aaron posted in hacking on May 5th, 2007
This looks pretty cool. The MacLockPick is a commercial USB hardware product that you can just plug into a mac and grab all sorts of useful things like system, internet and general passwords as well as email, web history and preferences, etc. They say they require you to provide proof that you are licensed law enforcement, but I wonder how long it is until a open-source alternative comes along (maybe a MRL project?). No reason you couldn’t combine it with an external drive to suck down the entire image. I also wonder why they don’t have a similar windows product.
David Maynor talked about similar hacks a couple years ago and I’m guessing that they’re using similar techniques. I suppose it’s not too huge of an issue since physical proximity usually equates to full access in one way or another anyway, but this is a little more covert. I would think that if a law officer is required to use something like this that they would be able to command a full forensics investigation, but I suppose there are some circumstances that would require a more surreptitious approach.
Also, it looks like they are just down the road from where I used to live (and MRL meetings used to take place).
The solution is based on a USB Flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. Once awakened a Mac will return it’s keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.
MacLockPick is not for sale to the general public. Purchasers will be required to provide proof that they are a licensed law enforcement professional. Users are required to ensure that the use of this technology is legal on federal, state, and local level.
Also gotta love the sneaky logo:
Update: ps. Yes, I know you could do a windows autorun USB stick, but I guess I assumed that this was a layer below this, getting this information through host-mode and DMA or something similar. Please let me know if I’m assuming too much, or if you know how this device actually works,