DMG Forensics

DMG Forensics - Profound Study of Apple Disk Image

Apple introduced a disk image format in the name of DMG file. DMG files are known as the proprietary disk image file for Apple that is used generally on Mac OS machines. Therefore, most users are in the habit of keeping image backup of their system data in the form of DMG files. Thus, DMG files prove to be greatly helpful from forensics point of view during investigation of an Apple machine. Apple DMG file can be generated with the help of default provided utility with Mac OS - Disk Copy (v10.2) and Disk Utility in version 10.3 and later. This blog offers information on the internal structure and built of a DMG file, which will further help in its forensics investigation.

Apple Disk Image

Apple disk image comes with a MIME type - application/x-apple-disk image and the built includes multiple layers of security to safeguard the contents of the disk image. A DMG file is structured with a secure password and compression technology as it development and usage is done mainly with the purpose of sharing software over web. However, the interest behind this blog is to dig up DMG file for forensic concern.

DMG logo

Starting With DMG Forensics

Processing a DMG

Double clicking on a DMG file on a Mac OS X machine will mount it as a drive thus; the contents can be accessed like that in a folder. During forensic investigation, it is necessary to keep all aspects in consideration while processing any artifact. Investigators commonly prefer mounting DMG to examine the storage in it.

However, the process of mounting also makes exchange/transfer of files in and out of the DMG therefore developing a threat of evidence manipulation. Thus, in order ensure the integrity of evidence; it has to be secured with locking. DMG files can be locked ascertaining that no spoliation of evidence takes place while it is mounted. As far as DMG files are concerned, they are available in multiple types that an investigator must be well aware of before starting the investigation.

  • READ-ONLY DMG
  • COMPRESSED DMG
  • READ/WRITE DMG
  • DVD/CD MASTER DMG
  • HYBRID DMG (HFS+/ UDF/ISO)
  • SPARSE DMG
  • SPARSE BUNDLE DMG

Challenge During Investigation

Challenges are what trouble investigators by acting as a hurdle. Thus, the most common challenge an investigator is supposed to face is an 'encrypted DMG file'. Encryption of the DMG file makes it quite a task to parse through the contents within.

Fact : DMG files are protected by 128 bit or 256 bit of AES Encryption, if applied.

The Loophole

It is true that Apple DMG files can be encrypted and at times, this acts as a hurdle during its investigation. However, another fact that passwords are automatically remembered by Disk Utility makes the file vulnerable.

Enter Password

By default when encrypting DMG file, the 'Remember Password in my Keychain' checkbox is checked on Disk Utility. Therefore, in most cases it is possible to find out the encryption key or crack it from the keychain file as the checkbox is usually neglected by users. Unless the option is unchecked, a copy of the key is saved in the keychain file on the same machine by Disk Utility. If the password is stored in a keychain file then a command line utility can be used for accessing it programmatically.

Security

Otherwise, an encrypted DMG can be accessed with the help of a dictionary attack that may or may not be able to break its security.

Tip for DMG File Forensics

DMG files are best from forensic standpoint as they can be locked with password without the use of any external program for the same. The lock prevents the DMG file from being modified during forensics email examination in any way or by any bit. Mounted DMG file can be parsed through and investigated without the chance of changing its contents or even the metadata.

Technically a DMG file is no different from a raw format of .dd file. They both are the same while the only difference is encountered with their extension. Yet one can literally change a DD image to .dmg by renaming the extension and back to the same. However, this has risk of evidence spoliation especially with the metadata denoting the activity track. However, DMG files still have an added benefit on being accessed over an Apple machine, i.e. the file gets mounted with all of its data like a disk volume just with a double click.

Conclusion:

A proprietary format, the DMG file can only be accessed and parsed on an Apple machine. However, the involvement of a third party application built to open dmg file in windows & to reverse engineer the structure can enable the possibility of accessing the file on a machine other than Apple Mac without the use of Disk Utility.