Going still deeper into methods for avoiding forensics on Mac OS X, the Grugq enumerates several more attack vectors, including those associated with zero-width Unicode characters, application file formats, browser cookies and SQLite. In conclusion, the researcher summarizes the essential anti-forensics recommendations and answers a few questions on the topic from the HITBSecConf attendees.
Continuing the review of Mac OS X from an anti-forensics standpoint, the Grugq turns here to file system attacks, focusing in particular on exploitable aspects of HFS+. The researcher analyzes this file system's components, explains the role of B*-tree nodes and data forks, and singles out the ways these can be used in HFS+ attacks.
The Grugq, a well-known anti-forensics researcher with a substantial computer security background, outlines the key counter-forensics issues for the OS X platform in this HITBSecConf presentation. In the talk, entitled “How the Leopard Hides His Spots”, the Grugq draws on his previous experience to describe techniques for evading forensic analysis, including application-level file format attacks, HFS-specific attacks, SQLite-based attacks and others.