KoreLogic Blog
MASTIFF on Mac OS X 2013-10-30 17:22

One of the reasons MASTIFF was written in Python was to give it the flexibility to run wherever it was needed. Linux and other *nixes have been supported since the initial release, but one goal was to have MASTIFF work on Mac OS X. It was suspected that MASTIFF would run without a problem on OS X, but it had never been tested...until now.

This week MASTIFF was finally tested and proven to work on Mac OS X. Mac OS X 10.8.5 (Mountain Lion) was used during testing, although other versions of OS X will likely work as well.

The instructions to install MASTIFF on Mac OS X are below. In these instructions we used Homebrew to install a number of packages. There are many ways to install packages on OS X; this is the one that was chosen this time.

Additionally, instead of relying upon the Python installed with OS X, the instructions for installing the latest version of Python at Python Guide were followed beforehand.

You will need to be an administrative user on Mac OS X to install MASTIFF and its pre-requisites.
The only functionality for MASTIFF that does not work in OS X is TrID. This is due to the fact there is no OS X port for TrID, and the source code is not available. However, it turns out you don't need it!

A few libraries are required for the MASTIFF framework to run. They can be installed with the following commands.

pip install Yapsy
brew install libmagic
pip install python-magic
pip install simplejson

The rest of these instructions install pre-requisites that some MASTIFF plug-ins require:

brew install ssdeep
pip install pydeep
pip install pefile
brew install yara
pip install yara

diStorm3 is required for the single-byte string plug-in. Unfortunately, using pip to install it did not work, so it will have to be downloaded and installed manually.

wget http://distorm.googlecode.com/files/distorm3-3-sdist.zip

The strings program in Mac OS X does not provide the ability to extract UNICODE strings from files. We found that gstrings, which gets installed with the GNU binutils package, works without a problem.

brew install binutils

Make sure you update the MASTIFF configuration file with the location of gstrings (/usr/local/bin/ by default).

Multiple plug-ins use exiftool to extract metadata from files. Again, make sure you update the configuration file in multiple places to point to the location of exiftool.

brew install exiftool

To get the pyOLEScanner plug-in to work, a library needs to be installed in addition to the Python script. Remember that once pyOLEScanner is downloaded, you must unzip it into its own directory, give pyOLEScanner.py executable permissions (chmod +x), and update the MASTIFF configuration file.

pip install OleFileIO_PL
wget https://github.com/Evilcry/PythonScripts/raw/master/pyOLEScanner.zip

Didier Stevens has a number of tools that are used in MASTIFF plug-ins. Each tool must be downloaded, given executable permissions, and its location updated within the MASTIFF configuration file.

wget http://www.didierstevens.com/files/software/disitool_v0_3.zip
wget http://didierstevens.com/files/software/pdf-parser_V0_4_3.zip
wget http://didierstevens.com/files/software/pdfid_v0_1_2.zip

Finally, once all of the pre-requisites have been successfully updated, you can download MASTIFF. Don't forget to verify the GPG signature!

wget -O mastiff-signing-key.asc http://sourceforge.net/projects/mastiff/files/mastiff/mastiff-signing-key.asc/download
wget -O mastiff-0.6.0.tar.gz.sig http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/mastiff-0.6.0.tar.gz.sig/download
wget -O mastiff-0.6.0.tar.gz http://sourceforge.net/projects/mastiff/files/mastiff/0.6.0/mastiff-0.6.0.tar.gz/download

After the package is untar'd, run make test to ensure that the pre-requisites were installed properly. If there are no issues, run make install to install MASTIFF onto the system!
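As an added pre-flight check (not part of MASTIFF or this post), the script below does two things the notes above keep coming back to: it confirms that every Python module installed with pip actually imports, and it walks a MASTIFF-style INI configuration and reports every configured absolute tool path that is missing or lacks the executable bit. The section and option names in SAMPLE_CONFIG are placeholders, not MASTIFF's real keys; the script is written for Python 3.

```python
"""Pre-flight check for a MASTIFF-style install (added example, not MASTIFF's code).

1. every Python module the framework and plug-ins need must import;
2. every absolute path configured for an external tool (gstrings, exiftool,
   pyOLEScanner.py, disitool, pdf-parser, pdfid, ...) must exist and be
   executable (the chmod +x step the install notes call for).
Section/option names in SAMPLE_CONFIG are placeholders, not MASTIFF's keys.
"""
import configparser
import importlib
import os

# Import names for the packages installed with pip in the notes above.
REQUIRED_MODULES = ["yapsy", "magic", "simplejson", "pydeep", "pefile",
                    "yara", "distorm3", "OleFileIO_PL"]

# Constructed sample config; the real mastiff.conf uses its own option names.
SAMPLE_CONFIG = """
[strings]
strings_cmd = /usr/local/bin/gstrings
[exiftool]
exiftool_cmd = /usr/local/bin/exiftool
[pdf]
pdfid_cmd = /opt/tools/pdfid.py
"""


def missing_modules(names):
    """Return the subset of `names` that cannot be imported."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing


def bad_tool_paths(config_text):
    """Return (section, option, path, problem) for each configured absolute
    path that does not exist or is not executable."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    problems = []
    for section in parser.sections():
        for option, value in parser.items(section):
            path = value.strip()
            if not path.startswith("/"):
                continue  # only absolute paths are treated as tool locations
            if not os.path.exists(path):
                problems.append((section, option, path, "missing"))
            elif not os.access(path, os.X_OK):
                problems.append((section, option, path, "not executable"))
    return problems


if __name__ == "__main__":
    for name in missing_modules(REQUIRED_MODULES):
        print("missing Python module: %s" % name)
    for section, option, path, problem in bad_tool_paths(SAMPLE_CONFIG):
        print("[%s] %s = %s: %s" % (section, option, path, problem))
```

Run it after editing the configuration file and before make test; an empty report means the paths and modules the plug-ins depend on are in place.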

As always, if you have any questions regarding MASTIFF or any suggestions for new features or plug-ins, please contact us at mastiff-project@korelogic.com.

Posted by Tyler at 17:22