When Macs Get Hacked - SANS Computer Forensics

More documents

Recommendations

Info

Antivirus: XProtect /System/Library/CoreServices/ CoreTypes.bundle/Contents/Resources XProtect.meta.plist Last Update Date & Version XProtect.plist AV Signatures Weaknesses Apple updates it, sometimes. Very few signatures on blacklist No Heuristics Only checks “quarantined” files oompa@csh.rit.edu | @iamevltwin
Antivirus: XProtect oompa@csh.rit.edu | @iamevltwin
Page 1 and 2:
When Macs Get Hacked Sarah Edwards
Page 3 and 4:
Current Threats: Suspicious Use Key
Page 5 and 6:
Current Threats: Imuler Hidden .app
Page 7 and 8:
Current Threats: MacControl MS Word
Page 9 and 10:
Windows Investigations Incident Res
Page 11 and 12:
Incident Response: MacQuisition by
Page 13 and 14:
Incident Response: MacResponse by A
Page 15 and 16:
Incident Response: System Informati
Page 17 and 18:
Incident Response: Network Data - R
Page 19 and 20:
Incident Response: Open Files lsof!
Page 21 and 22:
Incident Response: Running Processe
Page 23 and 24:
Incident Response: System Profiler
Page 25 and 26:
Memory Analysis: Volafox http://cod
Page 27 and 28:
Memory Analysis: Volafox oompa@csh.
Page 29 and 30:
Mac Autoruns What XPC Services Laun
Page 31 and 32:
Autoruns: XPC Services Example oomp
Page 33 and 34:
Autoruns: Launch Agents Agent - Bac
Page 35 and 36:
Autoruns: Launch Agents Examples oo
Page 37 and 38:
Autoruns: Launch Daemons Daemon - B
Page 39 and 40: Autoruns: LoginItems Launched when
Page 41 and 42: Autoruns: Deprecated Methods /etc/c
Page 43 and 44: Internet History What Browsers Safa
Page 45 and 46: Internet History: Safari - Download
Page 47 and 48: Internet History: Safari - Last Ses
Page 49 and 50: Internet History: Chrome - Internet
Page 51 and 52: Internet History: Chrome - Cache ~/
Page 53 and 54: Internet History: FireFox - Cache ~
Page 55 and 56: Email: Apple Mail ~/Library/Mail/V2
Page 57 and 58: Email: Apple Mail - Attachments “
Page 59 and 60: Temp & Cache Directories: Java Temp
Page 61 and 62: Java Temp & Cache: IDX File Content
Page 63 and 64: Log Analysis What Apple System Logs
Page 65 and 66: Log Analysis: Console.app oompa@csh
Page 67 and 68: Log Analysis: syslog Command oompa@
Page 69 and 70: Log Analysis: Audit Logs Location:
Page 71 and 72: Log Analysis: User Logins / Logouts
Page 73 and 74: Log Analysis: Privilege Escalation
Page 75 and 76: Log Analysis: Firewall Logs Locatio
Page 77 and 78: Log Analysis: Log Recovery Logs get
Page 79 and 80: Volume Analysis: system.log & daily
Page 81 and 82: Volume Analysis: kernel.log Jun 3 1
Page 83 and 84: Antivirus What Extended Attributes
Page 85 and 86: Antivirus: File Quarantine Applicat
Page 87 and 88: Antivirus: File Quarantine Quaranti
Page 89: Antivirus: Extended Attributes ! co
Page 93 and 94: Antivirus: Third-Party Software Kas
Page 95 and 96: Anti-forensics: FileVault Encryptio
Page 97 and 98: Anti-forensics: Optimization Softwa
Page 99 and 100: Other Files: Kernel Extensions Dyna
Page 101 and 102: Other Files: User Accounts /private
Page 103 and 104: Other Files: Shared Directory /User
Page 105 and 106: Basic Reverse Engineering: Static:
Page 107 and 108: Basic Reverse Engineering: Static:
Page 109 and 110: Basic Reverse Engineering: Dynamic:
Page 111 and 112: Basic Reverse Engineering: Dynamic:
Page 113 and 114: Basic Reverse Engineering: Other To
show all

When Macs Get Hacked - SANS Computer Forensics

Create successful ePaper yourself

Delete template?

Save as template?