Showing posts with the label OS X

Passwords in Mac Memory

Folks who have been doing Mac forensics for a while may remember that the keyword "longname" could be used to find a user's login password in a memory image. This changed with OS X Lion (I believe). All is not lost: I have had luck finding the login password (usually my own) by searching for the following keyword in a memory capture: "XpasswordZrecordtypeXfuncnameZrecordnameX". I have reliably found the above on a few machines, but I can't say for sure whether it is the norm. There is a bit of a chicken-and-egg problem with this, though: without the user's password you will most likely not be able to collect a memory image in the first place. I've not been able to dig into this much deeper, but my attempts to find this keyword in memory collected via FireWire or on boot have come up short. Given the difficulty of collecting a live memory image (not a bad thing from a security perspective), it's hard to think of many use cases for this keyword except: 1) In c...

Apple Location Service Seed Database

Following my last post, folks may be interested to learn that OS X also ships with a seed database of WAP and other locations (think WiFi access points in and around public places like airports). As part of the Core Location framework, factory.db, a SQLite database, holds WAP MAC addresses and locations. The file is located in: Macintosh HD/System/Library/Frameworks/CoreLocation.framework/Versions/A/Support/ The WifiLocation table holds MAC address, latitude, and longitude information. Other tables may be worth exploring as well. Since this database does not seem to track the location of the device, it is of little use to most people, though if you live around an airport it may be interesting to see whether your WAP is included.

OS X Location Information: Where Has That MacBook Been?

Readers may remember the small tempest created when the consolidated.db (later renamed) file was discovered in Apple's iOS, tracking the phone's location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X. Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with an often empty consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes: WiFi Access Point (WAP) MAC address, latitude and longitude, time stamp data, and WiFi channel information. Assuming Location Services is turned on and used (by the Maps app, for example), the database should look something like this: The WiFi access points found in the database don't ne...