Cyber Security Technologies Corporation (CST) is the innovation leader in affordable software products for computer investigations. CST was formed by industry veterans who see the need for new investigative tools designed for the changing investigative environment. We are dedicated to delivering technically advanced but easy-to-use software products for corporations, government agencies, service providers and law enforcement, as well as related training and certification. CST is an affiliate of Architecture Technology Corporation, a technology company specializing in software-intensive solutions for complex problems in IT security and high-security network computing applications.



Mac Marshal™ Field Edition Release 3.0 Product Description

Mac Marshal™ is available in a Field Edition version, which can be used “live” on a running machine rather than a disk image. The Field Edition is supplied on a USB 2.0 flash drive intended to be plugged directly into the target machine while it is running. In this way, it can gather live state information (RAM, running processes, network connections, etc.) that would be lost when seizing the machine and imaging the disk. It also allows the Mac Marshal data gathering and analytical functionality to operate on the live hard drive of the target computer.

You may also use the Field Edition with an investigator’s workstation to analyze the image of a hard drive of a target computer. The investigator’s workstation may be either an OS X 10.4 and later or Microsoft Windows XP and later platform. Used in this way, it operates exactly like the Forensic Edition for Macs and for PCs, except that the Mac Marshal application is running from the USB drive and is not actually installed on the investigator’s workstation. It is thus portable from one investigator’s workstation to another. The same features described previously that are not available on the Forensic Edition for PCs are also not available with the Field Edition when running on a Microsoft Windows platform.

Mac Marshal Field Edition includes functionality that is not contained in the Forensic Edition; that functionality is described below.

Creating a New Acquisition

The New Acquisition Wizard is used to create a new acquisition for analysis in Mac Marshal. In the first page of the wizard, we recommend that you save the acquisition data to a secondary USB device—not the Mac Marshal drive itself, and not the target drive you are analyzing. (Mac Marshal will warn you if you try to save acquisition data to the target drive.)

Within the Field Edition, the wizard allows you to analyze the system drive directly, bypassing the target selection process. Simply select the first option (“Perform a live analysis on this system’s root drive”) to automatically analyze the disk containing the root (/) file system, as shown below:

New Acquisition

Clicking “Next” brings you to the acquisition options page. In live mode, this page’s Memory option also offers to automatically take a snapshot of physical RAM, as discussed in more detail below. If a RAM snapshot is not taken immediately, it can also be done while exploring the acquisition so long as the acquisition has not been closed and Mac Marshal continues to run “live” on the machine being analyzed. Because RAM is one of the most volatile sources of evidence, Mac Marshal’s default is to acquire a RAM snapshot automatically and early in the acquisition process, so that Mac Marshal’s own operation has minimal effect on the contents of RAM (and therefore the snapshot).

Physical Memory (RAM) Snapshots

In live mode, the Memory tab offers an additional option of acquiring a snapshot of the machine’s physical memory (RAM). Physical memory offers a plethora of live evidence that would otherwise be lost when the machine is powered down for seizure and imaging. Whether done automatically during initial acquisition, or manually by clicking “Acquire” in the Memory tab, the RAM snapshot file is saved within the acquisition directory and can later be viewed by clicking “Show Acquired Data File” within the Memory tab. For machines with large amounts of RAM (e.g., 4GB, which is common on current Macs), ensure that the external USB disk you save acquisition data to has sufficient free space.

Mac Marshal saves RAM snapshots as 32-bit or 64-bit Mach-O format files (depending on the size of physical memory). Physical memory is often segmented rather than contiguous, especially on Intel-based Macs. The Mach-O file format allows multiple segments of memory to be represented, preserving offset information. The format contains a header listing the segments of memory contained in the file, followed by the memory segments themselves. The command line “otool” program can be used to examine Mach-O file headers. For instance, “otool -l memoryfile” (replacing memoryfile with the path to the RAM snapshot file) will list all the physical memory segments saved in the snapshot.
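Added example (not Mac Marshal's code and not from this page): a small Python parser that reads the Mach-O header of a RAM snapshot, walks its segment load commands and reports each segment's physical address, size and file offset (the information otool -l prints), refusing to trust a snapshot whose segment data runs past the end of the file. The snapshot it parses is constructed in memory; the cputype/filetype values and two-segment layout are assumptions, not Mac Marshal's own format details.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # 32- and 64-bit Mach-O magic numbers
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19               # segment load command types

def parse_segments(data):
    """Return (is64, [(name, vmaddr, vmsize, fileoff, filesize)]) for a Mach-O blob.
    Handles little-endian (Intel) and big-endian (PowerPC) headers."""
    magic_le, magic_be = struct.unpack_from("<I", data)[0], struct.unpack_from(">I", data)[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        end, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        end, magic = ">", magic_be
    else:
        raise ValueError("not a Mach-O file")
    is64 = magic == MH_MAGIC_64
    hdr_fmt = end + ("8I" if is64 else "7I")        # 64-bit header carries an extra reserved word
    ncmds = struct.unpack_from(hdr_fmt, data)[4]
    off, segs = struct.calcsize(hdr_fmt), []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command runs past end of file")
        if (cmd, is64) in ((LC_SEGMENT_64, True), (LC_SEGMENT, False)):
            fmt = end + ("16s4Q" if is64 else "16s4I")
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from(fmt, data, off + 8)
            if fileoff + filesize > len(data):
                raise ValueError("segment data truncated: snapshot incomplete")
            segs.append((name.split(b"\0", 1)[0].decode(), vmaddr, vmsize, fileoff, filesize))
        off += cmdsize
    return is64, segs

def physical_gaps(segs):
    """Holes between segments in physical-address order (RAM is rarely one contiguous run)."""
    ordered = sorted(segs, key=lambda s: s[1])
    return [(a[1] + a[2], b[1]) for a, b in zip(ordered, ordered[1:]) if b[1] > a[1] + a[2]]

def build_snapshot(segments):
    """Construct a little-endian 64-bit Mach-O with one LC_SEGMENT_64 per
    (name, physaddr, payload) tuple. Constructed sample data, not a real Mac Marshal dump."""
    cmds, body, fileoff = b"", b"", 32 + 72 * len(segments)   # header + all segment commands
    for name, paddr, payload in segments:
        cmds += struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, name.encode(),
                            paddr, len(payload), fileoff, len(payload), 7, 7, 0, 0)
        body, fileoff = body + payload, fileoff + len(payload)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 4, len(segments), len(cmds), 0, 0)
    return header + cmds + body

if __name__ == "__main__":
    _, segs = parse_segments(build_snapshot([("LOW", 0x0, b"A" * 4096), ("HIGH", 0x100000, b"B" * 2048)]))
    for s in segs:
        print("%-8s paddr=0x%x size=0x%x fileoff=%d" % s[:4])
    print("gaps:", physical_gaps(segs))
```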

Note: If virtual machine software, such as Parallels, that uses hypervisor technology is installed on the target, the physical memory snapshot will be slightly smaller than the full size of RAM on the machine. This happens because the hypervisor is controlling access to the underlying physical hardware and reserving some memory for itself.

Live State

When running in live mode, or when re-opening an acquisition that was formerly in live mode, Mac Marshal presents a Live State tab adjacent to Memory and System Config. This tab contains the results of commands run against the live machine, summarizing volatile system state. An example of the Live State tab is shown below:

Live State

There are eight sub-sections to the Live State tab:

  • Running Processes: Lists all processes currently running on the machine. Note that two Mac Marshal processes will be among those processes listed: java and procinfo. Depending on the version of Mac OS X, the act of listing running processes may cause /usr/sbin/auditd and/or /usr/libexec/taskgated to also run; these are a normal part of the operating system. When a process has different real and effective user IDs (such as for a setuid process), the User column will show “real-user (as effective-user),” as in the last item in the sample shown above.
  • Network Connections: Lists all active network connections and listening network ports, as obtained by the system’s /usr/sbin/netstat command. Wildcard addresses are shown as ‘*’. Note that ports for connections are shown after a period, so that 127.0.0.1.445 indicates port 445 on IP address 127.0.0.1.
  • Open Files: Lists every file, device, and network connection opened by every process currently running, as obtained by the system’s /usr/sbin/lsof command.
  • Hardware/Software: Shows the current system configuration in detail, including any devices attached to the computer (such as USB hardware, including serial numbers). The data is the same as that produced by Apple’s graphical System Profiler utility.
  • Logins: Lists all currently logged-in users, including users logged in on the command line (as by remote SSH connections, for instance). Uses the system’s /usr/bin/w command.
  • DNS Cache: Shows all recent Internet DNS queries performed on the machine by examining the Directory Services cache. Only applies to OS X 10.5 and newer. Items expire from this cache relatively quickly, so this may only show queries within the past few minutes before investigation. It is very likely that the cache will be empty.
  • Screenshot: Shows the current graphical screen, after hiding the Mac Marshal window. If the target machine has multiple monitors, this will only show the main display. Likewise, it will not show alternate users if multiple users are logged in via Fast User Switching. Right-click on the image to show the screenshot PNG file in the Finder or open it in an external viewer.
  • Clipboard Contents: Shows the text content of the copy/paste clipboard for all graphically logged-in users. If the clipboard contains an image, it is not shown. On OS X 10.4 and earlier, only the currently visible user’s clipboard can be shown; clipboards for users hidden via Fast User Switching are only available on 10.5 and later.
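Added example, not Mac Marshal's code: a Python parser for the netstat address format the Network Connections sub-section describes (port after the last period, ‘*’ as wildcard), run over constructed sample lines in the layout of macOS netstat -an, to separate listening sockets from established connections during triage. The sample lines and the column layout are assumptions constructed for the example.

```python
# Constructed sample in the layout of macOS `netstat -an` output (not captured from a real machine).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49832      17.253.3.201.443       ESTABLISHED
tcp4       0      0  127.0.0.1.445          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

def split_endpoint(endpoint):
    """Split a netstat endpoint on its LAST period: '127.0.0.1.445' -> ('127.0.0.1', 445),
    '*.22' -> ('*', 22), '*.*' -> ('*', None). Splitting on the first period would break IPv4."""
    host, _, port = endpoint.rpartition(".")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """Return one dict per socket line; header and section lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[3]),
            "foreign": split_endpoint(parts[4]),
            "state": parts[5] if len(parts) > 5 else "",   # UDP lines carry no state column
        })
    return rows

def listening_ports(rows):
    """Ports the machine accepts traffic on: TCP sockets in LISTEN plus every bound UDP socket."""
    return sorted({r["local"][1] for r in rows
                   if r["state"] == "LISTEN" or r["proto"].startswith("udp")})

def established(rows):
    """(local, foreign) endpoint pairs for live TCP sessions, the ones lost at power-off."""
    return [(r["local"], r["foreign"]) for r in rows if r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    parsed = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", listening_ports(parsed))
    print("established:", established(parsed))
```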