DFIR Blog

Investigations & Analysis

macOS Autoruns?

7/20/2019

Super cool investigative information for malware-type investigations. This is one of the ways modern malware maintains persistence on the system across shutdowns and reboots.
  • LaunchAgents
    • User level; contain background user processes
    • /System/Library/LaunchAgents
    • /Library/LaunchAgents
    • ~/Library/LaunchAgents
  • LaunchDaemons
    • System-level background processes for macOS
    • /System/Library/LaunchDaemons
    • /Library/LaunchDaemons
  • StartupItems
  • LoginItems - ~/Library/Preferences/com.apple.loginitems.plist
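A triage script for the launchd persistence locations listed above, added here as an example (not code from the original post). It reads each .plist in those directories, reduces it to the fields an analyst checks first (Label, program, RunAtLoad, KeepAlive) and flags jobs whose program lives outside a set of assumed system prefixes; the sample plist is constructed.

```python
import os
import plistlib
from pathlib import Path

# launchd persistence directories from the post above (~ expanded at run time).
LAUNCHD_DIRS = [
    "/System/Library/LaunchAgents", "/Library/LaunchAgents", "~/Library/LaunchAgents",
    "/System/Library/LaunchDaemons", "/Library/LaunchDaemons",
]
# Assumption: programs outside these prefixes deserve a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

def summarize_job(data: bytes, source: str = "<constructed>") -> dict:
    """Reduce one launchd plist (XML or binary) to the fields that matter for triage."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    return {
        "source": source,
        "label": job.get("Label"),
        "program": program,
        "args": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # may be a dict of conditions
        "flag": bool(program) and not program.startswith(TRUSTED_PREFIXES),
    }

def walk_launchd_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Summarize every .plist in the persistence directories; unreadable files are reported, not skipped."""
    results = []
    for d in dirs:
        for path in sorted(Path(os.path.expanduser(d)).glob("*.plist")):
            try:
                results.append(summarize_job(path.read_bytes(), str(path)))
            except Exception as exc:  # a malformed plist is itself a finding
                results.append({"source": str(path), "error": repr(exc), "flag": True})
    return results

# Constructed sample: a user LaunchAgent pointing at a hidden binary outside system paths.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for job in [summarize_job(SAMPLE_PLIST)] + walk_launchd_dirs():
        if job.get("flag"):
            print(job)
```

On a live system, run it as root so /System and /Library entries are readable, and compare flagged entries against the directories' modification times.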

How to mount an APFS Image?

7/20/2019

Step 1
sudo mkdir /Volumes/apfs_disk_image/
Step 2
sudo mkdir /Volumes/apfs_disk_mount/
Step 3
sudo xmount --in ewf --out dmg /Users/<Username>/APFS/apfs_disk.E01 /Volumes/apfs_disk_image/
Step 4
hdiutil attach -nomount /Volumes/apfs_disk_image/apfs_disk.dmg
Step 5
diskutil ap list
Step 6 (optional) If the volume is encrypted, unlock it first:
diskutil ap unlockVolume <Disk GUID> -nomount
Step 7 (use the APFS volume device, e.g. /dev/disk#s#, as listed in Step 5)
sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_disk_mount/

What's 'Installed' on your Mac?

7/20/2019

The install.log file is immensely valuable for seeing all installations on your Mac.
Use this command in your terminal to get the list:

grep 'Installed' /private/var/log/install.log

This log file has substantial forensic value for identifying user installation activity. Questions such as which applications were installed remotely, or which installations failed, can be answered by analyzing install.log. To read the whole file:

cat /private/var/log/install.log
