Creating an OS X Live IR CD-ROM

About a year ago, I built my first OS X live response CD-ROM, and I'm still not aware of any free tools to do this. I have heard that the Raptor CD-ROM is great for booting a machine that is powered off, but most of the time I'm dealing with live systems that need live analysis. Let's cover the basics so you can create your own.

Static Binaries

OS X does not ship static binaries; everything is dynamically linked against dylibs and frameworks. When building your incident response disk, you must copy the binaries to the CD-ROM along with the libraries they load, so that your tools never pull code from the suspect system's copies. This topic has been covered many times for Linux, but not for OS X. Make sure the machine you collect the binaries from is a trusted one. I used a freshly loaded and patched laptop to do this.

The Linux command that lists the libraries a binary uses is ldd. It is not available on OS X, but there is a similar tool, otool, which is part of the free Xcode toolkit. Running otool -L /bin/ps lists the libraries /bin/ps links against. Note that otool -L only shows direct dependencies: each dylib or framework it lists has dependencies of its own (run otool -L on the library too), and every one of them has to end up on the disk or the tool will fail to load on the target.

When I upgraded my laptop to Snow Leopard I was unsure whether I would need to rebuild the set of binaries for the new OS version, but when testing this I did not receive any errors. I have not tried running the 10.6 binaries on a 10.5 system, so I'm not sure whether there would be any backward compatibility issues. I recently tried to run the universal desktop binaries on an OS X 10.4 server, but was not able to run them. This is a problem I'm going to look at when I get a little more time. The temporary fix is to create separate binaries folders if you need both desktop and server binaries. This may be the only solution to this problem, but I'll let you know once I've tested more.

What binaries to include?

To decide which commands should be run, refer to the previous post on what to collect. Additionally, Apple's Command Line Administration guide is a great place to learn how to get the data you want out of the system.

ps
lsof
netstat
ifconfig
route
ipfw
cat
echo
vi
fdisk
mmls
fls
sed
screen
dd
dcfldd
bash
awk
date
hostname
who
arp
serversetup
macrobber
PlistBuddy
df
du
mount
find
crontab
less
md5
sha1
gzip
tar
kextstat
system_profiler
vmmap
ls
disktool
which

Automation of disk creation

I have created a small script that takes a list of binaries, like the one above, finds the libraries each one needs, copies everything into a bin folder and a lib folder, and renames each binary to IR_filename. Renaming the binaries makes it easy to tell, in process listings and shell history, which commands were run by the responder rather than by the system or the intruder. This saves time while you are reviewing the output and keeps you from chasing your own tail. To run the script, call it with the path of the file that lists the binaries you want on the disk.

#./mac-ir-create.sh /Users/demo/filelist.txt

#!/bin/bash
#Created by:Tom Webb
#Version 0.1
#usage mac-ir-create.sh filelist

#Error if no file given
if [ -z "$1" ]; then
 echo -e "\nUsage: `basename $0` /path/to/file list"
 exit 1
fi

#Error if not sudo/root
if [[ $EUID -ne 0 ]]; then
 echo "You must be root/sudo to run the script"
 exit 1;
fi

echo "Enter the path where you want the /bin and /lib folders to be created"
read IR_LOCATION

#Setup DIR PATH
mkdir -p "$IR_LOCATION/bin"
mkdir -p "$IR_LOCATION/lib"

while read line; do

 #which searches $PATH, so tools installed under /usr/local/bin (dcfldd, mmls, fls) are found;
 #whereis only looks in the fixed directories listed by sysctl user.cs_path
 FIND_BIN=`which $line` #Find the location of the binary file
 if  [ -z "$FIND_BIN" ]; then #if results empty
    echo "$line is not installed or in your path"
 else
   cp "$FIND_BIN" "$IR_LOCATION/bin/IR_$line" #Copies binary file to the new directory and renames it
   #otool -L prints the binary name on line 1, then one tab-indented line per required library;
   #drop line 1 and keep only the path (first field) of each remaining line
   for i in `otool -L "$FIND_BIN" | sed '1d' | awk '{print $1}'`;
   do
      cp "$i" "$IR_LOCATION/lib" #Copies the library file to the new IR Location for each library
   done
 fi
done <"$1" #Use file from command line argument
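The script above copies only the libraries each binary names directly. Each of those dylibs has dependencies of its own, and dyld needs all of them to be on the disk. The script below is an added example, not part of the original post: it follows otool -L recursively to produce the full dependency closure of a binary, and either prints it or copies it flat into a lib directory the way mac-ir-create.sh does. It assumes otool is on the PATH of the trusted build machine; the file name resolve-dylibs.sh and the function names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: list (or copy) the *transitive*
# dynamic-library closure of a Mach-O binary using otool -L.  mac-ir-create.sh
# copies only the libraries a binary names directly; if one of those dylibs
# needs another dylib that is not on the disk, dyld refuses to load the IR_
# tool on the target.  Function names here are this example's own.
#
# Usage: ./resolve-dylibs.sh /bin/ps                 # print the closure
#        ./resolve-dylibs.sh /bin/ps /tmp/ir/lib     # copy it into lib/

# Read `otool -L` output on stdin and print one dependency path per line.
# otool prints the file name first ("/bin/ps:"), then one tab-indented line per
# library: "<path> (compatibility version X, current version Y)".  Drop the
# header and keep only the first field of each remaining line.
parse_otool_deps() {
    sed '1d' | awk 'NF { print $1 }'
}

# SEEN holds every path already emitted, wrapped in "|" so a substring match is
# exact.  It makes each shared library (libSystem is pulled in by nearly
# everything) come out once, and it stops the recursion on a dylib's own
# install-name line, which otool -L lists as the dylib's first "dependency".
SEEN=""

# list_deps FILE: print the dependency closure of FILE, one absolute path per
# line, in discovery order.  Install names starting with @ (@rpath,
# @executable_path, @loader_path) are resolved relative to the loading binary,
# so they are reported on stderr for manual handling instead of followed.
list_deps() {
    local dep
    for dep in $(otool -L "$1" | parse_otool_deps); do
        case "$SEEN" in *"|$dep|"*) continue ;; esac
        SEEN="$SEEN|$dep|"
        case "$dep" in
            @*) echo "warning: $1 needs $dep (relative install name); copy it by hand" >&2 ;;
            *)  printf '%s\n' "$dep"
                list_deps "$dep" ;;    # recurse into the library's own dependencies
        esac
    done
}

# copy_deps FILE LIBDIR: copy the closure flat into LIBDIR, the way the post's
# script does; dyld searches each DYLD_LIBRARY_PATH directory for the leaf name.
copy_deps() {
    local dep
    mkdir -p "$2"
    for dep in $(SEEN=""; list_deps "$1"); do
        cp "$dep" "$2/"
    done
}

if [ $# -eq 1 ]; then
    list_deps "$1"
elif [ $# -ge 2 ]; then
    copy_deps "$1" "$2"
fi
```

Run it once per binary in your list (or once per IR_ file already in bin) and compare the printed closure with what is in lib; anything printed that is missing from lib is a tool that will not start on the target.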

Response Script

Having a script when doing live response is very important, because executing commands on a running system changes it. With a script, you have a documented list of what was run and accessed on the system; any commands you run outside the script still need to be documented by hand. Consistency is another important advantage. As systems get more complicated, it is becoming harder to remember to collect everything you need before the system is taken offline, and how often you perform IR on a given OS also affects how reliable manual collection is.

After running the script, you should have two directories (bin and lib). We need to do something with these files, so it's time to build a response script. Like all good programmers, start with code someone has already written. Pull down the old Helix CD-ROM; under the static binaries directory is a script called linux-ir.sh. That is the framework I used to build the script included below. One major thing I changed is the order in which data is collected. I recommend following the NIST guidelines in SP 800-86; on page 5-8 they list the order as follows:

1. Network connections
2. Login sessions
3. Contents of memory
4. Running processes
5. Open files
6. Network configuration
7. Operating system time

The Apple Examiner website has a great list of OS X specific items to collect. The best program I've found for scripting the analysis of plist files is PlistBuddy. It can print both binary and XML plists as plain text.

I've created a starter script for gathering information. While it does not include all the commands in the Helix IR script, it covers at least one command for each major category of information that should be gathered. Many times responders will want to use different tools to get the same information and compare the output, or sort it in different ways. You will need to customize it for your needs. The script lists the legacy StartupItems directories; on 10.4 and later, launchd's LaunchDaemons and LaunchAgents directories (under /System/Library, /Library and each user's Library) are the usual persistence locations and are worth adding. If other commands should be added please let me know, and I'll keep updating the script.

#!/bin/bash
#Public MAC-IR.sh
#Version 0.1
#Author:Tom Webb
#usage mac-ir.sh /path/to/folder containing bin and lib directory
#output is to standard out (redirect it to removable media, never to the suspect disk)

if [[ $EUID -ne 0 ]]; then
 echo "You must be root or sudo to run script"
 exit 1;
fi

#Error if no folder given
if [ -z "$1" ]; then
 echo -e "\nUsage: `basename $0` /path/to/folder containing bin and lib directory"
 exit 1
fi

if [[ ! -d "$1/bin" || ! -d "$1/lib" ]]; then
 echo "$1 does not contain bin and lib directories"
 exit 1;
fi

BINDIR="$1/bin" #$1 is command line argument for path
#OS X's dynamic linker (dyld) ignores LD_LIBRARY_PATH. DYLD_LIBRARY_PATH is searched
#before the system library locations, so the IR_ tools load the trusted copies from
#the disk. Both variables must be exported or the IR_ child processes never see them.
export DYLD_LIBRARY_PATH="$1/lib"
export PATH="$BINDIR"

IR_echo "========="
IR_echo "Start Date:"
IR_echo "========="
IR_date
IR_echo

IR_echo "========="
IR_echo "hostname:"
IR_echo "========="
IR_hostname
IR_echo

IR_echo "==================================="
IR_echo "netstat output(current connections)"
IR_echo "==================================="
IR_netstat -an
IR_echo

IR_echo "==================================="
IR_echo "lsof -i Network Connections"
IR_echo "==================================="
IR_lsof -i
IR_echo

IR_echo "=========================="
IR_echo "currently logged in users:"
IR_echo "=========================="
IR_who
IR_echo

IR_echo "=========================="
IR_echo "List of running processes:"
IR_echo "=========================="
IR_ps auxwww
IR_echo

IR_echo "=========================="
IR_echo "Memory Mapping of all Processes"
IR_echo "=========================="
for i in `IR_ps -axo pid=`; do IR_vmmap $i ; done #pid= prints bare PIDs with no header line, so vmmap is never handed the word "PID"
IR_echo

IR_echo "============"
IR_echo "List of open files:"
IR_echo "============"
IR_lsof
IR_echo

IR_echo
IR_echo "======================"
IR_echo "serversetup -getDefaultDNSServer :"
IR_echo "======================"
IR_serversetup -getDefaultDNSServer *
IR_echo

IR_echo "=============="
IR_echo "routing table:"
IR_echo "=============="
IR_netstat -rn
IR_echo

IR_echo "=================="
IR_echo "arp table entries:"
IR_echo "=================="
IR_arp -an
IR_echo

IR_echo "======================"
IR_echo "Network interface info"
IR_echo "======================"
IR_ifconfig -a
IR_echo
IR_ifconfig -L
IR_echo

IR_echo "======================"
IR_echo "Mount"
IR_echo "======================"
IR_mount
IR_echo

IR_echo "======================"
IR_echo "disktool"
IR_echo "======================"
IR_disktool -l
IR_echo

IR_echo "======================"
IR_echo "macrobber"
IR_echo "======================"
IR_macrobber /
IR_echo

IR_echo "======================"
IR_echo "LS -LAR /System/Library/StartupItems"
IR_echo "======================"
IR_ls -laR /System/Library/StartupItems
IR_echo

IR_echo "======================"
IR_echo "LS -LAR /Library/StartupItems"
IR_echo "======================"
IR_ls -laR /Library/StartupItems
IR_echo

IR_echo "=============================================="
IR_echo "/etc/hosts.allow"
IR_echo "=============================================="
IR_cat /etc/hosts.allow
IR_echo

IR_echo "=============================================="
IR_echo "cat /etc/passwd"
IR_echo "=============================================="
IR_cat /etc/passwd
IR_echo

IR_echo "=============================================="
IR_echo "cat /etc/group"
IR_echo "=============================================="
IR_cat /etc/group
IR_echo

IR_echo "==========="
IR_echo "   fstab   "
IR_echo "==========="
IR_cat /etc/fstab
IR_echo

IR_echo "==========="
IR_echo "SystemVersion.plist"
IR_echo "==========="
IR_PlistBuddy -c  Print /System/Library/CoreServices/SystemVersion.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo "ServerVersion.plist"
IR_echo "==========="
IR_PlistBuddy -c  Print /System/Library/CoreServices/ServerVersion.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo " SoftwareUpdate.plist  (Last softwareupdate)    "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.SoftwareUpdate.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo " /Library/Preferences/com.apple.preferences.accounts.plist  "
IR_echo "List of Deleted User Accounts "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.preferences.accounts.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo "Safari LastSession.plist for each user"
IR_echo "==========="
for i in `IR_ls /Users`; do #Each entry under /Users is treated as a user home directory
 IR_echo "User $i"
 IR_PlistBuddy -c Print /Users/$i/Library/Safari/LastSession.plist
 IR_echo
done

IR_echo "==========="
IR_echo " /Library/Preferences/com.apple.alf.plist"
IR_echo "Firewall settings "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.alf.plist
IR_echo
IR_echo

IR_echo "========="
IR_echo "End Date:"
IR_echo "========="
IR_date
IR_echo

Finishing Up

Let's make sure you have everything ready to burn to a disc. The file permissions need to be correct: the copied binaries and libraries must be readable and executable by everyone. In the example below, my bin and lib directories are in /tmp/ir.

#chmod  -R 755  /tmp/ir

Now burn the bin and lib directories, along with mac-ir.sh, to the disc. Once it's burned, we need to test it.

1. Launch terminal.

This is under Applications -> Utilities -> Terminal

2. Find out your mounted CD-ROM drive.  From Terminal:

$mount |grep cd9660

/dev/disk1s0 on /Volumes/ir_1.0 (cd9660, local, nodev, nosuid, read-only, noowners)

3. Change directory to your cd mount

$cd /Volumes/ir_1.0

4. Determine where you want to output your results. You should not write the output to the system you are doing analysis on. I always carry two drives when doing analysis one small flash drive to dump volatile data and a large one for the disk image. You can also shoot the data across the network using cryptcat.

5. Run the script (this example redirects the output to a removable drive mounted at /Volumes/usb, into the file ir.txt)

$sudo ./mac-ir.sh /Volumes/ir_1.0  >/Volumes/usb/ir.txt

6. Before you shut down the system, ALWAYS confirm that the script worked by checking the results file. It is also worth confirming once, on a test machine, that the IR_ tools really load the disc's libraries and not the host's: dyld prints every library it loads when DYLD_PRINT_LIBRARIES is set, and every path it prints should be under the disc's lib directory.

$DYLD_LIBRARY_PATH=/Volumes/ir_1.0/lib DYLD_PRINT_LIBRARIES=1 /Volumes/ir_1.0/bin/IR_hostname

14 thoughts on "Creating an OS X Live IR CD-ROM"

    echo6 said:
    August 13, 2010 at 5:28 pm

    Awesome stuff, many thanks for your time and effort and sharing this with the community.

    Rob Dewhirst said:
    September 2, 2010 at 3:55 am

    This will save a lot of people a lot of work and research, especially me – as I was planning to try building a homegrown Mac OS X IR CD on my own just this week. Much thanks for your work on this.

    One question: Shouldn’t we be bringing Terminal.app (or even iTerm) with us as well on our IR CD? In the example above it implies your just testing your CD, but I was wondering if you tried this and it didn’t work (though I can’t think of a reason that wouldn’t work).

      twsecblog said:
      September 2, 2010 at 8:44 pm

      That’s a great point and I missed that. I haven’t tried any of the .app before, but here is what I did and it seemed to work. This needs to be tested more.

      You will need to add the open command to the list of files needed.

      otool actually needs the binary file to find the libraries which is located in the /Contents/MacOS/ in the Terminal.app folder. My normal script will not work for that so you’ll have to do that manually.

      #for i in `otool -L /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal |sed '1d' | cut -d ' ' -f1`; do cp $i /tmp/ir/lib; done
      This copies the file to /tmp/ir/lib

      Then you will need to copy the entire Terminal.app folder to you IR folder.

      #cp -r /Applications/Utilities/Terminal.app /tmp/ir/

      Script to open a safe terminal with known good libraries.
      ---------
      #!/bin/bash
      #safe_terminal.sh
      #Usage: ./safe_terminal.sh /path/to/ir/folder
      #This opens a safe terminal to run the mac-ir.sh
      BINDIR="$1/bin" #$1 is command line argument for path
      export DYLD_LIBRARY_PATH="$1/lib" #OS X's dyld reads DYLD_LIBRARY_PATH, not LD_LIBRARY_PATH
      export PATH="$BINDIR"

      IR_open "$1/Terminal.app" #open was copied by mac-ir-create.sh, which renames it IR_open
      --------------------

      Of course you could just copy the app Terminal.app file to the disk and run it, but it would be using local libraries and not the known good.

    Rob Dewhirst said:
    October 7, 2010 at 2:26 pm

    It looks like whereis doesn’t find all the binaries (at least on my system) but which does.

    rob:~ robd$ whereis dcfldd
    rob:~ robd$ which dcfldd
    /usr/local/bin/dcfldd
    rob:~ robd$ whereis ps
    /bin/ps
    rob:~ robd$ which ps
    /bin/ps

      twsecblog said:
      October 11, 2010 at 1:31 pm

      If you look at the man page for whereis it uses a static list of directories looking for the installed binaries. To see what is in the path for whereis run the following command:
      #sysctl user.cs_path
      user.cs_path = /usr/bin:/bin:/usr/sbin:/sbin

      I tried to add something to the path of user.cs_path, but was not successful.

      Which looks for everything in $PATH. So you could replace whereis with which in the script, that should be a quick fix. I haven't had a chance to test it, but let me know if you run into any more issues.

    Paul said:
    October 21, 2010 at 3:53 pm

    I am having trouble compiling your mac-ir.sh script. What version of Apple Script Editor are you using? Do you have the default preferences selected? It seems that Version 2.3 (118) is choking on quotes.

      twsecblog said:
      October 21, 2010 at 6:52 pm

      Paul,
      The script is not an AppleScript, it's a bash script. It should be run from the terminal. Once you start terminal you need to change your rights to the Root user.
      -From the $ prompt in terminal type “sudo -s” then enter your password.
      -Next you’ll need to change directories to the location of the script.
      -You'll need to make sure that the script is executable. Run the command below:
      #chmod 700 mac-ir.sh
      -Then run the script
      #./mac-ir.sh

      Let me know if this works for you.

        Paul said:
        October 21, 2010 at 7:29 pm

        Thank you. I followed the instructions but I was never prompted for an IR path and the prompt immediately returned to an empty command prompt. I am not sure what is going on.

        I copied the script from this website to a TextEdit file. I saved the file and then renamed the extension to .sh.

        From the $ prompt in terminal type “sudo -s” then enter your password.
        -Next you’ll need to change directories to the location of the script. (I changed directories to the desktop where the script is located)
        -You'll need to make sure that the script is executable. Run the command below:
        #chmod 700 mac-ir.sh (I did this)
        -Then run the script
        #./mac-ir.sh (I ran this as is)

        Please advise. I haven’t done much scripting so I appreciate your patience!

        Thank you!

      twsecblog said:
      October 22, 2010 at 8:46 pm

      Paul,

      Are you getting an error when you run the script? Also do you have the line numbers in the script? If so, you will need to remove them. On the top right corner of the code, you can click the icon copy to clipboard. That will give you a clean copy of the code.

        Paul said:
        October 23, 2010 at 1:27 pm

        I used the copy feature you mentioned and there are no line numbers in the file I am executing. I am executing the script through the terminal and no error comes up. Once I hit enter an empty command line came up. It appears it executed but after looking at the code I was never prompted for a path to copy the files…

        twsecblog said:
        October 25, 2010 at 2:17 pm

        Paul,

        At the top of the script change #!/bin/bash to #!/bin/bash -x. This will put the script in debug mode. Then run the script #./ir_script.sh >/tmp/test 2>&1. This will put all results of the script into the file /tmp/test. If this is just a test system, and the results are safe to post on the site, go ahead. If not, let me know and we can finish up through email.

    Brian said:
    October 23, 2010 at 11:13 am

    Osx Is hard to understand.
    thanks for the tip,
    Will be following this one
