
If you have ever plugged a USB drive into a Mac, done some things, then plugged it into a Windows system, you have no doubt seen (if you have hidden files shown) various '.DS_Store' files (among others) strewn throughout the folders on the drive. Though essentially useless to a Windows system, they do serve a particular purpose for Finder on macOS, whatever file system they happen to land on.

While I won't re-invent the wheel on describing 'What is a .DS_Store File?' (here as well), I would like to highlight its possible use for DFIR in containing/referencing artifacts that may be useful to investigations – traces of deleted files, with filenames and sometimes paths!

In a nutshell, the .DS_Store file stores metadata used by Finder for folder-specific display options such as window placement, layout, custom icons, background, etc. Finder writes one into a folder that is viewed using the 'Icons', 'List', or 'Gallery' views; the file's records describe both the folder's own view settings and the individual items inside that folder. Note that no .DS_Store file is created when viewing a folder in the 'Columns' view. For example, if you opened your ~/Music/iTunes/ folder in Finder in 'Gallery' view, a .DS_Store file would be created at ~/Music/iTunes/.DS_Store.

Thus, these .DS_Store files are (theoretically) created in every folder that Finder accesses, including remote network shares and external devices. Are those annoying .DS_Store files you see in Windows on your FAT32-formatted thumb drive making more sense now?

A part of this metadata is the filename, which got me to thinking… I wonder whether any traces get left behind when a file is moved or deleted.

For this post/research, I focused solely on the deletion aspect of when a user deletes a file through Finder.

In testing on my systems (OS X 10.10.5 and macOS Sierra 10.12.2), when a file gets 'deleted' through Finder (not via 'rm' on the command line, which is a very different story), it first gets moved to the user's ~/.Trash/ folder. If at least one file already exists within the user's Trash, an entry for the yet-to-be-deleted file is added to the existing ~/.Trash/.DS_Store file, recording the full path on disk where the file resided before being moved to the Trash. This entry is part of how the 'Put Back' feature works. If no files currently exist in the Trash (because the user previously emptied it), I assumed (more on this in a bit) that a new .DS_Store file would be created ('new' meaning a clean, empty file) to again begin storing entries for 'Put Back'.

Upon emptying the Trash (via either 'Empty Trash' or 'Secure Empty Trash'; Apple removed the secure option in OS X 10.11 El Capitan, so it only exists on 10.10 and earlier), the files are deleted from the ~/.Trash/ folder according to the deletion method associated with each action, and the ~/.Trash/.DS_Store file is also 'deleted' (stay tuned for why I put this in quotes). Here is a great little writeup on the HFS+ volume structure and what happens 'When Mac deletes it!'.

At this point, since all of the Trash source files are deleted upon emptying the Trash, we would assume that the .DS_Store file and all of its entries would be deleted as well. But, is this the case?

Answer: Not Quite!

In my testing, while the source data files within the ~/.Trash/ folder appear to be reliably deleted (short of carving the disk), various file and path entries within the ~/.Trash/.DS_Store file do not appear to be deleted! In fact, when you move another file to the Trash, the ~/.Trash/.DS_Store file is re-created and historical entries* are re-populated into the file! Even if you 'Put Back' the file(s), the associated .DS_Store file and entries remain. WIN!


*Note: These appeared to only be files I've deleted since the last reboot of my machine. Rebooting the machine seems to finally remove all historical entries. Various hypotheses of why/how this happens and where these entries come from will be tested later in this post.

We now have the opportunity to identify references to historical file deletions (sometimes with full path)! This doesn't just apply to the Trash's .DS_Store files, either. This applies to any given directory's .DS_Store file that may contain (or have contained) references to files that existed within it.

Pretty AWESOME, right? How many of you are already putting together the 'find' command to identify all the .DS_Store files on your systems?

*Hint (run as root, since other users' ~/.Trash folders are not readable otherwise):

# find / -name .DS_Store

But, we kinda started this whole story at the end, well after I had finished muddling my way through researching and experimenting to find out how to actually parse these .DS_Store files. So, let's rewind a bit…

Upon first look, .DS_Store files aren't exactly straightforward, and they apparently can't be opened with any native system tool or application. There is no native 'ds_store_viewer' utility that simply parses the file information from the command line. So, how would we even go about trying to figure out how to parse this thing?

Well, it turns out the .DS_Store format is documented here. Given its format is published, it's likely a parser already exists for it. But, sometimes I just like to see what I can find myself before I go an easy(er) route. So, how should we start exploring what's inside these files?

Your initial thought may be 'strings!' That's a solid idea to start, let's see what that yields…


[jp@jp-mba (:) ~]$ strings -a ~/.Trash/.DS_Store
Bud1
pptbNustr
gptbLustr
xptbLustr
xptbNustr
gptbNustr
.
DSDB
gptbNustr
gptbLustr
gptbNustr
gptbLustr
gptbNustr
fptbLustr

Well, that was less than useful. Oh, wait… maybe they're Unicode strings instead of ASCII. Let's see what the option is for Unix strings to search for Unicode strings instead of ASCII:

[jp@jp-mba (:) ~]$ man strings

At this point you may already know what I'm about to say – the BSD strings utility does NOT have the capability to search for Unicode strings. See my post 'Know Your Tools: Linux (GNU) vs. Mac (BSD) Command Line Utilities' for more about all of that and why.

Fail.

So, you can go a few different ways here:

  1. Stick with native utilities
  2. Install/use a third-party utility that can identify Unicode strings (particularly big-endian Unicode)
  3. Install/use a third-party utility that can directly read .DS_Store format files

Native Utilities

So, what else might exist that we can use to view strings?

When in doubt, Hex it out!


I typically use two native hex viewers, hexdump and xxd. They are both useful in different ways, but we'll start with hexdump.

Using hexdump, you can dump hex+ASCII by doing the following:

$ hexdump -C <file>

[jp@jp-mba (:) ~]$ hexdump -C ~/.Trash/.DS_Store
00000000  00 00 00 01 42 75 64 31  00 00 38 00 00 00 08 00  |....Bud1..8.....|
00000010  00 00 38 00 00 00 10 0c  00 00 02 09 00 00 20 0c  |..8........... .|
00000020  00 00 30 0b 00 00 00 00  00 00 00 00 00 00 08 00  |..0.............|
00000030  00 00 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 03  00 00 00 01 00 00 00 4e  |...............N|
00000050  00 00 00 04 00 00 10 00  00 65 00 61 00 73 00 65  |.........e.a.s.e|
00000060  00 5f 00 44 00 00 00 00  00 00 00 00 00 00 00 00  |._.D............|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  00 00 00 00 00 00 00 02  00 00 00 02 00 00 00 04  |................|
00000210  00 00 00 30 00 50 00 6c  00 65 00 61 00 73 00 65  |...0.P.l.e.a.s.e|
00000220  00 5f 00 44 00 6f 00 63  00 75 00 53 00 69 00 67  |._.D.o.c.u.S.i.g|
00000230  00 6e 00 5f 00 74 00 68  00 69 00 73 00 5f 00 64  |.n._.t.h.i.s._.d|

Here we see the notable 'Bud1' header followed by readable text with a null byte in front of every character: the filenames are stored as big-endian UTF-16, which is exactly why plain ASCII strings missed them. Score! But, how do we extract JUST the readable text in some effective way? You can mess around with hexdump to try to make sense of the output formats, or you could do like I did and get so overwhelmed at one point that you just use xxd to create this incredibly unpretty, certainly less than efficient, convoluted, but 'working' one-liner:

$ xxd -p <file> | sed 's/00//g' | tr -d '\n' | sed -E 's/([0-9a-f]{2})/0x\1 /g' | xxd -r -p | strings | sed 's/ptb[LN]ustr//g'

Voilà. Strings output from Unicode strings using only the built-in utilities. It is very ugly and it certainly splits at points/lines where it should not: the 'sed s/00//g' step works on the hex text rather than on bytes, so a '00' that straddles two bytes (10 0c becomes '100c' and then '1c') is eaten as well, corrupting whatever sits next to it. But hey… you get what you get. At least you can more legibly make out filenames and paths that could get you somewhere.

This is an ugly hack. I do not recommend it, but sometimes ugly is better than nothing. YMMV.

Note: I would be very interested if someone who is WAY more versed in hexdump output formatting would create a much simpler way of doing the above solely using the hexdump utility.
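The pipeline above works on the hex text rather than on the bytes, which is where its misalignment comes from. Here is the same carve done on raw bytes, as an added example that is not from the original post (Python 3, which you will need to install; the interpreter that shipped with these OS X versions is 2.7). A regex looks for runs of NUL-prefixed printable ASCII at any byte offset, so it does not care that a 1-byte 'bool' record value shifts everything after it by one, and it never picks up the ASCII 'ptbL'/'ustr' record codes the one-liner had to sed away. The sample bytes, record codes, filename and path are constructed for the example; 'dscl' is used as a bool-typed code from the published format description, and the pairwise decoder exists only to show what a decode that pairs bytes from offset 0 misses.

```python
"""Carve UTF-16BE text out of raw bytes: an intact .DS_Store, or a chunk of unallocated
space that used to hold one. Added example, not code from the post. No alignment is
assumed: a Bud1 record can carry a 1-byte 'bool' value, so text after it starts at an
odd offset and a decode that pairs bytes from offset 0 (iconv -f UTF-16BE) never sees it."""
import re


def carve_utf16be(data, min_chars=4):
    """Return (offset, text) for every run of >= min_chars printable-ASCII UTF-16BE units."""
    pattern = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16be")) for m in pattern.finditer(data)]


def naive_pairwise(data, min_chars=4):
    """What a decode that pairs bytes from offset 0 sees: printable runs at even offsets only."""
    text = data[:len(data) & ~1].decode("utf-16be", "replace")
    return re.findall(r"[\x20-\x7e]{%d,}" % min_chars, text)


# Constructed fragment shaped like two Bud1 records: a bool-typed record for "." (dscl is
# one such code) followed by a ptbL record whose strings therefore land at odd offsets.
SAMPLE = (
    b"\x00\x00\x00\x01" + ".".encode("utf-16be") + b"dscl" + b"bool" + b"\x01"
    + b"\x00\x00\x00\x0b" + "report.docx".encode("utf-16be") + b"ptbL" + b"ustr"
    + b"\x00\x00\x00\x18" + "/Users/analyst/Documents".encode("utf-16be")
)

if __name__ == "__main__":  # usage: python carve_utf16.py ~/.Trash/.DS_Store
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, text in carve_utf16be(blob):
        print("0x%06x  %s" % (offset, text))
```

Run it against a whole disk image or an unallocated-space extract as well as against live .DS_Store files; the offsets let you go back to the hex viewer and look at the record around each hit.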

Third-Party Utilities

GNU Strings

Believe it or not, you can install various GNU utilities on your Mac via a handy little thing called Homebrew. It takes a one-line command to install and opens your Mac to a world of new and useful utilities, packaged as 'formulae'. Note that the Xcode Command Line Tools are a prerequisite for installing Homebrew.

For our purposes, we want GNU strings, which is part of the GNU binutils package (not coreutils, which has no strings at all). With Homebrew installed, all it takes is a 'brew install binutils' and we're up and running. Do note that Homebrew installs various GNU utilities with a 'g' prefix to avoid clashing with the BSD versions. For example, the GNU strings utility must be called/run as 'gstrings' (yeah, I laugh a little each time I see that).

Once installed, we now have full GNU strings capabilities, namely for searching big-endian Unicode text, a la the following:

$ gstrings -a -eb <file>

You don't necessarily need the '-a' option that tells strings 'I don't care whether or not you think it's a searchable file, do it anyway', but I add it out of habit of searching files that the system likes to gripe about.

Using FDB

https://digi.ninja/projects/fdb.php

  1. Enter the CPAN shell
    1. $ perl -MCPAN -e shell
  2. Install Mac::Finder::DSStore
    1. cpan[1]> install Mac::Finder::DSStore
  3. Install Switch
    1. cpan[1]> install Switch
  4. Run FDB
    1. $ ./fdb.pl --type ds --filename /Users/<username>/.Trash/.DS_Store --base_url /Users/<username>/

Using ds_store Go Parser


https://github.com/gehaxelt/ds_store

  1. Download and install Go
    1. Download the OS X package from https://golang.org/dl/
  2. Set GOPATH in your shell
    1. One-time (I set mine as follows, but it's up to you)
      1. $ export GOPATH=~/Projects/Go
    2. Permanent
      1. Place the above line in /etc/bashrc
      2. Reload the shell ('source /etc/bashrc') or close and relaunch Terminal
  3. Download the ds_store Go files
    1. $ go get github.com/gehaxelt/ds_store
  4. Change to the directory of the Go project
    1. $ cd $GOPATH/src/github.com/gehaxelt/ds_store
  5. Make a directory for the new program (I named mine 'dsdump', but feel free to alter yours) and cd into it
    1. $ mkdir -p bin/dsdump && cd "$_"
  6. (If not already done) Create a .go file (I named mine dsdump.go) and copy/paste the Example Code from https://github.com/gehaxelt/ds_store into it
    1. $ nano dsdump.go
    2. Copy/paste the Example Code into this file and save it
  7. Build the Go binary (the output is named after the directory, so dsdump here)
    1. $ go build
  8. Run dsdump
    1. $ ./dsdump -i <file>

Note: One of the awesome things about Go is its ability to build static binaries (no additional files needed) for a variety of operating systems. For example, if you wanted to build a binary for a Windows x64 system, you would simply run 'GOOS=windows GOARCH=amd64 go build -o dsdump.exe'. Then, just copy that to whatever Windows x64 system and run it. Pretty sweet, huh?

(Shout out to Slavik at Demisto for quickly getting me up and running with Go before I spent any time looking at documentation.)

— Update 7/31/19 —


Using DSStoreParser

Nicole Ibrahim recently presented at the SANS DFIR Summit on .DS_Store files and pointed us all to a parser she built.

https://github.com/nicoleibrahim/DSStoreParser

Using it is as simple as downloading it and running it (with Python 2.7).

  1. Download the source
    1. $ git clone https://github.com/nicoleibrahim/DSStoreParser.git
  2. Change into the directory
    1. $ cd DSStoreParser
  3. Install the requirements (unicodecsv), if needed
    1. $ pip2.7 install unicodecsv --user
  4. Run it by pointing it to the source folder containing the .DS_Store file(s) you'd like to parse, and provide the output folder for the results
    1. $ python2.7 DSStoreParser.py -s /path/to/source/ -o output_dir/

Comparing the .DS_Store Parsing Solutions

As you can see, there are a variety of useful tools, both native and third-party, that can assist in analyzing .DS_Store files. A hex viewer is invaluable for so many reasons, namely for identifying unknown structures, artifacts, or items within a given file. gstrings offers an easy way to search for the appropriate (big-endian UTF-16) strings with an easily installable pseudo-native utility. fdb lets you specify a 'base_url' to prepend to its results, so the output carries the right path for the given .DS_Store file's location. The ds_store Go parser does the job as well and can be compiled into a portable binary for any major OS, which is handy for a Mac forensics go-kit of sorts. And Nicole's DSStoreParser is a nice, clean Python-based solution that provides a variety of output reports to better assist in seeing/understanding the information contained within the files.

Wrapping It All Up

Regardless of why/how this ~/.Trash/.DS_Store file re-creation occurs (which we'll address in Part 2 of this post) and which option(s) you choose to parse/extract these items, you now have at least one additional DFIR investigation method and artifact to identify previously deleted files that are no longer resident on (allocated) disk.


Though we focused solely on .DS_Store files in this post, do note that it is not just .DS_Store files that can assist in identifying deleted files on a system. There are several other files/areas that should be searched for such investigations; however, I wanted to hone in on analysis of these files as it is possibly lesser known (at least in my research and experience).

At any rate, I hope this can be somehow useful in your investigations moving forward! As usual, YMMV, so I'm interested to hear feedback and stories of if/how this works in the field for everyone.

/JP
