macOS-ir - Incident Response on macOS

synackjack profile image Jack Clark ・2 min read

Over summer last year, I picked up a fantastic book from Jaron Bradley, OS X Incident Response: Scripting and Analysis, which covers the development of an incident response (ir) tool for macOS. Originally I was thinking about developing something to reverse engineer iOS apps, but in all honesty I'm not the best at RE so...¯\_(ツ)_/¯

So macOS-ir is a very prototype tool to collect data from a compromised macOS device and analyse it. It's written in bash and requires no tools to be installed to collect the information 1.

The following table shows the data that is collected:2

Collected Data
System Hostname, Software Version, Kernel Information, Uptime, Serial Number
Network ifconfig Output, ARP Table
Disk Mounted Disks and Volumes
Security SIP Status, EFI Integrity, MRT Version, Firewall Status, XProtect Version, Pending Updates, FileVault Status, Firmware Password Status
Application Installed Applications, Signing Status, Install History, Running Processes, Hash of Executables
User List of Users, Hidden Files, Login History, Sudo Users
File File Permissions, File Paths, Created Modified Accessed Dates Per File
Launch Cron Jobs, System and User Launch Agents and Daemons
Browser History and Downloads for Safari, Firefox and Chrome

Once the data has been collected, it can be transferred using one of the following methods:

  • Save directly to USB drive
  • Save to a local disk image
  • Transfer over network using netcat

Of course, the data is encrypted (using OpenSSL) so if the USB is lost, for example, then any sensitive data that is collected, well nobody is getting it.

The analysis script is designed to install any required tools. This prompts to install Xcode tools and installs Homebrew along with required tools using an included Brewfile3.

And bam. Give it the name of the USB drive, path to the .dmg on the disk image or start listening with netcat and it'll start doing it's stuff. The analysis isn't (at this stage) designed to say "Hey, this is malicious" or "You know you have this malware installed" but it aims to summarise data and look for items that aren't as they should be and highlight them.

The output of this tool is a range of PDF files. A main PDF file (stored in \tmp\[Compromised device hostname]\[hostname].pdf) contains the summary of the data. Within the same folder a series of other secondary PDF files are generated which contain the rest of the data. For example, .apps that are unsigned are shown in the main PDF, but all the others are contained in a secondary. It normally goes, if the data is too large or can't be narrowed down, it's in a secondary PDF.

And that is that. A very brief overview of macOS-ir (I'm trying to think of a shorter name, but I'm stuck). If you're wanting to keep an eye on the development, check it out on GitHub! Any feedback is really appreciated.

GitHub logo SynAckJack / macOS-ir

Prototype to collect data and analyse it from a compromised macOS device.

  1. Although it does benefit if XCode tools is installed. Notarization of .apps can be checked. 

  2. Full Disk Access (FDA) must be provided to Terminal.app to collect all of this information. 

  3. Tools can be installed without any analysis with the -i flag. 


markdown guide