When Macs Get Hacked - SANS Computer Forensics

More documents

Recommendations

Info

Incident Response:Network Data – ARP Table arp –an! ifconfig!bit:~ user$ arp -an!? (169.254.204.125) at b8:c7:5d:cc:5:80 on en1 [ethernet]!? (172.16.152.255) at ff:ff:ff:ff:ff:ff on vmnet8 ifscope [ethernet]!? (172.16.243.255) at ff:ff:ff:ff:ff:ff on vmnet1 ifscope [ethernet]!? (192.168.1.1) at c0:3f:e:8c:59:59 on en1 ifscope [ethernet]!? (192.168.1.133) at 3c:7:54:3:65:20 on en1 ifscope [ethernet]!? (192.168.1.241) at 68:9:27:32:15:9c on en1 ifscope [ethernet]!? (192.168.1.254) at e0:69:95:50:4c:6 on en1 ifscope [ethernet]!? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]!…!bit:~ user$ ifconfig!en0: flags=8863 mtu 1500!!options=2b!!ether c4:2c:03:09:ca:fd !!media: autoselect (none)!!status: inactive!en1: flags=8863 mtu 1500!!ether 90:27:e4:f8:e6:5f !!inet6 fe80::9227:e4ff:fef8:e65f%en1 prefixlen 64 scopeid 0x5 !!inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255!!media: autoselect!!status: active!oompa@csh.rit.edu | @iamevltwin
Incident Response:Open Files lsof!bit:~ user$ lsof!COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME!loginwind 65 user cwd DIR 14,4 1156 2 /!loginwind 65 user txt REG 14,4 1421280 501728 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow!loginwind 65 user txt REG 14,4 118384 424796 /System/Library/LoginPlugins/FSDisconnect.loginPlugin/Contents/MacOS/FSDisconnect!loginwind 65 user txt REG 14,4 19328 281526 /private/var/folders/xq/yjffvqj90s313s17vy12w7nr0000gn/C/com.apple.scriptmanager.le.cache!loginwind 65 user txt REG 14,4 17284 27515 /System/Library/PrivateFrameworks/CoreWLANKit.framework/Versions/A/Resources/AirPort3.pdf!…!Mail 141 user 41u REG 14,4 1806336 604815 /Users/user/Library/Caches/com.apple.mail/Cache.db!Mail 141 user 42w REG 14,4 20748 282135 /Users/user/Library/Logs/Sync/syncservices.log!Mail 141 user 43u REG 14,4 40960 629603 /Users/user/Library/Application Support/AddressBook/MailRecentsv4.abcdmr!…!Google 144 user txt REG 14,4 270336 769873 /Users/user/Library/Caches/Google/Chrome/Default/Media Cache/data_1!Google 144 user txt REG 14,4 8192 769874 /Users/user/Library/Caches/Google/Chrome/Default/Media Cache/data_2!Google 144 user txt REG 14,4 8192 769875 /Users/user/Library/Caches/Google/Chrome/Default/Media Cache/data_3!oompa@csh.rit.edu | @iamevltwin
Page 1 and 2: When MacsGet HackedSarah Edwards@ia
Page 3 and 4: Current Threats:SuspiciousUseInside
Page 5 and 6: Current Threats:Imuler Hidden .app
Page 7 and 8: Current Threats:MacControl MS WordV
Page 9 and 10: Windows InvestigationsIncidentRespo
Page 11 and 12: Incident Response:MacQuisition by B
Page 13 and 14: Incident Response:MacResponse by AI
Page 15 and 16: Incident Response:System Informatio
Page 17: Incident Response:Network Data - Ro
Page 21 and 22: Incident Response:Running Processes
Page 23 and 24: Incident Response:System Profileroo
Page 25 and 26: Memory Analysis:Volafox http://code
Page 27 and 28: Memory Analysis:Volafoxoompa@csh.ri
Page 29 and 30: Mac AutorunsWhat XPC Services Launc
Page 31 and 32: Autoruns:XPC Services Exampleoompa@
Page 33 and 34: Autoruns:Launch Agents Agent - Back
Page 35 and 36: Autoruns:Launch Agents Examplesoomp
Page 37 and 38: Autoruns:Launch Daemons Daemon - Ba
Page 39 and 40: Autoruns:LoginItems Launched when u
Page 41 and 42: Autoruns:Deprecated Methods/etc/cro
Page 43 and 44: Internet HistoryWhat Browsers Safar
Page 45 and 46: Internet History:Safari - Downloads
Page 47 and 48: Internet History:Safari - Last Sess
Page 49 and 50: Internet History:Chrome - Internet
Page 51 and 52: Internet History:Chrome - Cache ~/L
Page 53 and 54: Internet History:FireFox - Cache ~/
Page 55 and 56: Email:Apple Mail ~/Library/Mail/V2/
Page 57 and 58: Email:Apple Mail - Attachments“Qu
Page 59 and 60: Temp & Cache Directories:Java Temp
Page 61 and 62: Java Temp & Cache:IDX File Contents
Page 64 and 65: Log Analysis:Apple System Logs Loca
Page 66 and 67: Log Analysis:Console.appoompa@csh.r
Page 68 and 69:
Log Analysis:syslog -T utc -F raw -
Page 70 and 71:
Log Analysis:praudit -xn /var/audit
Page 72 and 73:
Log Analysismonthly.out Account Aud
Page 74 and 75:
Log Analysis:Account CreationAudit
Page 76 and 77:
Log Analysis:install.logMay 27 11:5
Page 78 and 79:
Volume AnalysisWhat Log Files MRU F
Page 80 and 81:
Volume Analysis:kernel.log Search f
Page 82 and 83:
Volume Analysis:com.apple.finder.pl
Page 84 and 85:
Antivirus:File Quarantine Introduce
Page 86 and 87:
Antivirus:File Quarantine EventsLio
Page 88 and 89:
Antivirus:Extended AttributesComman
Page 90 and 91:
Antivirus:XProtect /System/Library/
Page 92 and 93:
Antivirus:GateKeeper 10.8 - Mountai
Page 94 and 95:
Anti-ForensicsWhat Encryption Optim
Page 96 and 97:
Anti-forensics:Other Encryption App
Page 98 and 99:
Other FilesWhat Kernel Extensions B
Page 100 and 101:
Other Files:CommandUsageBash Histor
Page 102 and 103:
Other Files:Application HookingFlas
Page 104 and 105:
Basic Reverse EngineeringWhat Basic
Page 106 and 107:
Basic Reverse Engineering:Static: l
Page 108 and 109:
Basic Reverse Engineering:Static: o
Page 110 and 111:
Basic Reverse Engineering:Dynamic:
Page 112 and 113:
Reverse Engineering:Dynamic: execsn
Page 114:
When MacsGet HackedSarah Edwards@ia
show all

When Macs Get Hacked - SANS Computer Forensics

Create successful ePaper yourself

Delete template?

Save as template?