1 of 31

MacOS Incident Response

Aung Myint Myat

2 of 31

Speaker Profile

Aung Myint Myat is currently working as a threat hunter at ExpressVPN in Singapore. I spend most of my time building security tools and hunting adversaries. From threat hunting and incident response to engineering security tools, I do all the cool stuff.

Disclaimer

  • Opinions expressed are solely my own and are not related to any of my previous or present employers.
  • The materials presented are based loosely on publicly available research and discoveries.
  • The examples shown in this presentation may violate corporate security policies. Proceed with caution and at your own risk.
  • I am not responsible for any damage or issues that may arise.

3 of 31

Contents

  • Introduction
  • Forensic Acquisition
  • Evidence Profiling
  • Forensics Artifacts
  • Logging and Analysis
  • Considerations with Incident Response
  • An Approach to macOS triaging

4 of 31

MacOS brief history

macOS is mostly found on endpoints.

Until OS X 10.12, the HFS+ file system was used.
  - Timestamps are limited to 1-second resolution
  - Dates beyond 2040 are not supported
  - Snapshots are not possible

APFS arrived with macOS 10.13 in 2017.
  - Solved all HFS+ issues
  - Full disk encryption is native
  - Instead of journaling, it uses Atomic Safe Save (ASS)

5 of 31

File Structure

User Domain

Home Directory
  - /Users/<username>/
  - .Trash
  - .zsh_history

Public Directory

User Library
  - /Users/<username>/Library/
  - Application sandboxes, Preferences, Caches

Network Domain

6 of 31

Standard Directories and Extensions

Directories

/bin - Standard binaries
/sbin - System binaries
/dev - Device files
/opt - Optional software
/private - tmp, var, etc config files

File Extensions

.dmg - Disk images
.kext - Kernel Extension (deprecated)
.plist - Property list
.app - Applications
.dylib - Dynamic Libraries
.pkg - Packages
.xar - Archive files (often installers)

7 of 31

Time

macOS follows 64-bit Unix time (APFS).

The file system tracks timestamps to nanosecond precision, but tools normally display them only to the second.

# stat -x <filename>
# GetFileInfo <filename>

# stat -f %Fa <filename> -> use a, m, c for access, modification, change time

8 of 31

Acquisition

Challenges

  • Physical disk access
  • Hardware Encryption
  • FileVault Encryption
  • Full Disk Access
  • System Integrity Protection

9 of 31

Acquisition Tools

Commercial Tools - Magnet AXIOM, Cellebrite

Direct Access tool - dd, hdiutil, dc3dd

Remote analysis tools - EDR, velociraptor

10 of 31

Image Mounting

Commercial tools

Mount on macOS - with apfs_mounts

Mount on Linux - with apfs_fuse
# apfs-fuse -o ro,allow_other ewf1 /mnt/apfs_mount

Make sure to mount read-only (rdonly), with noexec and noowners.

11 of 31

Mounting on Linux

12 of 31

Evidence Profiling

OS version, serial number

OS version - /System/Library/CoreServices/SystemVersion.plist

Serial Number - /private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C

13 of 31

Evidence Profiling

Time Zone

/etc/localtime

/Library/Preferences/.GlobalPreferences.plist

14 of 31

Evidence Profiling

User Accounts

/private/var/db/dslocal/nodes/Default/users
/private/var/db/dslocal/nodes/Default/groups

Note:
/etc/passwd doesn't show everything.
Each user account has a separate plist file.
Names starting with an underscore (_) are service accounts.

15 of 31

Evidence Profiling

Network Configurations

/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/preferences.plist
/private/var/db/dhcpclient/leases/
/Library/Preferences/com.apple.wifi.known-networks.plist

Information gathered: interface, network type, MAC address, model, computer name, network configuration, DNS information, proxies if in use, SSID, router IP and MAC, lease start date.

16 of 31

Dhcpclient leases

17 of 31

Artifacts: Account Activities

User Shell Artifacts

  • ~/.zshenv (optional)
  • ~/.zprofile
  • ~/.zshrc
  • ~/.zlogin
  • ~/.zlogout (optional)
  • /etc/zprofile
  • /etc/zshrc
  • /etc/zsh/zlogin

User history

  • ~/.zsh_history
  • ~/.zsh_sessions

Note: This applies to any other shells that might be on the system. Check under /etc/.

18 of 31

Artifacts: Account Activities

User Plist - /private/var/db/dslocal/nodes/Default/users/<username>.plist

19 of 31

Artifacts: Account Activities

Login History - /Library/Preferences/com.apple.loginwindow.plist

20 of 31

Artifacts: Account Activities

/Users/<username>/Library/Preferences/

Browser downloads

  • com.apple.LaunchServices.QuarantineEventsV*

Recently Accessed Files

  • com.apple.shared.plist
  • com.apple.recentitems.plist

Finder app

  • com.apple.finder.plist

Keychain preferences

  • com.apple.keychainaccess.plist

21 of 31

Artifacts: Persistence

Launch Daemons/ Launch Agents

System Startup (root or user)

  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons

User Login (user)

  • /Users/<username>/Library/LaunchAgents

22 of 31

Workflow to analyze Launchd Files

  01 Check unusual file names
  02 Check unusual modification dates
  03 Check file content
  04 Validate executable
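The four-step workflow above, implemented as an added example (not code from the presentation): each launchd plist is checked for an unusual name, a recent modification date, content that auto-starts a script interpreter or runs from a writable directory, and whether its executable actually exists. The sample plists, labels and paths are constructed for the demonstration; the 30-day "recent" window and the interpreter list are assumptions to tune per environment.

```python
import os, plistlib, re, tempfile, time

# Interpreters hide the real payload; temp or user-writable dirs are unusual homes for a daemon.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl", "ruby"}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+\.plist$")

def analyze_launchd_plist(path, recent_days=30):
    """Apply the four workflow steps to one plist and return the flags raised."""
    flags = []
    # 01 unusual file name: jobs are normally reverse-DNS labels ending in .plist
    if not LABEL_RE.match(os.path.basename(path)):
        flags.append("unusual-name")
    # 02 unusual modification date: changed shortly before the triage time
    if time.time() - os.stat(path).st_mtime < recent_days * 86400:
        flags.append("recently-modified")
    # 03 file content: how the job starts, what it runs and from where
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    exe = job.get("Program") or args[0]  # Program wins over ProgramArguments[0]
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        flags.append("auto-start")
    if os.path.basename(exe) in INTERPRETERS:
        flags.append("script-interpreter")
    if any(a.startswith(WRITABLE_DIRS) for a in args):
        flags.append("writable-location")
    # 04 validate executable: the program must exist and be executable on disk
    if not (os.path.isfile(exe) and os.access(exe, os.X_OK)):
        flags.append("executable-missing")
    return flags

def analyze_launchd_dir(root):
    # Map each plist in a LaunchAgents/LaunchDaemons directory to its flags
    return {n: analyze_launchd_plist(os.path.join(root, n))
            for n in sorted(os.listdir(root)) if n.endswith(".plist")}

def build_sample_dir():
    """Constructed evidence, not from a real host: a temp dir standing in for /Library/LaunchDaemons."""
    root = tempfile.mkdtemp()
    jobs = (("com.example.cleanup.plist", 400, {"Label": "com.example.cleanup", "Program": "/bin/ls"}),
            ("Update Helper.plist", 1, {"Label": "com.update.helper", "RunAtLoad": True,
                                        "ProgramArguments": ["/bin/sh", "-c", "/tmp/.cache/update"]}))
    for name, age_days, job in jobs:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            plistlib.dump(job, fh)
        ts = time.time() - age_days * 86400  # backdate mtime: 400 days old vs. yesterday
        os.utime(path, (ts, ts))
    return root
```

Point analyze_launchd_dir at a mounted image's LaunchAgents or LaunchDaemons directory; a job with no flags still deserves a look if its label is unfamiliar.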

23 of 31

Logging and Logs

Important Plaintext Logs

  • /var/log/system.log
  • /var/log/DiskUtility.log
  • /var/log/fsck_apfs.log
  • /var/log/wifi.log
  • /var/log/appfirewall.log

Application Logs

  • /Library/logs
  • ~/Library/logs
  • /Library/Application Support/<app_name>
  • /Applications

Binary Logs

Apple System Logs

  • /var/log/asl/*.asl

Apple Unified Logs (*.tracev3)

  • /var/db/diagnostics/
  • /var/db/uuidtext/

24 of 31

Viewing Apple log formats

ASL logs

  • # syslog -f <filename>.asl

AUL logs

  • # log collect → collects all the unified logs (live analysis)
  • # log show --last 1d > /path/unifiedlog_24h.log
  • Console app

25 of 31

Other Platform?

https://github.com/ydkhatri/mac_apt

26 of 31

mac_apt: Common Plugins for Forensics

ALL : Runs every plugin (around 39 currently available)

FAST : Runs all except UNIFIEDLOGS,SPOTLIGHT, and IDEVICEBACKUPS to speed up collection

SUDOLASTRUN : Last time sudo was run

TERMSESSIONS : Terminal activities

UNIFIEDLOGS : Read .tracev3 AUL files

UTMPX : Read login data

27 of 31

macOS Triage: An Approach

Collect Info & Context

OS version, serial number, boot time, hardware, account names, FDE, EDRs

Review unified logs

Suspicious process, error message, security alerts, network activities, login attempts

Time machines snapshots

In macOS 26 (Tahoe), only the OS update snapshot is available by default; where snapshots are available, consider mounting them.

Gather Volatile data

Running processes, network connections, ARP cache, logged-in users

Persistence & Auto-start

LaunchDaemons, LaunchAgents, Cron jobs, system profiles, browser extensions.

User Artifact Data

Shell artifacts, browser history, downloads, Gatekeeper logs.

28 of 31

AutoMacTC by CrowdStrike

https://github.com/CrowdStrike/automactc

29 of 31

Quick Wins with macOS

Unified File System Structure - Key user data is in /Users/<user>, and system-wide resources are in /System or /Library.

Fewer Places for Persistence - Mostly Launch Daemons/Agents, plus a few others (login items, cron jobs, kernel extensions).

Built-in Quarantine Info - macOS may tag downloaded files with the source URL.

Snapshots - Absolutely valuable and available by default.

Apple’s AUL - Contains everything that happened in the system. It is on by default. Fields are generous.
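The quarantine database mentioned under Browser downloads (com.apple.LaunchServices.QuarantineEventsV*) and again here is SQLite, so it can be read straight from a mounted image. As an added example (not from the presentation or from Apple), the script below builds a constructed sample database with a subset of the LSQuarantineEvent columns, opens it read-only, and converts the Cocoa timestamps, which count seconds from 2001-01-01 rather than 1970, to UTC. The column names follow the real schema; the event identifiers and URLs are constructed.

```python
import sqlite3, tempfile
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp is Cocoa time: seconds since 2001-01-01 UTC, not Unix time
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Subset of the LSQuarantineEvent columns that matter most for download triage
SCHEMA = """CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineOriginURLString TEXT)"""

def cocoa_to_utc(seconds):
    """Convert a Cocoa timestamp to an ISO 8601 UTC string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()

def read_quarantine_events(db_path):
    """Return download events oldest first: when, which app, from which URL."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # never write to evidence
    rows = con.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                                 LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString,
                                 LSQuarantineOriginURLString
                          FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp""").fetchall()
    con.close()
    return [{"time": cocoa_to_utc(ts), "agent": agent, "bundle": bundle,
             "data_url": data_url, "origin_url": origin_url}  # origin = referring page
            for ts, agent, bundle, data_url, origin_url in rows]

def build_sample_db():
    """Constructed evidence, not from a real host: a QuarantineEventsV2-style SQLite file."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)", [
        # 694224000 s after the Cocoa epoch is 2023-01-01T00:00:00Z
        ("EVT-0001", 694224000.0, "com.apple.Safari", "Safari",
         "https://downloads.example.invalid/Installer.dmg", "https://www.example.invalid/get"),
        ("EVT-0002", 694227600.0, "com.apple.mail", "Mail",
         "https://mail.example.invalid/attachment/report.pkg", None),
    ])
    con.commit()
    con.close()
    return path
```

On a real image the database lives under /Users/<username>/Library/Preferences/; the per-file com.apple.quarantine extended attribute carries the same agent and timestamp for individual files.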

30 of 31

Some other considerations

  • Profiles need to be set up properly for the EDRs to work.
  • EDRs are usually not very strong on macOS.
  • Logs on the Mac can be read, removed and modified by the users.
  • Establish the process to react in case of an incident.
    • How, When, Where, Who, What???

31 of 31

Thank you!