Mac OS X Forensics: Mac OS x yOSEMITE and iOS Handoff
Progress and Roadblocks
Our team has made a lot of progress over the months since the start of this project. We were able to find a list of Mac OS X Lion artifacts and their location used in a OS X Lion Artifact report by Sean Cavanaugh . We used this list as our initial starting point and point of reference for our data generation. The plan was to to generate all the artifacts in this list in order to compare it to OS X Yoesmite and create a lit of our own. We used a virtual machine (VM) with the program VMware Fusion, running Yosemite 10.10 for the data generation. We were able to copy the VM we used for the data generation over to a Windows machine and use FTK Imager to create an e01 image of the VM to be analyzed in FTK.
Once the data generation was done for the Mac OS X Forensics section of this project, our team was split up: two members to continue on with Mac OS X Forensics to find the default locations of the artifacts and the other two members to start up the iOS Handoff section of the project. The Mac OS X Forensics section is going great. Currently, we are going through the image of the data gen VM and are finding the locations of the artifacts. The locations are being documented with screenshots. While looking for the artifact locations we found that some of the artifacts on the OS X Lion artifact list were not generated so we are currently revisiting the VM to generate the last of the artifacts before we continue on with the analysis.
Below is a snippet of the OS X Lion artifact list with our findings in OS X Yosemite. Most artifacts are being found to have the same locations as in Lion but some are different which are highlighted in blue
Again, this is just a snippet of the artifact list and there are a lot more to be looked at. We are going to be following this format to show which locations have stayed the same, and which have changed. This artifact list will be included in our report, along with screenshots of these locations in the file system.
The iOS Handoff section hit a roadblock. We found that the iOS handoff feature was not able to work in a VM. We decided to use physical Macs for this section of the project instead. The devices were are going to use are an iMac desktop, MacBook Air laptop, an iPhone 5, and an iPad Air. We are currently getting these devices set-up to generate data with iOS Handoff compatible apps. Our team did some research on what apps are compatible with iOS Handoff and found that besides Apple proprietary apps, there are a handful of third party apps compatible. Here is there list of apps we are going to generate data with:
CONCLUSION
A lot of the artifact location in OS X Yosemite are being found and documented, we will be working through the roadblock with iOS Handoff to keep it on track. Moving forward we are going to finish finding all the artifact locations, generate iOS Handoff data with the compatible apps, and look for any evidence the Handoff feature leaves behind on devices.