Digital Forensics and Incident Response

macOs Autoruns?

7/20/2019

.Super Cool Investigative information for a Malware type investigations. This is one of the way modern malware maintains persistence in the system across shutdowns and reboots.

LaunchAgents
- User Level and contains background user process
- /System/Library/LaunchAgents
- /Library/LaunchAgents
- ~/Library/LaunchAgents
LaunchDaemons
- Background System Process for MacOs
- /System/Library/LaunchDaemons
- /Library/LaunchDeamons
StartupItems
LoginItems - ~/Library/Preferencescom.apple.loginitems.plist

0 Comments

Step -1
sudo mkdir /Volumes/apfs_disk_image/
Step -2
sudo mkdir /Volumes/apfs_disk_mount/
Step -3
sudo xmount --in ewf --out dmg /Users/<Username>/APFS/apfs_disk.E01 /Volumes/apfs_disk_image/
Step-4
hdiutil attach -nomount /Volumen/apfs_disk_image/apfs_disk.dmg
Step-5
diskutil ap list
Step -6 (Optional)In case of encryption use this:
diskutil ap unlockVolume <Disk Guid> -nomount
Step-7
sudo mount_apfs -o rdonly,noexec,noowners /dev/disk#/Volumes/apfs_disk_mount/

0 Comments

What's 'Installed' on your Mac?

7/20/2019

0 Comments

Install.log file has an immense value to see all the installations on you Mac.
Use this command on your terminal to get the list:

grep 'Installed' /private/var/log/install.log
This log file has an immense forensic value to identify the user installation activity. Questions like remotely installed applications, failed installation can be answered by analyzing the 'Install.log' file.
cat /private/var/log/install.log

0 Comments

MacOs Keychain Analysis

4/6/2018

0 Comments

MacOs Key Chain Analysis
Location: ~Library/Keychains
File of interest: keychain-2.db
Data in Login & System Keychain can be very useful in an investigation.
Once you copy the keychain-db file - you can use keychain native app to view the content.

0 Comments

Which plist store auto login items data?

4/5/2018

0 Comments

$ cd /Users/<Username>/Library/Preferences
$ open -a xcode com.apple.loginitems.plist
You can use any hex editor to read the hex data. Hex will give you the location of the file path of the login item.

0 Comments

MacOs Investigation Tracker

4/5/2018

0 Comments

https://docs.google.com/spreadsheets/d/1t6swpG1kN_8ZP6BX3CkEeOyUmsAv86pqU5yEvwIdAP0/edit?usp=sharing

0 Comments

List of Application in Mac Dock

4/5/2018

0 Comments

open -a xcode ~/Library/Preferences/com.apple.dock.plist

0 Comments

Mac Keyboard Dynamic Text

4/5/2018

0 Comments

Location: /Users/<username>/Library/KeyboardServices/TextReplacements.db

The data from this DB can be very handy in investigation ot get access to the suspects' machine.

0 Comments

Application Launched at the System Boot

4/5/2018

0 Comments

Following plist hold the information of the application that get start at the system boot:

open -a xcode ~/Library/Preferences/com.apple.loginitems.plist

0 Comments

Launch Agents/Daemons

4/5/2018

0 Comments

Launch Agents (User Level) - Background User Process

$ cd /System/Library/LaunchAgents/
$ cd /Library/LaunchAgents/

Launch Deamons (System Level) - Background System Process

cd /System/Library/LaunchDaemons/
$ cd /Library/LaunchDaemons/

This is basically like a cron jobs.Best examples of Launch Daemons are following plist files:

0 Comments

<<Previous

macOs Autoruns?

How to mount an APFS Image?

What's 'Installed' on your Mac?

MacOs Keychain Analysis

Which plist store auto login items data?

MacOs Investigation Tracker

List of Application in Mac Dock

Mac Keyboard Dynamic Text

Application Launched at the System Boot

Launch Agents/Daemons

Archives

Categories