Hipster DFIR on OSX Incident Response Tools So Cool You've Never Heard of Them 

Who Am I? GitHub Since 2012 DFIR Since 2006 Mac User Since 1989 Curious Since 1983 

Trust me! SOC’d Intel’d & DFIR’d @ Symantec Mandiant + Vigilant 

My First Computer… 

DFIR @ GitHub 

Getting Started 

Why Bother? 

No content

No content

No content

No content

Market Share From MacRumors.com 

Support is… “Meh” 

On vs. On 

A Bit About 

Problems Location, OS, & Attitude 

Problems Location, Platform, & Attitude Challenges 

Location 

Challenge: No Hands On 

~100% OSX On the Desktop Platform 

~100% Linux In the Datacenter Platform 

Challenge: Limited Tools 

Attitude Trust, Openness, & Transparency 

Challenge: No Draconian Tactics 

Bonus! We ❤ Open Source… 

Concepts You’ll Need 

Next* NS* 

Its Unix w/ Windows And OSX 

Plists 

Property lists organize data into named values and lists of values using several Core Foundation types: CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary. These types give you the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible. 

Binary*, XML, & JSON * Almost always the binary… 

Year Of Birth 1965 Pets Names Picture PEKBpYGlmYFCPA== City of Birth Springfield Name John Doe Kids Names John Kyra 

No content

Mach-O 

HFS+ 

Kexts 

GateKeeper & XProtect 

Persistance Mechanisms 

Persistance Mechanisms - cron jobs - Yup… just like basic Linux cron - No admin necessary 

Persistance Mechanisms - cron jobs - kexts - OSX’s kernal extensions/modules - Needs admin privileges to install, but can do almost anything… - Defaults to: /System/Library/Extensions 

Persistance Mechanisms - cron jobs - kexts - launchdaemons - The “common” way for admin level binaries to persist across reboots - launchd is the first process and kicks off launch agents & daemons - Described by plist lauchd item 

Persistance Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Deprecated… but still works! - Requires startup script & a plist in: - /Library/StartupItems - /System/Library/StartupItems - Starts up with operating system 

Persistance Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Login Items - The “common” way for desktop userland applications to start up - User specific - User configurable without admin rights 

Persistance Mechanisms - cron jobs - kexts - launchdaemons - Startup Items - Login Items - Login/Logout Hooks - Deprecated… but still works! - User specific - Just writes the script to execute to com.apple.loginwindow.plist and specify either LoginHook or LogoutHook 

Persistance Mechanisms - OSX “helps” you out and automatically re-opens applications at startup - Persists lost of state, like browser tabs in Safari & Chrome and docs in Pages - Defaults to On in 10.10 - cron jobs - kexts - launchdaemons - Startup Items - Login Items - Login/Logout hooks - Re-opened Applications 

Tools 

Alerting Triage Forensics Malware Reporting 

Linux Tools Are Usable Mostly… 

VM Support is Awesome VMWare Fusion, VirtualBox, Docker, Vagrant etc 

Built In Tools That Make Life Easier 

/var/log 

Console 

Activity Monitor 

Xcode & DTrace 

Xcode - Apple’s Developer Suite - Development - Debugging - Instruments - Debugging & Monitoring with Dtrace - Commandline Tools 

No content

netstat & lsof 

awk/sed/grep 

python & ruby 

Non Security Tools You Should Install 

HomeBrew & Cask 

./jq 

No content

No content

No content

No content

Apple Remote Desktop 

Open Source Tools That Make me ☺ 

OSXCollector - Zero dependency OSX live response tool - Built by the security team at Yelp based on OSXAuditor - Copies key system state and log files for off host analysis - Built in filters for quickly identifying common patterns 

No content

No content

- Host instrumentation for OSX & Linux - Exposes the operating system as a series of SQLite tables - Framework that allows lots of customization but needs integration Written by this handsome devil: Facebook’s @marpaia (& @theopolis) osquery 

No content

ELK - 3 services = 1 Log management platform - High effort/high reward - Take a look at Yelp’s ElastAlert 

No content

Yara - Malware centric Pattern Matching - Disk & Network - Highly Integratabtle rule leverage_a { meta: author = "[email protected]" version = "1.0" description = "OSX/Leverage.A" date = "2013/09" strings: $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:" $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'" $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'" $properties = "serverVisible \x00" condition: all of them } OSX/Leverage Rule from AlienVault } 

- Remote Forensics & Host Sweeping Tool - Cross Platform: OSX & Linux (& Windows) - Add in Rekall (MemForensics) & ForensicArtifacts.com - Great API & Easy PoC 

No content

- “The” OSS Memory Forensics Tool - Tons of Plugins (including OSX specific) to look for different data structures and techniques - Worth the time to get setup ahead of time 

$ python vol.py --info | grep mac_ mac_arp - Prints the arp table mac_check_syscalls - Checks to see if system call table entries are hooked mac_check_sysctl - Checks for unknown sysctl handlers mac_check_trap_table - Checks to see if system call table entries are hooked mac_dead_procs - Prints terminated/de-allocated processes mac_dmesg - Prints the kernel debug buffer mac_dump_maps - Dumps memory ranges of processes mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images mac_ifconfig - Lists network interface information for all devices mac_ip_filters - Reports any hooked IP filters mac_list_sessions - Enumerates sessions mac_list_zones - Prints active zones mac_ls_logins - Lists login contexts mac_lsmod - Lists loaded kernel modules mac_lsof - Lists per-process opened files mac_machine_info - Prints machine information about the sample mac_mount - Prints mounted device information mac_netstat - Lists active per-process network connections mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext) mac_pgrp_hash_table - Walks the process group hash table mac_pid_hash_table - Walks the pid hash table mac_print_boot_cmdline - Prints kernel boot arguments mac_proc_maps - Gets memory maps of processes mac_psaux - Prints processes with arguments in user land (**argv) mac_pslist - List Running Processes mac_pstree - Show parent/child relationship of processes mac_psxview - Find hidden processes with various process listings mac_route - Prints the routing table mac_tasks - List Active Tasks mac_trustedbsd - Lists malicious trustedbsd policies mac_version - Prints the Mac version mac_vfs_events - Lists Mac VFS Events mac_volshell - Shell in the memory image mac_yarascan - A shell in the mac memory image 

FIR - “FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind” - Entity extraction & autolinking to common data sites - Minimal (in a good way) but comprehensive 

No content

Paid Security Tools I Like & Use 

Paterva Maltego - Infrastructure Reconnaissance Tool? - Network Visualization & Analysis Tool? - Mash Up & Pivot Tool! - LEARN TO WRITE YOUR OWN TRANSFORMS!!!! 

No content

No content

Hopper - A Mac Dissassembler and Binary Analysis Tool - Somewhat dev focused - Somewhat security focused - Great Value! 

Other Tools - The Sleuth Kit & Autopsy - Traditional Forensics - Wireshark & tcpdump - Network Monitoring - 0xED - Hex Editor 

Resources 

People - @blackbagtech - @dinodaizovi - @iamevltwin - @mikearpaia - @osquery - @osxreverser - @patrickwardle - @robtlee - @sansforensics - @synack 

Sites https://reverse.put.as/ http://www.mac4n6.com/ http://www.thesafemac.com/ https://objective-see.com/ 

Books - Mac OS X and iOS Internals - Mac Hacker's Handbook - iOS Hacker's Handbook 

Courses SANS FOR518: Mac Forensic Analysis 

Hardening - http://iase.disa.mil/stigs/os/mac/Pages/mac-os.aspx - https://github.com/google/santa/ - https://www.usenix.org/conference/lisa13/os-x-hardening- securing-large-global-mac-fleet - https://github.com/drduh/OS-X-Yosemite-Security-and- Privacy-Guide 

Conclusion 

Concepts - PLists, Mach-O, HFS+, Kexts, Gate Keeper, & XProtect - Get Started: OSXCollector, ./jq, & FIR - Advance To: osquery, GRR, Yara, Maltego, & Hopper 

GitHub Security Is Growing!! - DFIR - Logging - IAM 

Thanks & Questions??? 

No content