Passwords in Mac Memory

Folks who have been doing Mac forensics for a while may remember that the keyword "longname" could be used to find a user's login password in a memory image.  This changed with OS X Lion (I believe).  All is not lost, I have had luck finding the login password (usually my own) by searching for the following  keyword in a memory capture:

 "XpasswordZrecordtypeXfuncnameZrecordnameX"

I have reliably found the above on a few machines but I can't say for sure if it is the norm.

There is a bit of chicken and egg with this though, without the user's password you will most likely not be able to collect a memory image in the first place.  I've not been able to dig into this much deeper but my attempts to find this keyword in memory collected via Firewire or on boot have come up short. Given the difficultly collecting a live memory image (not a bad thing from a security perspective) its hard to think of many use cases for this keyword except:

 1) In cases where the user has allowed you to collect memory (knowingly or unknowingly) but has not overtly given you their password. 

2) Using an exploit to allow a memory image without user authorization (a questionable tactic at best).

3)  The password is found in a Firewire memory image (locked the heck down now) or RAM image collected at boot. (I've not had luck in either case).

If you have had luck with any of the above or have a more reliable keyword please let me know...



Popular posts from this blog

OS X Location Information: Where Has That MacBook Been?

Image
Readers may remember small tempest created when the consolidated.db (later renamed) file was discovered in Apple’s iOS tracking the phones location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X.    Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with, an often empty, consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes: WiFi Access Point (WAP) MAC Address  Latitude and Longitude  Time Stamp Data WiFi Channel Information Assuming Location Services is turned on and used (by the Maps app for example) the database should look something like this: The WiFi access points found in the database don’t necessarily reflect t
Read more

Malware Fingerprinting

My malware fingerprinting arrival was finally published in the very excelent Excelcior College Cyber security Journal: http://ecwp.s3.amazonaws.com/wp-content/uploads/sites/34/2016/11/nci-journal-vol-2-no-3.pdf
Read more

McVey’s 37 Questions for a SOC

The Basics: Do you have… 1. Authority to operate, a defined scope of operation, authority to act 2. Enough staff to meet the desired scope of operation 3. Accurate inventory of endpoints (hosts and serves) 4. Accurate inventory of networks, their design and use 5. Accurate inventory of egress points, VPNs, DMZs, externally accessible servers, and externally hosted resources (“the cloud”) 6. Contact lists for groups of users (departments, offices, etc.), system owners, other IT teams, service providers, and external response organizations 7.  A list of high value assets and the data they hold (PII, financial data, HIPPA, etc.)     Visibility: What is your access to…  8. Logs (Active Directory, DHCP, DNS, firewall, proxy, servers, VPN, etc.) 9. Flow data (source, destination, ports, session time, volume, etc.) 10. Endpoints (disk, memory, and proces
Read more