Monday, January 8, 2018

Consulting: Trace Digital Forensics, LLC

I haven't blogged here much recently.  A couple of years back I started a digital forensics consulting firm, Trace Digital Forensics, and have been doing most of my blogging over there.  I'm going to try to get back to posting some security, crypto and IT related content here and will cross-post some of the forensics content.

If you need a digital forensics consultant, email me.  I can handle most cases involving Windows, Mac, Android and iOS. I'm also working on an arrangement to subcontract for audio and video specialty work. I am open to working either side of a case and am happy to evaluate reports from opposing experts and/or recommend lines of questioning. 

Thursday, January 4, 2018

Safari Plugin Forensics - com.apple.Safari.plist

I'm posting this later than promised but this is a slightly revised version of what I submitted for Guidance Software's forensic bug bounty on BugCrowd.

In OS X 10.9, Apple started tracking which sites were configured to play Flash video in the file /Users/[user]/Library/Safari/PlugInOrigins.plist. I originally discovered this while working on a case where a user had been browsing adult websites at work. The user's browser history (if I'm remembering this correctly) did not have any entries showing his visits to these sites, but there was an entry in PlugInOrigins.plist showing that he had enabled Flash for one of them. I eventually found a lot of other material to support the accusation and the user admitted what he had been up to.

As of OS X 10.10, the PlugInOrigins.plist file is no longer used. The setting is now saved in /Users/[user]/Library/Preferences/com.apple.Safari.plist.

The file is stored in binary property list (plist) format and can be converted to readable XML with the command "plutil -convert xml1 com.apple.Safari.plist" (run it against a working copy, since without an output path plutil rewrites the file in place). A sample portion of this file is below. There is an entry for each configured site showing whether Flash should play, not play, or ask the user; the entry also records the date and time the site was last visited. This artifact can be used to show whether a computer or account was used to visit a particular site. For example, the entry in the sample below demonstrates that the computer was used to visit the HBO Now service on August 1st at 5:57 AM GMT.
    <key>com.macromedia.Flash Player.plugin</key>
    <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>play.hbonow.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-08-01T05:57:45Z</date>
                <key>PlugInPageURL</key>
                <string>https://play.hbonow.com/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
This file also contains artifacts for other plug-ins, such as Silverlight, e.g.:
    <key>com.microsoft.SilverlightPlugin</key>
    <dict>
        <key>PlugInDisallowPromptBeforeUseDialog</key>
        <true/>
        <key>PlugInFirstVisitPolicy</key>
        <string>PlugInPolicyBlock</string>
        <key>PlugInHostnamePolicies</key>
        <array>
            <dict>
                <key>PlugInHostname</key>
                <string>amazon.com</string>
                <key>PlugInLastVisitedDate</key>
                <date>2017-07-17T03:20:55Z</date>
                <key>PlugInPageURL</key>
                <string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
                <key>PlugInPolicy</key>
                <string>PlugInPolicyAllowWithSecurityRestrictions</string>
                <key>PlugInRunUnsandboxed</key>
                <false/>
            </dict>
        </array>
Notice in this example that it shows the specific URL that was visited.
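The per-site entries shown above can be pulled out of the file programmatically. The script below is an added example, not code from this post or from Apple. It uses the standard library's plistlib, which reads both binary and XML plists, so it can be pointed at a working copy of com.apple.Safari.plist without the plutil step. Because the post does not show the top-level key under which Safari nests the plug-in dictionaries, the script makes no assumption about it: it walks the whole plist and treats any dictionary that carries a PlugInHostnamePolicies array as a plug-in entry, using the key it was reached through as the plug-in identifier. The embedded sample data is constructed from the two fragments above plus an invented blocked.example entry that exercises the PlugInPolicyBlock ("not play") case.

```python
# Added example (not from the original post): walk a com.apple.Safari.plist and
# list every per-site plug-in policy as a visit timeline. plistlib reads binary
# and XML plists alike, so no plutil conversion of the working copy is needed.
import plistlib
import sys
from datetime import datetime, timezone

# Constructed sample: the Flash and Silverlight fragments from the post plus an
# invented "blocked.example" entry that exercises the PlugInPolicyBlock case.
# The plug-in dicts sit directly under the root here; the post does not show
# Safari's real nesting, and the walker below does not depend on it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.macromedia.Flash Player.plugin</key>
  <dict>
    <key>PlugInHostnamePolicies</key>
    <array>
      <dict>
        <key>PlugInHostname</key><string>play.hbonow.com</string>
        <key>PlugInLastVisitedDate</key><date>2017-08-01T05:57:45Z</date>
        <key>PlugInPageURL</key><string>https://play.hbonow.com/</string>
        <key>PlugInPolicy</key><string>PlugInPolicyAllowWithSecurityRestrictions</string>
      </dict>
      <dict>
        <key>PlugInHostname</key><string>blocked.example</string>
        <key>PlugInLastVisitedDate</key><date>2017-08-02T12:00:00Z</date>
        <key>PlugInPageURL</key><string>https://blocked.example/</string>
        <key>PlugInPolicy</key><string>PlugInPolicyBlock</string>
      </dict>
    </array>
  </dict>
  <key>com.microsoft.SilverlightPlugin</key>
  <dict>
    <key>PlugInHostnamePolicies</key>
    <array>
      <dict>
        <key>PlugInHostname</key><string>amazon.com</string>
        <key>PlugInLastVisitedDate</key><date>2017-07-17T03:20:55Z</date>
        <key>PlugInPageURL</key><string>https://www.amazon.com/Dawn-Planet-Apes-Andy-Serkis/</string>
        <key>PlugInPolicy</key><string>PlugInPolicyAllowWithSecurityRestrictions</string>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""

# PlugInPolicy values seen in the post; anything else is reported verbatim.
POLICY_LABELS = {
    "PlugInPolicyAllowWithSecurityRestrictions": "play (sandboxed)",
    "PlugInPolicyBlock": "not play",
}

def describe_policy(policy):
    """Map a PlugInPolicy value to the play / not play wording used in the post."""
    return POLICY_LABELS.get(policy, policy or "unknown")

def _as_utc(value):
    """plistlib returns <date> values as naive datetimes; the file stores UTC."""
    return value.replace(tzinfo=timezone.utc) if isinstance(value, datetime) else None

def _walk(node, parent_key, records):
    """Recurse through the plist; any dict holding a PlugInHostnamePolicies array
    is a plug-in entry whose identifier is the key it was reached through."""
    if isinstance(node, dict):
        if "PlugInHostnamePolicies" in node:
            for site in node["PlugInHostnamePolicies"]:
                records.append({
                    "plugin": parent_key,
                    "hostname": site.get("PlugInHostname"),
                    "page_url": site.get("PlugInPageURL"),
                    "policy": site.get("PlugInPolicy"),
                    "last_visited": _as_utc(site.get("PlugInLastVisitedDate")),
                })
            return
        for key, value in node.items():
            _walk(value, key, records)
    elif isinstance(node, list):
        for item in node:
            _walk(item, parent_key, records)

def extract_plugin_visits(plist_bytes):
    """Return every per-site record, ordered by last-visited date (undated first)."""
    records = []
    _walk(plistlib.loads(plist_bytes), None, records)
    records.sort(key=lambda r: r["last_visited"] or datetime.min.replace(tzinfo=timezone.utc))
    return records

def format_timeline(records):
    """One line per site: timestamp, plug-in, host, policy and the page URL."""
    out = []
    for r in records:
        when = r["last_visited"].strftime("%Y-%m-%d %H:%M:%S UTC") if r["last_visited"] else "no date"
        out.append(f"{when}  {r['plugin']}  {r['hostname']}  {describe_policy(r['policy'])}  {r['page_url']}")
    return out

if __name__ == "__main__":  # usage: python safari_plugins.py [working copy of com.apple.Safari.plist]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    print("\n".join(format_timeline(extract_plugin_visits(raw))))
```

Run without arguments it prints the three sample rows oldest first; given a path it parses that file instead. Sorting on PlugInLastVisitedDate turns the per-plug-in grouping of the file into a single timeline, which is the form you want when placing a site visit next to other host artifacts.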


Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading The Go Programming Language. On page 141 of the...