Digital Forensics and Incident Response | DFIR

macOS Autoruns?

7/20/2019

Super cool investigative information for malware investigations. The locations below are the main ways modern macOS malware maintains persistence across shutdowns and reboots. Note that /System/Library is Apple-supplied and protected by System Integrity Protection on 10.11 and later, so third-party and user-writable paths (/Library and ~/Library) are where most malicious entries land.
  • LaunchAgents
    • User level; launchd runs these as background processes on behalf of the logged-in user
    • /System/Library/LaunchAgents
    • /Library/LaunchAgents
    • ~/Library/LaunchAgents
  • LaunchDaemons
    • System level; background system processes started by launchd at boot, typically as root, with no user logged in
    • /System/Library/LaunchDaemons
    • /Library/LaunchDaemons
  • StartupItems
    • /Library/StartupItems (legacy pre-launchd mechanism, deprecated but worth checking on older systems)
  • LoginItems
    • ~/Library/Preferences/com.apple.loginitems.plist

How to mount an APFS Image?

7/20/2019

Step 1 - create a directory for the converted image
sudo mkdir /Volumes/apfs_disk_image/
Step 2 - create the mount point for the evidence volume
sudo mkdir /Volumes/apfs_disk_mount/
Step 3 - expose the E01 as a DMG with xmount (xmount needs a FUSE implementation installed)
sudo xmount --in ewf --out dmg /Users/<Username>/APFS/apfs_disk.E01 /Volumes/apfs_disk_image/
Step 4 - attach the DMG without letting macOS auto-mount any volume
hdiutil attach -nomount /Volumes/apfs_disk_image/apfs_disk.dmg
Step 5 - list the APFS container and its volumes to find the disk identifiers
diskutil ap list
Step 6 (optional) - if the volume is FileVault-encrypted, unlock it without mounting
diskutil ap unlockVolume <volume disk identifier or UUID> -nomount
Step 7 - mount the volume read-only, with execution and ownership disabled, so the evidence is neither altered nor run
sudo mount_apfs -o rdonly,noexec,noowners /dev/disk#s# /Volumes/apfs_disk_mount/
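As an added example (not part of the original post), the script below automates steps 5 to 7: it parses the output of `diskutil ap list`, works out which volumes are FileVault-locked, and prints the unlock and read-only mount commands for review instead of executing them. The sample `diskutil` output embedded in it is constructed for the example and modelled on the real layout; the mount root `/Volumes/apfs_disk_mount` and the per-volume subdirectories are assumptions.

```python
"""Plan the unlock/mount commands for APFS volumes found by `diskutil ap list`.

Usage on the examiner's Mac:  diskutil ap list | python3 apfs_plan.py
With no piped input it runs against the constructed sample below.
It only prints commands; the examiner reviews and runs them by hand.
"""
import re
import sys

# Constructed sample, modelled on `diskutil ap list` output (not a real case).
SAMPLE_AP_LIST = """\
APFS Containers (1 found)
|
+-- Container disk3 00000000-0000-0000-0000-000000000001
    ====================================================
    APFS Container Reference:     disk3
    |
    +-< Physical Store disk2s2 00000000-0000-0000-0000-000000000002
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk2s2
    |
    +-> Volume disk3s1 00000000-0000-0000-0000-000000000003
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (No specific role)
    |   Name:                      Evidence HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   FileVault:                 Yes (Locked)
    |
    +-> Volume disk3s4 00000000-0000-0000-0000-000000000004
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s4 (Recovery)
        Name:                      Recovery (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 No
"""

VOLUME_RE = re.compile(r"APFS Volume Disk \(Role\):\s+(?P<dev>disk\d+s\d+)\s+\((?P<role>[^)]*)\)")
FILEVAULT_RE = re.compile(r"FileVault:\s+(?:Yes \((?P<state>Locked|Unlocked)\)|No)")


def parse_ap_list(text):
    """Return [{dev, role, state}] for every APFS volume in the listing.

    state is "locked", "unlocked", "not-encrypted", or "unknown" if the
    FileVault line for that volume was not found.
    """
    volumes, current = [], None
    for line in text.splitlines():
        m = VOLUME_RE.search(line)
        if m:
            current = {"dev": m.group("dev"), "role": m.group("role"), "state": "unknown"}
            volumes.append(current)
            continue
        m = FILEVAULT_RE.search(line)
        if m and current is not None:
            state = m.group("state")
            current["state"] = state.lower() if state else "not-encrypted"
    return volumes


def mount_plan(volumes, mount_root="/Volumes/apfs_disk_mount"):
    """Emit the commands for each volume: unlock if locked, then a
    read-only, no-exec, no-owners mount into its own subdirectory."""
    cmds = []
    for v in volumes:
        if v["state"] == "unknown":
            cmds.append(f"# {v['dev']}: FileVault state not parsed, inspect manually")
            continue
        if v["state"] == "locked":
            cmds.append(f"diskutil ap unlockVolume {v['dev']} -nomount")
        target = f"{mount_root}/{v['dev']}"
        cmds.append(f"sudo mkdir -p {target}")
        cmds.append(f"sudo mount_apfs -o rdonly,noexec,noowners /dev/{v['dev']} {target}")
    return cmds


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AP_LIST
    for cmd in mount_plan(parse_ap_list(listing)):
        print(cmd)
```

Mounting each volume under its own subdirectory keeps the Data and Recovery volumes of one container apart; the `rdonly,noexec,noowners` options are carried over unchanged from step 7.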

What's 'Installed' on your Mac?

7/20/2019

The install.log file (/private/var/log/install.log) is immensely valuable for seeing everything that has been installed on a Mac.
Use this command in Terminal to get the list of completed installations:

grep 'Installed' /private/var/log/install.log

This log has real forensic value for reconstructing a user's installation activity. Questions such as which applications were installed remotely and which installations failed can be answered by reading the whole file, since the entries record the timestamp, the installing process, and the package or application name:

cat /private/var/log/install.log

Older entries are rotated into compressed copies next to it (install.log.0.gz and so on), so include those when building a timeline.
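As an added example (not part of the original post), here is a small parser that goes beyond the grep: it splits each install.log line into timestamp, host, process and message, records both successful installs and "Install Failed" entries, and counts them per installing process, which is one signal for spotting automated or remote installers. The log lines embedded below are constructed for the example in the `timestamp host process[pid]: message` shape that install.log uses; they are not from a real system.

```python
"""Parse macOS install.log for installed and failed packages.

Usage: python3 install_log.py /private/var/log/install.log
With no argument it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample lines (not from a real Mac).
SAMPLE_INSTALL_LOG = """\
2019-07-20 09:12:05-07 mac-mini Installer[2231]: Installed "Google Chrome" ()
2019-07-20 09:20:41-07 mac-mini installd[449]: PackageKit: Installed "com.example.Agent" ()
2019-07-20 09:25:10-07 mac-mini installd[449]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 UserInfo={NSLocalizedDescription=An error occurred while running scripts from the package.}
2019-07-20 09:30:00-07 mac-mini softwareupdated[301]: Installed "macOS 10.14.6 Update" ()
"""

# "<date> <time> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INSTALLED_RE = re.compile(r'Installed "(?P<name>[^"]+)"')
FAILED_RE = re.compile(r"Install Failed")


def parse_install_log(text):
    """Return one event dict per install-related line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        msg = m.group("msg")
        base = {"ts": m.group("ts"), "host": m.group("host"),
                "proc": m.group("proc"), "pid": int(m.group("pid"))}
        installed = INSTALLED_RE.search(msg)
        if installed:
            events.append({**base, "status": "installed", "name": installed.group("name")})
        elif FAILED_RE.search(msg):
            # Failed installs rarely name the package on the same line; keep the message.
            events.append({**base, "status": "failed", "name": None, "detail": msg})
    return events


def by_process(events):
    """Count installed/failed events per installing process."""
    counts = {}
    for ev in events:
        slot = counts.setdefault(ev["proc"], {"installed": 0, "failed": 0})
        slot[ev["status"]] += 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INSTALL_LOG
    evs = parse_install_log(text)
    for ev in evs:
        print(ev["ts"], ev["proc"], ev["status"].upper(), ev["name"] or ev.get("detail", ""))
    print(by_process(evs))
```

The process column is what distinguishes a user double-clicking a .pkg (Installer) from installd-driven installs and softwareupdated; a failed line in this sample is kept with its raw message because the package name is not on that line.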

    

macOS Keychain Analysis

4/6/2018

Location: ~/Library/Keychains (the user's login keychain is login.keychain-db; the System keychain is /Library/Keychains/System.keychain)
File of interest:
keychain-2.db (found under a UUID-named subfolder of ~/Library/Keychains; it is a SQLite database)
Data in the Login and System keychains can be very useful in an investigation.
Once you copy the keychain-db file, you can open it in the native Keychain Access app (File > Add Keychain) to view the contents. The items stay encrypted until the keychain is unlocked, so you still need the user's login password.

Which plist store auto login items data?

4/5/2018

$ cd /Users/<Username>/Library/Preferences
$ open -a Xcode com.apple.loginitems.plist
You can also read the raw data in any hex editor: each login item carries an alias/bookmark blob, and that blob contains the file path of the item.

macOS Investigation Tracker

4/5/2018

https://docs.google.com/spreadsheets/d/1t6swpG1kN_8ZP6BX3CkEeOyUmsAv86pqU5yEvwIdAP0/edit?usp=sharing

List of Application in Mac Dock

4/5/2018

open -a Xcode ~/Library/Preferences/com.apple.dock.plist

The persistent-apps array in this plist holds the applications pinned to the Dock, each with the path of its bundle.

Mac Keyboard Dynamic Text

4/5/2018

Location: /Users/<username>/Library/KeyboardServices/TextReplacements.db

This SQLite database stores the user's text-replacement shortcuts and the phrases they expand to. Because users sometimes create shortcuts for passwords or other phrases they type often, the data can be very handy in an investigation for gaining access to the suspect's machine.

Applications Launched at Login

4/5/2018

The following plist holds the applications that start when the user logs in (login items run at user login, not at system boot):

open -a Xcode ~/Library/Preferences/com.apple.loginitems.plist

On macOS 10.13 and later, login items are also recorded in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, so check both.


Launch Agents/Daemons

4/5/2018

Launch Agents (User Level) - background processes run on behalf of the logged-in user

$ cd /System/Library/LaunchAgents/
$ cd /Library/LaunchAgents/
$ cd ~/Library/LaunchAgents/

Launch Daemons (System Level) - background system processes, started at boot and usually running as root

$ cd /System/Library/LaunchDaemons/
$ cd /Library/LaunchDaemons/

launchd jobs are essentially the macOS counterpart of cron jobs: each plist names a Label, the Program or ProgramArguments to run, and keys such as RunAtLoad and KeepAlive that control when it starts and whether it is restarted.

[Screenshot in the original post: example LaunchDaemons plist files]
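As an added example (not part of the original post), the script below sweeps the LaunchAgents and LaunchDaemons directories listed here and in the "macOS Autoruns?" post above, parses every plist with the standard library's plistlib (which reads both XML and binary plists), and flags entries an examiner should look at first. The review heuristics (standard-path prefixes, Apple-style labels outside /System) are assumptions for the example, and the embedded agent plist is constructed, not taken from a real case.

```python
"""Triage launchd persistence plists.

Usage: python3 launchd_triage.py        (scans the directories below)
Runs the constructed sample through the same logic first.
"""
import os
import plistlib

# Persistence directories from the post; ~ is expanded at scan time.
LAUNCHD_DIRS = [
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "/Library/LaunchDaemons",
]

# Assumed "expected" prefixes for launchd programs; anything else gets flagged.
STANDARD_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def program_of(job):
    """Return the executable launchd will run: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage(plist_bytes, source):
    """Summarise one launchd plist and attach review flags (heuristics are assumptions)."""
    job = plistlib.loads(plist_bytes)
    prog = program_of(job)
    label = job.get("Label", "")
    flags = []
    if job.get("RunAtLoad"):
        flags.append("runs-at-load")
    if job.get("KeepAlive"):
        flags.append("keep-alive")
    if prog and not prog.startswith(STANDARD_PREFIXES):
        flags.append("program-outside-standard-paths")
    if label.startswith("com.apple.") and not source.startswith("/System/"):
        flags.append("apple-label-outside-/System")
    return {"source": source, "label": label, "program": prog,
            "args": job.get("ProgramArguments"), "flags": flags}


def scan(dirs=LAUNCHD_DIRS):
    """Triage every .plist in the given directories; missing dirs are skipped."""
    results = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    results.append(triage(fh.read(), path))
            except Exception as exc:  # malformed plist: record it, keep sweeping
                results.append({"source": path, "error": str(exc), "flags": ["unparseable"]})
    return results


# Constructed sample (not a real case): an agent masquerading as Apple software.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.update/agent</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    sample = triage(SAMPLE_AGENT, "/Users/victim/Library/LaunchAgents/com.apple.updater.plist")
    for entry in [sample] + scan():
        if entry["flags"]:
            print(entry)
```

Sort the output by number of flags and read the flagged ones first; an entry that is both run-at-load and points outside the standard paths is the classic shape of the persistence described above.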