Nicole Ibrahim posted a blog entry about Apple FSEvents Forensics with some great information. She has updated the program that my Autopsy plugin calls so I decided to update the plugin as well. One thing that Nicole mentions in her article is that you can pull out different events based on specific information within the database so that you can more accurately see specific events in the file system. For example in order to see when volumes were mounted you can run the following SQL statement against the database to get the infromation:
*, _ROWID_ “NAVICAT_ROWID”
“mask” LIKE ‘%mount%’
AND “filename” NOT LIKE ‘/net’
AND “filename” NOT LIKE ‘/home’
This allows the examiner to get to cut thru the data and be able to pull out information that may be critical to the case. It is this type of thinking that helps examiners do their jobs better. Thank you Nicole for this insight.
This got me to thinking how can I incorporate this into my plugin to extract the information. I could hard code the SQL statements into the plugin but then anyone that wanted to add a new SQL statement then has to add it to the code and then test it before they deem it worthy to actually be used. That is a lot of work to go thru to add one thing and some people might shy away from that.
What I thought of instead was to put the SQL into a database along with the artifact name and artifact description so that it can easily be updated without having to figure out where it fits into the plugin. When the plugin runs it will read the database and then create the artifact in Autopsy then run the SQL statement against the fsevents table and pull out the data. This way we can add more events as people discover them.
The database resides in the plugin directory and is named fsevents_sql.db3. It has one table in it named extracted_content_sql. This table has 3 columns in it, sql_statement, artifact_name and artifact_title. The sql_statement column holds the sql_statement that you want to run against the fsevents data. The artifact name and title are what is created in Autopsy to be used for display in the extracted content. I have taken the examples that Nicole used in her post and put them into the database so there is some data in there to start. I have also included a file that has an example insert statement so that if someone wants to add there own they can. The file is commented as to what to change if you have any questions. If you decide to add your own please submit them so others may use them as well.
Once you run the plugin the extracted content will look like this:
You can see how it can really narrow down the data to look at. The data is the same as before just less of it. I still included all the FSEvents in case you want to see look at all the data.
The updated plugin can be found here. You can remove the old plugin completely and install the new one. If there are any questions or comments please let me know. One last shout out to Nicole and the great work she is doing.