running live and have also connected to disk2 (PhysicalDrive4). The contents of this volume are decrypted because the user has logged in and FileVault2 has successfully unlocked the information stored within. This is a much more familiar layout of the Macintosh OS X file system. Using FTK Imager, the analyst is able to look at files/folders and acquire data as needed before the drive is encrypted again at shutdown. All browsing of the running Macintosh is read-only, so there is no concern about altering file date/time stamps, because of F-Response. The known footprint left behind is the system logging, the Terminal window history, and the network connection history.

In summary, F-Response TACTICAL is a superb answer to any situation where live response is necessary. Specifically, with the introduction of FileVault2 in OS X 10.7 Lion, TACTICAL gives us a means to safely gather OS X data in a meaningful way before it becomes encrypted beyond normal means of decryption.

More information about all of the great products from F-Response can be found at their website: www.F-Response.com

You can also find their support files and company blog on their Support and Mission Guides page.