MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
9. What is computer forensics?
Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
21. Mac Security mechanisms. XProtect
1) Only checks "quarantined" files
2) Small number of signatures
3) Limited to signature-based analysis only
4) Signatures are updated only occasionally
22. Signature-based AV engines have no future
Malware samples (April 2019):
OSX.Adware.Pirrit (2017):
24. System Integrity Protection
● protection of contents and file-system permissions of system files and directories;
● protection of processes against code injection, runtime attachment (like debugging) and
DTrace;
● protection against unsigned kernel extensions ("kexts").
$ csrutil status
“[any] piece of malware is one password or vulnerability away from taking full control of the device”
Apple (c)
25. SIP bypass new technique using ssh
Video link: https://youtu.be/UPr6R2BQUU4
~/.ssh/authorized_keys
scp $file :/$safari_extz_fold
26. Inventorization. System info
$ system_profiler -xml -detaillevel full >> system_info.spx
Contains:
● Hardware information
● USB information
● Network information
● Firewall settings
● Mounted Volumes
● System Information
● Applications
● Kernel Extensions
● Log Data
27. General system info
Network configurations: networksetup
DNS configurations: scutil --dns
Adapters: ifconfig
File /etc/hosts
Keychain configurations
Who is logged in: who or w
Shares
~/.ssh/authorized_keys
netstat
lsof -i
~/.bash_history
Local accounts: /etc/passwd
Defaults instructions:
https://github.com/ernw/hardening/blob/master/operating_system/osx/10.14/ERNW_Hardening_OS_X_Mojave.md
^^^ OSX.Malware.MaMi
28. Mac persistence
| Type | Location | Run on behalf of |
|---|---|---|
| Login Item | Apple menu > System Preferences > Users & Groups > Login Items, or My.app/Contents/Library/LoginItems | Currently logged in user |
| User Agents | ~/Library/LaunchAgents | Currently logged in user |
| Global Agents | /Library/LaunchAgents | Currently logged in user |
| Global Daemons | /Library/LaunchDaemons | root, or the user specified with the key UserName |
| System Agents | /System/Library/LaunchAgents | Currently logged in user |
| System Daemons | /System/Library/LaunchDaemons | root, or the user specified with the key UserName |
Also: crontabs, login/logout hooks, login items...
29. Launch Agents/Daemons. What can be found there?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.app</string>
<key>Program</key>
<string>/Users/Me/Scripts/example.sh</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
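Added example, not part of the slides: a Python triage helper that reads a launchd job plist like the one above and reports the keys an analyst checks first (Label, executable, RunAtLoad, KeepAlive), flagging jobs whose executable lives outside Apple's system paths or that use a com.apple.* label for a non-Apple binary. The embedded plist is constructed from the slide; the list of system prefixes and the heuristics are my assumptions, and scan_launch_dirs() walks the launchd directories from the persistence table.

```python
import plistlib
from pathlib import Path

# Constructed sample: the LaunchAgent shown on the slide, embedded as bytes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.app</string>
  <key>Program</key><string>/Users/Me/Scripts/example.sh</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumption: executables under these prefixes are Apple-shipped and SIP-protected.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")

# The launchd locations from the persistence table above.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons",
               "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"]

def summarize_launch_plist(data: bytes) -> dict:
    """Extract the persistence-relevant keys of one launchd job and attach triage flags."""
    job = plistlib.loads(data)  # plistlib handles both XML and binary plists
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    flags = []
    if job.get("RunAtLoad"):
        flags.append("starts at login/boot (RunAtLoad)")
    if job.get("KeepAlive"):
        flags.append("relaunched if killed (KeepAlive)")
    if program is None:
        flags.append("no Program/ProgramArguments (malformed job)")
    elif not program.startswith(SYSTEM_PREFIXES):
        flags.append(f"executable outside system paths: {program}")
    if str(job.get("Label", "")).startswith("com.apple.") and program \
            and not program.startswith(SYSTEM_PREFIXES):
        flags.append("com.apple.* label pointing at a non-Apple binary")
    return {"label": job.get("Label"), "program": program, "arguments": args[1:], "flags": flags}

def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Summarize every job plist in the given directories; missing directories are skipped."""
    results = []
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                summary = summarize_launch_plist(p.read_bytes())
            except Exception as exc:  # an unparseable job file is itself worth a look
                summary = {"label": None, "program": None, "arguments": [],
                           "flags": [f"could not parse: {exc}"]}
            summary["path"] = str(p)
            results.append(summary)
    return results
```

On a live Mac, print the entries of scan_launch_dirs() that have a non-empty flags list; on a disk image, point dirs at the mounted paths instead.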
31. Process exploration
Johns-Mac:tmp johndoe$ ps aux | grep -i osascript
johndoe 50813 2.5 0.3 2488260 6168 ?? R 11:22AM 0:00.04 /usr/bin/osascript -e if application
"Safari" is running then 012011run script "tell application "Safari" to return URL of front document"
012end if
Johns-Mac:tmp johndoe$ ps aux | grep -i osascript
johndoe 50819 13.4 0.3 2489356 7276 ?? R 11:22AM 0:00.08 /usr/bin/osascript -e if
application "Safari" is running then 012011run script "tell application "Safari" to return URL of front
document" 012end if
OSX.Adware.Pirrit
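Added example, not from the slides: a Python detection pass over ps aux output like the capture above. It splits the ten fixed ps columns from the command, decodes the octal escapes ps prints for the newline and tab inside the inline AppleScript, and flags an osascript that reads the active Safari URL, the behaviour attributed here to OSX.Adware.Pirrit. The ps lines are constructed, and the assumption that the escapes carry a backslash (the slide's extraction dropped them) is mine.

```python
import re
from typing import Optional

# Constructed ps aux lines modelled on the slide's capture. ps renders the newline/tab
# inside the inline AppleScript as octal escapes, so the whole -e script stays in COMMAND.
PS_LINES = [
    'johndoe 50813 2.5 0.3 2488260 6168 ?? R 11:22AM 0:00.04 /usr/bin/osascript -e if application '
    '"Safari" is running then \\012\\011run script "tell application \\"Safari\\" to return URL of '
    'front document" \\012end if',
    'johndoe 612 0.0 0.1 4300000 9000 ?? S 9:01AM 0:00.20 /usr/bin/osascript /Users/johndoe/Scripts/backup.scpt',
    'root 1 0.0 0.1 4400000 12000 ?? Ss 8:59AM 0:03.10 /sbin/launchd',
]

PS_FIXED_FIELDS = 10  # USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME; COMMAND is the rest

def parse_ps_line(line: str) -> dict:
    """Split one ps aux line; everything after the ten fixed columns is the command."""
    parts = line.split(None, PS_FIXED_FIELDS)
    if len(parts) <= PS_FIXED_FIELDS:
        raise ValueError(f"not a ps aux line: {line!r}")
    return {"user": parts[0], "pid": int(parts[1]), "command": parts[PS_FIXED_FIELDS]}

def decode_ps_escapes(cmd: str) -> str:
    """Turn ps's \\012 / \\011 style octal escapes back into the original characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), cmd)

def triage_osascript(line: str) -> Optional[dict]:
    """Return None for non-osascript processes, else the process plus any detection findings."""
    proc = parse_ps_line(line)
    cmd = decode_ps_escapes(proc["command"])
    if not cmd.split()[0].endswith("osascript"):
        return None
    findings = []
    if " -e " in f" {cmd} ":
        findings.append("inline script passed with -e (no script file on disk to recover)")
    if "Safari" in cmd and "URL of front document" in cmd:
        findings.append("reads the URL of the active Safari tab (seen in OSX.Adware.Pirrit)")
    return {"pid": proc["pid"], "user": proc["user"], "findings": findings}

def scan_ps_output(lines) -> list:
    """All osascript processes that triggered at least one finding."""
    hits = []
    for line in lines:
        result = triage_osascript(line)
        if result and result["findings"]:
            hits.append(result)
    return hits
```

Feed it the output of `ps aux` line by line (skipping the header) to get the same result on a live host.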
52. .fseventsd and Spotlight
Spotlight is the name of the indexing system built into macOS. It is responsible for continuously indexing files and folders on all attached volumes, and it keeps a copy of the metadata of almost every file and folder on disk.
Parser link: https://github.com/ydkhatri/spotlight_parser
/.fseventsd is a log directory holding "(F)ile (S)ystem (EVENTS) logged by a (D)aemon", i.e. a record of file system changes.
Parser link: https://github.com/dlcowen/FSEventsParser
57. All artifacts list (upd 2020)
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=1317205466
58. Where to find more information? Inspiration list
● GRR - Google Rapid Response: remote live forensics for incident response
● osquery - SQL-powered operating system instrumentation, monitoring, and analytics
● Objective-See - https://objective-see.com/
● Patrick Wardle - https://www.youtube.com/channel/UCfJ9rcyHeYzGbWFdEq9jVJA
● https://github.com/mathiasbynens/dotfiles/blob/master/.macos
● SANS courses
● https://www.mac4n6.com/ - great blog with great forensics articles
● https://www.cmdsec.com/ - great tool for security monitoring of MacOS based systems