When Macs Get Hacked - SANS Computer Forensics

More documents

Recommendations

Info

Internet History: Chrome - Cache ~/Library/Caches/Google/Chrome/ Default/Cache/ “data_#” index – “Chromium Disk Cache” bit:Cache oompa$ pwd! /Users/oompa/Library/Caches/Google/Chrome/Default/Cache! bit:Cache oompa$ file * | more! data_0: data! data_1: data! data_2: data! data_3: data! data_4: data! f_00000b: gzip compressed data, was "hs.base.js", from Unix, last modified: Thu May 10 14:40:25 2012! f_00000c: gzip compressed data, was "dashboard.css", from Unix, last modified: Thu May 10 14:40:16 2012! f_00000d: gzip compressed data, was "hs.dashboard.js", from Unix, last modified: Thu May 10 14:41:14 2012! f_00000e: PNG image data, 119 x 608, 8-bit/color RGBA, non-interlaced! f_00000f: gzip compressed data, was "hs.dependencies.streams.js", from Unix, last modified: Thu May 10 14:42:20 2012! f_000010: HTML document text! f_000011: PNG image data, 214 x 224, 8-bit/color RGBA, non-interlaced! f_000012: gzip compressed data, was "staticlegacy.css", from Unix, last modified: Thu May 10 14:41:05 2012! f_000014: JPEG image data, JFIF standard 1.01! oompa@csh.rit.edu | @iamevltwin
Internet History: Chrome - Cache ~/Library/Caches/Google/Chrome/ Default/Media Cache/ “data_#” index – “Chromium Disk Cache” bit:Media Cache oompa$ pwd! /Users/oompa/Library/Caches/Google/Chrome/Default/Media Cache! bit:Media Cache oompa$ file * | more! data_0: data! data_1: data! data_2: data! data_3: data! f_000001: ISO Media, MPEG v4 system, version 1! f_000002: data! f_000003: data! f_000004: data! f_000005: ISO Media, MPEG v4 system, version 1! f_000006: data! f_000007: data! f_000008: data! f_000009: ISO Media, MPEG v4 system, version 1! oompa@csh.rit.edu | @iamevltwin
Page 1 and 2: When Macs Get Hacked Sarah Edwards
Page 3 and 4: Current Threats: Suspicious Use Key
Page 5 and 6: Current Threats: Imuler Hidden .app
Page 7 and 8: Current Threats: MacControl MS Word
Page 9 and 10: Windows Investigations Incident Res
Page 11 and 12: Incident Response: MacQuisition by
Page 13 and 14: Incident Response: MacResponse by A
Page 15 and 16: Incident Response: System Informati
Page 17 and 18: Incident Response: Network Data - R
Page 19 and 20: Incident Response: Open Files lsof!
Page 21 and 22: Incident Response: Running Processe
Page 23 and 24: Incident Response: System Profiler
Page 25 and 26: Memory Analysis: Volafox http://cod
Page 27 and 28: Memory Analysis: Volafox oompa@csh.
Page 29 and 30: Mac Autoruns What XPC Services Laun
Page 31 and 32: Autoruns: XPC Services Example oomp
Page 33 and 34: Autoruns: Launch Agents Agent - Bac
Page 35 and 36: Autoruns: Launch Agents Examples oo
Page 37 and 38: Autoruns: Launch Daemons Daemon - B
Page 39 and 40: Autoruns: LoginItems Launched when
Page 41 and 42: Autoruns: Deprecated Methods /etc/c
Page 43 and 44: Internet History What Browsers Safa
Page 45 and 46: Internet History: Safari - Download
Page 47 and 48: Internet History: Safari - Last Ses
Page 49: Internet History: Chrome - Internet
Page 53 and 54: Internet History: FireFox - Cache ~
Page 55 and 56: Email: Apple Mail ~/Library/Mail/V2
Page 57 and 58: Email: Apple Mail - Attachments “
Page 59 and 60: Temp & Cache Directories: Java Temp
Page 61 and 62: Java Temp & Cache: IDX File Content
Page 63 and 64: Log Analysis What Apple System Logs
Page 65 and 66: Log Analysis: Console.app oompa@csh
Page 67 and 68: Log Analysis: syslog Command oompa@
Page 69 and 70: Log Analysis: Audit Logs Location:
Page 71 and 72: Log Analysis: User Logins / Logouts
Page 73 and 74: Log Analysis: Privilege Escalation
Page 75 and 76: Log Analysis: Firewall Logs Locatio
Page 77 and 78: Log Analysis: Log Recovery Logs get
Page 79 and 80: Volume Analysis: system.log & daily
Page 81 and 82: Volume Analysis: kernel.log Jun 3 1
Page 83 and 84: Antivirus What Extended Attributes
Page 85 and 86: Antivirus: File Quarantine Applicat
Page 87 and 88: Antivirus: File Quarantine Quaranti
Page 89 and 90: Antivirus: Extended Attributes ! co
Page 91 and 92: Antivirus: XProtect oompa@csh.rit.e
Page 93 and 94: Antivirus: Third-Party Software Kas
Page 95 and 96: Anti-forensics: FileVault Encryptio
Page 97 and 98: Anti-forensics: Optimization Softwa
Page 99 and 100: Other Files: Kernel Extensions Dyna
Page 101 and 102:
Other Files: User Accounts /private
Page 103 and 104:
Other Files: Shared Directory /User
Page 105 and 106:
Basic Reverse Engineering: Static:
Page 107 and 108:
Basic Reverse Engineering: Static:
Page 109 and 110:
Basic Reverse Engineering: Dynamic:
Page 111 and 112:
Basic Reverse Engineering: Dynamic:
Page 113 and 114:
Basic Reverse Engineering: Other To
show all

When Macs Get Hacked - SANS Computer Forensics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?