Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Mac OS X Forensics Final Update

ewrtfreter

Intro

Mac OS X Yosemite and El Capitan have both been available to Mac users for a while now, so many users have updated their systems to at least one of the two versions of OS X. El Capitan brought several updates to OS X, especially to the default Apple apps. In terms of forensic artifacts, however, it is fairly similar to OS X Yosemite: a few changes were noted, but most of the artifacts remained the same.

It has been a while since the last time we reported on our progress. During that time period we finished examining the two operating systems and compiled spreadsheets containing the artifact locations. Then we generated a final report that will be available at “Mac Forensics Report” (Link to the final report). Overall the two versions of OS X were very similar and only had a few minor differences.

Analysis

The last time we updated our progress we had just completed data gen and imaging of both the OS X Yosemite and El Capitan machines. We are happy to report that we finished our examination of the two images and were able to compile a list of artifact locations for both Yosemite and El Capitan. The lists contained many different artifacts, ranging from application-specific artifacts to system configuration files. Most of the artifacts we located were user-specific, while a few were machine-specific.

Once we had created the spreadsheets of artifact locations, we compared them to determine which artifacts differed between Yosemite and El Capitan. We determined that the two versions were very similar and only a few artifacts had moved to new locations in El Capitan. However, through our analysis and comparison we were unable to locate some artifacts. We broke these artifacts into two groups, obsolete and missing. An artifact was classed as obsolete if neither version of the operating system had it. An artifact was classed as missing if it should have been generated during data gen but could not be found. In the end we created a comprehensive list of artifacts and their locations. This list can be found in our final report.

We created our final report using Google Docs so that we could all edit it at the same time. This led to a few problems, since Microsoft Word and Google Docs do not keep the same formatting, and caused a few headaches further down the line. As a result, we had to type everything in Google Docs and then import it manually into Word to obtain the formatting we were seeking. Once that was completed, we had to import all of our spreadsheets containing the artifact locations and format them to fit the theme of the final report as well. In the end we had a polished report with detailed information about the artifact locations for both OS X Yosemite and El Capitan.

With our final report completed we are now officially done with this project, at least for now. Our final report details specifically our methods and outcomes of our research. It goes into depth about what artifacts were determined to be new, obsolete, and what artifacts we expected to find but were unable to. Research into operating systems is never complete and further work can always be completed to enhance the available knowledge base and resources available.

Conclusion

Overall we determined a lot about the artifacts in both OS X Yosemite and El Capitan. We were able to overcome some of the difficulties of using virtual machines by using two separate iMacs to conduct our data gen. In general, Yosemite was very similar to the last project we conducted at the LCDI: almost all of the artifacts from last year's research into Yosemite were exactly the same. The artifact locations in El Capitan were very similar to those in Yosemite. We found only a handful of artifacts in new locations, and a few artifacts that we had found in Yosemite could not be located in El Capitan. The largest change from Yosemite to El Capitan was in the Mail application, where many of the artifact paths had changed. The two versions of OS X are very similar, but there is always more research to be done.

Our team made great progress in determining the default locations for artifacts in both OS X Yosemite and El Capitan. We were able to overcome several struggles associated with using a VM that earlier research encountered, but we still missed a few key pieces of software such as Microsoft Office. Further research could be conducted into applications that we missed in our data gen. We were unable to locate a few of the artifacts that should have been generated, and as such, further research could be conducted to determine if those artifacts are obsolete or where they are located in the current versions of the OS. It is also important to stay up to date with the current versions of operating systems. They are always being updated and this research needs to be conducted every time an OS is updated.

We look forward to updating you on our future projects here at the LCDI. Please take a look at our “final report”(Link to final report) on this project to get a more in depth look at the default artifacts in OS X Yosemite and El Capitan. If you have questions or comments about the project, you can leave a comment, or contact the LCDI via Twitter @ChampForensics, or via email at lcdi@champlain.edu.

The post Mac OS X Forensics Final Update appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

April 17, 2020 by LCDI

What Is It Like To Become A Remote Supervisor? -DJ Miller

DJ Miller, Marketing and Digital Marketing ’22, is tackling their work in remote learning while maintaining their Leahy Center position as the Marketing team Supervisor.

What was it like going from campus life to remote life?

[Image: DJ's cat behind her laptop as she works remotely on the blog website.]

We found out during spring break that we were going to remote learning. It was a really quick but smooth transition. My professors and workplaces were instantly working to make plans that accommodated us, students. During such a stressful time, it was nice to see just how many staff members were putting what was best for us students as their main priority when planning for the rest of the year.

My work life changed a lot with Champlain going completely remote. Thankfully I was still able to keep my hours working for the Leahy Center and continue my supervising position. This meant all of us supervisors were going to have to work with our teams to make sure they had what they needed to continue their jobs and internships outside of the lab.

Finding a work-life balance while in quarantine has been pretty challenging. Going from being in the office and classroom to being home without any human interaction has been hard. Most of my work is done in groups, from a majority of my Leahy Center work to almost all of my marketing classes. All of them surround class engagement and collaborative projects. This meant learning all-new skills to continue being successful outside of the work environment I was used to.

How did the Leahy Center help transition students from being in the lab to being remote?

[Image: DJ's laptop set up for remote work.]

Our managing director Joe Williams was instantly finding ways to run the Leahy Center remotely. Since our students are already so immersed in technological skills, we were able to create a quick turnaround. Us supervisors and Joe got together during our extended spring break and began the lab-to-remote process. We started by…

  • Letting students shift their hours to better accommodate their own personal at-home schedules.
  • Setting up a VPN to our center so students could access the tools they needed for their projects.
  • Us supervisors scheduled weekly Google Hangouts to be able to work with our teams and get in some fun, engaging time together to make working from home a little more fun.
  • We also set up fun things for students to continue getting in social time. Joe did his own Google Hangout where you could all make breakfast together, my marketing team does our shifts together over video chat, and we planned different takeovers for our social media pages so everyone could keep up with each other.

What is it like to be supervising from home?

As the supervisor of the Marketing team, I am super fortunate that all of my team works well together and that they all are highly independent workers with great work ethic. My team consists of:

  • Two Marketing Assistants
  • One Graphic Designer
  • One Videographer
  • A Web Writer
  • One Web Designer

My job now revolves around me communicating throughout the day over Slack with my own team, interns, Cybertech, Supervisors, and our professional staff. We had to quickly change what we were putting out for content and quickly design new marketing ideas surrounding working from home. As a team, we all gained new skills surrounding communication, collaboration, time management, and creativity. We also had to learn more skills specialized to the programs we used, like Slack and Google Hangouts/Meet. Overall, the Center as a whole learned how to rely on each other in these uncertain times.

What have I learned about myself or the team during this remote experience?

As I said before, I, as well as everyone else at the Leahy Center, have picked up so many skills during this remote experience. I personally felt that,

  • First, I learned that everyone is understanding and is able to step up to the plate even when the transition felt stressful.
  • Second, I learned how to work with others in a whole new way, especially how to supervise and guide my team projects with all new obstacles.
  • Third, I learned to trust your skills and your prior experiences. I have been able to learn so many things over the two years working at the Leahy Center that helped me be a strong member during this remote experience.

[Image: Example of a remote team meeting done through Google Meet.]

My biggest take away from this is how strong of a marketing environment our team can be. We’re like a human body with how well our parts play together. The marketing assistants are the brains. They do all the forethought project planning for the whole team. The videographer is the eyes. They are showing everyone what we are doing in and outside the lab. The writers are helping us to communicate and properly function. Lastly, the graphic designer is allowing us to show off what we have put all together.

Thank you.

I want to end this by saying thank you to my team and the professional staff. The whole center put in 100% effort during this crazy pandemic we are going through. I am very thankful to have had the opportunity to continue my position even from home. I am looking forward to my future work back in Burlington in the upcoming semester. Us Leahy Center students have so much planned, and we have a lot more dedication and hard work coming!

Stay up to date with Twitter, Instagram, Facebook, and LinkedIn so you always know what we’re up to!

The post What Is It Like To Become A Remote Supervisor? -DJ Miller appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

April 17, 2020 by LCDI

Remote Student Spotlight: Kevin Rode

Kevin Rode is an upcoming senior in Champlain College’s Computer Networking and Cybersecurity program and Research Assistant at the Leahy Center. With Champlain going remote, Kevin shares with us his experience working on a sixth-semester workload and in-depth Leahy Center research stuck in campus dorms.

“Please, tell us about the team you’re on, the project you’re working on and your position on that team.”

“I work on the IoT Team creating a scenario to showcase the use of IoT devices in criminal investigations. These devices are used all around us, from in our homes to on the street. If you live in a busy city, you’re almost definitely in the vicinity of a device at all times, between smartphones, smart watches, etc. We know how important these devices can be for collecting evidence in criminal investigations, given how prevalent they are in society. There’s abundant information just sitting inside of them that’s particularly relevant to these types of investigation.

The issue arises when we see that local law enforcement can’t parse that data correctly. What good is that data if you don’t know how to access it? That’s why we’re creating this scenario. We want to give people the ability to learn how to extract data from these devices in real situations. Through this, we hope law enforcement will be more prepared for utilizing the data in these devices.”

“What is your current home life like now as a remote college student?”

“I’m one of the few that was able to remain on campus during this entire mess. There isn’t a lot of room for me back home, so I would likely otherwise need an apartment. Luckily for me, here I have my own room. I do have roommates, but we’re separated off. Through having different rooms, I can keep an isolated workspace and choose when I want to hang out. It keeps me from going insane, both from always being by myself and never so. I get to decide what balance is healthiest for me and keep to it.

Additionally, one of my roommates moved out for the semester, so I converted his bedroom. Now it’s a sort-of workspace separated from both my full-time and schoolwork. Not only did this let me set up a good data-gen environment, but it also meant I had a separate zone to work on research. For me, having that separate research zone helps me focus a lot more on it, especially as the room doesn’t have things like my laptop, etc.”

“What does a typical day look like for you now?”

“I work full-time doing IT support, starting right at 8AM. Luckily for me, you don’t exactly need to be presentable to pick up a phone. I wake up a few minutes before I need to work and basically roll over to my desk to start the day. Things like breakfast etc. all come as the day lets them. It’s definitely a bit rough—it’s not as easy to go out and get lunch, and getting groceries is a logistical nightmare.

It’s definitely nice to be able to dictate my own flow for research though. I can pick it up on periods of downtime, in between other work. Being around the machines constantly is good for data generation, so I get a lot to work with. Sometimes the sterility of an office just can’t beat fiddling with an Alexa in your pajamas.”

“How has your teamwork pattern changed given the shift to remote work?”

“The thing about our project is that it’s not primarily research focused. We’re basically trying to create a training environment. Because of this, most of the information is already known. It’s our team’s job to create this guided experience. Because the overall volume of information we’re sharing is lower, our communication is pretty consistent from before we went remote. We mostly use services like Slack and Trello to keep each other updated. Slack lets us message each other info, and Trello works to keep us on track. Overall, not much has changed on that front.”

“Anything else you would like to add?”

“Right now, things are gonna be rough. We can’t get groceries like normal, we can’t work together like normal. We really get to see, however, the power of today’s technology. At no other point have we been so connected that we could all be stuck at home and still get critical research done together. I don’t know where I would be in this project without my team, and I’m not sure what I’d do without the technology to communicate with them.”

Stay up to date with Twitter, Instagram, Facebook, and LinkedIn so you always know what we’re up to!

The post Remote Student Spotlight: Kevin Rode appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)