Mac OS Lion Memory Forensics


8/4/2019 Mac OS Lion Memory Forensics 1/11

4/19/12

Copyright 2011 Todd Garrison.

This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License.

To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

Overview

Mac OS 10.7 (Lion) includes a full-volume encryption product called FileVault 2.
  o It is possible to use IEEE 1394/Firewire to extract a user's password from the RAM of a running system, and in most cases a sleeping system once it has been woken up.
  o This password can be used to decrypt the volume, or to log in to the system.
  o Using Firewire in this manner is a well-known method of gaining access to an operating system, with published attack methods dating back to 2004.

Lion uses a set of countermeasures designed to prevent this attack.
  o There are weaknesses in the implementation.

Default settings allow the protections to be bypassed.
  o Changes to three settings can protect against the attack in most cases.


Tools to Extract RAM

libforensic1394
  o Written by Freddie Witherden and released in 2010.
  o Available at: https://freddie.witherden.org/tools/libforensic1394/
  o Python and C library that works on Linux (JuJu Firewire stack) and Mac OS (IOKit libraries).
  o Does not supply programs to perform capture, so a Python script was written to perform capture. Available at: http://www.frameloss.org/wp-content/uploads/2011/09/ramdump.py.gz

pythonraw1394
  o Written by Adam Boileau and released in 2006.
  o Original website no longer available, mirrored copy at: http://www.frameloss.org/wp-content/uploads/2011/09/pythonraw1394-1.0.tgz

Applicability

The attack is possible in most system states.
  o The user has logged off of the system.
  o The system has been locked via the screensaver, User Switching is enabled (default setting), and there is more than one user account on the system.
  o The system has been booted, but a user has not logged in.
    - Not a default system configuration when FileVault 2 is enabled.
    - Plaintext passwords are not available; SHA2-512 hashes are in RAM.

When do the countermeasures apply?
  o When the screen saver is active and requires a password.
    - Can be bypassed by selecting Switch User (if available).
  o When the system is requesting authentication to gain access to the full-volume encryption key.


Can the System be Imaged?

[Flowchart on the original slide; the decision tree below is reconstructed from its labels.]

Connect Firewire cable -> Determine target system state:
  o System booted, not logged in -> Perform RAM capture -> Analyze results
  o User logged in, not locked -> Perform RAM capture -> Analyze results
  o User logged out, at login screen -> Perform RAM capture -> Analyze results
  o User logged in, screensaver locked -> User Switching available?
    - Yes -> Select Switch User on target -> Perform RAM capture -> Analyze results
    - No -> Stop: RAM capture not possible
  o System at pre-boot FileVault 2 login screen -> Stop: RAM capture not possible
  o System hibernated, FVE key removed -> Stop: RAM capture not possible


Protecting Against Firewire DMA

Several settings are suggested, and should protect against most attempts to gain access:
  o Disable the User Switching feature.
  o Configure the system to store RAM to disk and remove power to memory upon entering the sleep state.
  o Configure the system to remove the full-volume encryption key upon sleep.

Other settings:
  o Always use a strong password for every user. Any user's password can be used to decrypt the volume.
  o Do not disable screen locking:
    - Set a reasonable time for automatic locking.
    - Configure the system to sleep if it has been idle for a long time.


Disable User Switching

Can be disabled in System Preferences, Users and Groups, Login Options.
  o Uncheck the "Show fast user switching menu as . . ." option.


Sleep Options

Must be performed as the root user from the Unix shell.
  o Uses the pmset program to change two values:
  o Example:

Option                 Value  Description
destroyfvkeyonstandby  1      Removes the full-volume encryption key from RAM when the system is put into sleep mode; dependent on the value of hibernatemode.
hibernatemode          25     Forces the system to immediately write RAM to disk and remove power from memory upon sleep.
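The following is an added example, not a script from the original slides or from the author: a POSIX shell audit of the three settings the deck recommends (the two pmset values on this slide plus the fast user switching setting from the previous slide), printing what deviates and the command that fixes it. `pmset -g` and `pmset -a` are real macOS commands; the `defaults` preference key `MultipleSessionEnabled` for the fast user switching checkbox is an assumption that should be verified on the target OS version, and the two `pmset -g` outputs embedded below are constructed samples so the check logic runs on any POSIX shell without a Mac.

```shell
#!/bin/sh
# Added example (not from the original deck): audit a Mac against the
# recommended settings hibernatemode 25, destroyfvkeyonstandby 1 and fast
# user switching disabled. The live-system part only runs when pmset exists.

# Constructed sample of `pmset -g` output with Lion's default sleep settings.
SAMPLE_DEFAULT="Currently in use:
 hibernatemode        3
 destroyfvkeyonstandby 0
 sleep                10"

# Constructed sample after the deck's recommended values have been applied.
SAMPLE_HARDENED="Currently in use:
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10"

# Print the value of one key from `pmset -g` style output (empty if absent).
# Usage: pmset_value "$output" hibernatemode
pmset_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Compare "$1" (pmset -g output) and "$2" (fast user switching preference,
# 0 = disabled) against the recommendation. Prints one line per deviation
# with the fix, and returns the number of deviations (0 = fully hardened).
hardening_report() {
    issues=0
    for pair in hibernatemode:25 destroyfvkeyonstandby:1; do
        key=${pair%%:*}
        want=${pair#*:}
        have=$(pmset_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key is '${have:-unset}', recommended $want (sudo pmset -a $key $want)"
            issues=$((issues + 1))
        fi
    done
    # Fast user switching is on by default, so anything other than an
    # explicit 0 counts as still enabled.
    if [ "$2" != "0" ]; then
        echo "fast user switching is enabled; uncheck it in System Preferences > Users and Groups > Login Options"
        issues=$((issues + 1))
    fi
    return $issues
}

# Live check, only when the macOS tools are present (run as root on the Mac).
if command -v pmset >/dev/null 2>&1; then
    # Assumed preference key for the "Show fast user switching menu" checkbox;
    # `defaults read` prints nothing and exits non-zero when the key is unset.
    fus=$(defaults read /Library/Preferences/.GlobalPreferences MultipleSessionEnabled 2>/dev/null || true)
    if hardening_report "$(pmset -g)" "$fus"; then
        echo "all three recommended settings are in place"
    fi
fi
```

The return value doubles as a count, so a configuration-management job can treat any non-zero exit as a drift. Note that hibernatemode 25 makes every sleep a full hibernate (RAM written to disk, memory unpowered), so wake-up is slower than with the default mode; that is the cost of having the full-volume encryption key removed from RAM as the deck describes.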


Conclusion

Encryption products are designed to protect data when a third party gains physical access to a computer.
  o Unfortunately, the system is not secure when using the default settings.
  o It is simple to configure the system in a secure state.

It may be possible for Apple to extend the restrictions for Firewire DMA, but for now it is suggested that the recommended configuration options be set on computers containing confidential information.
  o There are also other interfaces (such as Thunderbolt and SDXC) that may


Bibliography

1394-2008 - IEEE Standard for a High-Performance Serial Bus. (2008). IEEE Standards Association.

Apple - OS X Lion - The world's most advanced OS. (n.d.). Retrieved September 17, 2011, from http://www.apple.com/macosx/

Apple - Thunderbolt: Next-generation high-speed I/O technology. (n.d.). Retrieved September 17, 2011, from http://www.apple.com/macosx/