Super cool investigative information for malware-type investigations. This is one of the ways modern malware maintains persistence on a system across shutdowns and reboots.
Step 1: sudo mkdir /Volumes/apfs_disk_image/
Step 2: sudo mkdir /Volumes/apfs_disk_mount/
Step 3: sudo xmount --in ewf --out dmg /Users/<Username>/APFS/apfs_disk.E01 /Volumes/apfs_disk_image/
Step 4: hdiutil attach -nomount /Volumes/apfs_disk_image/apfs_disk.dmg
Step 5: diskutil ap list
Step 6 (optional, only if the volume is encrypted): diskutil ap unlockVolume <Disk Guid> -nomount
Step 7: sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_disk_mount/

The install.log file is immensely valuable for seeing all the installations on your Mac. Use this command in your terminal to get the list:

grep 'Installed' /private/var/log/install.log

This log has great forensic value for identifying user installation activity. Questions such as which applications were installed remotely and which installations failed can be answered by analyzing install.log:

cat /private/var/log/install.log |
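As an added example (not from the original post), here is a small parser that goes one step beyond the grep above: it splits install.log lines into timestamp, host, process and message, separates successful "Installed" entries from "Install Failed" entries, and lets you pull only the packages installed after a given point in time. The sample log lines are constructed for this example and the line layout is assumed to follow the common "date host process[pid]: message" shape; adjust the regex if your mounted image's log differs.

```python
import re
from datetime import datetime

# Constructed sample of /private/var/log/install.log lines (not a real capture).
SAMPLE_LOG = """\
2023-03-15 10:22:31-07 MacBook-Pro installd[456]: PackageKit: Installed "Google Chrome" ()
2023-03-15 10:24:02-07 MacBook-Pro installd[456]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=102
2023-03-16 08:05:12-07 MacBook-Pro softwareupdated[301]: PackageKit: Installed "macOS 13.2.1 Update" ()
2023-03-16 08:06:00-07 MacBook-Pro installd[456]: PackageKit: Installed "Unknown Helper" ()
"""

# Assumed line shape: "YYYY-MM-DD HH:MM:SS<tz> host process[pid]: message".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[+-]\d{2} '
    r'(?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
INSTALLED_RE = re.compile(r'Installed "(?P<pkg>[^"]+)"')


def parse_install_log(text):
    """Return one dict per parseable line with ts (datetime), host, proc, pid, msg."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped rather than crashing the triage
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def summarize_installs(text):
    """Split records into successful installs (ts, package, process) and failures (ts, msg)."""
    installed, failed = [], []
    for rec in parse_install_log(text):
        m = INSTALLED_RE.search(rec["msg"])
        if m:
            installed.append((rec["ts"], m.group("pkg"), rec["proc"]))
        elif "Install Failed" in rec["msg"]:
            failed.append((rec["ts"], rec["msg"]))
    return {"installed": installed, "failed": failed}


def installs_since(text, since):
    """Package names installed at or after `since`, e.g. the suspected compromise time."""
    return [pkg for ts, pkg, _ in summarize_installs(text)["installed"] if ts >= since]


if __name__ == "__main__":
    for ts, pkg, proc in summarize_installs(SAMPLE_LOG)["installed"]:
        print(f"{ts}  {proc:<16} {pkg}")
```

The process field (installd vs. softwareupdated in the sample) is the column to compare against how the user says the software arrived; the failure list answers the "failed installation" question from the paragraph above.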