COVID-19 Update: We are currently shipping orders daily. However, due to transit disruptions in some geographies, deliveries may be delayed. To provide all customers with timely access to content, we are offering 50% off Science and Technology Print & eBook bundle options. Terms & conditions.
OS X Incident Response - 1st Edition - ISBN: 9780128044568, 9780128045039

OS X Incident Response

1st Edition

Scripting and Analysis

Author: Jaron Bradley
Paperback ISBN: 9780128044568
eBook ISBN: 9780128045039
Imprint: Syngress
Published Date: 6th May 2016
Page Count: 270
Sales tax will be calculated at check-out Price includes VAT/GST
Price includes VAT/GST

Institutional Subscription

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.


OS X Incident Response: Scripting and Analysis is written for analysts who are looking to expand their understanding of a lesser-known operating system. By mastering the forensic artifacts of OS X, analysts will set themselves apart by acquiring an up-and-coming skillset.

Digital forensics is a critical art and science. While forensics is commonly thought of as a function of a legal investigation, the same tactics and techniques used for those investigations are also important in a response to an incident. Digital evidence is not only critical in the course of investigating many crimes but businesses are recognizing the importance of having skilled forensic investigators on staff in the case of policy violations.

Perhaps more importantly, though, businesses are seeing enormous impact from malware outbreaks as well as data breaches. The skills of a forensic investigator are critical to determine the source of the attack as well as the impact. While there is a lot of focus on Windows because it is the predominant desktop operating system, there are currently very few resources available for forensic investigators on how to investigate attacks, gather evidence and respond to incidents involving OS X. The number of Macs on enterprise networks is rapidly increasing, especially with the growing prevalence of BYOD, including iPads and iPhones.

Author Jaron Bradley covers a wide variety of topics, including both the collection and analysis of the forensic pieces found on the OS. Instead of using expensive commercial tools that clone the hard drive, you will learn how to write your own Python and bash-based response scripts. These scripts and methodologies can be used to collect and analyze volatile data immediately.

For online source codes, please visit:

Key Features

  • Focuses exclusively on OS X attacks, incident response, and forensics
  • Provides the technical details of OS X so you can find artifacts that might be missed using automated tools
  • Describes how to write your own Python and bash-based response scripts, which can be used to collect and analyze volatile data immediately
  • Covers OS X incident response in complete technical detail, including file system, system startup and scheduling, password dumping, memory, volatile data, logs, browser history, and exfiltration


Information security professionals and consultants as well as those involved in any type of Incident Response Analysis and computer security, particularly any analysts that have Mac systems in their environment. Also for students looking to broaden their skillset.

Table of Contents

  • Acknowledgments
  • Chapter 1: Introduction
    • Abstract
    • Is there really a threat to OS X?
    • What is OS X
    • The XNU Kernel
    • Digging deeper
    • Requirements
    • Forensically sound versus incident response
    • Incident response process
    • The Kill Chain
    • Applying the Killchain
    • Analysis environment
    • Malware scenario
  • Chapter 2: Incident Response Basics
    • Abstract
    • Introduction
    • Picking a language
    • Root versus nonroot
    • Yara
    • Basic commands for every day analysis
    • Starting an IR script
    • Collection
    • Analysis
    • Analysis scripts
    • Conclusion
  • Chapter 3: Bash Commands
    • Abstract
    • Introduction
    • Basic bash commands
    • System info
    • Who info
    • User information
    • Process information
    • Network information
    • System startup
    • Additional commands
    • Miscellaneous
    • Bash environment variables
    • Scripting the collection
    • Analysis
    • Conclusion
  • Chapter 4: File System
    • Abstract
    • Introduction
    • Brief history
    • HFS+ overview
    • Inodes, timestamps, permissions, and ownership
    • Extended attributes
    • File types and traits
    • OS X specific file extensions
    • File hierarchy layout
    • Miscellaneous Files
    • File artifacts
    • Key File artifacts
    • Collection
    • Collecting File artifacts
    • Analysis scripting
    • Analysis
    • Conclusion
  • Chapter 5: System Startup and Scheduling
    • Abstract
    • Introduction
    • System boot
    • Launchd—the beginning and end
    • Launch agents versus launch daemons
    • Breaking down a property list
    • Binary property lists
    • Launchctl
    • Listing active property lists with launchctl
    • Editing property lists using defaults
    • Property list overrides
    • Crontab
    • Persistence via kext
    • Additional kext commands
    • Less popular persistence methods
    • Collection
    • Analysis
    • Conclusion
  • Chapter 6: Browser Analysis
    • Abstract
    • Introduction
    • Safari
    • Chrome
    • Firefox
    • Downloads
    • Opera
    • Collection
    • Analysis
    • Conclusion
  • Chapter 7: Memory Analysis
    • Abstract
    • Introduction
    • Analysis tools
    • Collection
    • Analysis
    • Conclusion
  • Chapter 8: Privilege Escalation & Passwords
    • Abstract
    • Introduction
    • Privileges
    • Shellshock
    • Passwords
    • Collection
    • Analysis
    • Conclusion
  • Chapter 9: Exfiltration
    • Abstract
    • Introduction
    • How valuable data is located
    • How data is archived
    • Detecting archived files by timestamp
    • Compression tools
    • How attackers transfer data
    • Collection
    • Analysis
    • Conclusion
  • Chapter 10: The Timeline
    • Abstract
    • December 2015 intrusion timeline
    • Wrapping Up
  • Chapter 11: Advanced Malware Techniques and System Protection
    • Abstract
    • Introduction
    • Advanced malware techniques
    • Additional ASEPS
    • System protection
    • Conclusion
  • Subject Index


No. of pages:
© Syngress 2016
6th May 2016
Paperback ISBN:
eBook ISBN:

About the Author

Jaron Bradley

Jaron Bradley has a background in host-based incident response and forensics. He entered the information security field as an incident responder immediately after graduating from Eastern Michigan University, where he received his degree in Information Assurance. He now works as a Senior Intrusion Analyst, with a focus on OS X and Linux based attacks.

Affiliations and Expertise

Senior Intrusion Analyst, CrowdStrike

Ratings and Reviews