When Macs Get Hacked - SANS Computer Forensics

More documents

Recommendations

Info

Current Threats:Flashback Infected 600,000+systems $10,000/day ad-clickrevenue for attackers Java Vulnerabilities Fake Adobe FlashInstaller Drive-by-Download CompromisedWordpress BlogsImage Source: http://www.cultofmac.com/124840/new-flashback-os-xtrojan-is-in-the-wild-and-it-can-kill-os-xs-anti-malware-scams/oompa@csh.rit.edu | @iamevltwin
Current Threats:Imuler Hidden .app filein Zip Archive Installs backdoor InformationStealer Files ScreenshotsImage Source: http://blog.eset.com/2012/03/16/osximuler-updated-still-athreat-on-mac-os-xoompa@csh.rit.edu | @iamevltwin
Page 1 and 2: When MacsGet HackedSarah Edwards@ia
Page 3: Current Threats:SuspiciousUseInside
Page 7 and 8: Current Threats:MacControl MS WordV
Page 9 and 10: Windows InvestigationsIncidentRespo
Page 11 and 12: Incident Response:MacQuisition by B
Page 13 and 14: Incident Response:MacResponse by AI
Page 15 and 16: Incident Response:System Informatio
Page 17 and 18: Incident Response:Network Data - Ro
Page 19 and 20: Incident Response:Open Files lsof!b
Page 21 and 22: Incident Response:Running Processes
Page 23 and 24: Incident Response:System Profileroo
Page 25 and 26: Memory Analysis:Volafox http://code
Page 27 and 28: Memory Analysis:Volafoxoompa@csh.ri
Page 29 and 30: Mac AutorunsWhat XPC Services Launc
Page 31 and 32: Autoruns:XPC Services Exampleoompa@
Page 33 and 34: Autoruns:Launch Agents Agent - Back
Page 35 and 36: Autoruns:Launch Agents Examplesoomp
Page 37 and 38: Autoruns:Launch Daemons Daemon - Ba
Page 39 and 40: Autoruns:LoginItems Launched when u
Page 41 and 42: Autoruns:Deprecated Methods/etc/cro
Page 43 and 44: Internet HistoryWhat Browsers Safar
Page 45 and 46: Internet History:Safari - Downloads
Page 47 and 48: Internet History:Safari - Last Sess
Page 49 and 50: Internet History:Chrome - Internet
Page 51 and 52: Internet History:Chrome - Cache ~/L
Page 53 and 54: Internet History:FireFox - Cache ~/
Page 55 and 56:
Email:Apple Mail ~/Library/Mail/V2/
Page 57 and 58:
Email:Apple Mail - Attachments“Qu
Page 59 and 60:
Temp & Cache Directories:Java Temp
Page 61 and 62:
Java Temp & Cache:IDX File Contents
Page 64 and 65:
Log Analysis:Apple System Logs Loca
Page 66 and 67:
Log Analysis:Console.appoompa@csh.r
Page 68 and 69:
Log Analysis:syslog -T utc -F raw -
Page 70 and 71:
Log Analysis:praudit -xn /var/audit
Page 72 and 73:
Log Analysismonthly.out Account Aud
Page 74 and 75:
Log Analysis:Account CreationAudit
Page 76 and 77:
Log Analysis:install.logMay 27 11:5
Page 78 and 79:
Volume AnalysisWhat Log Files MRU F
Page 80 and 81:
Volume Analysis:kernel.log Search f
Page 82 and 83:
Volume Analysis:com.apple.finder.pl
Page 84 and 85:
Antivirus:File Quarantine Introduce
Page 86 and 87:
Antivirus:File Quarantine EventsLio
Page 88 and 89:
Antivirus:Extended AttributesComman
Page 90 and 91:
Antivirus:XProtect /System/Library/
Page 92 and 93:
Antivirus:GateKeeper 10.8 - Mountai
Page 94 and 95:
Anti-ForensicsWhat Encryption Optim
Page 96 and 97:
Anti-forensics:Other Encryption App
Page 98 and 99:
Other FilesWhat Kernel Extensions B
Page 100 and 101:
Other Files:CommandUsageBash Histor
Page 102 and 103:
Other Files:Application HookingFlas
Page 104 and 105:
Basic Reverse EngineeringWhat Basic
Page 106 and 107:
Basic Reverse Engineering:Static: l
Page 108 and 109:
Basic Reverse Engineering:Static: o
Page 110 and 111:
Basic Reverse Engineering:Dynamic:
Page 112 and 113:
Reverse Engineering:Dynamic: execsn
Page 114:
When MacsGet HackedSarah Edwards@ia
show all

When Macs Get Hacked - SANS Computer Forensics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?