
OS X Incident Response
Scripting and Analysis
Description
Key Features
- Focuses exclusively on OS X attacks, incident response, and forensics
- Provides the technical details of OS X so you can find artifacts that might be missed using automated tools
- Describes how to write your own Python and bash-based response scripts, which can be used to collect and analyze volatile data immediately
- Covers OS X incident response in complete technical detail, including file system, system startup and scheduling, password dumping, memory, volatile data, logs, browser history, and exfiltration
Readership
Information security professionals and consultants as well as those involved in any type of Incident Response Analysis and computer security, particularly any analysts that have Mac systems in their environment. Also for students looking to broaden their skillset.
Table of Contents
- Acknowledgments
- Chapter 1: Introduction
- Abstract
- Is there really a threat to OS X?
- What is OS X
- The XNU Kernel
- Digging deeper
- Requirements
- Forensically sound versus incident response
- Incident response process
- The Kill Chain
- Applying the Killchain
- Analysis environment
- Malware scenario
- Chapter 2: Incident Response Basics
- Abstract
- Introduction
- Picking a language
- Root versus nonroot
- Yara
- Basic commands for every day analysis
- Starting an IR script
- Collection
- Analysis
- Analysis scripts
- Conclusion
- Chapter 3: Bash Commands
- Abstract
- Introduction
- Basic bash commands
- System info
- Who info
- User information
- Process information
- Network information
- System startup
- Additional commands
- Miscellaneous
- Bash environment variables
- Scripting the collection
- Analysis
- Conclusion
- Chapter 4: File System
- Abstract
- Introduction
- Brief history
- HFS+ overview
- Inodes, timestamps, permissions, and ownership
- Extended attributes
- File types and traits
- OS X specific file extensions
- File hierarchy layout
- Miscellaneous Files
- File artifacts
- Key File artifacts
- Collection
- Collecting File artifacts
- Analysis scripting
- Analysis
- Conclusion
- Chapter 5: System Startup and Scheduling
- Abstract
- Introduction
- System boot
- Launchd—the beginning and end
- Launch agents versus launch daemons
- Breaking down a property list
- Binary property lists
- Launchctl
- Listing active property lists with launchctl
- Editing property lists using defaults
- Property list overrides
- Crontab
- Persistence via kext
- Additional kext commands
- Less popular persistence methods
- Collection
- Analysis
- Conclusion
- Chapter 6: Browser Analysis
- Abstract
- Introduction
- Safari
- Chrome
- Firefox
- Downloads
- Opera
- Collection
- Analysis
- Conclusion
- Chapter 7: Memory Analysis
- Abstract
- Introduction
- Analysis tools
- Collection
- Analysis
- Conclusion
- Chapter 8: Privilege Escalation & Passwords
- Abstract
- Introduction
- Privileges
- Shellshock
- Passwords
- Collection
- Analysis
- Conclusion
- Chapter 9: Exfiltration
- Abstract
- Introduction
- How valuable data is located
- How data is archived
- Detecting archived files by timestamp
- Compression tools
- How attackers transfer data
- Collection
- Analysis
- Conclusion
- Chapter 10: The Timeline
- Abstract
- December 2015 intrusion timeline
- Wrapping Up
- Chapter 11: Advanced Malware Techniques and System Protection
- Abstract
- Introduction
- Advanced malware techniques
- Additional ASEPS
- System protection
- Conclusion
- Subject Index
Product details
- No. of pages: 270
- Language: English
- Copyright: © Syngress 2016
- Published: May 6, 2016
- Imprint: Syngress
- Paperback ISBN: 9780128044568
- eBook ISBN: 9780128045039
About the Author
Jaron Bradley
Affiliations and Expertise
Ratings and Reviews
Latest reviews
(Total rating for all reviews)
Aditya R. Sun Jun 30 2019
Osx
Recommended and too informative