OS X Incident Response

Scripting and Analysis
 
 
Syngress (Verlag)
  • 1. Auflage
  • |
  • erschienen am 7. Mai 2016
  • |
  • 270 Seiten
 
E-Book | ePUB mit Adobe DRM | Systemvoraussetzungen
E-Book | PDF mit Adobe DRM | Systemvoraussetzungen
978-0-12-804503-9 (ISBN)
 

OS X Incident Response: Scripting and Analysis is written for analysts who are looking to expand their understanding of a lesser-known operating system. By mastering the forensic artifacts of OS X, analysts will set themselves apart by acquiring an up-and-coming skillset.

Digital forensics is a critical art and science. While forensics is commonly thought of as a function of a legal investigation, the same tactics and techniques used for those investigations are also important in a response to an incident. Digital evidence is not only critical in the course of investigating many crimes but businesses are recognizing the importance of having skilled forensic investigators on staff in the case of policy violations.

Perhaps more importantly, though, businesses are seeing enormous impact from malware outbreaks as well as data breaches. The skills of a forensic investigator are critical to determine the source of the attack as well as the impact. While there is a lot of focus on Windows because it is the predominant desktop operating system, there are currently very few resources available for forensic investigators on how to investigate attacks, gather evidence and respond to incidents involving OS X. The number of Macs on enterprise networks is rapidly increasing, especially with the growing prevalence of BYOD, including iPads and iPhones.

Author Jaron Bradley covers a wide variety of topics, including both the collection and analysis of the forensic pieces found on the OS. Instead of using expensive commercial tools that clone the hard drive, you will learn how to write your own Python and bash-based response scripts. These scripts and methodologies can be used to collect and analyze volatile data immediately.


  • Focuses exclusively on OS X attacks, incident response, and forensics
  • Provides the technical details of OS X so you can find artifacts that might be missed using automated tools
  • Describes how to write your own Python and bash-based response scripts, which can be used to collect and analyze volatile data immediately
  • Covers OS X incident response in complete technical detail, including file system, system startup and scheduling, password dumping, memory, volatile data, logs, browser history, and exfiltration


Jaron Bradley has a background in host-based incident response and forensics. He entered the information security field as an incident responder immediately after graduating from Eastern Michigan University, where he received his degree in Information Assurance. He now works as a Senior Intrusion Analyst, with a focus on OS X and Linux based attacks.
  • Englisch
  • San Diego
  • |
  • USA
Elsevier Science
  • 42,07 MB
978-0-12-804503-9 (9780128045039)
0128045035 (0128045035)
weitere Ausgaben werden ermittelt
  • Cover
  • Title Page
  • Copyright Page
  • Contents
  • Acknowledgments
  • Chapter 1 - Introduction
  • Is there really a threat to OS X?
  • What is OS X
  • The XNU Kernel
  • Digging Deeper
  • Requirements
  • Forensically sound versus incident response
  • Incident Response Process
  • The Kill Chain
  • Applying the Killchain
  • Analysis environment
  • Malware Scenario
  • Chapter 2 - Incident Response Basics
  • Introduction
  • Picking a language
  • Python
  • Ruby
  • Bash
  • Root versus nonroot
  • Yara
  • Basic Commands for Every Day Analysis
  • grep
  • egrep
  • cut
  • awk
  • sed
  • sort
  • uniq
  • Starting an IR Script
  • Collection
  • Analysis
  • Analysis Scripts
  • Yarafly.sh
  • Yara Results Sorted and Counted
  • Conclusion
  • Chapter 3 - Bash Commands
  • Introduction
  • Basic Bash commands
  • System Info
  • date
  • hostname
  • uptime
  • sw_vers
  • uname (-a)
  • spctl (--status)
  • bash -version
  • Who Info
  • whoami
  • who
  • w
  • finger (-m)
  • last ()
  • screen (-ls) (-x)
  • User information
  • id
  • groups
  • printenv
  • dscl . -ls /Users
  • Process Information
  • ps (aux)
  • Network Information
  • ifconfig
  • netstat (-ru) (-an)
  • lsof (-p ) (-i)
  • smbutil (statshares -a)
  • arp (-a)
  • security dump-trust-settings (-s) (-d)
  • networksetup
  • System startup
  • launchctl list
  • crontab -l
  • atq
  • kextstat
  • Additional Commands
  • mdfind (-name) (-onlyin)
  • sysctl (-a)
  • history
  • security list-keychains
  • nvram
  • du -h
  • diskutil list
  • Miscellaneous
  • codesign (-d) (-vv)
  • file
  • md5
  • tcpdump
  • printenv
  • nettop (-m)
  • DTrace
  • Bash Environment Variables
  • Scripting the Collection
  • Analysis
  • Conclusion
  • Chapter 4 - File System
  • Introduction
  • Brief history
  • HFS+ overview
  • Volume Header
  • Allocation File
  • Catalog File
  • Attributes B-Tree
  • Inodes, Timestamps, Permissions, and Ownership
  • Inodes
  • Timestamps
  • Timestamps for Files
  • Timestamps for Folders
  • Permissions
  • Special File Permissions
  • Directory Permissions
  • Sticky Bit
  • Extended Attributes
  • Access Control Lists
  • Resource Forks
  • File Types and Traits
  • OS X Specific File Extensions
  • .dmg
  • .kext
  • .plist
  • .app
  • .dylib
  • .pkg
  • Mach-O binary
  • Popular Scripting Languages Found on OS X
  • File Hierarchy Layout
  • /Applications
  • /Library
  • /System
  • /Users
  • /Volumes
  • /.vol
  • /bin
  • /usr
  • /cores
  • /sbin
  • /dev
  • /etc
  • /tmp
  • /private
  • /var
  • Miscellaneous Files
  • Hidden Files and Directories
  • .DS_Store
  • .Spotlight-V100
  • .metadata_never_index
  • .noindex
  • File Artifacts
  • Logs and Rotation
  • Key File Artifacts
  • ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*
  • ~/.bash_history
  • /etc/profile
  • /etc/bashrc
  • ~/.bash_profile | ~/.bash_login | ~/.profile | ~/.bashrc
  • ~/.bash_logout
  • /var/log/system.log
  • /private/var/log/asl/*.asl
  • ~/Library/Preferences/com.apple.recentitems.plist
  • ~/Library/Preferences/com.apple.finder.plist
  • ~Library/Preferences/com.apple.loginitems.plist
  • ~/Library/Logs/DiskUtility.log
  • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
  • /private/etc/resolv.conf
  • /private/var/db/launchd.db/com.apple.launchd/overrides.plist
  • /private/etc/kcpassword
  • /private/etc/sudoers
  • /private/etc/hosts
  • /private/var/log/fsck_hfs.log
  • /Library/Logs/AppleFileService/AppleFileServiceError.log
  • /var/log/apache2/access_log
  • /var/log/apache2/error_log
  • /var/log/opendirectoryd.log
  • /var/log/wifi.log
  • /var/log/appfirewall.log
  • /var/log/hdiejectd.log
  • /var/log/install.log
  • /var/audit/*
  • Collection
  • Timestamps
  • Getting a File Listing
  • The catch
  • Collecting File Artifacts
  • Analysis Scripting
  • Analysis
  • Conclusion
  • Further Reading
  • Chapter 5 - System Startup and Scheduling
  • Introduction
  • System Boot
  • Launchd-The Beginning and End
  • Launch Agents Versus Launch Daemons
  • Breaking Down a Property List
  • Binary Property Lists
  • launchctl
  • Listing Active Property Lists with launchctl
  • Editing Property Lists Using Defaults
  • Property List Overrides
  • Crontab
  • Persistence via KEXT
  • Additional KEXT Commands
  • Less Popular Persistence Methods
  • Collection
  • Analysis
  • Conclusion
  • Chapter 6 - Browser Analysis
  • Introduction
  • Safari
  • Safari History Plist
  • Safari History Database
  • Safari Downloads
  • Other Safari Files of Interest
  • Chrome
  • Chrome History
  • Chrome Downloads
  • Other Chrome Files of Interest
  • Firefox
  • Firefox History
  • Downloads
  • Other Firefox Files of Interest
  • Opera
  • Collection
  • Analysis Scripts
  • Timeline the Data
  • Analysis
  • Conclusion
  • Chapter 7 - Memory Analysis
  • Introduction
  • What Tools Do We Need?
  • The Artifacts
  • Physical Memory
  • Swap Files
  • /private/var/vm/swapfile0
  • /private/var/vm/sleepimage
  • Know your Options
  • Memory Acquisition
  • Analysis Tools
  • Strings and Grep
  • Volatility
  • Processes
  • mac_tasks
  • mac_psaux
  • mac_dead_procs
  • mac_psxview
  • mac_netstat
  • mac_network_conns
  • mac_check_syscalls
  • mac_recover_filesystem
  • mac_arp
  • mac_bash
  • mac_procdump
  • Taking it Further
  • Live Memory Analysis
  • Collection
  • Analysis
  • Volatility Analysis
  • Conclusion
  • Chapter 8 - Privilege Escalation & Passwords
  • Introduction
  • Privileges
  • A Quick Note on System Integrity Protection-(Rootless)
  • Privilege Escalation
  • Root Through Standard Installation
  • Social Engineering at the User Level
  • Sudo Piggybacking
  • Setuid Exploitation
  • CVE-2013-1775-Sudo and the System Clock Exploit
  • Shellshock
  • Passwords
  • The Keychain and the Security Command
  • Dumping Login Hashes
  • Quick Hash Dump
  • Dave Grohl
  • Keychaindump
  • Collection
  • Analysis
  • Conclusion
  • Chapter 9 - Exfiltration
  • Introduction
  • How Valuable Data Is Located
  • find
  • mdfind
  • How Data Is Archived
  • tar
  • zip
  • ditto
  • Home Brewed
  • Detecting Archived Files by Timestamp
  • Compression Tools
  • gzip
  • compress
  • bzip2
  • xz, lzma
  • How Attackers Transfer Data
  • FTP/SFTP
  • SCP
  • netcat
  • SMB
  • E-Mail
  • Backdoor
  • Mounting Shares
  • Collection
  • exfiltrator.py
  • Analysis
  • Conclusion
  • Chapter 10 - The Timeline
  • December 2015 Intrusion Timeline
  • Wrapping Up
  • Chapter 11 - Advanced Malware Techniques and System Protection
  • Introduction
  • Advanced Malware Techniques
  • Dylib Hijacking
  • Scanning for Vulnerable Dylibs
  • DYLD_INSERT_LIBRARIES
  • Patching Binaries
  • Bash Tricks
  • SSH authorized_keys
  • Additional ASEPS
  • ~/.MacOSX/environment.plist
  • Plugins
  • Periodic
  • System Protection
  • Quarantine and Gatekeeper
  • X-Protect
  • Sandbox
  • System Integrity Protection
  • Conclusion
  • Subject Index
  • Back Cover

Dateiformat: EPUB
Kopierschutz: Adobe-DRM (Digital Rights Management)

Systemvoraussetzungen:

Computer (Windows; MacOS X; Linux): Installieren Sie bereits vor dem Download die kostenlose Software Adobe Digital Editions (siehe E-Book Hilfe).

Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions (siehe E-Book Hilfe).

E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat EPUB ist sehr gut für Romane und Sachbücher geeignet - also für "fließenden" Text ohne komplexes Layout. Bei E-Readern oder Smartphones passt sich der Zeilen- und Seitenumbruch automatisch den kleinen Displays an. Mit Adobe-DRM wird hier ein "harter" Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.

Weitere Informationen finden Sie in unserer E-Book Hilfe.


Dateiformat: PDF
Kopierschutz: Adobe-DRM (Digital Rights Management)

Systemvoraussetzungen:

Computer (Windows; MacOS X; Linux): Installieren Sie bereits vor dem Download die kostenlose Software Adobe Digital Editions (siehe E-Book Hilfe).

Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions (siehe E-Book Hilfe).

E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat PDF zeigt auf jeder Hardware eine Buchseite stets identisch an. Daher ist eine PDF auch für ein komplexes Layout geeignet, wie es bei Lehr- und Fachbüchern verwendet wird (Bilder, Tabellen, Spalten, Fußnoten). Bei kleinen Displays von E-Readern oder Smartphones sind PDF leider eher nervig, weil zu viel Scrollen notwendig ist. Mit Adobe-DRM wird hier ein "harter" Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.

Weitere Informationen finden Sie in unserer E-Book Hilfe.


Download (sofort verfügbar)

51,11 €
inkl. 19% MwSt.
Download / Einzel-Lizenz
ePUB mit Adobe DRM
siehe Systemvoraussetzungen
PDF mit Adobe DRM
siehe Systemvoraussetzungen
Hinweis: Die Auswahl des von Ihnen gewünschten Dateiformats und des Kopierschutzes erfolgt erst im System des E-Book Anbieters
E-Book bestellen

Unsere Web-Seiten verwenden Cookies. Mit der Nutzung des WebShops erklären Sie sich damit einverstanden. Mehr Informationen finden Sie in unserem Datenschutzhinweis. Ok