This script parses user-specified Mac OS X OpenBSM audit logs, which are usually found in the following folder -

• /private/var/audit

The default audit configuration is such that events relating to audit-control, user-logon, and group/user creation/modification/deletion will be logged. That said, the audit-logging system is customizable and can be configured to log a wide range of other events.

Each audit-log will contain one or more records each one starting with a header token and ending with a trailer token. Stored between these tokens will be one or more additional tokens the number and content of which will depend on the nature of the record concerned.

The script determines the length of a record using information contained in the header token. This information is mirrored in the trailer token together with a magic number: this information allows the script to check that a record isn't corrupt.

When it comes to parsing additional tokens, the script has to parse each token in turn. If a token cannot be identified, or if it can't be parsed, then the script will have to skip to the next record. It will record the fact that it's done this in the bookmark created for the record; it will also write a warning to the console.

Some tokens contain a stream of binary data. These include those with the following token IDs -

• AUT_OPAQUE - A sequence of one or more un-typed values each one having the same length.
• AUT_DATA - A sequence of bytes.
• AUT_IP - A 20-byte IP header.

The script will not make an effort to decode these bytes: it will simply report on their offset and length within the associated audit-log file.

The output of the script is in the form of bookmarks and XML files.

One XML file will be created per audit file. The script will assign GUIDs to certain XML entities including those that represent audit files, audit records and certain types of audit token. The GUID assigned to an audit file will be the GUID of the source entry.

The reason for assigning GUIDs is to facilitate import of the XML data into a database such as MS Access. Access will, on reading a given XML file, create tables for the file, the records it contains, and the different types of audit tokens contained therein. Using the GUIDs will allow the examiner to create queries that identify the tokens that belong to each record; also the records that belong to each file.

NOTE: The XML files created by the script will be larger than the binary source files due to the amount of text contained therein.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training