[Pac4Mac] Forensics Framework for Mac OS X

Pac4Mac (Plug And Check for Mac OS X) is a portable forensics framework (launched from USB storage) that extracts and analyzes session information, highlighting the real risks in terms of information leakage (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check the security of your Mac OS X system or to help you during a forensic investigation.

Mindmap Pac4Mac features (PDF format)


[*] Developed in Python 2.x (natively supported)
[*] Framework usage
[*] Support of OS X 10.6, 10.7, 10.8 and 10.9 (not tested)

[*] Data extraction through:

  • User or Root access
  • Single Mode access
  • Target Mode access (Storage media by Firewire or Thunderbolt)

[*] 3 dumping modes: Quick, Forensics, Advanced:
  • Dumping Users / User Admin
  • Dumping Mac's Identity (os version, owner)
  • Dumping Miscellaneous files
    (Address book, Trash, Bash history, stickies, LSQuarantine, AddressBook,
    Safari Webpage Preview, Office Auto Recovery, WiFi access history, …)
  • Dumping content of current Keychain (security cmd + securityd process)
  • Dumping Users Keychains
  • Dumping System Keychains
  • Dumping password Hashes
  • Live cracking of password hashes
  • Dumping Browser Cookies (Safari, Chrome, Firefox, Opera)
  • Dumping Browser Places (Safari, Chrome, Firefox, Opera)
  • Dumping Browser Downloads history (Safari, Chrome, Firefox, Opera)
  • Dumping printed files
  • Dumping iOS files backups
  • Dumping Calendar and Reminders / Displaying secrets
  • Dumping Skype messages / Displaying secrets on demand
  • Dumping iChat, Messages(.app), Adium messages
  • Dumping Emails content (only text)
  • Dumping Emails content of all or special Mail Boxes
  • Adding root user
  • Dumping RAM
  • Cloning local Disk
  • Dumping system logs, install, audit, firewall

[*] DMA access features (exploitation of Firewire and Thunderbolt interfaces)
  • Unlock or bypass by writing into RAM
  • Dumping RAM content
  • Exploit extracted data (see Analysis module)

[*] Analysis module to easily exploit data extracted by one of the dumping modes:
  • Exploit Browser History[*] x 4 (Displaying recordings, Local copy for usurpation)
  • Exploit Browser Cookies[*] x 4 (Displaying recordings, Local copy for usurpation)
  • Display Browser Downloads[*] x 4 (Displaying recordings)
  • Exploit Skype Messages[*] (Displaying/Recording all recorded messages, with secret information or containing a special keyword)
  • Exploit iChat, Messages(.app), Adium messages (in the next version)
  • Exploit Calendar Cache[*] (Display/Recording all recorded entries, with secret information or containing a special keyword)
  • Exploit Email Messages (Displaying/Recording all recorded messages, with secret information or containing a special keyword)
  • Exploit RAM memory Dump[*] (Searching Apple system/applications/Web Passwords)
  • Exploit Keychains[*] (Display content Keychain, Crack Keychain files)
  • Crack password hashes
  • Exploit iOS files[*] (Accessing iPhone without passcode, reading secrets through iTunes backups)
  • Display Stickies Widgets
  • Display Printed Documents
  • Display prospective passwords (displaying all passwords found during the dump and analysis phases)

[*] Integration of post-intrusion features
  • Hard Disk/RAM image
  • System dump to help analyse a compromise
    • System logs: syslog, install, firewall, audit
    • System usernames
    • Names and creation dates of launched agents, daemons, applications
    • Scheduled tasks
    • Plist of Mac OS X known malwares
    • Loaded drivers
    • Network connections
    • Active Processes
    • Used resources (files, libraries, …)
    • Strange files (SUID, large size, …)
    • Last dates of WiFi connections
  • Integration of CheckOut4Mac to quickly detect recent malicious activity, or whether someone attempted or succeeded in gaining access to your Mac left in your hotel room during your dinner or party (based on USB connections, added users, attempts to unlock the session, access to emails, modification of files, etc.).
    • Source : http://sud0man.blogspot.fr/2013/07/checkout4mac-v01.html
    • Startup activities (Startup dates, Stopping dates, Hibernation dates, Out of hibernation dates)
    • Session activities (Locked session dates, Attempt to unlock session without success, Unlocked session with success)
    • Physical activities (USB connections, USB plugged devices, File system events, Firewire connections with another machine or storage media, Firewire connections to dump RAM)
    • Privilege escalation activities (Opened/Closed TTY terminals, ROOT commands executed with success, Attempt to execute commands with SUDO without success, User, password modification and creation)
    • Applications activities (Opened applications)
    • File activities (Modified files like autorun App, LaunchAgents or LaunchDaemons, Added files like trojan or malware App, Accessed files like your secret files, Accessed Mails last access dates)
    • Network activities (Ethernet/WiFi connections, WiFi access points (last connection dates))
[*] Each launched action is logged and can be easily reviewed
[*] Easy to add a new target (file, directory, user, command, …) to extract (with db files and functions)
[*] All passwords found during dump or analysis are displayed
[*] All passwords found during dump or analysis are stored in a common database (human-readable format) and used for the next steps
[*] Multi-users extraction (from root session, single mode and Target Mode)
[*] Support of 4 browsers (Safari, Chrome, Firefox, Opera)
[*] Multi-profiles extraction (eg: Firefox, Skype)
